Feed aggregator

Review: Dark Sky -- fantastic weather app, now with improved interface

iPhone J.D. - Wed, 09/05/2018 - 01:23

Schools in New Orleans were closed yesterday, and many are still closed today, because for a while it looked like Tropical Storm Gordon was headed this way.  That storm instead headed towards the Mississippi/Alabama border, but it had me using my weather apps even more than normal.  Dark Sky has long been one of the best iOS weather apps because of its incredibly accurate to-the-minute forecasts for the next hour — so much so that many other apps rely on Dark Sky for their own data.  But the app was recently updated to version 6.0 with a new interface, plus it is even faster under the hood.  Especially with these improvements, there is no doubt that Dark Sky is one of the very best weather apps for the iPhone and iPad.

Accurate, minute-by-minute predictions for the next hour

One of the best features of the Dark Sky app is that it tells you whether you need to grab your umbrella as you walk out the door.  Dark Sky can figure out whether it is going to rain during the next hour at your precise location.  When you start the app, if there is rain in the next hour, you will see a graph similar to this one:

If the app tells you it will start raining in 8 minutes, you might as well start opening up your umbrella in 7 minutes.

This information is also useful if it is currently raining and you are trying to decide whether to wait for a gap in the rain, or if you should just go now because it isn't getting better any time soon. 

Great forecasts, with an improved unified interface

Many apps do a nice job of giving you forecasts for the new few hours and the next few days.  Dark Sky has always had accurate data, but thanks to the recent version 6 update, I really like the way that this data is displayed all in one place.

When you start the app, the app gives you a forecast for your specific current location, but you can quickly search for another location (and you can save up to six locations, allowing you to swipe left and right to switch between locations).  Clear icons and numbers tell you the current conditions.

Next, you see a map with rain indicated.  Dark Sky has always used an interesting style for showing radar information on a map; instead of the blocky tiny squares, the colors are smoothed out. 

Next you see the hourly forecast, provided in a fantastic interface thanks to the recent update.  A bar along the left side gives you a visual indication of rain (the color changes to blue).  Next you see the hour, the forecast information, and the temperature in a circle which moves left or right to show relative increases and decreases in temperature.  I love the way that Dark Sky now shows all of this information at once, making it incredibly easy to see when rain will start and stop over the next few hours and how the temperature will increase or decrease over the next 24 hours.

If you scroll down, you will see the forecast for the next week.  Again, the graphics are clean and the information is easy to understand.

If you tap on any day, you get hourly forecasts for that specific day in the same format that the app normally gives you for the next 24 hours.

Maps with radar

If you tap the Map button at the bottom of the app (or if you tap on the radar map at the top of the main screen of the app), you are brought into a map view.  You can zoom in or out to see precipitation, and you can tap a play button at the bottom to see an animation of the last three hours and the predicted next hour.  Again, the nice smooth animations which are unique to Dark Sky make it easy to see what is going on.


Time Machine

I usually use a weather app when I want to look to the future.  But if you need historical weather information for a particular location, Dark Sky can give you that too.


Apple Watch

If you use an Apple Watch, Dark Sky has a nice app which shows you much of the same information for your current location that you see in the iPhone app, except for the maps.



Dark Sky has long been the leader in accurate forecasts on the iPhone and other devices, and thanks to the recent interface update, it is now one of the best apps for presenting this information in a clean interface which quickly tells you what you need to know.  If you ever use an iPhone to pay attention to the weather, this is an app that you should own.

Click here to get Dark Sky ($3.99): 

Categories: iPhone Web Sites

In the news

iPhone J.D. - Fri, 08/31/2018 - 02:09

Yesterday, Apple announced that it will hold an product announcement event on its campus in Cupertino, California on Wednesday, September 12 at 10 Pacific.  Jason Snell of Six Colors posted a picture of the invitation.  If you don't mind spoiling the surprise of learning all of the details on September 12, Guilherme Rambo and Zac Hall of 9to5Mac seem to have obtained some marketing images from Apple showing off the new iPhone and the new Apple Watch.  John Gruber of Daring Fireball speculates that those images may have been posted to a public Apple server by mistake, leading to the leak.  If that's true, there are some very unhappy people in Cupertino today.  And now, the news of note from the past week:

  • Two factor authentication is a fantastic security method which I think will become even more prevalent in the future.  At my law firm, we use Microsoft Authenticator as a second authentication method for many of our firm's resources, such as remote access.  It works really well; using either an iPhone app — or easier still, a notification on my Apple Watch — I can confirm that yes, it really is me logging in.  This week, Alex Simons, Vice President of Program Management, Microsoft Identity Division, announced that Microsoft is rolling out Microsoft Authenticator as an Apple Watch app.  This means that even if you receive a push notification which requires a PIN or biometric, you can approve access with an Apple Watch.
  • Attorney John Voorhees of MacStories reviews the new version 3.0 0f Due, a task manager app.
  • Lisa Vaas of Naked Security reports that a U.S. citizen who is Muslim is suing US Customs and Border Protection for seizing her iPhone in an airport, copying all of the data on it, and keeping the iPhone for 130 days.  (via Ride the Lightning).
  • Zac Hall of 9to5Mac discusses using the HomeKit-compatible Lutron Serena Motorized Shades.
  • Michael Rockwell of The Sweet Setup explains how to use your iPhone and HomeKit devices to turn on the lights in your home whenever you or your spouse come home at night.
  • Jonny Evans of Computerworld has some productivity tips for the iPhone.
  • Kaitlyn Wells of Wirecutter recommends the best bag organizers to store all of your USB-to-Lightning cords, power adapters, and everything else you might want to carry around in a bag.
  • And finally, tomorrow, September 1, Apple is celebrating national parks around the world by giving you the opportunity to earn an award in the Activity app.  The graphic that you can earn was inspired by Redwood National Park's 50th anniversary.  If you do a walk, run, or wheelchair workout of 50 minutes or more, you get to add the below award to your digital collection.  I like these awards because they serve as motivators, even though we all know it is just a simple image.  If you own an Apple Watch, try to find an hour to walk tomorrow!

Categories: iPhone Web Sites

IBM Power Systems LC921 and LC922 Technical Overview and Introduction

IBM Redbooks Site - Wed, 08/29/2018 - 09:30
Draft Redpaper, last updated: Wed, 29 Aug 2018

This IBM® Redpaper™ publication is a comprehensive guide that covers the IBM Power Systems™ LC921 and LC922 (9006-12P and 9006-22P)) server tshat use the latest IBM POWER9™ processor technology and supports Linux operating systems (OS).

Categories: Technology

IBM Storage Networking SAN128B-6 Switch

IBM Redbooks Site - Wed, 08/29/2018 - 09:30
Web Doc, published: Wed, 29 Aug 2018

The IBM Storage Networking SAN128B-6 high-density switch scales easily to support storage growth, demanding workloads, and data center consolidation.

Categories: Technology

IBM Power System E950: Technical Overview and Introduction

IBM Redbooks Site - Tue, 08/28/2018 - 09:30
Redpaper, published: Tue, 28 Aug 2018

This IBM® Redpaper™ Redbooks publication gives a broad understanding of a new architecture of the IBM Power System E950 (9040-MR9) server that supports IBM AIX®, and Linux operating systems.

Categories: Technology

Review: Weego Jump Starter 22 -- jump start your car battery and recharge your iPhone battery

iPhone J.D. - Sun, 08/26/2018 - 22:28

Many of us keep handy an external battery that can be used to recharge an iPhone.  However, occasionally you need to charge another mobile device:  a car.  If you ever find yourself with a dead car battery, sometimes it is possible to find a friend with another car and jumping cables, but that is a huge aggravation and may not even be possible depending upon where your car is located.  The simple solution is to keep a portable jump starter in your trunk.  The Weego Jump Starter 22 is an amazing device that makes it incredibly simple to jump start your car, and as an added bonus you can use it to charge an iPhone or iPad.  This device recently saved my bacon, and I enthusiastically recommend that you get this device now so that you have it when you need it.

