Tag: techeye

Government hackers take down Tor

glastonbury-torOne of the last refuges of dissidents in oppressive regimes has been taken down by hacker agencies working for the US government.

The Tor system, which was often the only way that dissidents could communicate in repressive regimes or that whistle blowers could leak their information, warned that many of its users might have been identified by government-funded researchers.

Tor Project leader Roger Dingledine said the service had identified computers on its network that had been altering Tor traffic for five months in an attempt to unmask users connecting to what are known as “hidden services.”

Dingledine said it was “likely” the attacking computers were operated on behalf of two researchers at the Software Engineering Institute, which is housed at Carnegie-Mellon University, but funded mainly by the US Department of Defence. The computers have been removed from the network, but the damage has already been done.

The pair had been scheduled to speak on identifying Tor users at the Black Hat security conference next month. After Tor developers complained to Carnegie-Mellon, officials there said the research had not been cleared and cancelled the talk.

Dingledine said that users who operated or accessed hidden services from early February through July 4 should assume they were affected.

Those navigating to ordinary websites should be in the clear.

Hidden services include underground drug sites such as the shuttered Silk Road, as well as privacy-conscious outfits such as SecureDrop, which is designed to connect whistle blowers with media outlets.

Dingledine said the physical locations where the hidden services were housed could have been exposed, although probably not the content on them that was viewed by a visitor.

All that matters now is if the spooks will just pop around to the researchers with a warrant and ask that they hand over all the details.

The FBI had no immediate response to questions about whether it would seek the data and the Defence Department was not sure if it had the right to raw research from the Institute.

Dingledine advised users to upgrade to the latest version of its software, which addresses the vulnerability that was exploited. He warned that attempts to break Tor were likely to continue.

 

 

 

Apache flaw scalps Android

apacheA four year-old hole in a critical part of Google’s Android OS could leave mobile devices that use it susceptible to attack.

Researchers at the firm Bluebox Security said that Android verifies mobile applications using the Apache Harmony module. This module has a flaw in it.

The vulnerability affects devices running Android versions 2.1 to 4.4.

According to Bluebox, Apache Harmony affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications.

Application signatures are the basis of the Android application trust model and link different applications with a reputable certificate authority.

Mobile application signatures on Android are secured using a Public Key Infrastructure (PKI) with certificate authorities.

But the package installer component of older versions of Android do not attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates.

This means that a hacker can build a certificate and claim it has been issued by another identity, and the Android cryptographic code will not check.

If a hacker faked an Adobe Systems certificate vulnerable versions of Android will treat the application as if it was actually signed by Adobe.

It would give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual ‘sandbox’ environments.

Apache Harmony was abandoned in 2011 and was supposed to offer an open source alternative to Oracle’s Java technology. Google turned to Harmony as an alternative means of supporting Java after failing to strike a deal with Oracle to license Java.

Google continued to use Android libraries that were based on Harmony code even after the project was abandoned.

Google said that it is working with Bluebox to fix the vulnerability and has quickly issued a patch that was distributed to Android partners.

 

Consoles doomed says Doom man

doomJohn Romero, best known for his on Wolfenstein 3D, Doom and Quake says that consoles are being killed off by PCs and mobile consoles.

Speaking to GamesIndustry.biz   at the Strong National Museum of Play in Rochester, New York, Romero said that free-to-play is shaking up the industry.

He said that with a PC you have free-to-play and Steam games for five bucks,” said Romero. “The PC is decimating console, just through price. Free-to-play has killed a hundred top studios.

Romero’s games involve providing the first episode free and if play more, then you pay up.

He said that everyone was getting better at free-to-play design, and it is going to lose its stigma at some point. People will settle into the mindset that there is a fair way of doing it, and the other way is the “dirty way.”

Romero said that with this model there were some technological advantages of PC over consoles.

“With PCs if you want a faster system you can just plug in some new video cards, put faster memory in it, and you’ll always have the best machine that blows away PS4 or Xbox One,” he said.

Romero also thinks that VR headsets are unlikely to make a significant impact on the gaming world.

He said that before using Oculus, he had heard many vets in the industry saying this is not like anything they had seen before.

