Category Archives: Apple

YouTube HTML5 not even worthy of being beta

Google is beta testing HTML5 for video playback on YouTube, and my initial impressions of the technology are not good at all.  A few months earlier, I couldn’t get Internet Explorer, Firefox, or Google Chrome to run HTML5 video.  I am able to get the latest version of Chrome to render the video, but the results look terrible in its current stage.

Figure 1: YouTube HTML5 beta interface

As you can see in Figure 1, the rendering is horrible compared to Figure 2 in Adobe Flash mode.  The image scaling looks like it is merely using pixel duplication rather than something decent like cubic interpolation, much less something good like Lanczos3.  That’s why the image looks extremely blocky and pixelated.  There’s no apparent support for 480P, 720P, or 1080P either.

Figure 2: YouTube Flash 10 interface

In Figure 2, we see a mature Flash 10 interface with much nicer quality image rendering as well as higher resolution support.  This isn’t to say that there’s fundamentally something wrong with HTML5, just that the current implementation on YouTube has a long way to go before it can replace Flash.  This is a major issue for iPhone/iPod/iPad users and Steve Jobs is throwing his whole weight behind HTML5 and has no intention of supporting Adobe Flash.

There’s good reason not to like Flash as it is very buggy and full of security holes that expose its host operating system to nasty malware attacks.  Furthermore, the performance of Flash on many laptops and nearly all netbooks is horrible short of having a really fast laptop with rarely deployed dedicated graphics hardware.  Microsoft Silverlight (which has been beta tested on iPhone) performs much better on similar hardware than Adobe Flash so there’s a possibility that HTML5 mode might also perform better.  But until the implementation becomes much more mature and capable, HTML5 doesn’t even appear to be worthy of being beta.

Apple keyboards hacked and possessed

If the bad news about all the new critical iPhone and Mac OS X vulnerabilities announced at BlackHat 2009 wasn’t bad enough, there now appears to be a new vulnerability in Apple’s hardware.  This type of hack, however, isn’t something you can take into an Apple store and have an Apple “genius” exorcise, because once the Apple keyboard is infected and locked, there is no practical way of undoing the damage.

Read the rest and see my video interview with the researcher at

Apple QuickTime is the worst H.264 codec in the world

UPDATE 10/7/2008 – Unsurprisingly, the 1080P QuickTime movies work fine on a Mac Mini!  Apple simply won’t write good Windows software.

One of the most interesting developments in the digital camera space is the convergence of HD digital video onto traditionally still cameras.  We saw this first with consumer point-n-shoot digital cameras with 720P capability and now we’re seeing professional grade cameras like Canon’s EOS 5D Mark II implement 1080P video capability.  The downside of this is that nearly all of these camera makers are adopting Apple’s QuickTime MOV format and this is highlighting the gross inefficiencies of Apple’s video playback software.

(We won’t get started on the hundreds of critical vulnerabilities in Apple QuickTime that endanger your computer)

Apple’s codec is so poorly coded – at least the Windows version – that my Intel Core 2 Duo 2.4 GHz desktop system with NVIDIA 8800GT can’t play 1080P H.264 QuickTime movies (2 samples on bottom of this page) smoothly.  Adrian Kingsley-Hughes has even told me that he gets rough playback on his high-end Intel QX9650 Quad-core desktop with ATI 3870 crossfire dual GPU.  This situation is ludicrous because it’s possible to play Blu-Ray H.264 1080P videos on a low-end dual-core computer with a low-end $35 ATI Radeon HD 3450 graphics adapter.

This doesn’t just affect 1080P video clips; it also affects 720P video clips that consumers are far more likely to deal with.  Those clips do not work well on dual-core computers with integrated Intel graphics adapters.  You can forget about using an Intel Atom NetBook with 945 integrated graphics to play back 720P clips from your point-n-shoot camera smoothly and you can forget about using typical desktop systems with common Intel integrated graphics.

Interestingly, the 3rd party QuickTime Alternative DOES indeed play these 720P clips smoothly on low-end systems and 1080P clips on dedicated discrete graphics systems, but the audio does not work.  I’ll try to email the QT Alternative developers to see if they can fix this.

Meanwhile, Adrian will run a test on his Mac Mini to see if the Mac version of Apple QuickTime is equally incompetent.  I would not be surprised if it turns out to work well because Apple likes to point out the inferiority of the Windows platform by personally ensuring it to be true.  Apple for example criticized Windows for being virus prone only to prove it by shipping a Windows virus with the iPod.  Apple criticized Windows for being bloated with Crapware only to prove it by shipping iTunes.  We’ll have to see what Adrian finds on his Mac Mini.

The iPhone wireless LAN ownage in a box

In May, Erratasec founder and researcher David Maynor sent out these pictures to a small security list beaming with joy as if to show off his new baby.  He asked us to guess what it’s for and a number of us made some educated guesses.  He then tipped us off that the battery on the bottom of the box would run for 5 days and that it was intended to be shipped to a nonexistent person.  Well that was all the clues I needed to solve the riddle of the iPhone in a shipping box.

Basically, the iPhone is a mini Apple computer running a stripped down specialized version of Mac OS X which is based on UNIX.  This allows David to install a set of passive or active wireless reconnaissance or penetration tools on the unlocked iPhone and run it for 5 days on an extended battery.  When the box is shipped to a nonexistent person at a company, organization, or government institution, the box will sit in the shipping and receiving area without an owner to claim it until it gets returned to the original shipper which might be some anonymous PO box.  Because the iPhone is well within range of the wireless network, it can be remotely controlled via the iPhone AT&T wireless 3G data service.

Traditionally, the wireless hacker must physically sit near a site in a car or building with a high powered directional antenna aimed at the target site.  Having the iPhone in a box inside the building means this would be completely unnecessary which saves on travel and reduces the risk of being caught on site.  Discovering the device in passive mode is practically impossible because wireless intrusion detection systems are incapable of analyzing wireless mobile data services.  This is the ultimate remote wireless hacking tool which could be used for ethical penetration testing or for criminal purposes and this is the subject of David Maynor’s presentation at DEFCON 16 tomorrow in Las Vegas.

It’s going to be interesting what the state of development is and I’m eager to get an update on whether FreeRADIUS-WPE, the ultimate enterprise wireless penetration tool (MUST READ for security professionals), has been implemented yet.  I’m hoping this will raise awareness that many enterprise wireless LANs have not been properly secured and Microsoft needs to fix their wireless client so that it is less susceptible to these attacks.

Developing …

Free hotspot from Apple and AT&T? How about free hotspot anywhere!

Nathan McFeters has an interesting post (original story from MacRumors) on how Apple and AT&T are using a simple HTTP header from the iPhone as a form of Access Control to grant Apple iPhones free hotspot service.  It doesn’t take much to figure out how to spoof that HTTP header from any computer, which will allow you to quickly gain free Wi-Fi service.

But I thought about it for a second and thought hey, it’s no worse than MAC filtering which is universally used at every for-fee hotspot.  The right sniffer and the right script can quickly change your MAC address to one that’s already logged in from some other user who already paid to gain access.  Just find a user on one end of the terminal, get the MAC address, then go to the other end where you’re waiting for your airplane so that your MAC addresses aren’t conflicting with each other on the same Access Point.

Sigh, I’ve been talking about how to secure a for-fee hotspot with 802.1x more than three years ago but I haven’t seen any takers yet.  I’ve also been advocating an anonymous secure hotspot more than a year ago.  If you don’t think this is a big deal, read this on sidejacking and read how even SSL doesn’t necessarily solve the problem.  Heck I’m in the process of converting to auto redirect everything to HTTPS SSL mode.
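One way a hotspot operator could spot the MAC sharing described above, as an added example that is not code from the original post: it scans session start/stop records for a MAC address that holds sessions on two different access points at the same time. The log format, AP names, MAC addresses and roaming grace period are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from a real hotspot): time, event, client MAC, AP name.
SAMPLE_LOG = """\
2008-06-01T09:00:00 start 00:11:22:33:44:55 ap-gate-a
2008-06-01T09:05:00 start 66:77:88:99:aa:bb ap-gate-a
2008-06-01T09:20:00 start 00:11:22:33:44:55 ap-gate-f
2008-06-01T09:30:00 start 66:77:88:99:aa:bb ap-gate-b
2008-06-01T09:30:05 stop 66:77:88:99:aa:bb ap-gate-a
2008-06-01T09:50:00 stop 00:11:22:33:44:55 ap-gate-f
2008-06-01T10:00:00 stop 00:11:22:33:44:55 ap-gate-a
"""

ROAM_GRACE_SECONDS = 30  # assumption: a shorter overlap is treated as a normal roam


def parse(log_text):
    """Yield (timestamp, event, mac, ap) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, mac, ap = line.split()
        yield datetime.fromisoformat(ts), event, mac.lower(), ap


def find_shared_macs(log_text, grace=ROAM_GRACE_SECONDS):
    """Return (mac, first_ap, second_ap, overlap_seconds) for each MAC that held
    sessions on two different APs at once for longer than the grace period.
    Overlaps that are still open when the log ends are not reported."""
    open_sessions = defaultdict(dict)  # mac -> {ap: session start time}
    candidates = []                    # [mac, first_ap, second_ap, overlap start]
    findings = []
    for ts, event, mac, ap in parse(log_text):
        if event == "start":
            for other_ap in open_sessions[mac]:
                if other_ap != ap:
                    candidates.append([mac, other_ap, ap, ts])
            open_sessions[mac][ap] = ts
        elif event == "stop":
            open_sessions[mac].pop(ap, None)
            # A stop on either AP ends the overlap; measure how long it lasted.
            for cand in [c for c in candidates if c[0] == mac and ap in c[1:3]]:
                candidates.remove(cand)
                overlap = (ts - cand[3]).total_seconds()
                if overlap > grace:
                    findings.append((mac, cand[1], cand[2], int(overlap)))
    return findings
```

On the sample records, the client that roams between two APs with a five-second overlap is ignored, while the MAC active at both ends of the terminal for half an hour is reported.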

The best antidote for the Apple MacBook Air Kool Aid

I think that this video says it all:

Thanks to “Fake Steve Ballmer” for the video!

But let’s get real folks. The MacBook Air is a pretty slick design. Regardless of what peripheral capabilities it does and does not have, it packs a lot into a pretty tight package, and Apple deserves kudos for that. I am fairly certain that most users don’t need an optical drive, either (especially if they get media via iTunes or something similar). And a lot of consumers (and prosumers), basically anyone not tied to a corporate desk 8 hours a day has a WiFi connection, so the wired NIC is less of a requirement for a lot of people. But where did Apple miss? The mouse. Every laptop user I know who uses it for more than 1 meeting a week is forced to drag a mouse around with them everywhere. And that’s the real rub. I don’t care what you do to the device, users hate the trackpads and pointing sticks, and these devices will always be cumbersome if the user has to drag one (and a power cord) around. That’s the real pain point, not the thickness or even the weight.