My story

Virtually all of us have had to deal with a dead car battery at some point.  Here is my recent story.  I own a relatively new car — a 2017 Honda Accord.  (Last year I wrote about how much I love the CarPlay in my new car.)  About two weeks ago, I drove my car to a store, but then when I left the store a few minutes later, my car battery was dead.  Fortunately, my wife was not too far away so she could drive to me so we could jump my car, but I knew that I wouldn't always be so lucky.  It seemed strange that this would happen to a relatively new car.  Did I maybe leave on a light overnight without realizing it?  For a while I had been thinking of buying a portable jump starter, and after this occurrence I decided to play it safe and buy the Weego Jump Starter 22 on Amazon that same day. 

A week later I had to fly to Florida for business for a few days.  When I returned to the New Orleans airport and went to start my car, once again it was dead.  This time, getting a friend to drive to me to jump my car would have been a huge nightmare.  They would have had to drive all the way to the airport, go into a pay parking lot, and even then I'm not sure how it would have worked because there were cars in all of the spots around me so I wouldn't have been able to get another car close enough to the battery in my car.  And to make matters worse, I could see that it was about to start raining in 15 minutes.

But I didn't have to worry about any of this.  I took the Weego Jump Starter 22 out of my trunk, hooked it up, started my car, and then I was on my way.  The whole experience took me less than two minutes and could not have been easier.  What normally would have been a disaster was instead incredibly quick and easy.

A few days later, I brought my car to the dealer, which confirmed that my battery had to be replaced, fortunately at no charge to me because it was under warranty.  Hopefully that is the end of this story, but if for some reason there is some other electrical issue in my car and I encounter a dead battery again, I'm not worried because I have the the Weego Jump Starter 22 with me.

How it works

Before I explain how it works, let me emphasize again how simple this thing is to use.  I am about as far as one can be from a car mechanic, and even for me, using this device was a breeze.

For example, the clamps on this thing are better than any other clamps I have ever seen.  Traditional clamps can be hard to fully open, and they open like a crocodile's mouth and can be difficult to attach to a terminal and sometimes slip off.  Weego has a patented innovation the company calls Smarty Clamps.  They open ultra-wide so it is simple to attach them to a terminal, and you don't have to squeeze very hard to get them to open fully.  Last year, Wirecutter rated the Weego Jump Starter 22s the best portable jump starter, in part because the "strong, easy-to-use clamps make a good connection on a variety of battery posts."  (The Weego Jump Starter 22 that I purchased has the same clamps; it is slightly more expensive than the 22s because it adds the ability to charge a cellphone, adds a 250 lumen flashlight, and it is rated IP65 so it is water, dust and dirt resistant.)

The Weego Jump Starter 22 comes in a metal box which looks like a lunch box and holds all of the parts.  It is nice to have something sturdy to hold it all together, and I just put the lunch box in my trunk.  It also comes with a holding bag if you want something even more compact to hold it all together.

The Jump Starter 22 delivers 1700 peak amps and 300 true cranking amps, which Weego says is sufficient for motorcycles, boats and 95% of cars & trucks on the road today — anything with up to a 5L gas or a 2.5L diesel engine.  (Weego also sells a Jump Starter 44 and a Jump Starter 66 which will work with muscle cars and big trucks — the types of cars which might laugh at my Honda Accord.)

The top of the Jump Starter 22 has a protective cover, to keep out water or dust.  To jump start a car, flip open that lid to expose a connector where you pug in the clamps.

Next, turn the Jump Starter 22 on, using the power button located on the bottom right side.

Next, you attach the black clamp to your negative terminal and the red clamp to your positive terminal.  If for some reason you get that mixed up and attach to the wrong terminals, the device will not send power and instead it beeps and lights next to the word "reverse" will flash.  So it is idiot-proof.

Next wait a second or two until you see a green ready light.  That means everything is good to go.  Start your car. 

Finally, you disconnect the clamps from the Jump Starter 22.  Once you do so, a charge is no longer flowing to the clamps, so you can disconnect the clamps from the terminals in whatever order you want.

All of the lights make it super easy to understand what is going on.  Also, four lights on the body of the device tell you how much power you have left.  I had all four lights before I jumped my car, and afterwards I still had all four lights.  It takes about 2.5 hours to fully charge the Weego Jump Starter 22, and Weego says that the device will hold a charge for at least a year, and it has 1,000 charge cycles. 

Unlike traditional jumping cables, you don't need to worry about the two clamps on the Jump Starter 22 touching each other.  The Weego only sends power when it detects that it is connected to a battery.  That, along with the reverse polarity detection, means that you don't need to worry about doing something wrong and creating sparks.

It was easy for me to find a place to put the device when I was charging my car, but if for some reason you don't have a good space, the device comes with a hook and lanyard that you could use to attach the device to the underside of your car hood.  You can also use the hook and lanyard in connection with the built-in flashlight to create a work light that lasts up to 14 hours.

The Jump Starter 22 comes with a USB-to-Micro USB charging cord.  It also comes with a USB car charger that goes into a car's power port / cigarette lighter, so you can charge this device while you are driving and when your battery is strong, and then it will be ready when necessary.

Charge your phone

Carrying a Weego Jump Starter in your car means that you never have to worry about a dead battery again.  But hopefully you won't need to use the device very often to start a car, and since the core of the device is a powerful battery, Weego also lets you use this device to charge your phone.  So if you drive somewhere only to realize that your phone is dead or low on power, just take the Weego Jump Starter 22 from your trunk, add a USB-to-Lightning cable, and you are ready to go.  (Consider storing a USB-to-Lightning cable, such as an inexpensive Anker PowerLinke cable, in the Weego lunch box so you have it if you need it.)

If the Weego is at full charge, you have 1700 Amps, which depending upon your iPhone model should give you somewhere from almost a full charge to multiple charges.  Weego advertises "up to 3 full charges" but obviously that depends upon which device you are using.  Weego also says that the Jump Starter 22 detects what kind of device you are using and "automatically provides [the] fastest charge to your phones, tablets & other USB devices," 5V or 9V at 2.4A output.

The Jump Starter 22 (without the clamps) has dimensions of 3.25" x 6.25" x .75" and weighs about 10 ounces.  You can certainly buy smaller external batteries to charge your iPhone, but the Jump Starter 22 is not intended to be the portable charger that you carry around and use every day.  It works great for the rare situation when you are away from the home or office and you need something to charge your iPhone or iPad right away — and then you are glad that the device is in your trunk so you can grab it and walk wherever you are going with something handy to charge your phone.


Having a portable jump starter in your car gives you peace of mind.  Everyone has a car battery die at some point, and with this device in your trunk, you'll never have to worry about being stranded or dealing with inconveniences when it happens to you.  And because of the excellent design of the Weego Jump Starter 22, it is fast and easy to jump start a car.  As an added bonus, you have a battery in your car that you can always use to charge an iPhone or iPad — which gives you even more peace of mind.

If you decide that you don't need an iPhone charger, and if you don't care about the flashlight and the IP65 rating, then get the Weego Jump Starter 22s.  It is cheaper, but the basic design is the same as the Jump Starter 22, including those fantastic clamps and useful status lights that walk you through using the device to jump a car battery.

Whichever model you get, this is a good product to get now, while you are thinking about it, so you have it later when you really need it.  You might need it for yourself, but even if you are helping a friend jump a car, it is going to be much, much easier to use a portable device like this versus getting your own car in the right position so that you can jump your friend's car using your own car.

