I'm actually wondering if it'd be possible to get this to work over 3G without jailbreaking. Can somebody smarter than me tell me if this would work:
- Installing root CA.
- Setting up the proxy on ec2 instance.
- Setting up a custom DNS server on that instance, to override the Siri domain.
- Setting up the iPhone to use that DNS server, or if not possible, setting it up to use a VPN and through the custom DNS.
And the end result is a Siri that always works and that you can use to run code on an ec2 instance. You'd be able to hook it up to third-party APIs, like Twitter or Facebook.
I've been trying to figure this out too... I think the VPN is the only way to get it working over 3g, as there's no way to override the DNS on the cell connection. Thanks for that idea, VPN hadn't occurred to me! I'm going to give it a shot; I'll report back if successful.
Edit: Success! I'm not running it on EC2 yet, just my home network. Basically I've got dnsmasq on my router redirecting guzzoni.apple.com to my home fileserver with SiriProxy running. The router is also running a PPTP VPN server. I can use the VPN over 3g to make Siri requests and see the output on my local machine. Thanks again for the VPN idea; that's gold. Next step - to the cloud!
"I have become convinced that this “principle of least privilege” is fundamentally wrong. Minimizing privilege might reduce the damage done by some security holes but almost never fixes the holes. Minimizing privilege is not the same as minimizing the amount of trusted code, does not have the same benefits as minimizing the amount of trusted code, and does not move us any closer to a secure computer system."
I feel that fixing the security holes has little to do with reducing the damage done due to increased attack surface.
If you're a software developer who is not doing security research, and who is mainly interested in some functionality offered by a module, you'd be better off giving the module exactly the privileges it needs, not more and not less. If not, wouldn't OS's run all user-space programs in ring-0? (Maybe I am stretching it a bit)
If Bernstein meant that this principle has been misquoted/abused/understood in all wrong ways (like most of the "premature optimization" quotes), then perhaps it makes some sense. :)
There's no consensus that "reducing the damage done by some security holes" is a good thing? Bernstein mentions it as a distraction (which may be true), but it's better than doing nothing.
Nothing against Ruby specifically, 'though I guess I do have a prejudice (in terms of security) against interpreted languages in general compared to something written in C.
That's actually a good question. The lack of buffer overflow vulnerabilities does make interpreted languages safer to a point. Still, anything that listens on an open port shouldn't run as root; there are still plenty of vulnerabilities besides buffer overflows out there.
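An added example, not part of the thread and not SiriProxy's code, for the point about listeners not running as root: bind the privileged port first, drop root permanently, then audit the result so a partial drop is refused. The function names and the caller-supplied uid/gid are hypothetical.

```python
import os
import socket

def audit_credentials(resuid, resgid, groups):
    """Return reasons a process still holds root; an empty list means fully dropped."""
    ruid, euid, suid = resuid
    rgid, egid, sgid = resgid
    findings = []
    if euid == 0:
        findings.append("effective uid is root")
    if 0 in (ruid, suid) and euid != 0:
        # seteuid() alone leaves these behind, so setuid(0) would succeed again
        findings.append("real or saved uid is root, privileges can be regained")
    if 0 in (rgid, egid, sgid):
        findings.append("a group id is still root")
    if 0 in groups:
        findings.append("supplementary groups still include gid 0")
    return findings

def listen_then_drop(port, uid, gid, host="127.0.0.1"):
    """Bind while privileged, then permanently become uid/gid before serving."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))        # ports below 1024 need root at this step only
    sock.listen(16)
    if os.geteuid() == 0:
        os.setgroups([])           # order matters: groups, then gid, then uid
        os.setgid(gid)
        os.setuid(uid)             # as root this sets real, effective and saved uid
    left = audit_credentials(os.getresuid(), os.getresgid(), os.getgroups())
    if left:
        sock.close()
        raise RuntimeError("refusing to serve: " + "; ".join(left))
    return sock
```

The audit is what catches the common mistakes: calling only `seteuid`, or changing the uid while keeping root's supplementary groups.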
Can anyone explain to me how relaying in a proxy like this works?
Since you're not tampering with the iPhone's hosts file, and use, let's say, your home PC for handling the guzzoni.apple.com dns + CA for level certs.. I'm wondering how you send the request to the actual guzzoni.apple.com? I mean, if you do $ curl -s https://guzzoni.apple.com on the home PC, it would respond with the localhost server as you've rerouted it to 127.0.0.1 in the home PC's hosts file - or am I missing something here?
Should I use two PCs, one for handling the iPhone interaction, and one as "backbone" which can reach the real guzzoni.apple.com?
Or am I supposed to run a dns service which responds <internal ip of home PC> for SOME devices, but real dns for others (e.g. home PC)?
There is only so much they can do to lock it down; like all DRM, the system is inherently insecure since the client can't be trusted.
In any case, I don't see why they would care unless more than one person starts using the same UUID. If you bought an iPhone to use the service, they already got the money.
That is one way of looking at it. Consider the hardware your ticket to Siri, and as long as you don't place abnormal demand on the service, there's really no reason Apple should care.
Nothing is really free if you're getting it from a large publicly traded company. They also don't use Siri to target ads towards the user such as Google and Facebook.
Excuse my direct language, I should've phrased it more clearly as a thoughtful guess. Seems like an obvious bet too.
At some point in the past they hadn't broken into the phone market, or had a music store, right? Think of it a bit like how Google created AdWords/AdSense alongside their search engine.
I got a 4s the other day and outside of the US at this point, Siri is pretty basic. Can't ask for directions. Can't find a business. Too many things get directed to a basic web search which I could've pulled up myself in the time being. Didn't take too long to realise how quickly they could monetise the experience by charging for third-party involvement, for data, etc. "When's the next SportsTeam game?" "April 1, do you need tickets?"
Apple is a company. They're there to make money. I can't see how they could not take that route if they handled it very carefully.
It's not possible to do that from the security point of view, you are the owner of the device. They can make it difficult to massively "scrape" Siri using the same device identification.
The session validation data expires after a few hours, and at least one of the other identifiers is subject to being changed by the server. As of now there's no practical way to share your authorization info.
Why would Android (3rd party developers) want to be so obviously using Apple's hard work? In the middle of a patent trial? I'd expect all the big markets to not allow the app.
> Why would Android (3rd party developers) want to be so obviously using Apple's hard work?
Unlike iOS developers, Android developers are not a homogenous group with a single vision. They are a diverse group of people, and there will no doubt be someone amongst them who will make such an app.
> In the middle of a patent trial?
I don't see the relevance of "a patent trial" to a 3rd party developer unaffiliated with Google making an app to harness Siri on Android.
> I'd expect all the big markets to not allow the app.
Fortunately, unlike iOS, Android doesn't suffer from a locked down app installation procedure that prevents sideloading. So the developer could just offer the .apk file on his site for all and sundry to download and use.
Unless user-based authentication is necessary to use Siri (and the unofficial version "breaks into" the Siri servers), I don't see how this is any different from a website saying you can only use one browser to access the site, and you choosing to use another.
However, IANAL, and I would definitely wait for at least a few weeks after release before trying it out myself.