
hack posts

Apple patching nasty iPhone SMS vulnerability


Given the hype surrounding Apple's iPhone, we're actually surprised that we haven't seen more holes to plug over the years. In fact, the last major iPhone exploit to take the world by storm happened right around this time two years ago, and now -- thanks to OS X security expert Charlie Miller -- we're seeing yet another come to light. Over at the SyScan conference in Singapore, Mr. Miller disclosed a hole that would let attackers "run software code on the phone that is sent by SMS over a mobile operator's network in order to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet." Charlie's planning to detail the vulnerability in full at the upcoming Black Hat conference, but Apple's hoping to have it all patched up by the end of this month.

[Via HotHardware]

Frustratingly long secret code enables totally useful landscape email on Pre


It's one thing to bury something like developer mode -- a mode that the average Pre user will never need -- behind a cute-but-exhausting throwback Konami code, but it's quite another to hide useful stuff that way. A PreCentral tipster discovered that entering "RocknRollHax" on the keyboard (and yes, capitalization is important here) while in the email app enables the previously missing capability to use it in landscape mode; presumably Palm hid it from end users because they thought it was too buggy or weird for mainstream use, but it certainly works alright for us. Worst part is that the code needs to be re-entered each and every time the email app starts, so you'd better really want it -- but at least you don't have to root to get it.

Stock-looking MMS support hacked onto 2G iPhone


Way back in the heady days of 2007, there was an iPhone without 3G data (hard to believe, we know, but trust us -- we were there). This iPhone, though revolutionary in some ways, was marred by the love-hate relationship its users suffered for missing out on some very basic features that they'd grown used to on mobiles of yore. One of those missing features, of course, was MMS -- and now, some two years later, here we are with a truly integrated MMS experience courtesy of the all-powerful hacking community. Granted, there have been MMS apps available for ages, but there's a difference: this is the same action 3G and 3GS owners are getting in conjunction with OS 3.0, which Apple curiously decided to hold back from original iPhone owners. As you might imagine, getting this going on your own phone is marginally more complicated than downloading from the App Store, so here's the question, you non-upgraders: just how badly do you want it?

[Thanks, Paul]

Homebrew apps come to the Palm Pre


According to Dieter over at PreCentral, real, honest-to-goodness usable apps are starting to "trickle out" for the Pre / webOS. Apparently utilizing a loophole in the operating system which allows unsigned apps to be sideloaded through email, homebrewers have taken to the interwebs with small utilities like the tip calculator (pictured above). This comes just a day after a group of DIY'ers figured out a workable solution for getting software onto the phone without rooting, so obviously Pre hacking is moving along at a healthy clip. These are -- of course -- very early applications, so don't expect perfection, and there seems to be some concern that Palm might want to patch up this hole, as it leaves the phone vulnerable to less altruistic endeavors. While the latter point is reasonable to consider, we do have a piece of advice for the folks at the front of this movement: don't wait and worry on how Palm will react to this stuff. It's important to push platforms like webOS, and the Pre needs all the love it can get on the development side right now.

Read - Right now: Install a Homebrew App without Hacking
Read - Homebrew Apps Tricking Out, but be careful

Pwnage Tool for iPhone OS 3.0 now live, ultrasn0w still on standby

That iPhone OS 3.0 jailbreak we saw the iPhone Dev-Team pull off earlier this week? It's out now, or at least, part of it is. Pwnage Tool is now flooding torrents, but there's lots of caveats here. Most importantly, this isn't Ultrasn0w, which means if you're wanting to use your toy on T-Mobile or another unofficial carrier, be patient -- it's also worth noting that the jailbreak doesn't jibe with yellowsn0w, so those who rely on it should stay away for the time being. No compatibility with the 3G S, or at least, it probably hasn't been tested... we wouldn't recommend anyone setting the precedent here. You'll need Mac OS X to run it, with QuickPwn for Mac and Windows coming further down the line. Ultrasn0w is also due out at some indeterminate future, so that all said, if you're just needing right now a jailbroken device with spotlight functionality, hit up the read link for all the pertinent details. It should go without saying, but there might be a few negative side effects to it, and one of the big ones we heard is that YouTube might be fubar'd at the moment.

Read - trois, drei, три, három! (Pwnage Tool released)
Read - No YouTube On Jailbroken iPhone 3.0?