Click here to get the Weego Jump Starter 22 from Amazon ($94.71)

Click here to get the Weego Jump Starter 22s from Amazon ($62.99)

Categories: iPhone Web Sites

In the news

iPhone J.D. - Fri, 08/24/2018 - 00:26

Rene Ritchie of iMore explains why he believes that Apple's September product announcement will take place on Wednesday, September 12, just over two weeks from now, and says that we could see a larger version of the iPhone X, perhaps with Apple Pencil support, an iPhone 9 with a design similar to the iPhone X but with an LCD screen, an Apple Watch Series 4 with smaller bezels so that the physical size is the same but the screen is larger, an iPad Pro 3, new Macs, and more.  That's a whole lot of new Apple products that could be just around the corner.  Clear some space on your credit card.  And now, the news of note from the past week:

  • Attorney John Voorhees of MacStories discusses an update to the Dark Sky app which I think greatly improves the interface of that weather app.  For a long time now, CARROT Weather has been my favorite weather app, but with this update, I've started to use Dark Sky even more.
  • Elizabeth Sullivan of PCMag reviews the Logitech Crayon — the $50 version of the Apple Pencil — and names it an Editors' Choice.  The Crayon is currently only being sold to schools, but I hope that will change in the future.  In fact, it would be fantastic to have lots of different stylus choices that all work as well as the Apple Pencil.
  • VPN software is used to keep your Internet use private, especially if you are using public Wi-Fi.  But according to Chance Miller of 9to5Mac, Apple has asked Facebook to remove its Onavo VPN app from the App Store.  While that app may keep your Internet use private from other people on the same network, apparently Facebook tracks everything that you do while using the app, making it a privacy nightmare.  Kudos to Apple for continuing to make privacy a priority.
  • Speaking of privacy, John Gruber of Daring Fireball links to a Digital Content Next story about a report from Vanderbilt Professor Douglas Schmidt which finds that while Google doesn't collect any of your personal data from the Safari web browser when you are not actively using it, a dormant Android phone running the Chrome browser sends information to Google 340 times in a 24-hour period.
  • Gruber also discusses the shake-to-undo feature of the iPhone, and notes that many people don't even know that the feature is there.  I don't use it often, but when I do, I'm glad it there.  Hopefully, you already know that it is there, but if not, you do now.
  • Zac Hall of 9to5Mac recommends HomeKit devices that you can use to monitor the temperature at your house.
  • Peter Cao of 9to5Mac shows off how 1Password is integrated into the operating system in iOS 12.  Juli Clover of MacRumors also wrote a good explanation with lots of pictures.  This feature looks fantastic.
  • Roger Fingas of AppleInsider reports that, from today through August 31, Apple will donate $1 to the National Park Foundation for every Apple Pay purchase made at an Apple store or on the Apple website.  And on September 1, there will be a special Activity Challenge on the Apple Watch.
  • Steven Musil of CNet reports that you can now use Apple Pay when you shop at Costco.
  • Ian Fuchs of Cult of Mac says that the free Highball app is an essential iOS app.  I agree; it is what I use to store all of my cocktail recipes. 
  • And finally, here is an ad for Face ID on the iPhone X that Apple debuted a few weeks ago which features a game show theme.  It is called Memory:

Categories: iPhone Web Sites

Implementing VersaStack with Cisco ACI Multi-Pod and IBM HyperSwap for High Availability

IBM Redbooks Site - Thu, 08/23/2018 - 09:30
Redbook, published: Thu, 23 Aug 2018

The IBM HyperSwap® high availability (HA) function allows business continuity in a hardware failure, power failure, connectivity failure, or disasters, such as fire or flooding.

Categories: Technology

Mac Power Users #444 -- using an iPhone, iPad, and Mac in my law practice and more

iPhone J.D. - Mon, 08/20/2018 - 00:29

This week, I was the guest on one of my favorite podcasts, Mac Power Users.  It was episode 444 of that podcast, a number which has a nice ring to it.  The co-hosts are California attorney David Sparks and Florida attorney Katie Floyd.  The three of us have known each other for a long time, and that camaraderie made for a fun podcast.  Although the three of us are attorneys, this is a general interest podcast, so I didn't discuss legal-specific apps I love such as TranscriptPad or iTimeKeep, but I did discuss just about everything else.  The topics included using a Mac at home when you have a PC at work, lots of different ways to get your work done using an iPhone and iPad, home automation using Apple's HomeKit platform, and CarPlay.  If you are interested in the things I write about on iPhone J.D., then I am sure that you will enjoy this podcast episode.

Thank you, David and Katie, for asking me to be a guest on the show.  When you click this episode link, you will see links to download this specific episode in your podcast player of choice on your iPhone, including my personal favorite, Overcast:

Click here to listen to Mac Power Users Episode 444:  Workflows with iPhone JD Jeff Richardson.

Categories: iPhone Web Sites

In the news

iPhone J.D. - Fri, 08/17/2018 - 00:32

For the past six years, Apple has introduced a new iPhone in the first or second week of September:  September 12, 2017; September 7, 2016; September 9, 2015; September 9, 2014; September 10, 2013; and September 11, 2012.  There is, of course, no guarantee that Apple will do the same thing again in 2018, but if I had to bet money, I'd say that we are just a few weeks from seeing the 2018 versions of the iPhone.  If you are in the market for a new iPhone, I recommend that you wait if you can.  New iPads are released at lots of different times of the year, but I think that there is also a very good chance that we will also see a new iPad Pro in September or maybe October.  And now, the news of note from the past week:

  • As a reminder, I am presenting a one hour CLE in New Orleans one week from today with tips for using an iPad in your law practice.  The CLE is free if you are a member of the New Orleans Bar Association.  Click here for more information.
  • California attorney David Sparks discusses giving up his laptop to use just his iPad when he is away from his desktop computer.
  • Speaking of David Sparks, on August 9, 2017, he gave a presentation at the CMD-D conference about using the Workflow app on iOS to automate tasks on your iPhone or iPad.  Apple purchased the Workflow app and it will be a part of iOS 12 this year, renamed to Shortcuts.  A video of that presentation was recently released, and even though it is a year old, virtually everything in there is just as relevant and useful today.  Plus, David has a great presentation style.  This is worth watching.
  • Chicago attorney John Voorhees of MacStories explains how third-party Twitter apps had to change this week because Twitter took away some of their features.
  • Speaking of Twitter, Virginia attorney Sharon Nelson discusses a rare example of using Twitter to serve a defendant with a lawsuit.  In this case, the defendant is WikiLeaks.
  • New York attorney Nicole Black recommends podcasts for lawyers.
  • iOS 12, which I expect to be released soon, was going to add a group videochat feature to FaceTime.  However, Apple announced this week that it this feature will be delayed.  Jason Snell discusses this in an article for Macworld.
  • John Gruber of Daring Fireball discusses a report by Kif Leswing for Business Insider that Apple is encouraging app developers to move from a pay-up-front model to a subscription model.
  • Matthew Cassinelli of The Sweet Setup discusses using 1Password on an Apple Watch.
  • And finally, Throwboy has a Kickstarter campaign to produce throw pillows shaped like iconic Apple hardware:  the Apple II, the Mac, the iMac, the iPod, and of course, the iPhone.  The goal was to raise $10,000, and they are already at $30,000.  Although the iPhone is my favorite Apple device of all time, I'm not sure which of these pillows I like the most.  They are all great:

Categories: iPhone Web Sites

The Problems and Promise of WebAssembly

Google Project Zero - Thu, 08/16/2018 - 13:02
Posted by Natalie Silvanovich, Project Zero