While he thought that it was amazing, Romero could not see a good future for VR right now.

“It encloses you and keeps you in one spot – even the Kinect and Move are devices I wouldn’t play because they just tire you out,” Romero said.

“VR is going away from the way games are being developed and pushed as they go back into multiplayer and social stuff. VR is kind of a step back, it’s a fad.”

Man beat Apple 42 times

gala_appleA 24 year old managed to scam the fruity cargo cult Apple more than 42 times – at least in Florida.

The Tampa Bay Times  said that Sharron Laverne Parrish tricked Apple Store employees in 16 states starting around December 2012 into accepting fake authorisation codes to buy $309,768 worth of Apple goods.

He was arrested by the US Secret Service special agents working alongside Apple and Chase Bank security. US spooks often get involved in cases involving currency scams.

Parrish visited Apple Stores and tried to buy products with four different debit cards, which were all closed by the banks. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank.

He did not call the bank, of course. He would just give the Apple Store employees a fake authorisation code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.

What Parrish had worked out was that as long as the number of digits is correct, the override code itself does not matter.

However because Apple employees overrode the initial declination against the instructions of Chase Bank, Apple suffered the loss because of this fraud.

Applied Micro Circuits frightens Intel

godApplied Micro Circuits has begun shipping a new kind of low-power server chip that might cause its rival Intel a headache in the data centre business.

Applied Micro Circuits announced it is shipping its new X-Gene “microserver” 64-bit chips, made with ARM designs. X-Gene is being touted as a Server-on-a-Chip which combines 10/40g mixed signal I/O with top-of-class, ARMv8 64-bit cores running at up to 2.4 Ghz, with an enterprise-class memory subsystem.

The company said that it has already made a million dollars from the chips and expects “meaningful” revenue from the chips in the quarters ending in December and March as shipments build.

Chief Executive Officer Paramesh Gopi told analysts on a conference call that there was a backlog for X-Gene, both in the September quarter and December quarter, as well as the March quarter.

Microservers have yet to be meaningfully adopted, but the belief is that data centres can be made more cost effective and energy efficient by using them.

Chipzilla will lose shedloads if the server market moves towards such technology and cannot lose even a few percentage points of market share.

Intel spokesman Bill Calder said that while Intel was not taking the competition lightly, he thought that the much-hyped threat of ARM servers getting any significant market segment share any time soon has been vastly overplayed.

Microservers will probably end up in data centres run by major Internet companies and for use in high-performance computing.

Intel executives in the past have said microserver chips being developed by Applied Micro Circuits, Advanced Micro Devices and other small rivals were unproven and not a serious threat to its server chip business.

In the past couple of years, Intel has launched its own low-power chips, designed with its own architecture, in anticipation of a potential move toward microservers.

Apple and Samsung lose out

1920s-telephone-advertApple and Samsung’s European bottom lines are being kicked by a surge of interest in local smartphones.

A report from Netbiscuits suggests that customers are becoming increasingly frustrated at the mobile market monoculture and Apple and Samsung are experiencing their first major challenge from disruptive European vendors.

Head of global research at Netbiscuits Duncan Clark said that his report marks a dramatic shift in mobile market share which are mirrored in Asia were emerging local vendors in Asia have been doing well.

French company Wiko and bq in Spain have muscled a “Top 50 devices” spot in their own countries for the first time ever.

Coupled with increased fragmentation in Asian markets as cheaper brands enter the market, it seems that smaller, companies are gaining popularity around the world and disrupting dominant players.

It is still early days yet, but it does show that the Golden Age where Apple and Samsung rule the smartphone world is coming to a close.

 

 

 

 

Intel builds custom chips for Oracle

oracleIntel’s new business building custom chips for punters who build their own servers appears to have been gaining some momentum.

Last year, Intel started offering custom chip designs to Facebook and eBay and now it has managed to get Oracle signed up.

The difference with the Oracle deal is that Chipzilla is making custom processors to sell to customers.

According to DatacenterDynamics  Oracle wanted a processor whose performance profiles could be changed on demand based on workload.

Intel built Oracle’s E7-8890 v2 on the Xeon E7-8895 v2 processor but gave it the ability to put its cores into ultra-low power states and then bring them back up as needed.