Palm Pre data tethering is a go, Sprint be damned


Well, that was fast. Just a couple hours after we noted Palm warning against hacking webOS to allow data tethering on the Pre, the first set of instructions has popped up. It's not the cleanest hack we've ever seen -- you need to root your phone, enable SSH, and then configure your browser to run through a SOCKS proxy -- but it'll certainly get the job done in a pinch. Just don't go crazy, alright? We've got a feeling Sprint's watching Pre accounts with an eagle eye.

Palm webOS system upgrades mandatory; hacking scene forbidden from tethering


We've seen a tremendous explosion in the webOS hacking scene ever since the Pre's firmware image leaked out -- between the easily-accessible restore mode, Linux foundations and the directly-accessible HTML / CSS / Javascript application code, we've already seen everything from minor tweaks to full on NES emulation to Sprint activation hacks. In short, things are wide open at the moment, and people (including us) are excited by the possibilities -- but that doesn't mean Palm has to play along. In fact, two recent developments have us worried for the future of this happy little scene -- first, Palm's apparently forbidding the Pre Dev Wiki from posting any information about data tethering during the Sprint exclusivity period, and apparently threatening to have the site shut down if it happens:
We have been politely cautioned by Palm that any discussion of tethering during the Sprint exclusivity period (and perhaps beyond-we don't know yet) will probably cause Sprint to complain to Palm, and if that happened then Palm would be forced to react against the people running the IRC channel and this wiki.
Yeah, that's pretty aggro for a company that needs to court all the developer support it can. We're not sure what'll happen after Sprint's exclusivity runs out, but we can't imagine any other carriers are going to be thrilled about hacked tethering options either, so we'd say Palm's going to keep the pressure on until unlocked GSM webOS devices hit the scene -- and we can almost guarantee that tethering hacks are going to make it into the wild regardless of Palm's actions.

Even worse for hackers, Palm's taking an unusually aggressive approach to webOS system updates -- they're mandatory. According to the support docs, webOS updates are automatically downloaded in the background within two days of being available, and they're required to be installed within a week of the download -- after seven days and four install prompts, the phone will give you a ten-minute countdown and then automatically begin installing the update. Sure, we can understand why Palm would want all of its devices to be updated, and we know that a lot of webOS system foundations are in flux while the Mojo SDK is being finalized, but forced updates seem extremely heavy-handed to us -- it's one thing to try and maintain control over a platform, it's another to keep it with an iron fist. Of course, it's probable that we'll see a hack to bypass all of this extremely soon, so maybe it'll all work itself out, but we'd really like to see Palm develop an official policy friendly towards hacking and homebrew and stick to it -- the Pre and webOS have attracted a lot of talent in the past two weeks, and it'd be a shame to lose it.

[Via PreThinking; thanks, Justin]

Read - Pre Dev Wiki tethering policy
Read - Palm webOS updates support doc

Homebrew Pre firmware just a button, cable away?


If you were to put the Pre on a scale of hacker friendliness from 1 to 10, where 1 is the iPhone (remember how long it took for the first jailbreaks back in the day?) and 10 is, say, OpenMoko, we're starting to get the impression that Palm's latest effort falls somewhere way past the 5 mark. We got our first hint that they're being good sports about letting developers play with the Konami code access to developer mode, and now we've got news that it's easy -- nay, trivial -- to run whatever firmware you'd like on the phone. It seems all you've got to do is hold down the volume up key when connecting the Pre to your computer via USB, then you can flash the phone 'til you're blue in the face; even better, the enterprising dev who found the trick says that it's mega simple to modify the stock build and he'd wiped out the activation check with minimal effort. This can only be good news for tweakers and anyone wanting to walk off the App Catalog's beaten path, and if this ultimately means we're a few solid steps closer to a Pre running WinMo 6.1, sign us up. Way up.

[Via Daring Fireball]

Palm's webOS root image leaks out, code enthusiasts reschedule their normal nightly plans

Looks like Palm's webOS Reset Doctor, intended for resetting Pre smartphones with a mangled system, has been outed to the public at large along with a very special bonus for hackers and other programming enthusiasts: a complete 195MB root image of webOS itself. Code-inclined individuals on the PreCentral forums have already cracked open the ROM and are getting an unfettered glimpse at the Palm's new platform, which for the layman means it should open the doors for some crazy Pre hacking and possibly hint, by way of unfinished / unused code, of what's to come for the platform -- and if we're really lucky, maybe someone will be able to look at this and move us one step closer to an unlocked Pre that could jump onto Verizon's network. Amusingly, you also get to see all the comments left by the devs in the code, guaranteeing a few good chuckles from others who can relate. Intrepid computer science-ers can hit up the read link to find the appropriate .jar file or just follow along with all the fun in the forum discussion.