WebAssembly is a format that allows code written in assembly-like instructions to be run from JavaScript. It has recently been implemented in all four major browsers. We reviewed each browser’s WebAssembly implementation and found three vulnerabilities. This blog post gives an overview of the features and attack surface of WebAssembly, as well as the vulnerabilities we found.Building WebAssembly
A number of tools can be used to write WebAssembly code. An important goal of the designers of the format is to be able to compile C and C++ into WebAssembly, and compilers exist to do so. It is likely that other languages will compile into WebAssembly in the future. It is also possible to write WebAssembly in WebAssembly text format which is a direct text representation of WebAssembly binary format, the final format of all WebAssembly code.WebAssembly Modules
Code in WebAssembly binary format starts off in an ArrayBuffer or TypedArray in JavaScript. It is then loaded into a WebAssembly Module.
var code = new ArrayBuffer(len);… // write code into ArrayBuffervar m = new WebAssembly.Module(code);
A module is an object that contains the code and initialization information specified by the bytes in binary format. When a module is created, it parses the binary, loads needed information into the module, and then translates the WebAssembly instructions into an intermediate bytecode. Verification of the WebAssembly instructions is performed during this translation.
WebAssembly binaries consist of a series of sections (binary blobs) with different lengths and types. The sections supported by WebAssembly binary format are as follows.
SectionCodeDescriptionType1Contains a list of function signatures used by functions defined and called by the module. Each signature has an index, and can be used by multiple functions by specifying that index. Imports2Contains the names and types of objects to be imported. More on this later.Functions3The declarations (including the index of a signature specified in the Type Section) of the functions defined in this module.Table4Contains details about function tables. More on this later.Memory5Contains details about memory. More on this later.Global6Global declarations.Exports7Contains the names and types of objects and functions that will be exported.Start8Specifies a function that will be called on Module start-up.Elements9Table initialization information.Code10The WebAssembly instructions that make up the body of each function.Data11Memory initialization information.
If a section has a code that is not specified in the above table, it is called a custom section. Some browsers use custom sections to implement upcoming or experimental features. Unrecognized custom sections are skipped when loading a Module, and can be accessed as TypedArrays in JavaScript.
Module loading starts off by parsing the module. This involves going through each section, verifying its format and then loading the needed information into a native structure inside the WebAssembly engine. Most of the bugs that Project Zero found in WebAssembly occured in this phase.
To start, CVE-2018-4222 occurs when the WebAssembly binary is read out of the buffer containing it. TypedArray objects in JavaScript can contain offsets at which their underlying ArrayBuffers are accessed. The WebKit implementation of this added the offset to the ArrayBuffer data pointer twice. So the following code:
var b2 = new ArrayBuffer(1000);
var view = new Int8Array(b2, 700); // offset
var mod = new WebAssembly.Module(view);
Will read memory out-of-bounds in an unfixed version of WebKit. Note that this is also a functional error, as it prevents any TypedArray with an offset from being processed correctly by WebAssembly.
CVE-2018-6092 in Chrome is an example of an issue that occurs when parsing a WebAssembly buffer. Similar issues have been fixed in the past. In this vulnerability, there is an integer overflow when parsing the locals of a function specified in the code section of the binary. The number of locals of each type are added together, and the size_t that contains this number can wrap on a 32-bit platform.
It is also evident from the section table above (and specified in the WebAssembly standard) that sections must be unique and in the correct order. For example, the function section can’t load unless the type section containing the signatures it needs has been loaded already.   CVE-2018-4121 is an error in section order checking in WebKit. In unfixed versions of WebKit, the order check gets reset after a custom section is processed, basically allowing sections to occur any number of times in any order. This leads to an overflow in several vectors in WebKit, as its parsing implementation allocates memory based on the assumption that there is only one of each section, and then adds elements to the memory without checking. Even without this implementation detail, though, this bug would likely lead to many subtle memory corruption issues in the WebAssembly engine, as the order and non-duplicate nature of WebAssembly binary sections is very fundamental to the functionality of WebAssembly.
This vulnerability was independently discovered by Alex Plaskett, Fabian Beterke and Georgi Geshev of MWR Labs, and they describe their exploit here.WebAssembly Instances
After a binary is loaded into a Module, an Instance of the module needs to be created to run the code. An Instance binds the code to imported objects it needs to run, and does some final initialization.
var code = new ArrayBuffer(len);… // write code into ArrayBuffervar m = new WebAssembly.Module(code);var i = new WebAssembly.Instance(m, imports);
Each module has an Import Section it loaded from the WebAssembly binary. This section contains the names and types of objects that must be imported from JavaScript for the code in the module to run. There are four types of object that can be imported. Functions (JavaScript or WebAssembly) can be imported and called from WebAssembly. Numeric types can also be imported from JavaScript to populate globals.
Memory and Table objects are the final two types that can be imported. These are new object types added to JavaScript engines for use in WebAssembly. Memory objects contain the memory used by the WebAssembly code. This memory can be accessed in JavaScript via an ArrayBuffer, and in WebAssembly via load and store instructions. When creating a Memory object, the WebAssembly developer specifies the initial and optional maximum size of the memory. The Memory object is then created with the initial memory size allocated, and the allocated memory size can be increased in JavaScript by calling the grow method, and in WebAssembly using the grow instruction. Memory size can never decrease (at least according to the standard).
Table objects are function tables for WebAssembly. They contain function objects at specific indexes in the table, and these functions can be called from WebAssembly using the call_indirect instruction. Like memory, tables have an initial and optional maximum size, and their size can be expanded by calling the grow method in JavaScript. Table objects cannot be expanded in WebAssembly.  Table objects can only contain WebAssembly functions, not JavaScript functions, and an exception is thrown if the wrong type of function is added to a Table object. Currently, WebAssembly only supports one Memory object and one Table object per Instance object. This is likely to change in the future though.
More than one Instance object can share the same Memory object and Table object. If two or more Instance objects share both of these objects, they are referred to as being in the same compartment. It is possible to create Instance objects that share a Table object, but not a Memory object, or vice versa, but no compiler should ever create Instances with this property. No compiler ever changes the values in a table after it is initialized, and this is likely to remain true in the future, but it is still possible for JavaScript callers to change them at any time.
There are two ways to add Memory and Table objects to an Instance object. The first is through the Import Section as mentioned above. The second way is to include a Memory or Table Section in the binary. Including these sections causes the WebAssembly engine to create the needed Memory or Table object for the module, with parameters provided in the binary. It is not valid to specify these objects in both the Import Section and the Table or Memory Section, as this would mean there is more than one of each object, which is not currently allowed. Memory and Table objects are not mandatory, and it is fairly common for code in WebAssembly not to have a Table object. It is also possible to create WebAssembly code that does not have a Memory object, for example a function that averages the parameters that are passed in, but this is rare in practice.
One feature of these objects that has led to several vulnerabilities is the ability to increase the size of the allocated Memory or Table object. For example, CVE-2018-5093, a series of integer overflow vulnerabilities in increasing the size of Memory and Table objects was recently found by OSS-Fuzz. A similar issue was found in Chrome by OSS-Fuzz.
Another question that immediately comes to mind about Memory objects is whether the internal ArrayBuffer can be detached, as many vulnerabilities have occured in ArrayBuffer detachment. According to the specification, Memory object ArrayBuffers cannot be detached by script, and this is true in all browsers except for Microsoft Edge (Chakra does not allow this, but Edge does). The Memory object ArrayBuffer also do not change size when the Memory object is expanded. Instead, they are detached as soon as the grow method is called. This prevents any bugs that could occur due to ArrayBuffers changing size.
Out of bounds access is always a concern when allowing script to use memory, but these types of issues are fairly uncommon in WebAssembly. One likely reason for this is that a limited number of WebAssembly instructions can access memory, and WebAssembly currently only supports a single page of memory, so the code that accesses memory is a WebAssembly engine is actually quite small. Also, on 64-bit systems, WebAssembly implements memory as safe buffers (also called signal buffers). To understand how safe buffers work, it is important to understand how loads and stores work in WebAssembly. These instructions have two operands, an address and an offset. When memory is accessed, these two operands are added to the pointer to the start of the internal memory of the Memory object, and the resulting location is where the memory access happens. Since both of these operands are 32-bit integers (note that this is likely to change in future versions of WebAssembly), and required to be above zero, a memory access can be at most 0xfffffffe (4GB) outside of the allocated buffer.
Safe buffers work by mapping 4GB into memory space, and then allocating the portion of memory that is actually needed by WebAssembly code as RW memory at the start of the mapped address space. Memory accesses can be at most 4GB from the start of the memory buffer, so all accesses should be in this range. Then, if memory is accessed outside of the allocated memory, it will cause a signal (or equivalent OS error), which is then handled by the WebAssembly engine, and an appropriate out of bounds exception is then thrown in JavaScript. Safe buffers eliminate the need for bounds checks in code, making vulnerabilities due to out-of-bounds access less likely on 64-bit systems. Explicit bounds checking is still required on 32-bit systems, but these are becoming less common.
After the imported objects are loaded, the WebAssembly engine goes through a few more steps to create the Instance Object. The Elements Section of the WebAssembly binary is used to initialize the Table object, if both of these exist, and then the Data Section of the WebAssembly binary is used to initialize the Memory object, if both exist. Then, the code in the Module is used to create functions, and these functions are exported (attached to a JavaScript object, so they are accessible in JavaScript). Finally, if a start function is specified in the Start Section, it is executed, and then the WebAssembly is ready to run!
var b2 = new ArrayBuffer(1000);
var view = new Int8Array(b2, 700); // offset
var mod = new WebAssembly.Module(a);var i = new WebAssembly.Instance(m, imports);i.exports.call_me(); //WebAssembly happens!
The final issue we found involves a number of these components. It was discovered and fixed by the Chrome team before we found it, so it doesn’t have a CVE, but it’s still an interesting bug.
This issue is related to the call_indirect instruction which calls a function in the Table object. When the function in the Table object is called, the function can remove itself from the Table object during the call. Before this issue was fixed, Chrome relied on the reference to the function in the Table object to prevent it from being freed during garbage collection. So removing the function from the Table object during a call has the potential to cause the call to use freed memory when it unwinds.
This bug was originally fixed by preventing a Table object from being changed in JavaScript when a WebAssembly call was in progress. Unfortunately, this fix did not completely resolve the issue. Since it is possible to create a WebAssembly Instance in any function, it was still possible to change the Table object by creating an Instance that imports the Table object and has an underlying module with an Elements Section. When the new Instance is created, the Elements Section is used to initialize the Table, allowing the table to be changed without calling the JavaScript function to change a Table object. The issue was ultimately resolved by holding an extra reference to all needed objects for the duration of the call.Execution
WebAssembly is executed by calling an exported function. Depending on the engine, the intermediate bytecode generated when the Module was parsed is either interpreted or used to generate native code via JIT. It’s not uncommon for WebAssembly engines to have bugs where the wrong code is generated for certain sequences of instructions; many such issues have been reported in the bugs trackers for the different engines. We didn’t see any such bugs that had a clear security impact though.The Future
Overall, the majority of the bugs we found in WebAssembly were related to the parsing of WebAssembly binaries, and this has been mirrored in vulnerabilities reported by other parties. Also, compared to other recent browser features, surprisingly few vulnerabilities have been reported in it. This is likely due to the simplicity of the current design, especially with regards to memory management.
There are two emerging features of WebAssembly that are likely to have a security impact. One is threading. Currently, WebAssembly only supports concurrency via JavaScript workers, but this is likely to change. Since JavaScript is designed assuming that this is the only concurrency model, WebAssembly threading has the potential to require a lot of code to be thread safe that did not previously need to be, and this could lead to security problems.
WebAssembly GC is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly.
Categories: Security

