So, if you have  (or are “stuck”) with an iDevice other than an iPad 2 or iphone 4S, you most undoubtedly heard about the Spire port to these older, albeit iOS 5.x compatible devices in order to enable that lovely feature called Siri.

I’m sure the developer has vetted that their work is all well and legal, and in itself is a great exercise of stretching the boundary of what could be construed as acceptable use of technology licenses. THe cool thing is, it’s a great hack, and their caveat was… you still need one of the newer devices to proxy, or utilize a few other methods in order to authenticate these devices to Apple’s Siri servers.

So, immediately, the lemmings came to sites where “how to’s” were posted and started asking about open proxies for utilizing this Cydia package (I’ll go more into Jailbreaking and issues there in another blog post) effectively. So, slowly, over the last week proxies have been piling up on websites.

The smart thing the developer put up, noting that a lot of their work was reverse engineering, that potentially PII (personally identifiable information) may be getting sent over these authentication sessions to Apple. In the case of Spire, the RE’ed Siri activator, that information would pass through the proxy in a “man in the middle” format (which essentially a proxy is). In this case it also occurs over SSL.

What I’ve noted here, reversing the IP addresses of the proxies out there (list here – http://www.ijailbreak.com/spire-proxy-host-list/) is that the latest pile originate in Bahrain (not one to treat privacy with any level of respect) and require  you to install a self-signed SL certificate on your device. in order for it to work, you have to “trust” that certificate. Unfortunately, Apple doesn’t allow you to control certificates at such a low level from the “average user” side of things on iDevices like they do on their desktops, so in essence, this SSL certificate can be used to sign and trust other applications and encrypt other channels. In short, it’s a good way to get malicious code that you “trusted” in order to get this proxy feature to work.

Now, being the paranoid person I am, I regularly back up, and of course, you already takek the risk of 1) using an Apple device and trusting Apple, and 2) opening up your device by jailbreaking it (legal as of Summer 2010 in the US of A) and bypassing a major security feature to install code you, well, trust a 3rd party developer has written and not so maliciously.

This is the catch-22 in both Apple’s model (their trust of developers, who all they need to do is join ADC, pay their fee, and write an app that doesn’t raise eyebrows during their “examination”) and those 3rd Party developers who list their stuff on easily expandable repository lists on Cydia.

So, in short, beware, be careful, and think about who you trust to get the newest whiz-bang hack on your phone… you don’t know who is listening.

Well, in my career, and just what I like to do, I do a LOT of writing. My job now has me writing on the taxpayers dime, so, for items I feel do not constitute information embargoed or specific to any agency I will be releasing papers, drafts, presenations, and other stuff I’ve plopped out of my head here on the dite. I

ll do my best to put them in digestible formats. I think I’ll also get back to doing some idea generating and some security research stuff again… mainly because I miss it… so hopefully over the next few days, I’ll redact what I can and edit others and get some things up here for you allt o enjoy…

If the stuff is wrong, off base, or otherwise, feel free to note it int he comments… I’d hope that this provides a discussion forum for these topics. All of these are my own ideas and research, and usually are sole authorship…

That is so lame… however, if you have talked to me in the past year… things have changed significantly in my life… so I figure I’d restart this blog and start getting my life in order and share with folks who care to read, what’s been going on in my life. I’m deciding what to possibly transfer from the old site, as well as from some other places where I was posting… some stuff is incredibly personal, other content maybe not so much. So, we’ll see. Stay Tuned.