Posted: Jul 29, 2009
by Billy Gray
Tagged iphone, encryption, security, cryptography
We agree with that assessment. When the iPhone 3GS was announced, Apple listed hardware encryption and better security among the new features, aimed at getting a better foothold in the enterprise marketplace where BlackBerry tends to be the dominant mobile platform, and where corporate security policies can effectively shut out insecure technologies.
Surprising no one, details from Apple are scant, but based on their carefully worded statements it would appear that full-device hardware encryption (with the key on the device) was being employed to provide fairly scant security features. In fact, it poses the appearance of security with the potential for many considerable attack vectors. At the time of the announcement, Stephen wrote:
While there is no doubt that the encryption features will enhance iPhone device security, it remains to be seen how the practical improvements will compare to the launch hype. I strongly suspect that highly sensitive information storage will still require dedicated security applications.
More information is now coming to light. Brian X. Chen has an article in Wired titled, Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses, further making the case that what Apple is providing isn’t what security-conscious professionals really require:
Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware. “It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”
Obviously, we have a vested interest in making the case for our own security applications for the iPhone and why we think they are so useful and provide much better security. But the most glaring thing about all this is Apple’s lack of disclosure, and a poor implementation with the appearance of security. It’s not suitable for our own personal use, never mind in the enterprise environment.
Zetetic is the creator of the encrypted iPhone data vault and password manager Strip and the open source encryption-enhanced database engine SQLCipher.
Posted: Jul 29, 2009
by Billy Gray
Tagged palm, strip, development, webos, native
We’ve been getting a lot of emails recently asking about our plans with regard to Strip and Palm’s new platform WebOS. We really appreciate the inquiries! At the current time we don’t have any plans to build a port of the new SQLCipher-based Strip to WebOS / Palm Pré. It’s not that we don’t want to do it, it’s more a matter of a limitation of the SDK.
Palm’s Mojo development framework, the SDK they are providing for developing apps on the Palm Pré, only provides for development in JavaScript, HTML, and CSS. There is at this time no support for developing native applications, or applications with access to native libraries. SQLCipher is a specialized build of SQLite, written in C and using OpenSSL, that provides for transparent, page-based encryption of an embedded database, and it’s at the core of Strip. Without a native SDK, we simply can’t compile it for the platform and get to work.
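To make the page-based design concrete, here is an added example in Python (not SQLCipher’s code and not its file format) of a toy encrypted page store. The key is derived from the user’s passphrase with PBKDF2, and the only thing stored in the file header is a random salt; that is the opposite of the key-on-the-device arrangement the Wired article above criticises as keeping the secret messages next to the decoder ring. The page size, iteration count, label strings, and the HMAC-SHA256 counter keystream standing in for a real block cipher are all assumptions of this demo.

```python
# Added example, not SQLCipher's code or file format: a toy page-based encrypted
# store keyed from a passphrase (PBKDF2); the header holds only a random salt.
# Constants are demo assumptions; the HMAC-SHA256 counter keystream stands in for AES.
import hashlib
import hmac
import os
import struct

PAGE_SIZE = 1024           # plaintext bytes per page
SALT_LEN = 16              # stored in the clear at the head of the file
NONCE_LEN = 16             # fresh per page write, so keystream is never reused
TAG_LEN = 32               # HMAC-SHA256 over page number + nonce + ciphertext
KDF_ITERATIONS = 100_000   # stretching factor; raise as hardware allows
SEALED_LEN = NONCE_LEN + PAGE_SIZE + TAG_LEN


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase; the salt alone tells an attacker nothing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and authentication keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (placeholder for AES-CTR)."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PageStore:
    """Encrypts and authenticates whole pages; the header never holds the key."""

    def __init__(self, passphrase: str, salt: bytes = b""):
        self.salt = salt or os.urandom(SALT_LEN)
        master = derive_key(passphrase, self.salt)
        self.enc_key = _subkey(master, b"page-encryption")
        self.mac_key = _subkey(master, b"page-authentication")
        self.pages = {}            # page number -> nonce + ciphertext + tag

    def write_page(self, page_no: int, plaintext: bytes) -> None:
        if len(plaintext) != PAGE_SIZE:
            raise ValueError("pages are fixed size")
        nonce = os.urandom(NONCE_LEN)
        ct = _xor(plaintext, _keystream(self.enc_key, nonce, PAGE_SIZE))
        # Binding the page number into the tag stops a page being moved elsewhere.
        tag = hmac.new(self.mac_key, struct.pack(">Q", page_no) + nonce + ct,
                       hashlib.sha256).digest()
        self.pages[page_no] = nonce + ct + tag

    def read_page(self, page_no: int) -> bytes:
        sealed = self.pages[page_no]
        nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
        expected = hmac.new(self.mac_key, struct.pack(">Q", page_no) + nonce + ct,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # wrong passphrase or tampering
            raise ValueError(f"page {page_no}: authentication failed")
        return _xor(ct, _keystream(self.enc_key, nonce, PAGE_SIZE))

    def serialize(self) -> bytes:
        return self.salt + b"".join(self.pages[n] for n in sorted(self.pages))

    @classmethod
    def from_bytes(cls, passphrase: str, blob: bytes) -> "PageStore":
        store = cls(passphrase, blob[:SALT_LEN])
        body = blob[SALT_LEN:]
        for n in range(len(body) // SEALED_LEN):
            store.pages[n] = body[n * SEALED_LEN:(n + 1) * SEALED_LEN]
        return store


def _raises(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def round_trip(passphrase: str, wrong_passphrase: str) -> dict:
    """Correct passphrase reads; wrong passphrase and page swaps are rejected."""
    record = b"site=bank;user=jane;pw=...".ljust(PAGE_SIZE, b"\0")   # constructed
    store = PageStore(passphrase)
    store.write_page(0, record)
    store.write_page(1, b"second page".ljust(PAGE_SIZE, b"\0"))
    blob = store.serialize()
    swapped = PageStore.from_bytes(passphrase, blob)
    swapped.pages[0], swapped.pages[1] = swapped.pages[1], swapped.pages[0]
    return {
        "recovered": PageStore.from_bytes(passphrase, blob).read_page(0) == record,
        "wrong_key_rejected": _raises(lambda: PageStore.from_bytes(wrong_passphrase, blob).read_page(0)),
        "page_swap_detected": _raises(lambda: swapped.read_page(0)),
    }
```

Calling `round_trip("correct horse", "wrong horse")` returns all three checks as `True`. The point for a reviewer is where the secret lives: the serialized blob carries the salt and sealed pages but nothing from which the key can be recomputed without the passphrase, so the cost of an offline guess is the KDF iteration count multiplied by the size of the passphrase space.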
We have made inquiries, and we’ve heard of some development shops getting special access, but so far we’ve not heard anything. If you’re a fan of Strip and you want it on your Palm Pré, it probably couldn’t hurt to chime in and send Palm your support for this.
Posted: Jul 24, 2009
by Stephen Lombardo
Tagged strip, iphone, support, software, pricing
An irate user sent us an email today about Strip, our iPhone data vault software. She wasn’t mad about a bug, or a missing feature. She was upset that we were charging money for it.
I am highly annoyed that your company would jump from a free app to a $9.99 app with such a limited number of entries. No, I will not be upgrading.
We don’t take this kind of feedback personally, but do feel it warrants a response. We decided to reply in an open letter explaining the motivation behind our software pricing.
Dear Customer,
I’m very sorry to hear that you’re upset about the charge associated with upgrading Strip. The App Store is filled with inexpensive applications: some of these are low quality, hastily developed, and quickly released. Hopefully you recognize through your evaluation that Strip doesn’t fall into that category.
Strip took 6 months for our team to build and represented a big investment for our company. We spent countless hours refining the design and adding features to make it easy and pleasing to use. Working with a large group of beta testers delayed our release but ensured the application was stable and high quality. It took months for us to wade through documentation and approval with the US Government to have Strip’s encryption classified for mass market release. On top of this we continue to provide support, bug fixes when problems occur, and new feature updates. We even released our secure database library as open source software to the community so that other developers can use it.
Strip Lite is an opportunity for everyone to try the software without purchasing it first. That’s also why the description in the App Store clearly explains that the Lite version is an evaluation limited to a small number of records.
We are a small business that builds software. We have employees and families, and our objective is to make money. Our software, and the time that we spend building it, is worth more than “Free”. It’s worth more than $0.99 a pop, too.
What’s more, the vast majority of our customers agree. We have a growing community of active users that were happy to purchase a quality piece of software at a reasonable price.
The decision to upgrade or stop using Strip is entirely yours, but I really hope you will reconsider its value. Thanks so much for your time.
Cheers,
Stephen
Posted: Jul 23, 2009
by Billy Gray
Tagged development, coworking, motivation, rcoder, amandapalmer, flyingjalapeno
I saw this post from The Flying Jalapeño Lives just now, wherein Corey poses a couple of methods for staying motivated as a programmer, particularly for somebody who works solo or remotely, possibly out of his or her home. They aren’t bad suggestions, but I figured I’d respond with another take on things, since I have some first-hand experience with the matter.
No amount of mental tricks and playing with your IDE can make up for the importance of real human company. For about a year and a half I worked out of my home, just me and the cats, and it was incredibly isolating. When you work alone all the time, you begin to actively seek out distractions on the intertubes (as if there aren’t enough to begin with!) Being around other flesh-and-blood people is critical to staying grounded, and really helps me to focus and stay motivated, rather than distracting me. I’m not the only member of Team Z in a co-working setup, either. Our man Steve Kradel is a recent convert down in Philadelphia.
I mentioned my problem to Lennon/R-Coder last year at RubyFringe, and he said something to the effect of, “dude, you need to get out of your house! Find a coworking space!” I’d never heard of such a thing, but The Bossman went and looked up Williamsburg Coworking, and I’ve been there almost every work day since. My productivity shot up by a lot (we checked, using Tempo!) I get to work with really smart people like Alexis and Stan from Percent Mobile, I’m in a creative environment, I have people to talk to, and it’s really easy to stay focused. Can’t recommend it enough. If you’re looking for a space in your city, get in touch. There’s quite a network of coworkers out there (ours spread across some 47 cities) who’d be glad to have your company, and I’d be happy to put anyone in touch, just send me an email.
On a tangential note, I saw this great interview with Amanda Palmer, which has some delicious quotes about staying on your work (or not!):
I got to a certain point where I realized that the voices in my head were working on an old, conditioned blueprint of what it actually means to be fulfilled and happy.
Slowly, I started to let that blueprint go and started to improvise another one, just for the day. And now, I draw a new blueprint every day and then set it on fire at the end of the night. I think the key for me has been realizing that every day and week and month is an improvisation…and that I can never define my success or happiness by last week’s measuring stick…I write when I feel like it, and I don’t feel catholic guilt anymore when I don’t.
Interesting stuff, and as a song-writer myself, I know that guilt, I know it well. Obviously, composition and programming aren’t the same thing, but you do have to know when to walk away and recharge. Having other people around can help prevent you from banging your head on your desk instead of relaxing and trying to look at things differently. It’s time we all started valuing one another’s company more.
Posted: Jul 16, 2009
by Billy Gray
Tagged iphone, appstore, futureruby, conference, reviews
I’ve been meaning to get a post up about Future Ruby, the fantastic conference hosted by Unspace last weekend in Toronto, but I haven’t had a chance. Since we got back our team has been playing catch-up, so I wanted to pause quickly to highlight some interesting developments since the conference.
I got to chatting with Dan Grigsby about a possible means of offsetting the iTunes App Store’s negative review bias, and he went and made it a reality, with sample code and all. Very cool.
There were a number of inspiring and challenging presentations that have sparked post-con discussion and debate. If you search on the #futureruby hash tag on Twitter you’ll find all sorts of links to discussions, comment threads, summaries and even video. Looks like even BoingBoing took notice! Many of the attendees (including myself) have taken to watching the tag to keep up and keep in touch with each other.
More thoughts to come tomorrow, there’s more testing to do this afternoon on Tempo for the maintenance update.
Posted: Jul 16, 2009
by Billy Gray
Tagged tempo, updates, ie, browsers, time, tracking
Like most web programmers out there, we’ve wasted, er, spent some “kwality” time trying to get our page layouts for Tempo to work and look good in Internet Explorer 7 (we don’t support IE6). The advent of IE8 has made this a bit easier by providing a compatibility mode for going back and forth, helping us to identify needed fixes for our ie7.css file.
As we delayed another over-due set of updates in order to fix some IE issues, I started to wonder what percentage of our users actually use IE, and if that percentage justifies spending all this time. According to Google Analytics, only 10.25% of our visitors (which is a larger group than our active subscribers) in the last two months were using some form of Internet Explorer.

Ten-odd percent of our users certainly warrants us taking the time, but it’s still a surprising metric. Furthermore, it’s down 1% from July of 2008 when IE clocked in at 11.28% of our users, despite the fact that our traffic and active users have climbed substantially from that period. I’m not sure if this indicates a preference on the part of our customers and our would-be customers, or if it means we haven’t provided IE users with the kind of interface they really want.
That said, we’ve been hard at work on a number of adjustments to Tempo’s interface to tidy things up, and many of these adjustments specifically address some display issues in IE7. We’re working on it, dear customers!
Posted: Jul 15, 2009
by Billy Gray
Tagged strip, management, password, account, pwnage
When people ask us if we have any iPhone apps in the iTunes App Store and we tell them, “yes,” they invariably get excited. Their expectations of some cool, new, game-changing technology seem to dampen when we tell them about Strip (unless they are cryptography enthusiasts). However, we often hear back from many of these same folks a few months later, telling us that they use Strip all the time, and can’t live without it.
Our friends and colleagues are starting to get worried about the bazillion sites on which they’ve set the same password. Maybe I’m preaching to the choir here, but we all do it from time to time. There are just too many to track: car insurance websites, bank accounts, social networks, newspaper sites, some online community where you registered to leave comments, some new online tool you want to try out, a thing here, a thing there. You probably sign up for something new on the Inter-tubes at least once a day.
As far as setting passwords goes, you really have two options:
- Set something different for each one and actually remember them all (good luck with that).
- Use some clever ‘p4ssw0rd123’ or variant for all of them (e.g. p4ssw0rd-facebook).
Choosing option 1 is the most secure, and the most difficult. Option 2 leaves you exposed to massive risk – one good guess, a password cracker, or a break-in on a site that didn’t hash your non-unique password could allow an attacker to get into your online bank account. Many sites e-mail your password back to you – then your ‘p4ssw0rd123’ has gone through quite a few tubes and machines in clear text by the time it arrives in your inbox. Which is also on someone else’s computers, isn’t it?
The basic work-flow of Strip was designed to fix this very problem, and it seems to get people hooked. Say you want to sign up for some new web service to try it out, but you don’t want to use that bank account or email account password. You hit the sign-up screen, you get to the password field and you fire up your iPhone (or Palm, for the Old School-ers), open up Strip, create a new entry, and generate a random password. Save it in Strip, set it on the site, and you’re done. Sure, it introduces an extra step, but now your brain isn’t filling up with garbage and you’ve drastically reduced the risk to your online information and identity.

Obviously, Strip itself could be a point of potential failure. If you left your iPhone (or Treo) in a taxi like many of our customers have done, you wouldn’t want the cabby or the next occupant to have access to private networks and mail servers. To mitigate this we use high-grade, peer-reviewed open source cryptography to make it very unlikely that anyone will ever unlock your copy of Strip before the heat death of the universe (so long as you set a strong password!). At this point we’ve got 12 years of experience under our belt, and the code is out there for anyone to see, improve, and criticize. We will continue to update Strip’s encryption engine, SQLCipher, to stay on top of the latest encryption updates, protocols, and techniques. We’ve even strengthened SQLCipher since we launched Strip in the App Store. Don’t take our word for it, have a look yourself.
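As an added example (not Strip’s code), here is a small Python script covering the workflow described in this post: generating a per-site random password from the OS CSPRNG, estimating its entropy and how long exhausting that space would take at a given guess rate (which is what “so long as you set a strong password” comes down to), and auditing a vault for the two habits the post warns against, the same password on many sites and the site-name variant. The alphabet, the sample vault, and the guess rates are constructed assumptions.

```python
# Added example, not Strip's code: per-site random passwords plus a vault audit.
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 75 characters (assumption)
_CLASSES = [set(string.ascii_lowercase), set(string.ascii_uppercase),
            set(string.digits), set(SYMBOLS)]


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG (secrets), never random.random.

    Redraw until each character class present in the alphabet appears at
    least once, so the result passes the usual site composition rules.
    """
    if length < 8:
        raise ValueError("too short to be worth generating")
    required = [cls for cls in _CLASSES if cls & set(alphabet)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in required):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password of this entropy at a given rate.

    Useful for sizing a passphrase against an offline attack on the vault
    file, where the defender's only levers are entropy and KDF cost.
    """
    return 2.0 ** bits / guesses_per_second / (365.25 * 86400)


def audit_vault(vault: dict) -> dict:
    """Flag the two habits the post warns about: reuse and site-name variants.

    vault maps site name -> password (plaintext the user already holds).
    """
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    site_named = sorted(site for site, pw in vault.items() if site.lower() in pw.lower())
    return {"reused": reused, "site_in_password": site_named}


# Constructed sample vault showing "option 2" from the post next to one good entry.
SAMPLE_VAULT = {
    "bank": "p4ssw0rd123",
    "newspaper": "p4ssw0rd123",
    "forum": "p4ssw0rd123",
    "facebook": "p4ssw0rd-facebook",
    "mail": "Xq7!vR2#kLp9@wZe",
}

if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(pw, f"{bits:.1f} bits")
    print(f"{years_to_exhaust(bits, 1e10):.2e} years at 1e10 guesses/s")
    print(audit_vault(SAMPLE_VAULT))
```

Running the audit on the sample vault reports `bank`, `forum` and `newspaper` sharing one password and `facebook` embedding its own site name. A 16-character password from this 75-symbol alphabet carries just under 100 bits of entropy, which at 10 billion guesses per second still takes on the order of 10^12 years to exhaust; the vault’s master passphrase deserves the same treatment, because it is the one secret that unlocks all the others.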
Posted: Jul 07, 2009
by Billy Gray
Tagged
Starting at 11pm EDT tonight, Tues July 7th, Tempo may be briefly unavailable while we update the application. We’re moving the beta to production!
Posted: Jul 07, 2009
by Billy Gray
Tagged iphone, development, apple, sdk, apns, prowl
I have somewhat consistently maintained that the Apple Push Notification Service for iPhone developers is a really bad kludge. I still stand by that! It’s a poor stand-in for the local system scheduler that’s already on the device.
That said, there’s a proper tool for every job, and APNS is absolutely perfect for Prowl:
Prowl is a Growl client for the iPhone. Notifications from your Mac can be sent to your iPhone over push, with a full range of customization and grace you expect…. As soon as a Growl notification pops up on your Mac, Prowl will forward it to your iPhone or iPod Touch over the push notification service found in iPhone OS 3.0. Which notifications are pushed is configurable, allowing only the important messages to be delivered.
The possibilities there are really huge. Not to mention that it’s a geek’s dream, and perfect for sysadmins. Now you never need to miss those sweet nothings your desktop whispers in your ear when you’re out and about tolerating the company of other fleshy ones. Imagine:

- unix box: OMG disk is full!
- mail server: OMG OMG OMG I/O SPIKE!
All kidding aside, this is a nice bridge between web/internet services on a dedicated connection and mobile devices, and it in no way involves text messages. Anything that cuts into the bottom line of the Text Message Tax Collectors makes me smile.
Another recent innovation with APNS is the arrival of the first middleman, Urban Airship, which handles the details of maintaining state with APNS so you don’t have to construct the infrastructure yourself.
Image snagged from the Prowl website.
Posted: Jul 02, 2009
by Billy Gray
Tagged deepthought, well, socialnetworks
The Well was the first social network.
Although, I’m just being a contrarian to the social network hypers. The good old BBS probably pre-dates the Well, anyway.
Posted: Jul 01, 2009
by Billy Gray
Tagged tempo, redesign, update, beta
In preparation for taking Tempo’s new design out of beta and moving it to production, we’ve put together this overview of what has changed.
Will I still be able to use the old interface?
No, this is it! We’ve spent quite a lot of time and hard work responding to your feedback and incorporating it into the new design. We know it’s not going to make everyone happy, but we’re pretty certain that after you use it for a little while, you won’t miss the old skin.
We are planning to make the move as early as next week, so if you still haven’t taken a look at the new version, if you still haven’t told us about that one thing that’s missing that you really need, now’s the time to try it out and get in touch!
The Layout

The basic layout consists of a left-side navigation bar, a footer (unseen in the image above) and desktop-window-like modules in the main content area. What you are looking at above is the Time screen, which is new to Tempo. Well, sorta.
In the initial version of Tempo, there was one screen that did just about everything – entering new time, reporting, viewing, exporting, etc. This became more and more cumbersome as we added features. For starters, you had to modify the current report view just to see your own time! In the second major revision of Tempo, we tried splitting a ‘My Time’ screen off of the main reporting screen, but it was poorly received. Our design skills just weren’t up to snuff, so we reverted.
In the new design, however, I think we’ve really nailed it, thanks to nGen Works. The Time screen gives you stats pertaining to your recent performance and a full listing of all your time (reflected in the API, as well).

It also allows you to easily switch between full-form entry of time, with all the various options laid out for you, and the simple command-line entry that we prefer here at Zetetic:

In the image above you can see the new tagging setup we blogged about recently, which includes support for Suggested Tags on a project! Here’s the command-line entry form, on the same Time screen:

One other big change here is in the table showing entered time. Have you ever found yourself looking at a data set, and thinking, “Hmm, what else is on this project?” Or, “I’d like to see all entries this goofball has tagged with ‘foo’.” Now, it’s as simple as clicking on the labels on an entry to dial up a new report on the Reports screen, fitting that criteria!
But, I’m getting ahead of myself. Before we discuss reports, let’s take a look at another one of the major design changes:

The Sidebar
One of the biggest changes is the introduction of a sidebar for navigating the application. There were a couple of things we wanted to emphasize here, aside from providing quick and easy access to the main areas of interest on the site.
The Add Time link produces a modal dialog (sample) allowing you to enter new time from anywhere in the application, even the Project or Account screens. Your Reports links out to a full listing of each of your saved reports, with creation dates and details, and the report links below it provide you quick and easy access to those reports you need to run at the end of each billing cycle.
Reports
The Reports screen is what used to be the one-stop-shop for all reporting functions in Tempo. This is probably the interface that changed most dramatically:

Still at your fingertips alongside Tempo’s powerful reporting are the charts, exports, invoicing, locking, batch-tagging, and saved reports features. There’s something about these various features that always threw new users, and hopefully this new design makes it clearer: they all pertain to the current report! For example, if I dial in all time billed to Spacely Sprockets for the current quarter and then click on Export or Invoice, I’ll be exporting or invoicing all the time billed to Spacely Sprockets for the current quarter!
For those of you who are used to Tempo, these functions haven’t changed much, beyond their skin:


Projects
We needed to give the Projects screen some love to bring it into the fold of the new design, and also to pave the way for new features. The project listing itself isn’t new, but hopefully breaking out the team management helps to make things a little bit more obvious for new users:


Coming soon: individual project dashboards! Each project will have its own page where we can provide project-specific tracking and statistics.
Account
Finally, the account screen got a facelift. This is where all manner of things are handled, from billing to user profile to account preferences; it was all on one page, and it was getting to be a long mess! This time around we’ve sectioned things off to make it much easier to work with.

That about wraps up the major changes in this round of hacking. It’s mostly design-centric, aside from some significant API changes you should be aware of if you have your own software that interacts with Tempo’s API. We’re not done yet, there’s still more tweaking to do, more fixes to implement that have been sent in by our always-helpful customers! There’s still time to comment on the changes and make your voice heard, please get in touch right away if you haven’t already; we’re looking to push this out next week, barring any show-stoppers.