SAP HANA and ESS: A Winning Combination

IBM Redbooks Site - Thu, 08/16/2018 - 09:30
Redpaper, published: Thu, 16 Aug 2018

SAP HANA on IBM® POWER® is an established HANA solution with which customers can run HANA-based analytic and business applications on a flexible IBM Power based infrastructure.

Categories: Technology

A Guide to JES3 to JES2 Migration

IBM Redbooks Site - Wed, 08/15/2018 - 09:30
Redbook, published: Wed, 15 Aug 2018

This IBM® Redbooks® publication provides information to help clients that have JES3 and want to migrate to JES2.

Categories: Technology

Move ring on Apple Watch barely moving? Check your weight.

iPhone J.D. - Wed, 08/15/2018 - 00:22

Here's a quick tip for all of you Apple Watch owners who keep track of your circles, just in case you make the same mistake that I did.  I noticed a few days ago that the red circle (the Move ring) on my Apple Watch was increasing far slower than normal.  Even after 30 minutes on a treadmill, it was logging less than half of the calories that I normally see, and my overall red circle activity at the end of the day was substantially lower than normal.  It took a long time for me to find the solution, but ultimately I discovered that I needed to check my weight in the Health app on my iPhone, which was far lower than it should have been.  Once I adjusted my weight up to the correct number, my Move ring started to count calories at the same rate that it usually does.

How did this happen in the first place?  The Health app on the iPhone has a place to store your weight.  if your weight doesn't change often, just manually enter the number once and then forget about it.  However, if you are manually tracking your weight as it changes over time, it can be a pain to manually enter it in the Health app every day.  For a long time now, my faster solution has been to use the Workflow app — which will soon be renamed the Shortcuts app in iOS 12.  I have a very short workflow that simply asks me to enter my weight and then puts that data into the Health app:

Because it is one of the first four workflows in my Workflow app, I can just 3D Touch on the Workflow app icon on my iPhone's home screen, select Log My Weight, type the number, and then I'm done.  The whole process takes maybe three seconds.  In iOS 12, I'll be able to assign a voice command to start this workflow, making it even faster to trigger.

Last week, however, I suppose I should have spent more than three seconds to avoid being careless.  It turns out that I had somehow tapped the wrong buttons and entered the wrong weight, and apparently my iPhone had no trouble accepting that I suddenly weighed half as much.  (Um, thanks?)  My Apple Watch also noticed, and as a result it decided that I must be burning far less calories for the same amount of activity.

Fortunately, this is an easy problem to fix.  When you are looking at any health data source in the Health app, you can always tap Show All Data to see a list of every single entry.  If you see an entry that is wrong, you can delete that entry.  So to fix my problem, I just removed the incorrect weight, and the problem was solved.

