Blog

Keeping Things in Perspective — the iPhone ‘Worm’

The first worm to infect the Apple iPhone has been discovered spreading ‘in the wild’ in Australia.
The self-propagating program changes the phone’s wallpaper to a picture of 80s singer Rick Astley with the message ‘ikee is never going to give you up’.
The worm, known as ikee, only affects ‘jail-broken’ phones, where a user has removed Apple’s protection mechanisms to allow the phone to run any software.

The news of this worm is likely to attract the attention of some anti-Apple and anti-iPhone crowds and be used as an argument as to why the iPhone isn’t secure, why Apple people should no longer feel safe, and so on and so on.

To those who would seek to lose a sense of perspective on this story:

This worm works only on jailbroken iPhones (an unsupported procedure), where the user did not change the default root password and left the remote login SSH service running.

This attack says nothing about the security of the iPhone software — it exploits little more than very poor configuration on the user’s part. If you choose to jailbreak your device, you have a responsibility to understand the implications that has. Which means, change the damn root password to something other than ‘alpine’. While you’re at it, change the password for the user mobile too.

Despite having defended the iPhone thus far, I’m not in the business of assuming Apple get every aspect of security right all the time, and I’m not in the business of declaring the Mac or the iPhone to be ‘secure’, or more secure than anything else. As I hope I made clear in my previous post, a simplistic black-and-white approach to looking at computer security doesn’t make any sense or do anyone any favours.

I’m not complacent about security because I use a Mac*. I am confident because I feel I have a good grasp of the risks and of trust.

* or Linux, or anything that I perceive as being more secure.

On Teaching Computer Security to Non-Geeks

I can’t stand the attitude of “there’s nothing important on my computer, so I don’t care about whether it is secure or not”. The simple fact of the matter is that any infected computer connected to the internet is probably at the mercy of a malicious third party. Even if you don’t care about the impact of your computer being infected, your lazy attitude is affecting other innocent people’s computers, potentially in the form of sending mass spam and attacking unwitting websites.

Computer security is hard and very complex.

How we explain computer security and insecurity to average computer users, non-geeks if you will, is really important. And I really think that we are taking the wrong approach at the moment.

We teach computer users that in order to keep their computer secure and clean, they must have:

  • An anti-virus program
  • A firewall
  • Up-to-date software
  • … and other practical, simple steps

While these are all very important steps to encourage (especially keeping software up-to-date, in my mind), I think that we are making this advice a bit too practical. We’re ignoring complexity and only ever offering the most basic practical steps.

In my mind, a lot of computer security comes down to a model of trust. For example, I feel confident that a conversation with my internet bank is secure because:

  • I trust the integrity of the SSL connection for the purposes of keeping my information private and untampered with as it goes across the internet
  • I trust my local machine to be ‘clean’
  • I trust the remote machine at the bank is genuine and set up properly

All three of those things must be in place for me to have that ‘safe’ feeling. A safe SSL connection to your bank is meaningless if there’s nasty software on your local machine sending your keystrokes to a third party.

I’d like to see this model of trust be encouraged amongst all computer users. It maybe does take a little bit more time and effort to understand the basic principles of what is going on, but looking at security this way round, rather than from an entirely practical viewpoint, allows people to make informed security decisions, rather than blindly trusting some ‘security’ software to do everything.

Social engineering is a very easy way to get something nasty inside someone’s computer. It’s disappointing, but oftentimes you can trick the human into deliberately giving permission to something more easily than you can find a hole in software to do the same thing. Instead of relying on ‘last resort’ antivirus programs to catch known malicious programs running at the last minute, we should encourage people to ask questions:

  • Why am I being asked to run this software?
  • Where did it come from? Do I trust the group of people that wrote this program?
  • Is there anything suspicious or unusual about this? Is it really coming from who it says it is?

Obviously, you need to combine this with practical advice and some knowledge to enable people to spot things that are ‘out of place’. But I think if we did, people would be in a much better position to make sensible informed decisions and to understand better what is actually going on.

This rant only really covers one aspect of computer security. As I said at the start, computer security is really complex and really hard to get right. So this approach isn’t necessarily the answer and it isn’t going to be applicable everywhere. There are going to be groups of people for whom this will be too complex, and groups of people that ‘won’t care’. But I’d like to see it done more often.

Photo: Secure. by Wysz, from Flickr. Licensed under Creative Commons BY-NC.

Tweetie 2 for iPhone OS

Tweetie logo

I just wrote a review of Tweetie 2 for iPhone OS on the App Store. I republish it here; I’m extremely impressed with the new release.

Tweetie 2 has an impressive feature set, including retweeting, image and video (3GS only) uploading and almost every built-in Short-Form “Bird” Social Media Site Before It Went Terrible feature that is exposed by the API.

The real star of the show here, however, is the interface. It feels iPhone-native and intuitive while also introducing some innovative features such as the flick-to-reload mechanism. The app’s simplicity isn’t hampered by the sheer volume of functions and features — things are kept out of the way until and unless you want access to them.

I’m not a fan of the somewhat bland icon, but otherwise I can’t fault this beautiful little app.

You may be reluctant to pay for a Short-Form “Bird” Social Media Site Before It Went Terrible app, even at £1.79 — but if you appreciate great UI, you really should consider it.


DfontSplitter 0.3 for Mac

DfontSplitter 0.3 for Mac screenshot

I’ve been busy beavering away in Xcode and I am now proud to release version 0.3 of DfontSplitter for Mac.

So, here are the release notes:

New Features and Bugfixes

  • Now supports the splitting and extracting of TrueType Collection (TTC) files in addition to traditional Mac Datafork (dfont) files.
  • The conversion of a .dfont will no longer fail if there is already a TTF of the same name in the same directory; it will now overwrite the existing file.
  • Users of Snow Leopard on Intel Core 2 and Xeon Macs will now be running the DfontSplitter application in 64-bit mode.
  • Improved error message text.

Known Issues

  • Converting TTC files on Mac OS X Leopard (10.5) does sometimes run into problems, where the TTC splitting script can’t open the TTC file. The reason for this is currently unclear.
  • Moving TTF files that have been extracted from a .dfont over to Windows — please see this workaround.

As always, go across to the DfontSplitter project page to download the new release.

If you’re already using DfontSplitter for Mac, simply go to DfontSplitter > Check for Updates within the application to upgrade to the new release.

Set Up Public Key Authentication for SSH on the Mac

Thanks to a great suggestion by Nick Charlton, I decided to put together a screencast demonstrating how to set up public key authentication for logging into SSH servers on the Mac.

Setting up a keypair and then using it to log in to remote systems, instead of remembering separate usernames and passwords, can be a bit of a fiddly business, but I hope that in this screencast I can show how to get it set up.

Set Up Public Key Authentication for SSH on the Mac from Peter Upfold on Vimeo.

Take a look and let me know what you think!
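The fiddly part of key-based login is usually file permissions: with StrictModes (sshd’s default) the server silently ignores authorized_keys if it or the ~/.ssh directory is group- or world-accessible, and the ssh client refuses a private key that others can read, so you just get a password prompt with no explanation. The check below is an added example, not part of the original post or screencast; it assumes a POSIX sh with either GNU or BSD/macOS stat, and builds its own throwaway sample directory.

```sh
#!/bin/sh
# Added example (not from the original post or screencast): audit the
# permission bits OpenSSH requires before key-based login will work.
# Assumes POSIX sh plus GNU or BSD/macOS stat.

# Octal permission bits of a path; GNU stat first, then BSD/macOS stat.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_ssh_dir DIR: return 0 if DIR is a correctly locked-down ~/.ssh,
# otherwise print each offending path and return 1.
check_ssh_dir() {
    dir=$1
    rc=0
    # The directory itself must be owner-only.
    p=$(perm_of "$dir")
    [ "$p" = "700" ] || { echo "BAD: $dir is $p, expected 700"; rc=1; }
    # authorized_keys may be 600 or 644; anything writable by others is ignored by sshd.
    if [ -f "$dir/authorized_keys" ]; then
        p=$(perm_of "$dir/authorized_keys")
        case "$p" in
            600|644) ;;
            *) echo "BAD: $dir/authorized_keys is $p, expected 600 or 644"; rc=1 ;;
        esac
    fi
    # Private keys (id_* without .pub) must be readable by the owner only.
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        p=$(perm_of "$key")
        [ "$p" = "600" ] || { echo "BAD: $key is $p, expected 600"; rc=1; }
    done
    return $rc
}

# Constructed sample ~/.ssh in a temp dir with one deliberate mistake
# (a world-readable private key); prints the directory path.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    : > "$d/.ssh/authorized_keys" && chmod 600 "$d/.ssh/authorized_keys"
    : > "$d/.ssh/id_rsa"          && chmod 644 "$d/.ssh/id_rsa"
    : > "$d/.ssh/id_rsa.pub"      && chmod 644 "$d/.ssh/id_rsa.pub"
    echo "$d/.ssh"
}

# Stand-alone run: report on the sample, then on the real ~/.ssh if present.
check_ssh_dir "$(make_sample)" || echo "sample has issues (expected)"
if [ -d "$HOME/.ssh" ]; then check_ssh_dir "$HOME/.ssh" || true; fi
```

Run it on your own machine after copying a key across; a clean run with no BAD lines rules out the permission problem before you start digging into sshd_config.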

My Appearance on The Stealth Mac Podcast Roundtable Episode

I appeared alongside Hugo Poon and Jodi Spangler as guests on a roundtable episode of Matt Hillyer’s Stealth Mac Podcast. We talked for over an hour about Snow Leopard and particularly our install experiences and first week of using the new Mac OS.

It was great fun just to have a chat about Mac stuff with some great people. If you want to take a listen, go over to the podcast page or listen directly to the audio file.

DfontSplitter 0.2 for Windows

I’ve been sitting on this new version of DfontSplitter 0.2 for Windows until I had a solution to the corrupt font error. With a solution found, I feel ready to offer this improved version of the Windows product.

New DfontSplitter 0.2 for Windows interface

The new release has been rewritten from the ground up in C#, rather than Visual Basic, and the interface has been completely redesigned in Visual Studio 2008. Compared to the previous 0.1 revision, this release has:

  • The ability to convert more than one .dfont at once (batch converting), using a similar interface to the Mac version
  • fondu running in a background thread, so the user interface does not lock up during a convert operation with lots of files
  • Rudimentary drag and drop support — in most cases you can drag and drop .dfont files from an Explorer window on top of the list box to add them, as well as using the Add Files button.

It’s cleaner, hopefully more stable and brings the Windows feature set roughly in line with that of the Macintosh version. Remember, if you have issues with the TTF files being reported as corrupted, the FontForge workaround will help in almost all cases.

You can download this release from the DfontSplitter project page.

Let me know what you think and feel free to spread the word about this new version to people still using 0.1.

DfontSplitter — Solution to Windows Corrupt Font Error

UPDATE 2011-05-09: While some particularly stubborn fonts do require this process, users who have previously experienced difficulty with older versions of DfontSplitter should first try DfontSplitter 0.3.1 or later, which includes a possible fix for this issue.

I think I’ve finally found a solution to this annoying error message that Windows gives when you use DfontSplitter to convert some fonts and then try to use those converted fonts in Windows.

“The requested font was not a valid font file” error message

It involves using a third-party open source application called FontForge to convert the TTFs that DfontSplitter gives you from a Mac-specific TTF format into ‘regular’ TTF format.

A full tutorial on using this method is included as a YouTube video screencast below.

If you can’t or don’t want to watch the video, essentially the process is:

  • Use DfontSplitter on the .dfont file as normal
  • Open the resulting TTF files you want in FontForge
  • Export each TTF file from FontForge with File > Generate Fonts. Make sure TrueType format is selected.
  • Import the resulting TTF files into the Windows Fonts folder.

Please do let me know if this process works for you and give any feedback — especially if you’d previously had problems using a .dfont you had wanted to use on Windows.

Bird-Site Principles

UPDATE: references to the former Bird Site of short-form social media have been adjusted to avoid providing free publicity to something that is undeserving of such promotion. This is no longer how I feel about this website, but my historical feelings are to be preserved below, with the relevant site’s name obviously altered!

Its status as a relatively novel communication medium means that Short-Form “Bird” Social Media Site Before It Went Terrible doesn’t necessarily have a clearly defined set of social expectations attached to it just yet. I think even now, post mainstream popularity, it is very much a service that you can use in the way that works best for you. Not everyone has to participate in exactly the same way.

Short-Form “Bird” Social Media Site Before It Went Terrible is a useful tool for businesses to promote their products and actually connect with their customers. I think it’s great when a brand steps into this space and really ‘gets’ the nature of the service. It can make a brand feel a lot more human, enhance how you feel towards it; it serves as a great advertisement.

There are some practices on Short-Form “Bird” Social Media Site Before It Went Terrible that I really can’t stand, however.

Now, as I said, one of the great things about the service is that there aren’t necessarily set rules which everyone follows in the same way. I don’t intend this post to be telling people what they should and shouldn’t do with the service, but I do want to point out some things that really bug me. In short, this is somewhat of a rant.

Competitions Done Wrong: Hashtag Abuse

Short-Form “Bird” Social Media Site Before It Went Terrible competitions are a marketing device that is becoming increasingly common. You convince people to follow your business’ profile, or tweet about the business or product, in exchange for a chance to win said product. Simple enough concept.

Some competitions in recent weeks have encouraged Short-Form “Bird” Social Media Site Before It Went Terrible users to tweet anything they would normally tweet, but add a hashtag to that tweet relating to the product or promotion. I disagree quite strongly with this.

A hashtag is a short word or phrase starting with the # character.* You can add a hashtag anywhere in your tweet if you want to associate that tweet with that particular topic. It makes searching for tweets on a particular topic or event easier; it’s a great tool for hearing a collective voice on something.

Screenshot of Short-Form

Hashtags work because tweets that are related to the tag are the only tweets tagged with it. Encouraging users to randomly tag unrelated tweets breaks this model. And you’re ‘selling out’ your thoughts!

Short-Form “Bird” Social Media Site Before It Went Terrible competitions can be done right, and I actually don’t mind seeing people tweeting something that promotes a business or product. But I’d like it if those tweets are clearly separate from other stuff and that you actually do care about the product as well and don’t just want free stuff.

Automated and Excessive Re-Tweeting

If you have something cool you have to share, whether you made it or just stumbled across it, I’d love to hear about it via Short-Form “Bird” Social Media Site Before It Went Terrible. But once or twice a day for each cool thing is enough.

If people consistently tweet exactly the same tweet, or constantly re-promote something in case others have missed the last tweet, I get pretty frustrated, pretty quickly.

People will miss tweets. That’s the nature of the service — it’s dip in and dip out. If they do, tough. It’s not fair to keep constantly banging on about something to the people that heard you the first time and the second time and the third time!

“Please, Sir, Retweet!”

This is somewhat less of an emotive issue than the other two, but I think it’s still worth me saying.

If you put “please retweet” in your tweet, I won’t. With maybe a couple of exceptions.

If I’m going to retweet something (which is pretty rare) it will be on its own merit. I might help promote something a friend has done, but that will be because I believe in it, not because I’m told to.

Wrapping Up

These issues have been on my mind for a while. Short-Form “Bird” Social Media Site Before It Went Terrible is constantly evolving and I personally think there really are roads that we shouldn’t go down and principles that we should uphold.

Integrity, honesty and loyalty are very important to me. If I stop ranting for a moment about specific issues, what I really want is that principles like these be respected, upheld and defended in the online world, as they are offline.

* Which is most definitely pronounced ‘hash’, not ‘pound’. This is pronounced ‘pound’ — £.

Write in Helvetica in iPhone OS Notes

UPDATE: As of iOS 4.2, you can now change the font via Settings > Notes. No hacks required!

If you don’t like Marker Felt, the default font used when writing notes in the Notes application in iPhone OS, you can actually write in a different font. It’s not a feature that is exposed via the user interface — in fact it seems to be something that is an unintended side effect rather than a feature.

First, you need to enable the Japanese QWERTY keyboard. From the home screen, go to Settings > General > Keyboard > International Keyboards. Now scroll to Japanese, tap it and switch on the QWERTY keyboard.

Japanese QWERTY

Now fire up Notes and make a new note, or edit an existing one. Press the globe button at the bottom left of the keyboard to switch over to the Japanese keyboard.

Toggle keyboards

Then type a character — doesn’t really matter which one — and immediately press the globe again to switch back to your default keyboard. The rest of this note will be beautifully typeset in Helvetica.