...stuff I do and things I like...

so I got an Apple MacBook which is my first Apple computer (besides the iPhone 3G which I bought 2 month ago). I got it as my main computer for work so I guess I will get used to it quite fast. I primarily got it to get to know Mac OS X and to do some funky programming for the iPhone. The hardware is awesome fast processors (I got the 2.4Ghz version) and lots of RAM (got 4Gigs). The glass touchpad is quite nice (also I often use two finger to move the mouse - which of course doesn't work). The aluminum case looks great still I would have gotten the black version if it would exist.

So far the software is ok, I still have trouble finding/using stuff but this should be normal after only 3 days with a new OS. The thing that annoys me the most at the moment is the window handling. Apple+Tab just switches between applications and not windows. Some windows don't even appear in the list (e.g. the email that is currently being edited). I hope this can be solved through configuration.

I really miss APT-GET based software installation, but I guess this is the price of using a commercial OS. At least it is a un*x of some sort.

More Apple tails in the near future...

the conference was in Frankfurt at a nice hotel. The food was good and the event seemed to be organized quite well. But unfortunately the conference was not technical enough in my opinion. The organizers actually said that this is going to be the German OWASP theme: not be too technical and focus more on management/organizational aspects. This is rather sad in my opinion - since I'm just starting with the whole web security stuff now. (Of course I've played with web security many years ago but this was really just for fun and not professional.)

Lets see if there is going to be a OWASP Germany conference in 2009 and how technical it will be.

the Fahrplan (schedule) finally got published tonight, also it is not complete yet but this is normal. After having to cancel my talk last year (for time reasons) I'm going to do two talks this year. I'll do my Symbian talk from BlackHat Japan and my NFC talk from EuSecWest. Both talks will be updated of course.

So far I'm pretty happy with the time slots I got. Also being selected for speaking in Saal1 (the really big room) is awesome.

...from the weekend. On Friday I got my new Nokia 6212 classic Nokia's next NFC-enabled mobile phone. I haven't played much with it yet, but I will during my vacation before the 25th Chaos Communication Congress (25C3) where I will do a talk on attacking NFC mobile phones.

I also finally jailbroken my iPhone after using it for two month. I must say I should have done it earlier but I wanted to check it out in the state most consumers use it. I actually only started looking at the whole iPhone software scene today after the jailbreak. The funniest part was to realize that I kind of know the guy (Jay Freeman) behind Cydia (the apt-based software installer) from going to the same University (of California Santa Barbara). Playing with all the free stuff will keep me busy for the next weeks I guess.

Of course I also updated my iPhone to OS version 2.2 to verify that Apple fixed the bug that I reported. As far as I can see they fixed it. Google Street View looks cool, but seems slow, also it doesn't cover either Frankfurt nor Darmstadt. Being able to switch of keyboard auto correction is great. Podcast download on the device is the best new feature of course.

Last but not least I'm looking for a place to buy a unlocked (no sim/net-lock) Android-based G1 without a contract. I'm in Germany so I need some online shop that will ship to Germany. I want a good price of course. Any hints will be highly appreciated.

Today we published a small security bug present in the iPhone OS until version 2.1. The bug is small but has big impact in the way that it can be used to call arbitrary phone numbers from visiting a website.

More details including a video (but not full-disclosure) can be found here (German only): www.sit.fraunhofer.de/pressedownloads/pressemitteilungen/iPhoneHack.jsp

We will do a full-disclosure as soon as the update is out and people had time to install it. Details will be available here.

I'm looking for a method to do phone number reverse lookups, more specific for mobile phone numbers. I know there are plenty of services for the US but I actually need this for the rest of the world and especially for Europe.

Any hints or tips would be very welcome, thanks!

NIST just released their Guidelines on Cell Phone and PDA Security here are some comments from my side.

Overall I think the document is quite good covering the field well. My main point of critic is the way they present their references. The document cites many news sites instead of the original publisher's site/document. Therefore some of the references are more or less useless since they don't provide the path to more detailed information. I not only write this because they quote theregister on my MMS vulnerability but also because of quoting zdnet on various other vulnerabilities rather than the original advisories. To make it clear I don't think the articles by these news sites are bad or wrong, I just think people reading NIST publications expect a little more detail.