Categories: iPhone Web Sites

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

Google Project Zero - Tue, 08/14/2018 - 13:00
Posted by James Forshaw, Project Zero
And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll detail how I was able to exploit Issue 1550 which results in an arbitrary object directory being created by using a useful behavior of the CSRSS privileged process. Once again by detailing how I’d exploit a particular vulnerability I hope that readers get a better understanding of the complexity of the Windows operating system as well as giving Microsoft information on non-memory corruption exploitation techniques so that they can mitigate them in some way.Quick Overview of the VulnerabilityObject Manager directories are unrelated to normal file directories. The directories are created and manipulated using a separate set of system calls such as NtCreateDirectoryObject rather than NtCreateFile. Even though they’re not file directories they’re vulnerable to many of the same classes of issues as you’d find on a file system including privileged creation and symbolic link planting attacks.
Issue 1550 is a vulnerability that allows the creation of a directory inside a user-controllable location while running as SYSTEM. The root of the bug is in the creation of Desktop Bridge applications. The AppInfo service, which is responsible for creating the new application, calls the undocumented API CreateAppContainerToken to do some internal housekeeping. Unfortunately this API creates object directories under the user’s AppContainerNamedObjects object directory to support redirecting BaseNamedObjects and RPC endpoints by the OS.
As the API is called without impersonating the user (it’s normally called in CreateProcess where it typically isn’t as big an issue) the object directories are created with the identity of the service, which is SYSTEM. As the user can write arbitrary objects to their AppContainerNamedObjects directory they could drop an object manager symbolic link and redirect the directory creation to almost anywhere in the object manager namespace. As a bonus the directory is created with an explicit security descriptor which allows the user full access, this will become very important for exploitation.
One difficulty in exploiting this vulnerability is that if the object directory isn’t created under AppContainerNamedObjects because we’ve redirected its location then the underlying NtCreateLowBoxToken system call which performs the token creation and captures a handle to the directory as part of its operation will fail. The directory will be created but almost immediately deleted again. This behavior is actually due to an earlier issue I reported which changes the system call’s behavior. This is still exploitable by opening a handle to the created directory before it’s deleted, and in practice it seems winning this race is reliable as long as your system has multiple processors (which is basically any modern system). With an open handle the directory is kept alive as long as needed for exploitation.
This is the point where the original PoC I sent to MSRC stopped, all the PoC did was create an arbitrary object directory. You can find this PoC attached to the initial bug report in the issue tracker. Now let’s get into how we might exploit this vulnerability to go from a normal user account to a privileged SYSTEM account.ExploitationThe main problem for exploitation is finding a location in which we can create an object directory which can then be leveraged to elevate our privileges. This turns out to be harder than you might think. While almost all Windows applications use object directories under the hood, such as BaseNamedObjects, the applications typically interact with existing directories which the vulnerability can’t be used to modify.
An object directory that would be interesting to abuse is KnownDlls (which I mentioned briefly in the previous blog in this series). This object directory contains a list of named image section objects, of the form NAME.DLL. When an application calls LoadLibrary on a DLL inside the SYSTEM32 directory the loader first checks if an existing image section is present inside the KnownDlls object directory, if the section exists then that will be loaded instead of creating a new section object.

KnownDlls is restricted to only being writable by administrators (not strictly true as we’ll see) because if you could drop an arbitrary section object inside this directory you could force a system service to load the named DLL, for example using the Diagnostics Hub service I described in my last blog post, and it would map the section, not the file on disk. However the vulnerability can’t be used to modify the KnownDlls object directory other than adding a new child directory which doesn’t help in exploitation. Maybe we can target KnownDlls indirectly by abusing other functionality which our vulnerability can be used with?
Whenever I do research into particular areas of a product I will always note down interesting or unexpected behavior. One example of interesting behavior I discovered when I was researching Windows symbolic links. The Win32 APIs support a function called DefineDosDevice, the purpose of this API is to allow a user to define a new DOS drive letter. The API takes three parameters, a set of flags, the drive prefix (e.g. X:) to create and the target device to map that drive to. The API’s primary use is in things like the CMD SUBST command.
On modern versions of Windows this API creates an object manager symbolic link inside the user’s own DOS device object directory, a location which can be written to by a normal low privileged user account. However if you look at the implementation of DefineDosDevice you’ll find that it’s not implemented in the caller’s process. Instead the implementation calls an RPC method inside the current session’s CSRSS service, specifically the method BaseSrvDefineDosDevice inside BASESRV.DLL. The main reason for calling into a privileged service is it allows a user to create a permanent symbolic link which doesn’t get deleted when all handles to the symbolic link object are closed. Normally to create a permanent named kernel object you need the SeCreatePermanentPrivilege privilege, however a normal user does not have that privilege. On the other hand CSRSS does, so by calling into that service we can create the permanent symbolic link.
The ability to create a permanent symbolic link is certainly interesting, but if we were limited to only creating drive letters in the user’s DOS devices directory it wouldn’t be especially useful. I also noticed that the implementation never verified that the lpDeviceName parameter is a drive letter. For example you could specify a name of “GLOBALROOT\RPC Control\ABC” and it would actually create a symbolic link outside of the user’s DosDevices directory, specifically in this case the path “\RPC Control\ABC”. This is because the implementation prepends the DosDevice prefix “\??” to the device name and passes it to NtCreateSymbolicLink. The kernel would follow the full path, finding GLOBALROOT which is a special symbolic link to return to the root and then follow the path to creating the arbitrary object. It was unclear if this was intentional behavior so I looked in more depth at the implementation in CSRSS, which is shown in abbreviated form below.
NTSTATUS BaseSrvDefineDosDevice(DWORD dwFlags,
                               LPCWSTR lpDeviceName,
                               LPCWSTR lpTargetPath) {
   WCHAR device_name[];
   snwprintf_s(device_name, L"\\??\\%s", lpDeviceName);
   UNICODE_STRING device_name_ustr;
   RtlInitUnicodeString(&device_name_ustr, device_name);
   InitializeObjectAttributes(&objattr, &device_name_ustr,                               OBJ_CASE_INSENSITIVE);

   BOOLEAN enable_impersonation = TRUE;
   HANDLE handle;
   NTSTATUS status = NtOpenSymbolicLinkObject(&handle, DELETE, &objattr);①

   if (NT_SUCCESS(status)) {
       BOOLEAN is_global = FALSE;

       // Check if we opened a global symbolic link.
       IsGlobalSymbolicLink(handle, &is_global); ②
       if (is_global) {
           enable_impersonation = FALSE; ③
           snwprintf_s(device_name, L"\\GLOBAL??\\%s", lpDeviceName);
           RtlInitUnicodeString(&device_name_ustr, device_name);

       // Delete the existing symbolic link.

   if (enable_impersonation) { ④

   // Create the symbolic link.
   UNICODE_STRING target_name_ustr;
   RtlInitUnicodeString(&target_name_ustr, lpTargetPath);

   status = NtCreateSymbolicLinkObject(&handle, MAXIMUM_ALLOWED,                                objattr, target_name_ustr); ⑤