The 8890 v2 model is the top of the Xeon line, the only one with RAS capabilities and other high-end functions found in the Itanium and other RISC processors.

The 8890 has 15 cores running at 2.8 GHz and 37.5 MB of cache per core for high performance analytics or in-memory databases.

With the 8895, Intel allowed the processor to act like an 8890, 8891 or 8893 while in operation and without having to shut down and restart.

The technology was already there. Intel already does something similar with its consumer Core processors called Turbo Boost. If a dual core, 3.0GHz processor is running a single-threaded app, it will shut down one core and run the other at 3.4Ghz, for example.

The 8895 is used in Oracle’s Exadata Database Machine X4-8,an 8-processor rack system with up to 12 TB of system memory 672 terabytes of disk, 44 terabytes of high-performance PCI Flash, 240 database CPU cores, and 168 CPU cores in storage to accelerate data-intensive SQL.

There are limits to the deal. Intel will not be open to chip suggestions from Oracle’s hardware competitors like HP and Dell. The Oracle deal was oriented around its database and other business application software.

Samsung delays Tizen

tizen-(1)Samsung’s plans to get its Tizen phone into the shops have been delayed, with the initial planned third quarter launch in Russia abandoned.

The Korean electronics maker had been hoping that Tizen would cut its dependency on Android.

The phone was supposed to be tried out in Russia sometime in the third quarter, but Samsung said it needed more time to enhance the “Tizen ecosystem.”

This comes as no real surprise as there had been rumblings at a recent Tizen developer’ conference two weeks ago, but this was put down to a dodgy fish supper.

Samsung did not say exactly what was wrong with Tizen but it would appear to be concerns about the availability of apps and related services that are needed to make the product sell.

Network operators NTT DoCoMo and France’s Orange pulled out of promotional campaigns launching the Tizen phone because of a lack of Apps.

Samsung has already launched Tizen smartwatches and cameras, but wants to get it into smartphones so that it has greater control over its phones operating system. Its license agreement with Google restricts its freedom to make more than cosmetic changes to the Android system.

 

Hackers hack Amazon’s cloud

Amazon-Cloud-OutageHackers have worked out a way to break into Amazon’s cloud and install DDoS malware.

The hole is thanks to a vulnerability in distributed search engine software Elasticsearch which is a popular open-source search engine server. The software was  developed in Java that allows applications to perform full-text search for various types of documents through a REST API (representational state transfer application programming interface).

Elasticsearch is commonly used in cloud environments and is used on the Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms.

Versions 1.1.x of Elasticsearch have support for active scripting through API calls in their default configuration. For some reason this does not require authentication which is how the malware writers have broke into the systm.

Elasticsearch’s developers have not released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default.

Kaspersky Lab has found variants of Mayday, a Trojan program for Linux that’s used to launch distributed denial-of-service (DDoS) attacks.

One of the new Mayday variants was found running on compromised Amazon EC2 server instances.

Kaspersky Lab researcher Kurt Baumgartner said that it was not the only victim. The attackers break into   virtual machines run by Amazon EC2 customers by exploiting the CVE-2014-3120 vulnerability in Elasticsearch 1.1.x, which is still being used by some organisations in active commercial deployments despite being superseded by Elasticsearch 1.2.x and 1.3.x.

Baumgartner saw the early stages of the Elasticsearch attacks and that the hackers modified publicly available proof-of-concept exploit code for CVE-2014-3120 and used it to install a Perl-based Web shell. This gave them a backdoor script that allows remote attackers to execute Linux shell commands over the Web. The script, downloads the new version of the Mayday DDoS bot, detected as Backdoor.Linux.Mayday.g.

Linus Torvalds wades into the GCC 4.9.0 compiler

torvaldsAn Open Source compiler has been blasted by Linus Torvalds as being ‘pure and utter s***’ and ‘terminally broken’ after a random panic was discovered in a load balance function in Linux 3.16-rc6.

GCC was designed by Open Source Pope Richard Stallman to provide a free software compiler for open saucy projects. It has been through many different incarnations and the latest hit the streets earlier this month.