T-Mobile tweaks data breach statement again, now says nothing was compromised

Once again, T-Mobile has released a statement regarding the alleged hack into its systems last weekend, and it's backtracked a bit from the last one -- now, it's starting to sound like no data was stolen at all. Here's what we've got this time around from a company spokesperson:

"Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected. T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers' information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible."

We're taking this as a good sign for customers at this point, but it's hard to say how many more statements we'll get before the matter's fully closed, so stay tuned.

T-Mobile thinks data leak "not enough to cause harm" to customers

After news broke of a possible breach into T-Mobile's systems over the weekend, subscribers were understandably concerned over claims that personal information (among other things) may have been pilfered by the offenders who later offered the data for sale to the carrier's competitors. An investigation has been launched, and so far, it sounds like T-Mobile is admitting some data was taken -- but that it wasn't enough to be of any concern to its customers. Work is ongoing to determine exactly what the hackers got their hands on and how, but it's a promising sign that subscribers don't need to step up fraud monitoring on their accounts. The full statement is below:

"To reaffirm, the protection of our customers' information and the security of our systems is paramount at T-Mobile. Regarding the recent claim on a Web site, we've identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers. We continue to investigate the matter, and have taken additional precautionary measures to further ensure our customers' information and our systems are protected. At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible."

T-Mobile USA's servers breached, subscriber data stolen?

T-Mobile has yet to issue an official statement on the matter, but word on the street is that hackers have found their way into T-Mobile USA's inner workings and made off with a treasure trove of information, including subscriber data, which would make sense considering that parts of T-Mobile's website have been down for most of the day today. The exact nature of the breach is unclear, but the alleged hackers say they "have everything, their databases, confidential [sic] documents, scripts and programs from their servers, financial documents up to 2009." They go on to say that they've been in touch with the carrier's competitors trying to sell the data, but have (thankfully) been turned away, so now they're looking to hawk it to the highest bidder. If this is legit, we can't imagine that trying to sell the data in a public forum is the wisest plan -- but then again, we're not criminal masterminds, so maybe this is standard operating procedure. Here's hoping they're brought down quickly and T-Mob gets to the bottom of the breach.

[Via Slashdot]

Update: We've gotten an official comment from T-Mobile, and in brief, they're actively looking into the claim but can't confirm or deny whether it's actually happened. "The protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile. Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."

Confirmed: Palm Pre's iTunes support is very, very hacky


Careful analysis of a Pre's identity to its host system when connected via USB has now confirmed what's been suspected for a few days now -- the way it hooks to iTunes is very shady indeed. Turns out that the Pre identifies itself as an iPod when it's in Media Sync mode, but only on the system's mass storage interface; the root USB node still comes through as a Palm Pre, which Apple could easily tease out and block if it so chose. We're still up in the air on whether Cupertino would actively move to do that, but regardless, you've got to give a tip of the ol' hacker hat to Palm for its wild ways on this one.

Investigators demonstrate Nokia 1100's criminal potential

In case you weren't already convinced of a certain model of Nokia 1100's hackability by the exponential surge in its aftermarket value, fraud investigation firm Ultrascan has successfully recreated a virtual bank heist by reprogramming one of the devices to receive another phone number's text messages. Using this trick, shady characters in fancy suits can get your mobile transaction authentication number -- provided you live in a country like Germany or Holland that uses mTANs -- and use it to get into your bank account and transfer funds. They'd also need your account name and password, mind you, but obtaining that data isn't nearly as complex when there's plenty of people clicking on the wrong emails and signing into fake websites with all those deets and the associated digits. It all sounds a bit like the stuff of crime novels, doesn't it? And before you go running to eBay with that 1100 you stashed away in a drawer years ago, please note that it only works if the candybar was produced at a very specific plant in Bochum, Germany.

Samsung Eternity retrofitted within NES controller, has never looked better


Not that we've never had the pleasure of seeing an NES phone mod before, but there's just something especially elegant about this one. The not-at-all-ancient Samsung a867 Eternity was chosen by one Taylor Merrill to be shoved inside of a now-defunct Nintendo Entertainment System controller. The result, naturally, is what you see above -- er, half of it, anyway. For a look at the whole thing in its entirety, hop on past the break and mash play. Per usual, we take no responsibility for damage dealt to your retro game consoles, existing handsets or pride should you attempt to replicate.

[Thanks, stagueve]