   if (enable_impersonation) { ⑥
   if (NT_SUCCESS(status)) {
       status = NtMakePermanentObject(handle); ⑦
   return status;
We can see the first thing the code does is build the device name path then try and open the symbolic link object for DELETE access ①. This is because the API supports redefining an existing symbolic link, so it must first try to delete the old link. If we follow the default path where the link doesn’t exist we’ll see the code impersonates the caller (the low privileged user in this case) ④ then creates the symbolic link object ⑤, reverts the impersonation ⑥ and makes the object permanent ⑦ before returning the status of the operation. Nothing too surprising, we can understand why we can create arbitrary symbolic links because all the code does is prefix the passed device name with “\??”. As the code impersonates the caller when doing any significant operation we can only create the link in a location that the user could already write to.
What’s more interesting is the middle conditional, where the target symbolic link is opened for DELETE access, which is needed to call NtMakeTemporaryObject. The opened handle is passed to another function ②, IsGlobalSymbolicLink, and based on the result of that function a flag disabling impersonation is set and the device name is recreated again with the global DOS device location \GLOBAL?? as the prefix ③. What is IsGlobalSymbolicLink doing? Again we can just RE the function and check.
void IsGlobalSymbolicLink(HANDLE handle, BOOLEAN* is_global) {
   BYTE buffer[0x1000];
   NtQueryObject(handle, ObjectNameInformation, buffer, sizeof(buffer));
   RtlInitUnicodeString(&prefix, L"\\GLOBAL??\\");
   // Check if object name starts with \GLOBAL??
   *is_global = RtlPrefixUnicodeString(&prefix, (PUNICODE_STRING)buffer);
The code checks if the opened object’s name starts with \GLOBAL??\. If so it sets the is_global flag to TRUE. This results in the flag enabling impersonation being cleared and the device name being rewritten. What this means is that if the caller has DELETE access to a symbolic link inside the global DOS device directory then the symbolic link will be recreated without any impersonation, which means it will be created as the SYSTEM user. This in itself doesn’t sound especially interesting as by default only an administrator could open one of the global symbolic links for DELETE access. However, what if we could create a child directory underneath the global DOS device directory which could be written to by a low privileged user? Any symbolic link in that directory could be opened for DELETE access as the low privileged user could specify any access they liked, the code would flag the link as being global, when in fact that’s not really the case, disable impersonation and recreate it as SYSTEM. And guess what, we have a vulnerability which would allow us to create an arbitrary object directory under the global DOS device directory.
Again this might not be very exploitable if it wasn’t for the rewriting of the path. We can abuse the fact that the path “\??\ABC” isn’t the same as “\GLOBAL??\ABC” to construct a mechanism to create an arbitrary symbolic link anywhere in the object manager namespace as SYSTEM. How does this help us? If you write a symbolic link to KnownDlls then it will be followed by the kernel when opening a section requested by DLL loader. Therefore even though we can’t directly create a new section object inside KnownDlls, we can create a symbolic link which points outside that directory to a place that the low-privileged user can create the section object. We can now abuse the hijack to load an arbitrary DLL into memory inside a privileged process and privilege elevation is achieved.
Pulling this all together we can exploit our vulnerability using the following steps:
  1. Use the vulnerability to create the directory “\GLOBAL??\KnownDlls”
  2. Create a symbolic link inside the new directory with the name of the DLL to hijack, such as TAPI32.DLL. The target of this link doesn’t matter.
  3. Inside the user’s DOS device directory create a new symbolic link called “GLOBALROOT” pointing to “\GLOBAL??”. This will override the real GLOBALROOT symbolic link object when a caller accesses it via the user’s DOS device directory.
  4. Call DefineDosDevice specifying a device name of “GLOBALROOT\KnownDlls\TAPI32.DLL” and a target path of a location that the user can create section objects inside. This will result in the following operations:
    1. CSRSS opens the symbolic link “\??\GLOBALROOT\KnownDlls\TAPI32.DLL” which results in opening “\GLOBAL??\KnownDlls\TAPI32.DLL”. As this is controlled by the user the open succeeds, and the link is considered global which disables impersonation.
    2. CSRSS rewrites the path to “\GLOBAL??\GLOBALROOT\KnownDlls\TAPI32.DLL” then calls NtCreateSymbolicLinkObject without impersonation. This results in following the real GLOBALROOT link, which results in creating the symbolic link “\KnownDlls\TAPI32.DLL” with an arbitrary target path.
  5. Create the image section object at the target location for an arbitrary DLL, then force it to be loaded into a privileged service such as the Diagnostics Hub by getting the service to call LoadLibrary with a path to TAPI32.DLL.
  6. Privilege escalation is achieved.

Abusing the DefineDosDevice API actually has a second use, it’s an Administrator to Protected Process Light (PPL) bypass. PPL processes still use KnownDlls, so if you can add a new entry you can inject code into the protected process. To prevent that attack vector Windows marks the KnownDlls directory with a Process Trust Label which blocks all but the highest level level PPL process from writing to it, as shown below.

How does our exploit work then? CSRSS actually runs as the highest level PPL so is allowed to write to the KnownDlls directory. Once the impersonation is dropped the identity of the process is used which will allow full access.
If you want to test this exploit I’ve attached the new PoC to the issue tracker here.Wrapping UpYou might wonder at this point if I reported the behavior of DefineDosDevice to MSRC? I didn’t, mainly because it’s not in itself a vulnerability. Even in the case of Administrator to PPL, MSRC do not consider that a serviceable security boundary (example). Of course the Windows developers might choose to try and change this behavior in the future, assuming it doesn’t cause a major regression in compatibility. This function has been around since the early days of Windows and the current behavior since at least Windows XP so there’s probably something which relies on it. By describing this exploit in detail, I want to give MS as much information as necessary to address the exploitation technique in the future.
I did report the vulnerability to MSRC and it was fixed in the June 2018 patches. How did Microsoft fix the vulnerability? The developers added a new API, CreateAppContainerTokenForUser which impersonates the token during creation of the new AppContainer token. By impersonating during token creation the code ensures that all objects are created only with the privileges of the user. As it’s a new API existing code would have to be changed to use it, therefore there’s a chance you could still find code which uses the old CreateAppContainerToken in a vulnerable pattern.
Exploiting vulnerabilities on any platform sometimes requires pretty in-depth knowledge about how different components interact. In this case while the initial vulnerability was clearly a security issue, it’s not clear how you could proceed to full exploitation. It’s always worth keeping a log of interesting behavior which you encounter during reverse engineering as even if something is not a security bug itself, it might be useful to exploit another vulnerability.
Categories: Security

Lawyer iPad stories: Paul Kiesel

iPhone J.D. - Sun, 08/12/2018 - 21:48

I love to hear how other attorneys are using an iPhone or iPad in their law practice, so I always appreciate it when one of you is willing to share what you are using with the rest of the readers of iPhone J.D.  Today I am happy to share a submission from Paul Kiesel of Kiesel Law LLP, a plaintiff trial attorney in Beverly Hills, California.  Paul is a co-author of two legal treatises:  California Pretrial Civil Procedure and California Civil Discovery.

Paul loves to use technology in his law practice, and the ABA Journal even named him one of the Techiest Lawyers.  Paul has had a number of paperless jury trials over the last few years thanks to his iPad.  In just a few days on August 16, 2018, Paul will be teaching a CLE Webinar hosted by the Federal Bar Association called How the iPad Can Be a Litigator's Best Friend.  It is a two-hour CLE and starts at 2:00 Eastern. 

Here is what Paul told me about some of the ways that he uses his iPad Pro in his law practice::

- - - - -

Ten years ago, as files began to overwhelm our firm's working space and as our offsite archive service costs exceeded thousands of dollars each month, I thought there has to be a better way.  Necessity being the mother of invention, our firm began its journey to being paperless.  We started to scan each and every correspondence, pleading, medical record and other piece of paper entering our front door.

Five years ago, as our building office space became limited, a decision was made to eliminate our file "room" and actually remove the paper files.  I was able to recapture 20% of our building’s usable space by removing file cabinets.  At the same time, each attorney at the firm was provided an iPad in lieu of case files.

Now, five years later, the iPad is the single vehicle, with the exception of one partner who is partial to his Surface Pro, we use to review and annotate all materials.  For years I traveled with both a laptop and an iPad but with the advent of the iPad Pro 12.0" and the Apple Pencil, this is the single device I use and travel with.  Whether it be at my home reading the morning NY Times, LA Times, Wall Street Journal, or reviewing pleadings, the iPad is the single device.

In order to use the iPad for this purpose, I originally used PDF Expert to review and annotate documents.  Today, my go-to annotation program is Liquid Text.  Prior to using the iPad Pro 12.9", my go-to tablet was the original 9.7" version of the iPad, but for using Liquid Text the 12.9" size is a must.  Why?  Liquid Text splits the screen in two sections, one for the document and the other for notes.  Using the split screen really requires the additional real estate (screen size) the 12.9" iPad Pro provides.  I tested the 10.5" iPad Pro but still found it wasn’t a big enough screen to do the job.  So, my first recommendation is Liquid Text.

My second recommendation is to purchase a virtual private network (VPN) application.  A VPN provides a secure "pipe" for you to access the internet when on a public WiFi without fear that bad guys or gals are hacking into your communications.  The VPN app that I use is called Encrypt.Me, and it works magically.  [Jeff notes:  I reviewed this app back when it was called Cloak, and I agree that it is a fantastic app.]  The cost is minimal and the benefits, potentially massive.  The only caveat is that several public WiFi networks will not allow you to use a VPN when accessing.  An example is the GoGo WiFi network on commercial flights.  The GoGo network will not allow you to access their system if you have the VPN active.  It took me hours to figure out why I couldn’t log on to the network until I tried disabling the VPN and then I was able to get on.  So, you need to make a trade, at times, between access and security.