The new version has upset the King of Linux, Linus Torvalds, after it appeared to break the 3.16-rc kernel. Torvalds did not mince his words at his disgust describing the compiler as retarded as a sloth that was dropped on the head as a baby.

In a rant which is vaguely like a John Cleese parrot sketch  Torvalds said that: “Lookie here, your compiler does some absolutely insane things with the spilling, including spilling a constant. For chrissake, that compiler shouldn’t have been allowed to graduate from kindergarten. We’re talking “sloth that was dropped on the head as a baby” level retardation levels.”

Torvalds said there is no way that the problem is within his kernel, and claims that the compiler is creating broken code while also warning that those testing the kernel shouldn’t compile it with gcc-4.9.0.

He said that the problem is in the latest version, because the compiler was reliable until now.

 

 

Linux in Spain causes Microsoft pain

ValenciaIt has been a couple of bad weeks for Microsoft as more anti-Volish governments have been announcing successful open source operations.

Last week we had the British cabinet office moving away from Microsoft’s open document standard, and this week we have the Spanish praising Linux.

The government of the autonomous region of Valencia (Spain) has been waxing lyrical about Lliurex, a customisation of the Edubuntu Linux distribution.

Lliurex is used on more than 110,000 PCs in schools in the Valencia region, saving some 36 million euro over the past nine years, the government says.

The Lliurex distribution is managed through the Ministry of Finance and Public Administration. During installation, users can choose between several variants, tailored for example for use at home, in schools or by small and medium-sized enterprises.

Sofia Bellés, Director General of the region’s Information Technologies Department said that the new version will ease maintenance and management of PC equipment in schools in the region.

The software has also been optimised to save time in creating PC labs and is allowing better control over printing, reducing printing costs.

Liurex is one of several free software projects used by Valencia. It is using LibreOffice, a free and open source suite of office productivity applications, is used on all the 120,000 desktop PCs of the administration, including schools and courts. Using LibreOffice will help save the administration 1.5 million euro per year, the government said last year.

Last week, the administration of Extremadura, another Spanish region, revamped the website of its Linex distribution, also used in schools. Linex is installed on about 70,000 PCs and laptops in schools.

 

Russian scientists save spaced out randy lizards

Tlizardhe Russian space agency Roscosmos has managed to gain control over a satellite crewed by randy lizards who are keen to test out sex in zero gravity.

Mission control said that it has manage to gain positive control over the agency’s orbiting Foton-M4 satellite. Launched a week ago, Foton-M4 carries a primarily biological payload made up of geckos, flies, plant seeds, and various micro-organisms which was supposed to test out how lower orders of life bonk when there is no gravity.

The satellite made headlines late last week when just a few days after launch, ground control lost communication with the satellite and could no longer send it commands.

Apparently the satellite’s five-gecko crew, four females and one male, were sent aloft by Russian scientists in order to study the effects of microgravity on sex and reproduction are safe. Scientists are spying on the geckos and then slice up the randy couples when the satellite returns to Earth at the conclusion of its two-month mission.

If they had not fixed Foton-M4 it would remain in its 357-mile orbit for about four months—two months longer than the provisions for its biological payload would last. The Geckos having bonked themselves to exhaustion would have run out of food and begun to eat each other, and not in a good way. The survivors would have been burnt to a crisp on re-entry.

Now that the spacecraft is functioning normally, the lizards can get to it safe in the knowledge that their death will not take place until they are safely in a Russian lab back on the planet.  Now all that can go wrong is a reptile dysfunction.

 

 

 

 

Apple misses a Beats. Buys lemon

head10When Apple bought the groovy headphone maker Beats for $3 billion, legions of fanboys in the press rushed to claim that it was the deal of the century.

It seems that Apple might have bought itself a bag of pain after Bose filed a lawsuit that accuses the headphone maker of infringing upon several of its patents.

The suit claims that Bose lost sales because Beats nicked its patented noise-cancelling technology in its Studio and Studio Wireless headphone lines.

To make matters worse, Beats advertises that the technology “can also be used for noise cancellation when no music is played” which is something Bose has a patent on. “Thus, Beats specifically encourages users to use the infringing functionality. Beats advertises no method to turn off features that cause end users to directly infringe.”

