Tuesday, September 30, 2014

Apple is giving away all your stuff in the iCloud

I've used the login name "fishdan" since 1996 -- I own it about everywhere it's worth having. Because I'm old, my primary usage is via Yahoo, but I'm also fishdan@gmail. It's my primary interface to all things Google, including my Google+ account and the account I sync my Android phone with.

Because I'm a good doobie I use 2 Stage verification with this account.  This has been a minor pain in the ass, but it always seemed like a good idea, and I'm rarely that far from my phone.

But because it's not my #1 account, I only check the email every other day or so.

Imagine my surprise when I looked at it today and saw the following:

Yep, 20 emails from Apple.  I knew that wasn't going to be good.

Here's the first one:

Full disclosure -- I don't own an iPhone and I'm not really a consumer of anything in the iTunes Universe. I do have a few Apple IDs, the most critical being professional ones related to being in the iOS developer's program and other professional things like that. That one is linked to my Yahoo email address. I don't remember why I created the Gmail Apple account, but I certainly would not have hesitated to do so. Probably for apps.

So, I'm troubled as soon as I read the email. Someone was able to sign into my iCloud account from an iPhone? I don't have an iCloud account! You can see in the image above that then there was another email saying that my Apple ID was used to sign into FaceTime and iMessage.

And immediately after that, 11 emails like this:

I suppose being charitable, I could assume that someone had perhaps fat fingered their email address and they were dishman@gmail.com.  Still, 11 requests to reset the password??

As it turns out, that was only for yesterday.  Today (starting at about 9 this morning) they made 6 more attempts to verify the email address (which is also in the first photo).  Of course I didn't respond to any of them (I hadn't even seen them yet), so my account could not have been verified right?  The last attempt to verify was at 9:08am and went unanswered.

And then at 9:28 this gem!

Seriously Apple?!?  With no verification, you allowed changes to my account, including the Apple ID, the password and the email address???

So I noticed this a few hours ago.  I went to Apple to try to reset my password.  Guess what!  If there was a reset password email, it was no longer being sent to my gmail account.

I tried to get in touch with Apple, but the best they can do is to call me tomorrow morning -- we'll see how it turns out.

I feel confident my Gmail account is secure because of two factor authentication. I only use virtual credit card numbers online, all of which I set to expire one month after I use them, so I'm not too worried about there being a credit card number associated with the iTunes account.

What I am really unhappy about, however, is that whatever WAS in that account -- perhaps some apps, perhaps photos -- is now apparently gone to someone else.

I did nothing wrong here (and I would argue many things right) and STILL Apple allowed themselves to be socially engineered into giving up an account, even after they were exposed two years ago and deleted all of a guy's photos of his kids, his collected works...

Bottom line?

You would have to be crazy to trust Apple or iCloud with anything sensitive, or anything you wouldn't want to lose!

I suspect that if I had had an iCloud account or an iPhone, my vulnerability would have been even worse.

Tuesday, August 19, 2014

seeing the progress of Windows Update in windows 8

Just upgraded to Windows 8, and I'm not happy about a lot of it, but I kept digging to see if the answers I wanted are perhaps in there somewhere.

Most particularly I was very frustrated that I could not see the progress of Windows Update as it ran from the app. It took me a long time to figure this out, but if you go to the Control Panel in the desktop and look at Windows Update there, you get to see it all as it happens!

Wednesday, May 14, 2014

Charity must begin at home

We have changed ourselves as a country and as a people when we think that the social safety net MUST come from government. When my grandparents came to Lynn in 1904 they came to a community that took them in and shared responsibility for them. If a kid was misbehaving, the first adult in the neighborhood to see it would pass that information on to the parent. If someone was struggling their family was invited to dinner. Simple concepts that are rarely practiced any more.
Charity does more than help the recipient -- it integrates the giver into the community. We learn more about ourselves and our communities through our own acts of charity. In particular we learn that our society is not as hopeless as the doomsayers would have us believe. If we can all find a way to be a little more involved and have a closer relationship with our neighbors, we would find that we can solve more problems.
Sadly, some people would rather wash their hands of the responsibilities of humanity. When I hear people say "that's what I pay taxes for" as an excuse to look the other way -- it bothers me. There's a lot about our system that can be remedied if we can just work a little bit at being good towards each other and finding a way to give of ourselves.
And that's what bothered me about this story. I think there is a concerted effort by some to make the social safety net be solely the responsibility of government. This doesn't work because government is whimsical. Today's charity is tomorrow's pariah with a new majority in power. Republicans won't allow government funds to Democratic causes and vice versa.
But hopefully our hearts ARE constant. Where people want to step up and engage in charity, we should not punish them.

Friday, October 25, 2013

Public OpenPGP key of Daniel Fishman

Version: OpenPGP.js v.1.20130820
Comment: http://openpgpjs.org


*** exported with www.mailvelope.com ***

Saturday, April 28, 2012

OSX single user repair permissions 10.6

After the Command-S startup, type the following on the command prompts, allowing time for each to do its thing:

/sbin/fsck -y<return> 
/sbin/mount -uw /<return> 
/sbin/autodiskmount -va<return> 

launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
/usr/sbin/diskutil repairPermissions / 

Thursday, March 08, 2012

mcp -- copying a file to multiple machines via scp

I have a series of 6 machines that I need to occasionally deploy the same file to in exactly the same place. I got tired of it being such a pain so I wrote this little script I call mcp.sh. It's certainly easy enough for a shell script master to do this, but for me? I struggled for 30 mins to get this right -- hopefully this saves you some pain.

I assume you have already passed your ssh key to the machines you want to connect to so you can scp without a password.  If not please read  http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id/

You call mcp.sh with the absolute path to the file you want to copy, and it will copy it to exactly the same location on the target machine.

Put names of the machines (one per line) you want to update in the file hosts.txt


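#!/bin/sh
# mcp.sh: copy a file to the same absolute path on every host in hosts.txt
if [ -z "$1" ]; then
        echo "usage mcp </absolute/path/to/file.txt>"
        exit 1
fi
# First character of the argument; it must be "/" (absolute path)
firstChar=`expr substr "$1" 1 1`
if [ "$firstChar" != / ]; then
        echo "Must use absolute path"
        exit 1
fi
# hosts.txt holds one machine name per line
for line in `cat hosts.txt`
do
        scp "$1" "root@$line:$1"
done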

improvement comments welcome
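
A stricter variant of the same idea, as an added example that is not the original mcp.sh: it validates each hosts.txt entry, makes scp fail rather than prompt, refuses unknown or changed host keys, and returns the number of hosts that failed. HOSTS_FILE and SCP_CMD are hypothetical override variables introduced here; BatchMode and StrictHostKeyChecking are standard OpenSSH options.

```shell
#!/bin/sh
# Added example. HOSTS_FILE and SCP_CMD are hypothetical overrides (assumptions),
# so the host list and the copy command can be swapped out for a dry run.
HOSTS_FILE=${HOSTS_FILE:-hosts.txt}
SCP_CMD=${SCP_CMD:-scp}

# Accept only plain host names: letters, digits, dot, hyphen; no leading hyphen.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy $1 to the same absolute path on each host.
# Returns the number of hosts that failed, or 255 for a bad argument.
mcp() {
    file=$1
    case "$file" in
        /*) ;;
        *) echo "Must use absolute path" >&2; return 255 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 255; }
    failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! valid_host "$host"; then
            echo "skipping invalid host entry: $host" >&2
            failed=$((failed + 1))
            continue
        fi
        # BatchMode=yes: fail instead of prompting for a password.
        # StrictHostKeyChecking=yes: refuse hosts whose key is unknown or changed.
        # stdin comes from /dev/null so scp cannot consume the host list.
        if ! "$SCP_CMD" -o BatchMode=yes -o StrictHostKeyChecking=yes \
                "$file" "root@$host:$file" < /dev/null; then
            echo "copy to $host failed" >&2
            failed=$((failed + 1))
        fi
    done < "$HOSTS_FILE"
    return "$failed"
}

if [ "$#" -gt 0 ]; then mcp "$@"; fi
```
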

Monday, December 05, 2011

Using a Servlet to generate chart images for BIRT

I've been working with Google's chart tools -- specifically their Image Chart tools. My problem -- I'm using BIRT as my PDF report engine, but I have a web interface. I want the report to look the same on the web as it does in BIRT (which has its own excellent native charting library). I decided the easiest way is to use an image tag, but I have the potential for copious data, so I have to use a POST instead of a GET.

Google lists an excellent hack using a form and an Iframe as a way to submit the post and that works for me from the web.   It does not work inside of BIRT -- because as far as I know there is no way to submit a form inside of a report.  Instead I decided to use an image tag which runs through a servlet I host.

So now I can write on my web page:

<img src="../chart/chart.png">

and I can include in a dynamic text in my BIRT report

"<img src='http://mywebserver/chart/chart.png'>"  //outside quotes required for BIRT dynamic text

And now I have the same chart in both!  Voila.

import org.apache.commons.io.IOUtils;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.*;
import java.net.*;
import java.util.Enumeration;
import java.util.Hashtable;

public class ChartServlet extends HttpServlet {

    public void service(HttpServletRequest request, HttpServletResponse response) {
        response.setHeader("content-type", "image/png");
        try {
            // Construct data
            Hashtable dataHash = new Hashtable();
            dataHash.put("cht", "lc");
            dataHash.put("chtt", "This is my chart");
            dataHash.put("chs", "600x300");
            dataHash.put("chxt", "x");
            dataHash.put("chd", "t:40,20,50,20,100");
            // Build the URL-encoded POST body: key=value pairs joined by "&"
            StringBuilder postBuffer = new StringBuilder();
            Enumeration enumeration = dataHash.keys();
            boolean first = true;
            while (enumeration.hasMoreElements()) {
                String key = (String) enumeration.nextElement();
                String value = (String) dataHash.get(key);
                String prefix = "&";
                if (first) {
                    prefix = "";
                    first = false;
                }
                postBuffer.append(getURLPair(prefix, key, value));
            }
            String params = postBuffer.toString();
            // Send data
            URL url = new URL("http://chart.googleapis.com/chart");
              //?chid=a"+String.valueOf(Math.random()).substring(2)); to avoid caching
            URLConnection conn = url.openConnection();
            conn.setDoOutput(true); // must be set before writing a request body (makes this a POST)
            OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream(),"UTF-8");
            wr.write(params);
            wr.flush();
            wr.close();
            // Get the response and write it directly to your response
            IOUtils.copy(conn.getInputStream(), response.getOutputStream());
        } catch (Exception e) {
            // Record the failure in the servlet log; the client gets an empty response
            log("Could not fetch chart image", e);
        }
    }

    // Returns prefix + URL-encoded "key=value", or null if the encoding is unsupported
    public static String getURLPair(String prefix, String key, String value) {
        try {
            String parameterString = prefix + URLEncoder.encode(key, "UTF-8") + "="
                    + URLEncoder.encode(value, "UTF-8");
            return parameterString;
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is always available, so this branch is not expected to run
            e.printStackTrace();
        }
        return null;
    }
}


Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License.