The next app I would recommend is TripIt.  This is a fantastic program that allows you to aggregate all of your travel plans in one spot.  [Jeff adds:  I reviewed the free version of TripIt in 2013 and I reviewed TripIt Pro in 2017.  I continue to pay for TripIt Pro because I find it so valuable when I travel.]

My final use of the iPad, although a bit unconventional and a wee bit pricey, is to send each of my settlement demand packages by way of an iPad.  My firm creates, for about 90 percent of my cases, a settlement "brochure" including a video depicting our liability analysis, the client’s injuries and damages, along with attached medical records and other documentary evidence.  I typically send between one and six iPads depending on the number of counsel, adjusters, and decision makers involved.  I have been doing that since the iPad was first introduced. 

There are dozens of other applications and uses that I don’t have time to share here, but feel free to view my webinar on "using your iPad" in trial.  Here’s the link.  Enjoy.

- - - - -

Thanks again, Paul, for taking the time to share with us some of the ways that you use your iPad.  Sending an iPad as a digital settlement brochure is a very interesting approach!

If any of you are willing to share your own experiences using an iPhone or iPad in your law practice with other iPhone J.D. readers, I'd love to hear from you.  In case you missed any of them, here are stories that I previously shared from other attorneys:

Categories: iPhone Web Sites

In the news

iPhone J.D. - Thu, 08/09/2018 - 23:55

If you will be in the New Orleans area two weeks from today, I will be presenting a one hour CLE at Noon on Friday, August 24 with tips for using an iPad in your law practice.  The CLE is free if you are a member of the New Orleans Bar Association.  Click here for more information.  We still have about a month to go before mid-September, when I expect Apple to announce the 2018 versions of the iPhone and iPad Pro, and considering that it is also the end of Summer, things are pretty slow in the land of iOS right now.  But there have been a few interesting developments, and here is the news of note from the past week:

Categories: iPhone Web Sites

IBM Power System E980 Technical Overview and Introduction

IBM Redbooks Site - Mon, 08/06/2018 - 09:30
Draft Redpaper, last updated: Mon, 6 Aug 2018

This IBM® Redpaper™ publication gives a broad understanding of a new architecture of the IBM Power System E980 server that support IBM AIX®, IBM i, and Linux operating systems.

Categories: Technology

IBM Power System E950 Technical Overview and Introduction

IBM Redbooks Site - Mon, 08/06/2018 - 09:30
Draft Redpaper, last updated: Mon, 6 Aug 2018

This IBM® Redpaper™ publication gives a broad understanding of a new architecture of the IBM Power System E950 server that support IBM AIX®, and Linux operating systems.

Categories: Technology

Lawyer iPhone stories: Jay Brinker

iPhone J.D. - Sun, 08/05/2018 - 19:42

I love to hear how other attorneys are using an iPhone or iPad in their law practice, so I always appreciate it when one of you is willing to share what you are using with the rest of the readers of iPhone J.D.  Today I am happy to share a submission from Jay Brinker, an estate planning attorney in Cincinnati, OH.  Jay also has a blog, which he uses to share interesting estate planning-related stories.  When I first started talking to Jay about the apps that he uses, he told me that he didn't use anything special, and said that because he is not a litigator, he doesn't use many of the well-known legal apps.  But I find that I always learn something no matter what kind of law practice someone has, and I am sure that most of you would agree.  So with no further ado, take it away, Jay:

- - - - -

When Jeff asked me if I could share my iPhone experiences with his readers, I was hesitant to do so because my use of iOS apps is limited compared to the litigators who use apps in trial and for trial prep.  Jeff persuaded me that my more non-power user approach could be useful nonetheless.  So here goes.


I am a solo estate planning attorney who just passed the five year anniversary of my first iPhone purchase.  I was slow to adopt because my prior cell phone provider offered a stupidly low rate ($100 or so for three lines) but did not sell iPhones nor support them, so I suffered through with a BlackBerry until the limitations became untenable.  Expectedly, that carrier is now out of business.

I view my iPhone as a life convenience device rather than a work tool, although it does assist with the large part of my life that is my law practice.

Some Apps for Work

SugarSync is my preferred file syncing and file sharing service because it plays well with my file organization.  It has a nice app for iOS which allows me to easily access any document on my office PC from my phone.  Twice in a six month period, I was out of the office (Marco Island and Prague) when I received an email requesting a client’s living will.  I was able to send the document to the requesting person almost immediately from my phone.

Square is my credit card processing app.  I appreciate its simplicity and relatively low cost.  The customer satisfaction of a client paying with a credit card and getting airline miles is worth the 2.75% or haircut I take.  A quote from a client:  “You take credit cards?  This gets better all of the time.”  That is worth $50 in reduced fees.

Office Lens from Microsoft is a free scanning app that I have been using recently to scan documents on the go.  I can scan and send the document to a myriad of cloud based services.

OneDrive by Microsoft is my cloud storage provider of choice for miscellaneous documents like travel itineraries, tickets, reservations, and other personal documents I want to access quickly.  The iOS app is easy to use.

Apple Pay Cash.  I love Apple Pay.  If Kroger accepted Apple Pay, my grocery shopping experience would be sublime.  Apple Pay Cash allows you to transfer funds to friends and others via text without the privacy concerns of Venmo nor transaction costs of other methods.  A younger out of town client wished to pay an invoice expeditiously last year, so I gave her my cell phone number and she paid via Apple Pay Cash.  I then transferred the funds to my office checking account.

Other Apps I Like

Overcast is my preferred podcast app thanks to Jeff.  I can build playlists and skip ahead or rewind in time allotments of my choice.  You can use the app for free.

Spotify is my music streaming app of choice.  The $240 annual family plan allows my children and me to access nearly any album ever released, build playlists of favorites, and listen to new CDs the day they are released.  I can download playlists onto my phone for offline playback in my car while also controlling music on my PC from the phone.  I am not sure how sustainable this business model is long term, but I love it.  There is also a free version if you do not mind commercials every fourth song.

Key Ring allows me to keep my loyalty cards on my phone and avoid having to carry a “Costanza wallet."  This app is free.

Banking app.  I love the convenience of mobile banking.  I have greatly reduced the number of bank trips for personal check deposits due to the app for my bank.  If my business bank had a larger monthly mobile deposit limit, life would be really sweet.

I also use the Zelle app to send money directly to a family member’s bank account which easily beats writing a check. 

Most Indispensable App

Starbucks Mobile App with its order ahead feature saves me between five and ten minutes every time I visit Starbucks.  I also accumulate rewards points for free drinks.  The app is free.

Deleted Apps

To save space, I recently deleted all of the free Microsoft Office apps.  I never use my phone to edit documents so there was no point in having them.

Apps Never On My Phone (or iPad)

Any social media app.  Pox on all of their houses.


I have a home iPad and an office iPad.  The home iPad is primarily for newspaper and blog reading.  I take the office iPad into meetings so I can quickly answer a question such as how a house is titled or the status of an estate.  I also use it to schedule the follow up meeting for clients to sign their estate planning documents.  I find it less intrusive than having a laptop for the same purposes.

Thanks for reading and thanks to Jeff for asking me to write.  I hope there was something helpful here.

- - - - -

Thanks again, Jay, for taking the time to share some of your favorite apps!  I had never heard of the Key Ring app, so I'll have to check that one out.

If any of you are willing to share your own experiences using an iPhone or iPad in your law practice with other iPhone J.D. readers, I'd love to hear from you.  And no, you don't have to be a litigator!  In case you missed any of them, here are stories that I previously shared from other attorneys:

Categories: iPhone Web Sites


Subscribe to www.hdgonline.net aggregator