Apple appears to have bought a company whose products infringe on five US patents: patent 6,717,537, titled “Method and Apparatus for Minimizing Latency in Digital Signal Processing Systems;” patent 8,073,150, a “Dynamically Configurable ANR Signal Processing Topology;” patent 8,073,151, a “Dynamically Configurable ANR Filter Block Technology;” patent 8,054,992, which specifies a method for high frequency compensating; and patent 8,345,888, which covers “Digital High Frequency Phase Compensation.”

Bose never mentions Apple in the 22-page complaint, and the Tame Apple Press insists that the lawsuit has come about because Jobs’ Mob paid such a high price.

Some magazines have even implied that Bose is being a patent troll saying that this is not the first time Bose has sued a competitor over patents. It sued Able Planet last year over its noise-cancelling headphones, and reached a settlement. In April, Bose sued Monster for selling headphones that infringe a Bose patent related to “fit and retention characteristics” of their in-ear headphones. That case is in its early stages.

Bose has also filed a complaint with the US International Trade Commission against Beats over the same infringement claims. That means the patent lawsuit filed in federal court will be stayed while the ITC case gets resolved first.

Either way this is going to get messy for Apple. It already paid what many considered was too much for Beats and it is going to have another expensive court battle to fight.

 

Don’t fear the Big Blue Apple Alliance

blue-appleThe glorious alliance between soft fruit Apple and Big Blue has not put the fear of Jehovah into other potential fruity alliances.

According to Reuters  top executives at Dell and BlackBerry scoffed at the deal with their best scoffing sticks.

The pair have been trying to re-invent themselves, and some of the tame Apple press claims that the glorious Apple-IBM alliance will stuff up their efforts.

John Swainson, who heads Dell’s global software business, said that the Apple-IBM made a good press release but there was nothing in it which was worth taking seriously.

Swainson, who spent over two decades in senior roles at IBM, point out that IBM reps will be unable to flog Apple gear to their client base. He said that they were rubbish at selling that sort of thing when it had an IBM logo on it, so they are going to be just as pants at trying to sell stuff with an Apple on it.

While it is true that Apple products are better marketed, Swainson said they lack the depth of security features that many large business clients like banks need.

BlackBerry Chief Executive John Chen told the Financial Times that the alliance was like when “two elephants start dancing”,

Dell and BlackBerry have declined to discuss whether they would consider teaming up, but some analysts, bankers and others have argued in the past that a partnership between the two underdogs potentially made sense.

Dell has a huge sales team, vast network of business clients and is focused on growing its security and device management capabilities which is everything that BlackBerry needs.

Dutch can outsource spying

dutch-childrenThe Dutch courts have ruled that while the government is forbidden to snoop on its citizens over the internet, it is allowed to use data stolen from them by the American spooks.

The Hague District Court Dutch ruled that intelligence services can receive bulk data that might have been obtained by the US National Security Agency (NSA) through mass data interception programs, even though collecting data that way is illegal under Dutch law.

A civil case filed by a coalition of defence lawyers, privacy advocates and journalists who sued the Dutch government wanted a court order to stop the AIVD and MIVD from obtaining data from foreign intelligence agencies that was not obtained in accordance with European and Dutch law.

NSA’s mass data collection programs violate human rights guaranteed by international and European treaties including the European Convention on Human Rights (ECHR), the lawyers argued.

However, the court said that under Dutch law, Dutch intelligence services are allowed to collaborate with the NSA. The NSA in turn is bound by US law which, in general, does not conflict with the human rights convention privacy requirements.

Since raw data is shared in bulk, less stringent safeguards are necessary than would apply when the data is examined and used, the court said. It added that there would be a big difference between receiving data and using it for individual cases.

The court said it only ruled on general grounds, assessing the actions of the state in general. It suggested the outcome could be different when individual lawsuits or complaints were filed with the relevant institutions.

The lawyers bringing the case were furious and dubbed it “incomprehensible.”

In a statement, they said that innocent citizens’ privacy rights should prevail over the interests of intelligence services. Because the data exchanged in bulk involves information on many innocent people, safeguards that are more stringent are needed.

They plan to appeal the ruling.