Apple IDs and Passwords in Plain Text

Lex Friedman for Macworld has a report on the in-app purchases hack that’s been circulating. The most amazing part:

iOS users who try the hack may find that, in addition to robbing the developers behind apps that they enjoy, they’ve put themselves at risk. “I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld. “But not the credit card information.” Borodin said that he was “shocked” that passwords were passed in plain text and not encrypted.

According to Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.” But that was clearly a mistake—“This is entirely Apple’s fault,” Tabini added.

Anyone who has done this is fortunate that the first person who found the hack seems to be a pretty nice guy.

And that this is the case at all is shocking.

Scaling Lessons Learned at Dropbox

Rajiv Eranki:

I was in charge of scaling Dropbox for a while, from roughly 4,000 to 40,000,000 users. For most of that time we had one to three people working on the backend. Here are some suggestions on scaling, particularly in a resource-constrained, fast-growing environment that can’t always afford to do things “the right way” (i.e., any real-world engineering project ;-). If people find this useful, I’ll try to come up with more tips and write a part 2.

I don’t understand the majority of the information presented here, but it’s still interesting to read. I was particularly interested in this bit though:

Security is really important for Dropbox because it’s people’s personal files. But all services are different, and many security decisions will inconvenience someone, whether it’s a programmer or a user.

For instance, almost every website has a thing where if you enter in a wrong username OR wrong password it’ll tell you that you got one wrong, but not tell you which one. This is good for security because you can’t use the information to figure out usernames, but it is a GIANT pain in the ass for people like me who can’t remember which username they registered under. So if you don’t actually care about exposing usernames (maybe on something like a forum or Pinterest where they’re public anyway), consider revealing the information to make it more convenient for users.
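Whether the login response should say which half of the credentials was wrong is the policy choice Eranki describes; note that the server's timing can leak the same fact unless the unknown-user path does the same work as the known-user path. The following is an added example (not Dropbox's code or the post's), in Python, using a hypothetical in-memory user table and a reveal_usernames switch for the two policies:

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count is illustrative, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table for the example: username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential verified when the username is unknown, so the request
# costs the same time whether or not the account exists (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."


def authenticate(username: str, password: str,
                 reveal_usernames: bool = False) -> tuple[bool, str]:
    """Return (success, message). With reveal_usernames=False the message
    is identical for an unknown user and for a wrong password."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always run the hash and a constant-time compare, even for unknown users.
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if not known:
        # Never accept the dummy credential, whatever the compare returned.
        msg = "No account with that username." if reveal_usernames else GENERIC_ERROR
        return False, msg
    if not matches:
        return False, "Wrong password." if reveal_usernames else GENERIC_ERROR
    return True, "OK"
```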

New pet peeve: checkers in grocery stores who see that I am purchasing alcohol and say, “looks like you’re going to have FUN tonight!”

If only you knew! Every night is a blast at casa de Markel! I AM WEARING A LAMPSHADE ON MY HEAD RIGHT NOW WHOOOOOOOO

Relativistic Baseball

XKCD:

What would happen if you tried to hit a baseball pitched at 90% the speed of light?

A careful reading of official Major League Baseball Rule 6.08(b) suggests that in this situation, the batter would be considered “hit by pitch”, and would be eligible to advance to first base.

Fantastic.

Max Payne 3 Uses a Multiplayer Cheater Pool

Rockstar Blog:

As promised, we’ve taken steps to quarantine confirmed cheaters in Max Payne 3 Multiplayer. Starting today, anyone we’ve found using hacked saves, modded games, or other exploits has officially been cordoned off in a dedicated cheater pool, confined to wallow with other unscrupulous reprobates.

This is the best solution to multiplayer cheating I have seen in a while. And if they are smart, they can use it as a honeypot to catch even more cheaters.

But the best quote is from the FAQ:

How will I know if I’m in the Cheater Pool?

If you know you have cheated and you find yourself either in empty lobbies or always matched with games full of other cheaters, you are likely in the Cheater Pool.