Wednesday, July 30, 2014

Nigerian 419 scammers diversifying into Trojan malware, finds Palo Alto

A Nigerian cybercrime gang versed in 419 social engineering scams has diversified into using off-the-shelf RAT tools to attack Taiwanese and South Korean businesses, according to researchers working for Palo Alto Networks.

The firm's report on the gang, which it has dubbed 'Silver Spaniel', offers an interesting insight into the software innovations that have turned malware attacks into a global cottage industry far beyond its assumed heartlands of Russia and China.

The group started targeting around 20 organisations in Asian countries in May using attachments and social engineering to trick people into loading popular Remote Access Trojans (RATs), including the multi-platform NetWire and DarkComet as well as the DataScrambler AV evasion tool. The object appears to be to steal logins for anything and everything.

This isn’t a sophisticated MO but it doesn’t have to be; according to Palo Alto only two of 51 anti-virus engines on VirusTotal detected the attachment’s executable as being suspicious thanks to automated polymorphism that cranks out numerous variants of the same malware.

It's also slapdash in ways that would have practiced cybercriminals frowning, revealing command and control IP addresses that lead back to Nigerian mobile networks. The company hasn't traced these to specific individuals but concludes that the perpetrators feel there is little chance of detection and so don't bother to hide their general origin.

This brazen attitude is demonstrated by the example of a named Nigerian (not necessarily connected to Silver Spaniel but who has allegedly used 419s) who feels confident enough to post queries about specific RATs using a real Facebook profile.

“These Silver Spaniel malware activities originate in Nigeria and employ tactics, techniques and procedures similar to one another. The actors don’t show a high level of technical acumen, but represent a growing threat to businesses that have not previously been their primary targets,” said Palo Alto’s Unit 42 intelligence director, Ryan Olson.

The gang either wasn’t particularly techie or simply didn’t care whether people knew who they were because their chances of being caught were slim, he said.

The larger point is that the tools on offer are powerful enough to evade AV, can be rented on one PC for as little as $40 for six months and can be used to pave the way for more complex payloads. Low-level criminals tiring of trying to make a living using well-rehearsed but increasingly ineffective 419 email scams have noticed the new opportunity.

419 scams, named after the section of the Nigerian penal code covering fraud, were written off as ludicrous and yet they worked for years. Now the same Nigerian industry seems to be trying its hand at more complex malware.



HP invests in Hortonworks' Hadoop

Hewlett-Packard is betting $50 million that its customers will find value in the Hadoop data processing platform, by investing in Hadoop distributor Hortonworks.

The two companies will also partner on sales calls and formulate an architecture for incorporating the Hortonworks Hadoop distribution into HP's data processing stack, called HAVEn.

"We've never really sold Hadoop, nor supported it directly. To date, we'd meet with a Hadoop vendor and take the deal to market. What's different about this strategic partnership is that we're now committing to resell the Hortonworks Data Platform as part of HAVEn, and support it as well," said Colin Mahony, HP general manager for the company's Vertica analytic database management software.

When implementing a large-scale data processing platform, enterprises would prefer to have a single vendor to deal with, rather than multiple vendors that each contribute a piece to the overall system, Mahony said.

In addition to the investment and joint engineering work, HP Chief Technology Officer Martin Fink will join Hortonworks' board of directors, so the two companies can work closely when formulating Hadoop strategies.

First developed at Yahoo, Hadoop provides a way to store massive amounts of unstructured data that can be analyzed on the fly. It has found a home in many large Internet services, which collect so much data from users that it would be infeasible to store and analyze that data through the traditional technologies of SQL databases and commercial data warehouses.

One of the chief distributors of Hadoop, Hortonworks was founded by a number of engineers who worked on the original Yahoo implementation of Hadoop. Since its creation in 2011, Hortonworks has formed partnerships with Microsoft, SAP and Red Hat, among other enterprise software vendors.

The partnership will give Hortonworks a broader potential customer base, said Hortonworks CEO Rob Bearden.

The partnership will fill out HP's HAVEn stack. HAVEn stands for Hadoop, Autonomy, Vertica and enterprise security. The "n" stands for any number of enterprise applications that can be built on top of the data processing platform.

HP will also start working on connectors to better pair Vertica with the Hadoop YARN (Yet Another Resource Negotiator) management console. HP already has software that allows users to run Vertica commands against data stored on Hadoop systems and this work will ensure that Vertica's view of Hadoop data will stay fully synchronized with what the Hadoop console sees.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com



EE aims for 6m 4G customers by end of 2014

EE announced today that it doubled its 4G customer base to 4.2 million in the first half of 2014, adding that it wants to get six million 4G subscribers on its books by the end of the year.

The UK mobile giant, which revealed the numbers in its half-year report out today, added that it acquired 1.3 million new 4G customers in the second quarter of 2014 - the most ever by a European operator, it claimed.

The surge in 4G customers was attributed as one of the key drivers for a 1.3 percent rise in the company’s operating revenue in the first half of the year, which climbed to £3 billion.

EE also claimed that 5,500 corporates are now using its 4G network, including a handful of new customers such as Deloitte and Essex Police. 

On new B2B customers, EE said 88 percent had opted for contracts on its faster 4G network in the first half of the year.

As the company published its results, it was keen to tout the benefits that can be realised by businesses that move to 4G. Drawing on evidence from a survey carried out by market researcher Taylor Nelson Sofres (TNS), EE said 77 percent of its 4G business customers believe they are more productive than they were on 3G, while 38 percent get at least a quarter more done and 16 percent said 4G doubled their productivity.

“Today’s results demonstrate that consumers and businesses are responding to our strategy to provide the UK’s biggest, fastest and most reliable network,” said EE CEO Olaf Swantee. “We are delivering on our goals to rapidly transition our pay monthly customer base to 4G, generate significant merger cost savings and improve our EBITDA margin performance.”  

Earlier this year, EE was voted as the UK’s leading mobile operator by mobile performance analysts, Rootmetrics.



Apple losing its grip as top tablet company

Apple's grip on the tablet is loosening, with the iPad losing ground during the second quarter this year to Android and Windows tablets.

Meanwhile, total tablet shipments declined by 1.5 percent from the first quarter, though IDC said that it "believes the market will experience positive but slower growth in 2014 compared to the previous year."

Worldwide tablet shipments totaled 49.3 million units during the second quarter, increasing by 11 percent compared to the same quarter the previous year, according to research released by IDC on Thursday.

Apple held on to the top spot, but Samsung, Lenovo and Asus are slowly creeping up in market share. Apple tablet shipments totaled 13.3 million units, declining by 9.3 percent year over year. The company held a 26.9 percent market share.

The tablet market is entering a "new phase" in which smaller vendors are levelling the playing field and market share, said Jitesh Ubrani, a research analyst at IDC, in a statement.

Apple and analysts have attributed the iPad decline to economically weak markets and slow tablet refreshes on the part of users, who are holding on to devices for longer-than-expected periods.

Last week Apple and IBM struck a deal to jointly sell the iPhone and iPad to big companies. Enterprise-specific tablet offerings could boost iPad sales in the second half, said Jean Philippe Bouchard, research director for tablets at IDC.

Apple's biggest threat is Samsung, which sold 8.5 million tablets during the second quarter, raising its market share by 1.6 percent year over year. Shipments from third place Lenovo rose year over year by 64 percent to 2.4 million units, overtaking fourth place Asustek, whose shipments totaled 2.3 million units, rising by 13.1 percent. In fifth place was the struggling Acer, whose shipments declined by 36.3 percent.

Outpacing the top five tablet companies combined, in terms of market share growth, was the group of "other" companies, which includes Google, Amazon and no-name vendors selling unbranded tablets at low prices. Shipments of low-cost Android tablets have grown in developing countries and have been instrumental in bringing tablet prices down.

IDC's quarterly tablet numbers also count hybrids with detachable screens that can function as tablets.

Agam Shah covers PCs, tablets, servers, chips and semiconductors for IDG News Service. Follow Agam on Twitter at @agamsh. Agam's e-mail address is agam_shah@idg.com



Baidu reports strong mobile ad sales, echoing Facebook

Chinese search giant Baidu reported a 34 percent jump in profit for the second quarter, with mobile ad sales accounting for almost a third of revenue for the first time.

Baidu's profit reached 3.5 billion yuan (US$571 million) for the quarter, while revenue soared 59 percent to 12 billion yuan, at the upper end of its forecast.

Mobile made up 30 percent of revenue, which was a first for the company, CEO Robin Li said in a statement. A day earlier, Facebook said it more than doubled its profit in the second quarter, with mobile a big factor.

The results show Baidu's profit engine moving back into high gear. Last year its earnings growth slowed as the company increased spending to develop and promote new products.

Most of Baidu's revenue comes from online ads, and it's trying to squeeze more from mobile as more Chinese turn to smartphones to get online.

Baidu says it's China's top provider for mobile search, mobile mapping and app distribution. But it faces increased competition from local rivals like Alibaba Group and Qihoo 360, whose search products are growing in popularity.

Since last year, Baidu has spent a lot more on research and development and on marketing. In the quarter just ended, R&D expenses increased 85 percent year over year, while general and administrative expenses doubled. Most of that G&A increase was for promoting mobile products, it said.

In the current quarter, Baidu expects revenue to reach as high as 13.8 billion yuan, an increase of 55 percent from last year.



Tuesday, July 29, 2014

US Social Security Administration spent nearly $300M on IT project 'boondoggle,' lawmakers say

The U.S. Social Security Administration has spent nearly US$300 million on a software system for processing disability claims that still isn't finished and has delivered limited useful functionality, according to an independent report on the project.

The U.S. House Oversight and Government Reform Committee this week released a copy of the study, which the SSA commissioned McKinsey to develop.

While the report was finished in June, SSA officials placed "a very close hold on the report with the goal of ensuring details about its findings remain secret until after Senate confirmation of Acting Commissioner Carolyn W. Colvin as Commissioner," three Republican members of the committee alleged in a letter, citing unnamed "whistleblowers." The letter was signed by committee Chairman Darrell Issa of California, James Lankford of Oklahoma, and Jim Jordan of Ohio.

The committee members' sources also said Colvin's chief of staff warned SSA employees "not to inquire about the report or even discuss its existence until later this year," the letter adds. "We find these allegations deeply disturbing."

"It is concerning that while you and other agency officials routinely testify that the agency needs more funding from Congress, the agency wasted nearly $300 million on an IT boondoggle," the letter adds.

The SSA didn't respond to a request for comment Thursday. But Terrie Gruber, whom Colvin appointed leader of the project last month, told the Associated Press that the SSA "asked for this, this independent look, and we weren't afraid to hear what the results are."

"We are absolutely committed to deliver this initiative and by implementing the recommendations we obtained independently, we think we have a very good prospect on doing just that," Gruber told the AP.

The SSA has spent $288 million during a six-year period on the project, which is called DCPS (Disability Case Processing System), according to the McKinsey report.

It cites a number of reasons for the project's woes, including "suboptimal system design" and little engagement with users after the initial design phase, resulting in "substantial quality and usability problems."

As of its beta release 4, the system will still have more than 380 outstanding problems, according to the study.

The project has seen years of delays, with the current projected date for a 1.0 product now sometime in 2016, according to a chart in the report.

However, without a "significant reset" of the project, even that time frame is likely underestimated, the report states.

On the other hand, DCPS "has the potential to drive tremendous value" by cutting costs and improving disability case processing, it adds. There's also "palpable" excitement for the project among the individuals involved in it, according to the report.

McKinsey suggested a number of changes and fixes to the project, including the appointment of a "single accountable executive" and the adoption of agile software development methodologies. The firm also suggested the SSA determine a "next best alternative" to the current system, including commercial off-the-shelf software.

Lockheed Martin was selected as the prime contractor on DCPS in 2011. At the time, the contract was valued at $200 million. A Lockheed Martin spokesman didn't immediately respond to a request for comment Thursday.

The House Oversight Committee's letter is "sensationalized" and tinged with political overtones that obscure a broader truth about wasteful government spending on IT, said analyst Michael Krigsman, CEO of consulting firm Asuret and an expert on why software projects struggle and sometimes fail altogether.

"I agree that it needs to be investigated," Krigsman said. "But it's a witch hunt, looking for an individual witch in a city of witches. Why this one? There are a lot of bigger fish to fry."

Krigsman pointed to the Air Force's now-defunct ERP project, which rang up some $1 billion in costs before being tossed on the scrap heap. A Senate panel announced last year that it would launch a probe into that project.

"I think it's wonderful the committee is taking a close, hard look at [DCPS]," he said. "But I wonder why. If you want to make an example of something, this may not be the best choice."

In any case, "the real question is, when will overseers adopt a systematic and consistent approach to reducing IT-related waste, rather than the ad hoc examinations that seem to be the case today," Krigsman added.

Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com



Wolfram fortifies SystemModeler with more libraries

Hydraulic actuators, battery stacks, biochemical systems and disease propagation are but a few things that now can be modeled more easily, thanks to a number of libraries and a library store that Wolfram Research has created for a new edition of its SystemModeler software package.

Wolfram SystemModeler 4.0 also comes with improved interfaces for building models, as well as better documentation and integration with Wolfram's flagship Mathematica mathematical computing software.

SystemModeler provides a way for engineers and designers to create models of complex systems, as well as to simulate how such systems could run, using time-lapse visualizations. Wolfram obtained the SystemModeler code from MathCore Engineering, a company it purchased in 2011.

The company has since been building up the libraries to cover the many potential engineering and scientific uses for the software. A library provides the functionality for describing specific physical or mathematical properties, so they can be rendered correctly in a visual model.

In the field of electronics for instance, the updated software now has libraries for modeling digital electronics in the VHDL standard, for modeling multiphase electrical machines, and for the approximate modeling of large analog circuits.

Wolfram has also opened an app store of sorts, an online repository of paid and free third-party libraries for SystemModeler. Each library has been tested by Wolfram.

At the SystemModeler Library Store, you will find a US$995 library for modeling hydraulics in pumps, motors, actuators, cylinders, valves and other components. Another library, priced at $7,185, can aid in the design of automotive cooling systems.

SystemModeler is one of a number of software programs designed to help engineers visually model complex systems. Others include Maplesoft's MapleSim and Simulink, from MathWorks.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com



LTE network for US public safety taking it one step at a time

The organizers of the FirstNet LTE public safety network have the frequencies and standards they need to build the system, and they know where the money's coming from. They know how to get there from here, but it won't be a quick trip.

FirstNet will realize a vision that emerged in the wake of the 9/11 terror attacks, using technology that didn't exist until years later. It will be a single network linking all federal, state and local public-safety agencies in the U.S., based on the same radio spectrum and technology throughout. Though it won't replace every public-safety radio system in use today, FirstNet will help to eliminate the crazy quilt of incompatible radio systems and frequencies that makes it hard for different teams to coordinate their efforts.

That's no small matter when the news is bad enough to send first responders from multiple cities, counties or states converging on one area. For example, the many firefighting forces that battle summer blazes around the West often can't communicate directly with each other because they use different types of radios and different frequency bands, said TJ Kennedy, acting general manager of the First Responder Network Authority (FirstNet), which is in charge of making the network a reality.

The systems that first responders use now, including more than 10,000 separate LMRS (land mobile radio system) networks, also fall short of many users' needs. Some public-safety employees have to use their own smartphones in order to use apps, send photos and make calls in the field, according to Kennedy. Once FirstNet's built, all agencies will be able to sign up for the same national service, built on modern mobile broadband technology. It will span not just the 50 states but also U.S. territories, such as Puerto Rico, Guam and the Virgin Islands, and is intended to cover as much land as possible. In some cases that will probably require satellite, but most wireless will go over land-based LTE.

As with any effort to coordinate across 50 states and six territories, spanning about 60,000 public safety agencies, the network won't happen overnight. In fact, FirstNet isn't committing to any precise timeline or budget for getting it done. To give an idea how long the effort might take, there's a 46-step process that has to be carried out for each state and territory. The group is making progress: In many states, it's on step 7, Kennedy said.

That long process is designed to make sure the FirstNet system serves the needs of each state. FirstNet is meeting with local agencies and others involved with the issue, educating them about the technology and finding out what they want out of it.

"The geography and the needs of public safety in Maryland are probably very different from the needs in Alaska," Kennedy said.

Ultimately, each state and territory will choose whether to build the local wireless portion of the network themselves or have FirstNet do it. They can't opt out of the system altogether. Once the wireless infrastructure is in place, individual police departments, fire departments and other agencies will sign up and pay for service on FirstNet in much the same way they now buy service from a commercial mobile operator. FirstNet expects the service to be competitively priced, Kennedy said.

The network itself will be built and operated by carriers or other bidders that respond to FirstNet RFPs (requests for proposals), which will lay out the requirements for the system. Those criteria are still being set.

There's better news on the funding and technology for FirstNet.

Though not all the money is there yet, the funding sources for the system are secure, Kennedy said. The law that authorizes the network says the money to build it will come from three national auctions of wireless spectrum, which are forecast to bring in about US$7 billion. One of those, the so-called H Block auction, has already generated about $1.5 billion. Still to come are the sale of a band called AWS-3 to mobile operators, coming in November, and later the so-called incentive auctions to convert TV frequencies to mobile broadband.

FirstNet is also likely to be an easy fit with other networks and devices. It's designed to run entirely on IP (Internet Protocol), with a fast wired backbone in the core and LTE wireless networks at the edge. Because all the major commercial carriers in the U.S. use LTE, any gear that goes into the network or into first responders' hands can be based on the same mass-produced technologies, keeping costs down.

Unlike current public-safety systems, FirstNet will also have enough bandwidth to carry voice, video and data on mobile devices. The network has been assigned a 20MHz chunk of spectrum in the 700MHz band, comparable to what the major commercial carriers are using in that band. Carriers like 700MHz for its long-reaching signals and ability to penetrate walls.

Some devices on the market already are equipped to use FirstNet's band, and more will follow, Kennedy said. Some other countries have adopted the same band for public safety, most importantly Canada, which shares a continent-wide border with the U.S. This could allow for interoperability between U.S. and Canadian systems if needed, he said.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com



Oracle's new in-memory database option could spark unanticipated costs, expert warns

Oracle database shops that have or are planning to download the latest version of 12c take warning: The vendor's newly launched, much-hyped in-memory processing database option is turned on by default, according to one expert.

The in-memory option costs US$23,000 per processor, according to an Oracle price list updated this week. Customers who don't realize the option has been switched on may find their next license audit "um, more entertaining," wrote Kevin Closson, a senior director in EMC's performance engineering group and a former Oracle architect who worked on its Exadata database machine, in a post on his personal blog this week.

"Please let me point out that I'm trying as hard as I can to not make a mountain out of a molehill," Closson wrote. The new version of database 12c containing the in-memory option is "hugely important," he added.

However, given the "crushing cost of this option/feature I expect that its use will be very selective," he wrote. "It's for this reason I wanted to draw to people's attention the fact that -- in my assessment -- this option/feature is very easy to use 'accidentally.' It really should have a default initialization setting that renders the option/feature nascent -- but the reality is quite the opposite."

An Oracle spokeswoman did not respond to a request for comment Friday on Closson's blog post, which was first highlighted by The Register.

Opinions on whether the option's cost is truly "crushing" may vary. Other Oracle database options, such as Real Application Clusters, are priced similarly. Oracle customers can typically negotiate significant discounts off list prices as well, although such a discussion may not be possible if any misuse of the in-memory option, accidental or not, is discovered during an audit.

Closson's blog post sparked a press release from Mark Flynn, CEO of the nonprofit organization Campaign for Clear Licensing. The group is lobbying software vendors in hopes of making licensing terms clearer.

"Oracle quite rightly deserves to make a lot of money from this innovation, but we fear that a large proportion of the additional income that it will generate (particularly in the short-term) will be through end-users being stung at their next audit because they were not aware of the change," Flynn said in the release.

Ultimately, database administrators are responsible for making sure their systems are license-compliant, Flynn noted. However, "we do not live in a perfect world," he said. "Admins have a million and one other priorities in their day -- keeping up-to-date with the latest licensing changes is rarely top of their list."

The onus is on vendors such as Oracle to better educate customers when changes like this are made, he added.

There's no question Oracle wants a large number of its database customers to use the in-memory option, which it's using as a hedge against customer defections to rival in-memory platforms from SAP, Microsoft and IBM.

Oracle's approach creates an in-memory column store, which dramatically speeds up analytic queries, while preserving the database's existing relational row store for OLTP (online-transaction-processing) workloads. The column store mitigates the overhead required to maintain row-based analytic indexes, improving OLTP performance.
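A license-compliance check a DBA might run on the new 12c release before the next audit, written here as an added example (it is not from Closson's post or from Oracle's documentation). It assumes the standard 12c initialization parameter names INMEMORY_SIZE and INMEMORY_QUERY, the V$IM_SEGMENTS, DBA_TABLES and DBA_FEATURE_USAGE_STATISTICS views, and SELECT privilege on them; the table name in the remediation comment is a placeholder.

```sql
-- Added example: audit whether the Oracle Database In-Memory option is
-- actually in use before the next license review. Assumes the standard
-- 12c parameter names and views (INMEMORY_SIZE, INMEMORY_QUERY,
-- V$IM_SEGMENTS, DBA_TABLES, DBA_FEATURE_USAGE_STATISTICS).

-- 1. The column store is only allocated when INMEMORY_SIZE > 0.
--    INMEMORY_QUERY defaults to ENABLE, so a non-zero size is the real
--    on/off switch; ISDEFAULT shows whether anyone changed either value.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('inmemory_size', 'inmemory_query');

-- 2. Any segment listed here has been loaded into the column store,
--    which is the clearest evidence that the option is being exercised.
SELECT owner, segment_name, populate_status, bytes_not_populated
  FROM v$im_segments;

-- 3. Tables tagged INMEMORY will be populated as soon as the store has
--    space, so they count as intent to use the option even if nothing
--    is populated today.
SELECT owner, table_name, inmemory, inmemory_priority
  FROM dba_tables
 WHERE inmemory = 'ENABLED';

-- 4. Oracle's own feature-usage tracking, which is what a license audit
--    typically reads; CURRENTLY_USED = 'TRUE' is the finding to act on.
SELECT name, detected_usages, currently_used, last_usage_date
  FROM dba_feature_usage_statistics
 WHERE name LIKE 'In-Memory%';

-- Remediation if the option is not licensed: size the store to zero
-- (takes effect at the next instance restart) and clear the attribute
-- on every tagged table found in step 3.
-- ALTER SYSTEM SET inmemory_size = 0 SCOPE=SPFILE;
-- ALTER TABLE hr.employees NO INMEMORY;   -- placeholder table name
```

Run the four queries as a scheduled check rather than once; a single ALTER TABLE by any schema owner is enough to flip step 3 and, over time, step 4.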



EU, Google, Microsoft, Yahoo meet on 'right to be forgotten' but questions remain

European data protection authorities still have questions after meeting with Google, Microsoft and Yahoo about the implementation of a recent ruling that gave European citizens the right to be forgotten by search engines.

The search engine providers have until the end of the month to answer additional questions in writing.

Google, Microsoft and Yahoo met with EU data protection authorities who are members of the EU's Article 29 Working Party (A29WP) in Brussels on Thursday to discuss the May ruling by the Court of Justice of the European Union (CJEU). The ruling gave people the right to compel search engines to remove search results in Europe for queries that include a person's name, if the results shown are "inadequate, irrelevant or no longer relevant, or excessive."

However, the ruling has turned out to be difficult to implement. Google has already described the guidelines for removing query results as "very vague and subjective."

The A29WP data protection authorities (DPAs) said in a news release that they had requested the meeting with the search engine officials in order to get input for future guidelines. The aim is to ensure a consistent implementation of the take-down ruling on the part of the search engine providers as well as consistent handling of complaints lodged with the authorities by people whose requests were denied, the DPAs said.

Confusion about the ruling could lead to a large number of complaints that the DPAs would then have to deal with -- a situation they apparently want to avoid.

Google said at the meeting that it has refused about 30 percent of requests, according to the statement from the DPAs. So far, the search engine has received 91,000 take-down requests concerning 328,000 links to Web addresses, a Google spokesman confirmed. About 15 percent of requests prompted Google to ask additional information. Over half of all requests have been granted.

Other than confirming take-down figures, Google declined to comment on the meeting, as did Microsoft. Yahoo did not immediately respond to a request for comment.

During the meeting the DPAs asked the search engines to explain their delisting process, according to the news release. The DPAs said they asked what criteria search engines use when balancing their economic interest and the interest of the general public in having access to information with the right of the person who wants the search results delisted.

Search engines were also asked if they notify website publishers when links are removed -- something that Google does -- and if so, what legal basis they have for sending out notifications.

The DPAs also wanted to know on what domains search results are delisted. Google for instance removes results from its European domains but not from its .com domain. It argues that the .com domain is not covered by the ruling because it is not aimed at Europeans in particular.

Time seemed to have been too short on Thursday to discuss all the DPAs' concerns. Google, Yahoo and Microsoft were asked to answer additional questions in writing by July 31. By then, they should provide details about the proof of identity or authentication they demand from people who file take-down requests. They also were asked to describe what safeguards are in place to protect any personal data processed during the handling of delisting requests.

In addition, the search engines were asked whether they post notifications on search results pages letting users know when some results have been removed due to EU law -- which is something that Google does -- and asked what the legal basis is for showing that warning.

In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by people, the DPAs said. They asked the search engines, "Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?"

The A29WP committee said that new guidelines would be issued in the autumn and that additional meetings on implementing the right to be forgotten rules may be organized with other stakeholders.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com



Non-IBM Power8 servers, chips to appear early next year

The first third-party chips and servers licensed to use IBM's Power architecture will be on the market early next year.

IBM last year started licensing the architecture so other companies could build Power servers, chips and components. The first third-party Power servers will be for cloud and high-end applications, said Ken King, general manager, OpenPower alliances at IBM's Systems and Technology Group.

Ultimately, low-end servers could use Power chips, but that's for server makers to decide, King said. Derivative Power8 chips being designed outside IBM could be used in third-party servers, King said.

IBM's Power hardware has been used in the Linux-based Watson supercomputer, which beat humans in the TV quiz show "Jeopardy." But IBM's Power server shipments have declined in recent years as buyers move to commodity hardware running on x86 chips. IBM agreed to sell its x86 server business to Lenovo for US$2.3 billion and is now focusing exclusively on the Power architecture.

The non-IBM Power servers will compete with IBM's high-end System Z and customized PureSystem offerings. But King didn't seem concerned about that, saying the reason for licensing Power to other vendors is so that the architecture will proliferate in more servers.

"It's about making Power relevant in the marketplace," King said.

Mainframes and IBM's Power are fading away, so the company had to start licensing the chip architecture, said Nathan Brookwood, principal analyst at Insight 64.

"More important for the company is to get Power out into the larger IT industry, [to] show that it's got a place outside its homegrown systems," Brookwood said.

IBM last year formed the OpenPower Alliance to cooperate with other companies on hardware and software development for the Power architecture. OpenPower members include Google and Tyan, which have already shown developer boards based on the Power8 architecture. Other notable members include Samsung and Micron, which are developing memory, and Nvidia, which is developing graphics chips.

IBM recognized Power's struggles and made a smart move by opening it up to other companies, said Charles King, principal analyst at Pund-IT.

IBM may lose Power server shipments to competition, but there could be revenue from licensing, services and system deployments. Power could find some acceptance in high-performance and cloud computing, Pund-IT's King said.

"One thing Power is effective at as compared to x86 is the ability to support a larger number of virtual machines in a concurrent system. Power CPUs support classic reliability, availability and serviceability features that IBM servers are well known for," King said.

Google was perhaps intrigued by the higher level of virtual machines supported by Power compared to x86 systems, King said.

"That could translate to better VM performance and responsiveness to cloud requests," King said.

But IBM still faces an uphill battle in getting server makers to move to Power, Brookwood said.

Server infrastructure is too invested in x86 and companies will be hesitant to move to a new architecture. That requires developing software, which takes time, money and resources, Brookwood said.

"The problem with computing systems on a shrinking user and application base is they go away. It happened to DEC Alpha, Tandem NonStop, it's happened to dozens of systems," Brookwood said.

Sun Microsystems, now owned by Oracle, opened up its Sparc microarchitecture through OpenSparc, but it didn't work out. Hewlett-Packard is also moving away from the Itanium chip and providing a path to migrate to x86 chips.

But if IBM plays its cards right, there's a chance Power can live on.

"To ensure the longevity of Power8 is to get other people to use it and develop on it," Brookwood said.

Agam Shah covers PCs, tablets, servers, chips and semiconductors for IDG News Service. Follow Agam on Twitter at @agamsh. Agam's e-mail address is agam_shah@idg.com



Monday, July 28, 2014

Phone unlocking bill clears US House, next step is president's signature

A bill that allows consumers to unlock their cellphones for use on other carriers passed its last hurdle in Congress on Friday, opening the way for it to become law once it is signed by President Barack Obama.

Senate Bill 517 overturns a January 2013 decision by the Library of Congress that ruled the unlocking of phones by consumers fell afoul of the Digital Millennium Copyright Act (DMCA). It had previously been permitted under an exception to the anti-circumvention provisions of the DMCA, which are generally aimed at cracking of digital rights management technology.

Cellphones and smartphones are typically supplied to consumers with a software lock that restricts their use to a single wireless carrier. Removing that lock -- the process of "unlocking" the phone -- means it can be used on the networks of competing carriers. In the U.S., this is most often done with handsets that work on the AT&T or T-Mobile networks, which share a common technology, but is also popular with consumers who want to take their phones overseas and use foreign networks rather than roaming services.

The Unlocking Consumer Choice and Wireless Competition Act has made fast progress through Congress. It was passed by the Senate on July 16, just a week after it was passed by the Senate Judiciary Committee, and on Friday by unanimous vote in the House of Representatives. It now waits to be signed into law.

In addition to making the unlocking process legal under copyright law, the bill also directs the librarian of Congress to determine whether other portable devices with wireless capability, such as tablets, should be eligible for unlocking. 

"It took 19 months of activism and advocacy, but we're finally very close to consumers regaining the right to unlock the phones they've legally bought," said Sina Khanifar, who organized an online petition that kicked off the push to have the Library of Congress decision overturned. The petition attracted more than 114,000 signatures on the White House's "We The People" site.

"I'm looking forward to seeing this bill finally become law -- it's been a long road against powerful, entrenched interests -- but it's great to see citizen advocacy work," he said in a statement.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com



Apple faces privacy suit following Chinese TV report

An iPhone user has filed a lawsuit for invasion of privacy against Apple, about a week after a Chinese state broadcaster raised security concerns about the device's location-tracking functions.

The U.S. class action lawsuit, filed by a woman named Chen Ma, alleges that Apple has "intentionally intruded" into her privacy with the iPhone's location tracking service. Apple has also disclosed the data to third parties, including the U.S. government, according to the claims.

In making the allegations, the lawsuit cites a July 11 report from the state-run China Central Television, which warned that Apple's location-tracking functions could be a security threat.

The function in question was the "Frequent Locations" feature found on iOS 7. The service records the places the user has visited, along with the duration, and is meant to provide tips, including nearby shops of interest and estimated commute times.

The CCTV report, however, claimed that the feature could be used to effectively spy on users. The data could reveal information about China's economy, and state secrets, according to one security researcher interviewed in the report.

Shortly after CCTV's investigation, Apple released its own statement, assuring users that the company does not track users' locations. It added that it does not have access to the Frequent Locations data on users' phones, nor has it worked with any government agency to create backdoors in its products.

Apple on Friday declined to comment about the class action lawsuit. The complaint was filed in the U.S. District Court for the Northern District of California, San Jose division.



IoT inspires new components for energy, wireless

The expected boom in demand for small, often isolated devices in the Internet of Things is driving developers to craft new types of components.

Two developments announced this week should help IoT come together. On Wednesday at a trade show in Tokyo, researchers showed off a prototype of a tiny power supply that harvests energy from vibrations in the air so remote sensors and other parts don't need batteries. And on Thursday, U.K. chip company Imagination Technologies announced a design for radio chips that can be used in small, power-sipping devices.

IoT promises to feed data from machines and sensors everywhere to systems that can deliver reports or automatically make changes in public or private infrastructure. To do that, the emerging network has to get into places that wires, cables and support teams can't easily reach, especially if those remote devices number in the millions. That makes size and power requirements stricter than ever.

One emerging technology to power standalone devices in the field is vibration harvesting, or generating electricity from movements in the environment. It can use a variety of sources, including wind, water, radio waves and human movement. For example, the motion of a person walking might help to power a small wearable device.

At the Techno-Frontier conference in Tokyo, researchers from Europe and Japan are showing off a prototype built around an electrostatic vibration harvester from Japanese automation vendor Omron with power management electronics from European research institution Holst Centre/imec. Combining the two technologies allowed them to build a vibration-based power supply that's much smaller than current models, the partners said. The DC power module they built measures 5 centimeters by 6 centimeters and may be able to shrink down to just 2 square centimeters.

The prototype is going through testing and customer input before volume production. It could be substituted for batteries in current designs or used in totally new products, the partners said.

The power supply is intended for wireless sensors for industrial applications such as equipment control and predictive maintenance. The sensors themselves could be "set and forget" devices with little need for maintenance because they wouldn't need replacement batteries. The researchers' design could be tuned for power output between 1.5 volts and 5 volts, the partners said.

Like Omron and Holst, chip architecture vendor Imagination is addressing small, wirelessly connected things. Its Ensigma Series4 "Whisper" RPU (radio processing unit) architecture extends the company's Ensigma line with a design geared to low power consumption more than high performance, said Richard Edgar, director of communications technology marketing. Rather than a chip itself, it's a blueprint for chip makers to design processor cores.

The Whisper architecture can be used for Wi-Fi, Bluetooth Classic, low-power Bluetooth Smart, NFC (near-field communications), GNSS (Global Navigation Satellite System) and other current or emerging wireless technologies. Imagination already sells the Ensigma Explorer architecture for devices such as set-top boxes that need high speed, but it designed the Whisper technology for equipment that will never send big streams of packets.

"For IoT, the criteria are different," Edgar said. "It's small amounts of data, occasionally." For example, a temperature sensor in a home might take readings every 15 minutes and send a few hundred bytes. Whisper might also be used in industrial sensors, wearable devices or smart electrical grids, he said.

Whisper is designed for use in chips built with the MIPS architecture, which Imagination acquired in 2012. It can be implemented in a MIPS chip specifically for communications or built into a single chip that also handles application processing and other tasks, Edgar said. The Whisper is scheduled to ship in a series of different versions starting in the fourth quarter.

It's hard to say whether the Omron-Holst vibration-harvesting design could power a device using Imagination's new architecture, because there are many ways to measure energy, Edgar said. But the voltages it could generate are within the right range.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com



Mystery 'Onion/Critroni' ransom Trojan evolves to use more sophisticated encryption

Kaspersky Lab has added more detail on the fiendish ‘Onion’ (aka 'Critroni') ransom Trojan that uses the Tor anonymity service to hide its command and control (C&C) as well as displaying a level of thoughtfulness about its encryption design that bodes ill for future attacks.

CryptoLocker was bad, but with the program that kicked off the peak of the ransom malware age now largely neutered thanks to police intervention, the criminals have already moved on to the next set of innovations.

As Kaspersky researcher Fedor Sinitsyn explains, recent crypto malware uses a cunning mixture of the two kinds of cipher: public-key (i.e. asymmetric) RSA encryption protects the AES (i.e. symmetric) key that is used to scramble each file on a victim's system.

That’s already quite a grown-up, if logical, way to attack a user’s PC, because it means that even with huge amounts of processing horsepower the symmetric key can’t be attacked: anyone trying to recover it will first have to get hold of the criminal’s private key.

Onion could have used RSA or Diffie-Hellman for the public key encryption part of its nastiness, but the criminals behind it decided to showboat a bit and use the more advanced Elliptic Curve Diffie-Hellman (ECDH) instead. The significance of this? Kaspersky’s blog on the topic dodges that, but the overriding reason must have something to do with the key efficiency of elliptic curve cryptography.

Securing a 128-bit AES key using RSA would ideally require a 3,072-bit key; doing the same using ECDH drops that to 256 bits. Put another way, the same level of security can be reached with fewer cycles. The temptation for anyone exploiting this aspect of ECDH would be, one assumes, to ramp up the key sizes to boost security even further.

Or it could be that the criminals are testing their smarts for a new generation of crypto malware that will up the ante to silly levels far beyond law enforcement. That suggests a wider interest beyond conning consumers and small businesses out of a heap of Bitcoins, the currency demanded by Onion.

To make matters worse, the designers of Onion repeated this ECDH design when encrypting the traffic to and from their server, which itself is hosted inside Tor. Using Tor to cover C&C is not new for botnets, although none of the common ransom Trojans had tried this approach until Onion appeared.

There are pros and cons to this. Tor should in theory slow down the to and fro of traffic, but it also buys some time. Researchers will take a lot longer to trace C&C servers if they are hidden within Tor, and for the criminals that is worth a lot for a business built on milking victims in days and weeks rather than months.

“Now it seems that Tor has become a proven means of communication and is being utilised by other types of malware,” said Sinitsyn, who believed that its use had proved successful.

“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,” he added.

“All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.”

So far, the Trojan seems to have been picked up at a relatively early part of its release, so it is not invulnerable. The number of infected systems, spread across a handful of countries, numbered only a few dozen, the firm said, although different variants probably also existed.

Ransom and encryption-based malware is going through a boom right now, spurred on by the toxic legacy of CryptoLocker’s success. When that was disrupted in June, police said that it might return in time. A more disturbing possibility is that it won’t return at all but a clutch of skilled imitators will.  



Russian government offers money for identifying Tor users

The Russian Ministry of Interior is willing to pay 3.9 million roubles, or around US$111,000, for a method to identify users on the Tor network.

The Tor software anonymizes Internet traffic by encrypting it and passing it through several random relays in order to prevent potential network eavesdroppers from identifying the traffic's source and destination. The software was originally developed as a project of the U.S. Naval Research Laboratory, but is now being maintained by a nonprofit organization called The Tor Project.

The Tor network is popular with journalists, political activists and privacy-conscious users in general, but has also been used by pedophiles and other criminals to hide their tracks from law enforcement.

The Scientific Production Association for Special-Purpose Equipment and Communications of the Russian Interior Ministry is offering a contract for researching methods of obtaining technical information about users and user equipment on the Tor anonymous network, according to an entry on the Russian government's procurement portal.

It's not clear what Tor de-anonymization would be used for, but the fact that the tender comes from the Russian Ministry of Interior suggests that it could serve law enforcement investigations.

The FBI and police agencies in other countries have shut down illegal websites hosted on the Tor network in the past and even identified some of their owners and visitors. However, in most cases they exploited vulnerabilities in those sites or followed up on digital footprints left online by their administrators.

According to media reports last year based on secret documents leaked by former U.S. National Security Agency contractor Edward Snowden, the NSA and the U.K.'s Government Communications Headquarters had some success in de-anonymizing limited numbers of Tor users. However, they exploited vulnerabilities in the Firefox-based Tor Browser, not the Tor protocol itself, or attempted to use tracking cookies that persisted after Tor sessions were closed.

This doesn't mean that there are no weaknesses in Tor that could allow third parties to unmask users. Two researchers from Carnegie Mellon University's Computer Emergency Response Team (CERT) were planning to reveal a weakness next month at the Black Hat security conference that could allow an attacker with a $3,000 budget to de-anonymize hundreds of thousands of Tor clients.

The presentation was canceled at the university's request because the information had not been approved for public release, but the weakness appears to be real. The Tor developers believe they've identified the issue and are working on a fix.

Given that reliable methods of identifying Tor users are extremely rare -- as far as what is publicly known -- and highly sought after, such a weakness would probably be worth much more than the $111,000 offered by the Russian Interior Ministry. A zero-day -- previously unknown -- remote code execution exploit for Apple's iOS mobile OS can reportedly fetch up to $500,000 on the grey market and such exploits are probably more common.

"Anyone up for making a proposal for it, getting the money and then donating it back to Tor Project to fix the exact idea you raised with the money they just given you? That'd be a laugh!" one user wrote on the official Tor-Talk mailing list.



Sunday, July 27, 2014

Tube to start accepting contactless payment cards

London Underground will start accepting contactless payments across its network from 16 September, Transport for London (TfL) announced today.

London Overground, the DLR (Docklands Light Railway), and tram networks will also support the new payment method.

The move comes after London buses rolled out contactless payment technology across its network in December 2012.

Contactless payments – credit, debit, charge or pre-paid cards or devices – work in the same way as TfL’s Oyster card, charging the pay-as-you-go fare by touching in and out on the readers at the start and end of every journey.

All major UK banks issue contactless payment cards as standard now, meaning Oyster card holders could return their Oyster in return for the £5 deposit if they wanted to rely purely on their bank card.

Those wishing to take advantage of the possible savings offered by season passes and concessionary fares will need to keep their Oyster card, TfL said. 

The travel body added that it will cap daily usage spending on bank cards in the same way that it does for the Oyster card.

In addition to daily capping, a new Monday to Sunday cap will also apply for customers using the contactless payment option. TfL claimed the weekly cap will automatically calculate the best value contactless fare over the course of the week.

Only one charge per day will be sent to the bank or financial provider for payment - clearly referencing it as a payment to TfL for travel.

The rollout follows a trial across London Underground and the capital’s rail network, which involved 3,000 customers and has been successful, according to TfL.

Mobile operators, such as EE with its Cash on Tap app and payment system, will also have means to pay through an NFC capable smartphone.

EE's Cash on Tap for Android, announced today, allows customers to add money into a digital wallet and pay for items using their phones, including TfL services come 16 September.

Shashi Verma, TfL’s director of customer experience, said: “Offering the option of contactless payments will make it easier and more convenient for customers to pay for their travel, freeing them of the need to top up Oyster credit and helping them get on board without delay.”



The Pirate Bay makes searching for torrents easier on mobile devices

The Pirate Bay launched a mobile site on Thursday to make it easier to navigate the search engine for torrent files on mobile devices.

Called The Mobile Bay, the mobile version of the site features bigger buttons and renders better on mobile devices than the desktop version of the site did before.

The mobile version though offers fewer options than the regular version, apparently to save some space. The links to TV shows and Music that are shown prominently on the site's regular home page are removed in the mobile version, while some other links are also cut from the already rather minimalist home page.

The mobile version also omits a large ad that is often present on the regular home page. On the rest of the site ads are still present though they seem to be somewhat less abundant than on the desktop version.

The site's operators built the mobile version because the main site renders poorly on mobile devices, The Pirate Bay team told Torrent Freak. Before, mobile users were shown a tiny version of the normal home page.

Where other sites are opting for "responsive" technologies that adapt web page layouts to the size and capabilities of the target device, The Pirate Bay is letting -- or forcing -- users to choose which version they want. Visits to thepiratebay.se are not automatically redirected to the mobile site on iOS and Android devices.

In the future, The Pirate Bay also plans to release a series of niche sites that will give the TV, music and movies section their own dedicated sites, Torrent Freak reported. The site is also working on a project called RSSbay, which can be used to generate personalized torrent RSS feeds that can be used to launch torrent downloads remotely, the report said.

There are other advantages to maintaining different domains for these services: The Pirate Bay also aims to make itself more resilient to possible legal action blocking access to a domain. If one gets taken down, there will be others left, The Pirate Bay told Torrent Freak.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com



Thousands of sites compromised through WordPress plug-in vulnerability

A critical vulnerability found recently in a popular newsletter plug-in for WordPress is actively being targeted by hackers and was used to compromise an estimated 50,000 sites so far.

The security flaw is located in MailPoet Newsletters, previously known as wysija-newsletters, and was fixed in version 2.6.7 of the plug-in released on July 1. If left unpatched, it allows attackers to upload arbitrary PHP files on the Web server and take control of the site.

MailPoet Newsletters has been downloaded almost 2 million times from the official WordPress plug-in repository to date.

Several days ago researchers from Web security firm Sucuri spotted an automated attack that injected a PHP backdoor file into many WordPress sites. A deeper analysis revealed that the attack exploited the MailPoet file upload vulnerability patched at the beginning of the month.

"The backdoor is very nasty and creates an admin user called 1001001," the Sucuri security researchers said Wednesday in a blog post. "It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making [it] very hard to recover without a good backup in place."

The Sucuri free website scanner, which people use voluntarily, detects a few thousand sites compromised by this attack every day, according to Daniel Cid, chief technology officer at Sucuri. However, Sucuri estimates that up to 50,000 sites were infected so far, he said Thursday via email.

Some sites that didn't have MailPoet installed or were not even using WordPress were also compromised, because of what Cid calls cross-contamination. If one Web hosting account has a WordPress site vulnerable to this attack, the PHP backdoor uploaded through it can infect all sites hosted under that same account.

"On most shared hosting companies -- GoDaddy, Bluehost, etc. -- one account can not access files from another account, so the cross-contamination would be restricted to sites within the same account," Cid said. However, in other cases, "if the server is not properly configured, which is not uncommon, then [the infection] can spread to all sites and accounts on the same server."

The injection script used in the initial attack had a bug that damaged legitimate site files, resulting in obvious errors. That's no longer the case, as attackers fixed their code and the latest variation of the malware no longer breaks websites, Cid said.

In order to protect their WordPress websites from this attack, administrators should update the MailPoet plug-in to the latest version, which at this time is 2.6.9. Version 2.6.8 of the plug-in, released on July 4, addressed an additional security issue.
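Two of the checks a responder would run against a WordPress install after reading the above, as an added example that is not code from Sucuri or MailPoet: confirm the installed plugin version against the 2.6.7 fix and the 2.6.9 recommendation, and look for the `1001001` admin account the backdoor creates. It assumes the plugin's main file carries the standard WordPress `Version:` header and that the users table is reachable over a DB-API connection; the sqlite3 table and the plugin header below are constructed stand-ins so it runs offline.

```python
"""Post-incident triage for the MailPoet (wysija-newsletters) attack described
above. Added example, not Sucuri's or MailPoet's code. Assumes the plugin's
main PHP file has the standard WordPress 'Version:' header and that the user
table is queried over a DB-API connection (an in-memory sqlite3 stand-in
with constructed rows is used here so the script runs offline)."""
import re
import sqlite3
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

UPLOAD_FIX = (2, 6, 7)      # release that fixed the arbitrary PHP upload (July 1)
RECOMMENDED = (2, 6, 9)     # latest release cited in the article
BACKDOOR_ADMIN = "1001001"  # admin account the injected backdoor creates


def parse_plugin_version(header_text: str) -> Optional[Version]:
    """Pull the 'Version:' header from a WordPress plugin's main PHP file.

    The version is returned as a tuple of ints so comparisons are numeric;
    a plain string compare would wrongly rank '2.6.10' below '2.6.9'.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_upload_vulnerable(version: Version) -> bool:
    """True if the installed plugin still carries the file-upload flaw."""
    return version < UPLOAD_FIX


def needs_update(version: Version) -> bool:
    """True if the plugin is older than the version the article recommends."""
    return version < RECOMMENDED


def find_backdoor_admins(conn: sqlite3.Connection,
                         table_prefix: str = "wp_") -> List[str]:
    """Return logins in <prefix>users that match the backdoor's admin name.

    The table prefix is configurable in wp-config.php, so it is a parameter;
    it is validated because it cannot be bound as a SQL placeholder.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", table_prefix):
        raise ValueError("unexpected table prefix")
    cur = conn.execute(
        f"SELECT user_login FROM {table_prefix}users WHERE user_login = ?",
        (BACKDOOR_ADMIN,),
    )
    return [row[0] for row in cur.fetchall()]


# --- constructed sample data, not taken from any real site ---
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: MailPoet Newsletters
Version: 2.6.5
*/
"""


def build_sample_db() -> sqlite3.Connection:
    """Tiny stand-in for wp_users with one constructed backdoor row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
                 "user_login TEXT, user_registered TEXT)")
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_registered) VALUES (?, ?)",
        [("editor", "2013-02-01 10:00:00"), ("1001001", "2014-07-22 03:14:07")],
    )
    return conn


def triage(header_text: str, conn: sqlite3.Connection) -> dict:
    """Combine both checks into one report a responder can act on."""
    version = parse_plugin_version(header_text)
    return {
        "version": version,
        "upload_vulnerable": version is not None and is_upload_vulnerable(version),
        "needs_update": version is not None and needs_update(version),
        "backdoor_admins": find_backdoor_admins(conn),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PLUGIN_HEADER, build_sample_db()))
```

A clean version check is not proof of a clean site: the cross-contamination Cid describes means the backdoor can arrive through another site on the same account, so the user-table check is worth running on every WordPress install sharing that hosting space.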



State Department computer crash slows visa, passport applications worldwide

The U.S. State Department's main computer system for processing passport and visa applications crashed earlier this week leading to global delays for travel documents.

The problems first surfaced after "routine maintenance" on the consular database, said Marie Harf, a State Department spokeswoman, during a televised briefing Thursday. Harf said the system has been brought back online, but it's still not back to full capacity.

"We are working urgently to correct the problem and expect our system to be fully operational soon," she said.

Because the problems occurred after maintenance work, Harf said the U.S. government doesn't believe the problems are the result of any malicious action, although she acknowledged the department hasn't identified the root cause of the problem.

"This is worldwide, it's not specific to any particular country," she said.

The State Department describes the consular database as "one of the largest Oracle-based data warehouses in the world."

"As of December 2009, it contains over 100 million visa cases and 75 million photographs, utilizing billions of rows of data, and has a current growth rate of approximately 35,000 visa cases every day," according to a document describing the database.

The database provides almost real-time access to all consular activity worldwide and related activity in the U.S.

"There is a backlog, we are working through it so we ask people to be patient," Harf said.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com



Government pulls £50 million Silicon Roundabout regeneration fund

The Prime Minister’s office has pulled the £50 million that was due to be spent on the regeneration of Old Street’s Silicon Roundabout in East London.

No. 10 told Techworld in March that the government was holding the money until City Hall submitted appropriate regeneration plans, but a spokesperson has revealed that the £50 million has been taken off the table.

“Given that a permanent solution for the roundabout will be technically difficult and some way off, that money has gone back into general expenditure,” he said.

Another spokesperson at No. 10 added: "It is normal practice for any money that hasn’t been spent to return to the Treasury to help reduce the deficit."

The funding was going to be used by City Hall and Tech City UK to give “Silicon Roundabout” a much-needed makeover so that it could act as the poster-child for London's vibrant tech sector. As part of the investment, the government pledged to build a hi-tech institute on the site of Old Street roundabout.

Speaking at the time of the announcement, Cameron said: "We're investing in creating the largest civic space in Europe - a place for start-up companies and the local community to come together and become the next generation of entrepreneurs."

The new building, which was set to include a 400-seater auditorium with boardrooms, labs and workspaces, and high-speed T4 broadband, was going to be used to help thousands of students develop their programming and business skills. It was also going to host 3D printing services for visiting start-ups and other members of the wider community.

The government said the centre would support around 200 start-ups per year, help 1,000 young people find skilled employment and host two major international conferences for the creative and tech industries each year.

At the time of the announcement, Mayor of London Boris Johnson said the civic space would provide a "vital resource to nurture upcoming technology and creative superstars from around the world, while driving huge investment into the capital and helping to create thousands of jobs."

While many of the redevelopment plans initially outlined by David Cameron are now unlikely to come to fruition, a number of improvements are scheduled to go ahead. For example, Transport for London is set to begin work on environmental improvements including landscaping of the Old Street roundabout and improvements to the subway and station.



Bose sues Beats over headphone patents

Headphone maker Bose has launched a patent-infringement lawsuit against rival Beats Electronics, which Apple recently agreed to acquire in a US$3 billion deal.

In its complaint, Bose alleges that the "active noise cancellation" system in Beats Studio and Studio Wireless headphones infringes on five of its patents that relate to digital audio processing, compression and noise cancellation technology.

They are U.S. patents 6,717,537; 8,073,150; 8,073,151; 8,054,992; and 8,345,888.

In addition to the suit, which was filed in Delaware, the company also lodged a complaint with the U.S. International Trade Commission asking the trade court to ban Beats from importing the headphones into the U.S.

Companies are increasingly filing lawsuits with the ITC in addition to the domestic court system in the hopes an import injunction will provide extra leverage when it comes to negotiations over alleged infringement.

The lawsuit comes just under two months after the Apple deal was announced. The acquisition is expected to close by the end of September, and it's unknown if the lawsuit could change that schedule or the acquisition price.

Apple and Beats did not immediately respond to requests for comment.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com



New guide aims to remove the drama of reporting software flaws

Handling a software flaw can be messy, both for a security researcher who found it and for the company it affects. But a new set of guidelines aims to make that interaction less mysterious and confrontational.

Large companies such as Facebook, Google and Yahoo have well-defined "responsible disclosure" policies that lay out what is expected of researchers if they find a vulnerability and, often, the terms under which a reward will be paid.

But many companies don't, which can lead to problems and confusion. Security researchers have occasionally been referred to law enforcement even when they have been up front about the issue with a company.

The guidelines were developed by Bugcrowd, which has a platform companies can use to have their applications analyzed by independent researchers in a safe way and in some cases, reward them. Bugcrowd worked on the framework with CipherLaw, a legal firm specializing in technology.

They've released a short and lucid document on GitHub describing how companies should approach setting up a responsible disclosure program, as well as a boilerplate disclosure policy that can be included on a company's website.

The framework "is designed to quickly and smoothly prepare your organization to work with the independent security researcher community while reducing the legal risks to researchers and companies," according to an introduction on GitHub.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk



Saturday, July 26, 2014

SEC drops probe into Facebook's pre-IPO sales disclosures

The U.S. Securities and Exchange Commission has dropped its investigation into disclosures about Facebook advertising sales before the company went public in 2012.

Facebook said Thursday in an SEC filing that it was notified by the agency in May that the inquiry had been terminated and no enforcement action was recommended.

The SEC launched its investigation over claims that Facebook shared lowered advertising-sales projections immediately before its initial public offering with some analysts, who then shared that information with a select group of investors without disclosing it to the wider public.

Dozens of lawsuits were filed against Facebook over the matter. Many of them, however, were dismissed last year by a federal judge, who ruled that Facebook made "extensive warnings" in its registration statement around the health of its business tied to mobile trends.

Facebook's mobile advertising business is now healthy and strong.

Morgan Stanley led the underwriting of Facebook's IPO. The bank did not immediately respond to a request for comment. Facebook declined to comment beyond the filing, and the SEC declined to comment.

The events surrounding Facebook's IPO are the subject of various state and federal inquiries. There were technical glitches too, which delayed trade notices and caused some trading firms to lose money due to mismatched shares.

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is zach_miners@idg.com



'Canvas fingerprinting' tracking is sneaky but easy to halt

A method for tracking users across the Internet called "canvas fingerprinting" is simple to stop, but average Internet users may not know how to do it.

A research paper concluded that code used for canvas fingerprinting had been in use earlier this year on roughly 5,000 popular websites, unknown to most of their visitors. Most, but not all, of the sites observed used a content-sharing widget from the company AddThis.

The researchers, from KU Leuven in Belgium and Princeton University, described how companies are looking for new ways to track users in order to deliver targeted advertising and move away from cookies, which can easily be deleted or blocked.

"The cookie is dead," wrote Rob Shavell, a cofounder of Abine, a company that develops privacy tools, via email. Advertising and data collection businesses need to show paying clients that their targeting is working, he wrote, but most users are unaware of the new ways in which they are being tracked.

Following media coverage, AddThis admitted it ran a five-month test using canvas fingerprinting within its widget but said the canvas fingerprinting code was disabled earlier this month. Acknowledging privacy concerns, the company said it would provide more information on such tracking tests before starting one.

It worked like this: when a browser loaded the AddThis widget, it received JavaScript that performed the canvas fingerprinting. The script used the HTML5 canvas API, a standard browser feature intended for games and other interactive content, which lets a page draw text and shapes and then read the rendered pixels back.

The script drew text and shapes into a canvas element that was never displayed, read the resulting pixels back and sent them (or a hash of them) to the AddThis server. Because the exact pixels depend on the machine's installed fonts, anti-aliasing, graphics hardware and driver, the result can serve as a "fingerprint" of the computer, useful for recognising it on a later visit and serving targeted advertisements.

But of several emerging tracking methods, canvas fingerprinting isn't the most powerful: on its own it is not very discriminating, and it can be blocked.

Canvas fingerprinting may work best on smaller websites with stable communities, wrote Wladimir Palant, creator of the AdBlock Plus browser extension, in a blog post. But it is less effective at a larger scale.

"As soon as you start talking about millions of users (e.g. if you want to track users across multiple websites) it is just too likely that different users will have exactly the same configuration and won't be distinguishable by means of canvas fingerprinting," he wrote.

Widgets such as AddThis can be blocked outright with tools such as AdBlock Plus or DoNotTrackMe from Abine, both browser extensions that can block web trackers.

DoNotTrackMe, for example, can spot a browser making a request to AddThis for content and block it, meaning AddThis couldn't transmit JavaScript for canvas fingerprinting, wrote Andrew Sudbury, CTO and cofounder of Abine, via email.

AdBlock Plus can also block these kinds of JavaScript requests, but not by default, wrote Ben Williams, public relations manager for AdBlock Plus, in an email.

The extension is intended to be used with a series of filters, or lists, that enable certain kinds of blocking. Williams wrote that a user would need to install the EasyPrivacy filter list. The AddThis widget would be blocked, along with any other JavaScript, he wrote.
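The read-back the article describes, and a hook-level complement to the network blocking it recommends, as an added example. This is not code from the Acar et al. paper, from AddThis, or from any extension named on this page; it is the pattern anti-fingerprinting extensions such as CanvasBlocker use from a content script: wrap `toDataURL()` and `getImageData()` on the canvas and context prototypes so every read-back is logged, refused, or given per-session noise. The function and class names (`installCanvasGuard`, `perturbPixels`, `readBack`, `FakeCanvas`, `FakeContext`), the `createCanvas` factory parameter, and the one-percent bit-flip rate are choices made for this example; the stand-in canvas is constructed here so the code runs under Node without a browser, and it does no real rendering.

```javascript
// Added example (not from the paper, AddThis or any extension): a guard
// that wraps the two canvas read-back methods a fingerprinting script
// relies on. Prototypes and a canvas factory are parameters so the same
// guard runs in a browser (HTMLCanvasElement.prototype,
// CanvasRenderingContext2D.prototype, document.createElement) or, as
// below, against a constructed stand-in that never renders anything.

// xorshift32 seeded once per session: noise is stable within a session
// but changes between sessions, so it cannot be matched to an earlier visit.
function makeRng(seed) {
  let s = (seed >>> 0) || 0x9e3779b9;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 0x100000000;
  };
}

// Flip the least significant bit of roughly 1 % of the RGBA bytes
// (example's chosen rate): invisible to a person, fatal to a tracker's hash.
function perturbPixels(data, seed) {
  const next = makeRng(seed);
  let flipped = 0;
  for (let i = 0; i < data.length; i++) {
    if (next() < 0.01) { data[i] ^= 1; flipped++; }
  }
  return flipped;
}

function installCanvasGuard(canvasProto, contextProto, createCanvas,
                            { mode = 'noise', seed } = {}) {   // mode: 'log' | 'block' | 'noise'
  const sessionSeed = seed ?? ((Math.random() * 0x7fffffff) >>> 0);
  const originals = { toDataURL: canvasProto.toDataURL,
                      getImageData: contextProto.getImageData };
  const log = [];                       // every read-back attempt, in order

  contextProto.getImageData = function (...args) {
    log.push('getImageData');
    if (mode === 'block') throw new Error('getImageData: canvas read-back blocked');
    const image = originals.getImageData.apply(this, args);
    if (mode === 'noise') perturbPixels(image.data, sessionSeed);
    return image;
  };

  canvasProto.toDataURL = function (...args) {
    log.push('toDataURL');
    if (mode === 'block') throw new Error('toDataURL: canvas read-back blocked');
    if (mode !== 'noise') return originals.toDataURL.apply(this, args);
    // Encode a noised copy so the page's own drawing stays untouched; the
    // same seed as getImageData keeps both read paths consistent.
    const image = originals.getImageData.call(
      this.getContext('2d'), 0, 0, this.width, this.height);
    perturbPixels(image.data, sessionSeed);
    const copy = createCanvas(this.width, this.height);
    copy.getContext('2d').putImageData(image, 0, 0);
    return originals.toDataURL.apply(copy, args);
  };

  return {
    log,
    uninstall() {
      canvasProto.toDataURL = originals.toDataURL;
      contextProto.getImageData = originals.getImageData;
    },
  };
}

// Constructed stand-in (assumption: no rendering, pixels start opaque white).
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: Uint8ClampedArray.from(this.canvas.pixels) };
  }
  putImageData(image) { this.canvas.pixels.set(image.data); }
}
class FakeCanvas {
  constructor(w, h) {
    this.width = w; this.height = h;
    this.pixels = new Uint8ClampedArray(w * h * 4).fill(255);
  }
  getContext() { return new FakeContext(this); }
  toDataURL() { return 'data:image/png;base64,' + Buffer.from(this.pixels).toString('base64'); }
}

// What a fingerprinting script sees under each policy.
function readBack(mode, seed) {
  const canvas = new FakeCanvas(64, 64);
  const clean = canvas.toDataURL();             // before the guard
  const guard = installCanvasGuard(FakeCanvas.prototype, FakeContext.prototype,
                                   (w, h) => new FakeCanvas(w, h), { mode, seed });
  try {
    const dataUrl = canvas.toDataURL();
    const pixels = canvas.getContext('2d').getImageData(0, 0, 64, 64).data;
    return { clean, dataUrl, pixels, error: null, calls: guard.log.slice() };
  } catch (err) {
    return { clean, dataUrl: null, pixels: null, error: err.message, calls: guard.log.slice() };
  } finally {
    guard.uninstall();
  }
}
```

`readBack('noise', 42)` returns a data URL that differs from the clean one but matches what `getImageData` hands back in the same session, while `readBack('block', 1)` fails at the first read and `readBack('log', 1)` returns the real pixels and a record of the calls. In a browser the same `installCanvasGuard` call would be given `HTMLCanvasElement.prototype`, `CanvasRenderingContext2D.prototype` and a factory built on `document.createElement('canvas')`, and it must run before any page script does (a content script at `document_start`). Two caveats a practitioner should keep in mind: a page can notice that the prototype methods are no longer native code, and a filter-list rule of the kind EasyPrivacy carries (for example `||addthis.com^$third-party`) stops the script from loading at all, which is simpler; the hook is for scripts that get through anyway.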

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk



Thursday, July 24, 2014

Thrifty, Yet Nifty

Photo: Maurizio Pesce/WIRED

Given the deep morass Nokia and Microsoft are currently slogging through—the blah earnings, the layoff plans, a still-small app store, general confusion—it’s refreshing to see that the mobile phone partnership is not all doom and gloom. The Lumia handsets are selling well and making waves in the mid-to-low-end smartphone market. Last year’s Lumia 520 in particular was a hit; Microsoft says over 12 million handsets were sold, and that success probably has very much to do with the phone’s sub-$150 price tag.

So here’s another Windows smartphone that should appeal to the same crowd looking for inexpensive options: the Nokia Lumia 635. It’s among the first handsets to launch with the latest update of Windows Phone 8.1 software out of the box, along with its close relatives, the 3G-only Lumia 630 and the also-3G but smaller and weaker Lumia 530. All three are inexpensive (approaching $150, depending on the carrier), but the Lumia 635 is the only 4G phone of the bunch. There’s also the 5-inch Lumia 935 coming soon, but that’s a high-end offering with a premium price tag. As the success of the Lumia 520 has shown us, these Lumias—the cheap Lumias—are the ones to watch.

This latest version of Microsoft’s mobile operating system adds many new capabilities to the Windows Phone platform, including a voice-powered assistant, better notifications, tighter integration of OneNote and Office, and some fitness-tracking features. Sure, all Lumia handsets will get the 8.1 update in time, but there’s no denying the draw of shiny, new hardware.

The Lumia 635 is one of the cheapest 4G-enabled handsets on the market.

Probably the biggest update is Cortana, the digital personal assistant that responds to voice commands. It’s named after the artificial intelligence character in Microsoft’s Halo videogame saga, and AI is a big part of the experience. Cortana brings you both information you explicitly ask for and other things you don’t. Just like Google Now, the cloud-powered service shows you things like driving directions and traffic updates, or helpful information for scheduling your commute. It keeps you updated on news, sports results and weather forecasts, and can automatically block calls, texts and notifications during quiet hours. Given a few simple voice commands, it can run web searches, set up reminders, and take notes. Cortana can even identify whatever music is playing, à la Shazam.

Also new to Windows Phone is the much-awaited drop-down notification panel. By swiping down from the top of the screen as you normally do on Android and iOS devices, you can now gain access to a panel with four customizable quick actions (Wi-Fi controls, screen brightness, a camera shortcut) and a link to general settings. It also shows notifications for recent texts, emails, missed calls, and app updates. Yet another new feature gives it a leg up in the fitness-tracking game: the handset’s accelerometer and location-reporting capabilities can be used for tracking your daily steps and gathering other motion data, such as distance traveled and calories burned. The Lumia 635's GPS can also record the route you run or pedal during your workouts. All of this, right out of the box.

Health-tracking features are built in. Photo: Maurizio Pesce/WIRED

Even with these new improvements and attractive, colorful case options, the biggest selling point of the Lumia 635 is likely to be its price. It’s available on AT&T and MetroPCS for between $99 and $130, depending on which rebates and special offers you can get. On T-Mobile, where you pay for devices over time, it’s $168. This makes the Lumia 635 one of the cheapest 4G-enabled handsets on the market, along with the Android-based Motorola Moto G.

Specs are modest, but decent enough to satisfy anyone seeking LTE on a budget. The Gorilla Glass 3 display is a 4.5-inch LCD panel with 854×480 pixels resolution. This means you get an unimpressive 218-ppi pixel density. Text and social networking feel just fine, though you could find it somewhat disappointing when looking at high-resolution pictures or videos. Moreover, Windows Phone 8.1 adds the Back, Home and Search virtual buttons onto the screen, further reducing its usable area and making it feel closer to a 4-inch screen.

Packed inside, you’ll find a quad-core 1.2GHz Qualcomm Snapdragon 400 processor, 8GB of storage (expandable up to 128GB via microSD), and 512MB of RAM. All this is just enough to keep the phone responsive, even while multitasking. 4G networking is the only feature that slows the performance and drains the battery, as the LTE radio is very demanding: it took six hours to go from fully charged to completely dead while streaming over 4G. Otherwise, the 1830mAh battery lasts all day.

Hi, Cortana. Photo: Maurizio Pesce/WIRED

The 5-megapixel camera on the back is not even close to the outstanding shooters on the best Nokia phones like the Lumia 925 and 1020. However, it’s exactly what you’d expect on a cheap phone. It’s decent outdoors, but has problems handling low-light scenes. There are built-in manual controls for white balance, sensitivity, brightness, focus, and shutter speed, but playing around with those settings may keep you from capturing the right moments. Oddly, there’s no dedicated camera button for quick snaps. And also: no front camera, which means no selfies and no Skype calls.

On top of Windows Phone 8.1, Nokia has included its own apps like Here Maps, Drive (with offline navigation), and Transit. You also get a bunch of dedicated imaging applications: Glam Me lets you add creative filters to your shots, while Nokia Camera has a simplified interface and grants direct access to Creative Studio editing tools. For music lovers, the Lumia 635 also features MixRadio and an FM radio.

So it’s a very basic phone that meets almost all the requirements of a modern smartphone user (reminder: NO front-facing camera). But the 635's 4G capabilities and its low price make it something more than just another satisfactory phone. They make it a good buy.



Augmented Retaility

If a physical Amazon Store existed, it’d be a Barnes & Noble grafted onto a Best Buy bolted onto a Costco attached to a Wal-Mart soldered to a Sharper Image duct-taped to a Sports Authority glued to whatever store sells a tub filled with 1,500 live ladybugs. It would be bigger than the Mall of America.

Instead of building that store, Amazon has created the Fire Phone (aka AMAFON), which is only available on AT&T and costs $200 with a two-year contract. In the world of AMAFON, everything around you exists to be bought on Amazon. Just point the phone at something that you want to buy, and the phone will do its best to find it in Amazon’s store and dump it into your always-eager virtual shopping cart. The Fire phone essentially decentralizes the entire concept of a retail store. If you’ve ever wondered if Amazon has been planning a brick-and-mortar strategy, well, this is it.

The key is the phone’s marquee app: Firefly, an everything-scanner. You launch Firefly, point the phone’s camera or microphone at something, and wait a couple of seconds. When it works—you’ll know it has when a bunch of digital fireflies swarm the object on screen—a pop-up notification appears. If the item is available on Amazon, tapping that notification lets you buy the object ASAP and get it delivered to your house within two days. If you’re more patient than that, you can simply add the item to your cart or a wishlist.

Firefly does incredibly well at identifying book covers with its camera. It’s also very good at recognizing product packages. A jar of Gulden’s spicy brown mustard and a bottle of Tabasco sauce were immediate hits, even when I just held them up and pointed the phone at the front label. It can scan phone numbers, URLs from business cards and signs, QR codes, and bar codes. Point Firefly at a phone number or a link, and it prompts you to call or text the number, save it to your contact list, or visit the URL. When you successfully scan an item, it’s added to a queue in the Firefly app you can revisit later.

The music, movie, and TV-scanning features are excellent as well. In music mode, it provides a link to download recognized songs via Amazon Music or buy the CD or vinyl. You can also scan the audio of a TV show, which brings up the series, episode number, the time code, and the actors appearing in that scene. In the Firefly queue, you get a link to the IMDb entry for that show and, of course, the ability to buy it on Amazon Video or on Blu-ray. Impressively, it can also work for live TV shows (albeit with less info about the program) and during commercial breaks. While scanning the audio for a live baseball game and a live soccer game, Firefly correctly identified the programs as “MLB Baseball” and “Futbol Mexicano Primera Division,” but without team information. It offered to search the Web.

If you’ve ever wondered if Amazon has been planning a brick-and-mortar strategy, well, this is it.

Firefly did have trouble recognizing handwritten notes, no matter how neatly written. It also doesn’t get phone numbers right all of the time, so you’ll need to make sure to correct them if you add them to your contacts. Identifying foreign-language dubs of movies was also a weak spot. The Spanish-dubbed version of Snakes on a Plane (¡Serpentes en un Avión!) baffled Firefly.

Photo: Ariel Zambelich/WIRED

Most of my Firefly scanning was done at home, but I decided to put it to the test by bringing the phone to Best Buy, scanning a bunch of random stuff, and seeing what the savings would be on Amazon. I found that Firefly had trouble when game boxes, CDs, and Blu-ray discs were in those plastic security containers, or when their covers were obscured by stickers and price tags. Of the ten items I tried to scan in the store—TVs, stereo equipment, games, movies, music, and networking gear—only three were identified by Firefly, and those required scanning the bar codes. Once I manually searched for the non-Firefly-identified items, Amazon’s price was lower for every item. I’d have saved nearly $61 if I’d bought everything on Amazon. That was only about 1 percent savings on the total scan-fest ($4,825 vs. $4,764), but Amazon did have significantly lower prices on all the CDs, DVDs, and Blu-rays I checked.

Surprisingly, I didn’t get any strange looks or comments from the Best Buy employees while I was performing my scan-fest. They must have thought I was super-into taking photos of product boxes.

But it’s unfair to peg this phone solely as a device for buying a bunch of shit on Amazon. Even if it’s largely designed for buying things, it doesn’t force you to. At its core, it’s a decent smartphone with a few unique features, some shortcomings, and major deal-sweeteners. Like Amazon’s Kindle Fire HDX tablets, the Fire Phone has “Mayday,” a video-chat help service that provides 24/7 assistance. But here’s the big perk: You get a free year’s worth of Amazon Prime—movie streaming, music streaming, some free Kindle books, and two-day shipping—and $10 worth of free apps just for buying it. If you already pay for Prime, Amazon tacks on a free year after your paid subscription expires. That’s a good deal. In fact, it’s one of the best things about this phone.

One of the other unique features on the Fire Phone is “Dynamic Perspective.” Inside certain apps, this visual trick is applied to give onscreen objects a sense of depth and a 3-D look; you can “peer around” onscreen objects and peek around corners in some games without touching the screen. The Fire Phone’s menu icons, lock screens, maps, and a few games support these tricks. To do this, it uses four cameras on the front of the phone to track the position of your face relative to the screen. Tilting the phone has the same effect, and I found myself doing that instead of moving my head. It’s a gimmick now, but there is potential for future games to make better use of Dynamic Perspective’s sorcery. I wasn’t feeling the magic with the launch offerings, but some of the lock screens are pretty cool. You can turn all the effects off in the “Configure Low Motion Settings” menu.

There are gesture controls in the mix that are more useful, designed to make the phone easier to use with one hand without touching the screen. With a quick flip to the left or right, the phone displays context-sensitive menus depending on the app you’re in; the best use of it is in email, where a right-flip lists all the attachments in your inbox or shows a message thread. You can also tilt the phone slightly to surface information in some apps and the home screen: Remaining battery life, star ratings for apps and music, that sort of thing. In fact, the slight tilt is the only way to see the battery life indicator or the connection bars at all, which is odd.

Photo: Ariel Zambelich/WIRED

Its 13-megapixel camera, which has an F2.0 aperture and optical stabilization, is among the best smartphone cameras I’ve used. It excels in low light, its HDR mode is excellent, and its lens captures shallow depth of field. There’s also a “Lenticular” setting that lets you shoot a sequence of photos, and the phone creates an animated GIF out of them. You also get free cloud storage and backup for all photos shot with the phone. Those are great features. Less great is the camera’s minimum focus distance; you’ll need to be at least half a foot away from your subject for the AF system to work. It’s better for landscape shots than it is for extreme close-ups, and the shutter isn’t as fast to fire as it is on the iPhone 5s.

Like the company’s tablets, the Fire Phone runs the Fire OS operating system, which is a heavily customized version of Android. That means it has its own app ecosystem that isn’t as robust as those of iOS or Android. You download everything from the Amazon Appstore, which means you’re missing some of the big titles in the Google Play Store: Google Maps, YouTube, Google Now, and Google Drive, for example. Still, there are 185,000 compatible apps available in Amazon’s own store, and Instagram and Uber were just added to the mix.

No Google Maps means you’ll have to download MapQuest or use the phone’s built-in Maps app, which is solid. It has spoken turn-by-turn directions and public-transportation information, although the latter requires a tap to see the trains or buses that stop at each station. Dynamic Perspective effects are also enabled in the Maps app, with 3D landmarks that appear to pop out of the screen.

The phone’s case is not impressive. It’s just a cheap, black rectangle with an Amazon logo on the back. True to its name, the Fire Phone gets hot. When the battery dipped below 30 percent or I used Firefly a lot, the back of the phone heated up. Also, its side buttons—volume controls and a button to launch the camera (or with a long press, Firefly)—are too close together and similarly shaped. Different textures or shapes for each one would have helped operate the phone by feel.

The included earbuds are more ambitious. They attach together magnetically at the butt end to prevent tangling, and the scheme actually works. The earphones themselves are similar to Apple’s “EarPods” in terms of design and build materials. They sound surprisingly good, but they’re also slick plastic and are less comfortable than rubber-tipped earbuds. The phone’s built-in speakers, on the other hand, were a bit of a disappointment. There are two on the bottom and one on the top, and they get very loud. But describing them as “tinny” is an understatement. They sound like something that comes out of a clock radio.

You can make (and take) calls with the Amazon Fire Phone. Photo: Ariel Zambelich/WIRED

AMAFON runs on a 2.2GHz Qualcomm Snapdragon 800 CPU with 2GB RAM—not the latest components, but plenty fast and fluid. Its 4.7-inch, 1,280 x 720 screen also won’t win any spec battles, but its 315 pixels per inch display looks sharp. Its battery life will get you through the day, but that’s about it. With heavy use, it got me around 8 to 10 hours per charge. For some reason, it does not do Bluetooth 4.0 LE, which is something to keep in mind if you were planning to use it with a fitness tracker. It does support Bluetooth 3.0, however.

As with all Amazon hardware, the Fire Phone is a conduit. That’s not a surprise. What is surprising is the cost: Amazon normally keeps prices low to woo consumers into its ecosystem, and this phone is less of a technological statement than other phones that cost $200 with a two-year contract.

You buy iPhones for the ease-of-use, the app ecosystem, and the design language. You buy Android phones for the freedom of choice and the tinkerability. You’d buy this phone for the free Amazon Prime and a quick fix for shoppin’ fever. It’s not a bad phone, it just isn’t in the same league as a top-tier Android phone or iPhone. When you look past its purchasing powers and its fringe benefits—which can’t be ignored—what you have left is a relatively unexciting handset.



Wednesday, July 23, 2014

Moisture Minder

Each of Wally’s wireless sensors is about the size of a bar of soap. You get six of them in the kit. Image: SNUPI Technologies, Inc.

Homeowners have a lot to worry about. Water—whether it’s a flooded basement, an overflowing toilet, leaky pipes, or the mold and mildew that can follow such mishaps—seems to be an ever-present part of these anxieties.

A new product called Wally promises to help mitigate at least some of those fears. Wally is a sensor network you install yourself. It can detect water leaks, small changes in moisture, and temperature fluctuations anywhere in the immediate vicinity of one of its sensors. It’s supposed to give you a heads-up about everything moisture-related, from the severe (water emergencies) to the slow creep (mold build-up on floors, on walls, and in rooms where dampness lays dormant).

The sensors use your web browser as a central monitoring station, but there are also free iOS and Android apps that you can use to set up and manage your sensors. The kit comes with six individual sensors. Each one looks like a lump of soap, and there are small perforations near the bottom where moisture levels and temperature changes are measured. You don’t plug the sensors in. They run on ten-year batteries—like the kind in your wristwatch—so you set each one down in a spot you want to monitor.

A hub connects to your Wi-Fi router, but is only used to communicate with the Internet and your mobile devices. The sensors themselves stay connected by talking to each other over the copper wiring in your walls. They transmit and receive signals wirelessly, basically treating the copper in your home like a giant antenna. During setup, you simply press a button on each sensor and it connects to the other sensors in your home.

I placed a sensor by the toilet in my bathroom, another under my kitchen sink, and a third near my sump pump in the basement. I also identified a few places in the home where mold has been a problem. In the web-based admin, I labeled the location of each sensor (“Bathroom,” “Kitchen”), then entered my e-mail address and phone number so I could get the alerts. The WallyHome interface on the web is clear and helpful, and the entire install process took less than 15 minutes. It’s amazingly simple, and the instructional materials in the packaging make it perfectly clear about what you are supposed to do.

Wally’s iOS app. Image: SNUPI Technologies, Inc.

Finally, I installed the Wally app on my iPhone 5s, which showed all of my sensor locations and the status of each unit.

Then, I started pouring cups of water on the floor. Not directly on the sensors, but near them. Within about five minutes, a text message popped up that the bathroom sensor had detected moisture. Another alert showed up a few seconds later for the kitchen sink. I poured water on a napkin on a plate, then slid the wet mess under the sensor on the floor of the laundry room. I got an alert within a few minutes. All of the alerts appeared with no problems when I did these controlled tests. I was impressed.

Once, an alert told me the connection to my sump pump sensor had failed. I trekked downstairs, hit the button again on the sensor, and it reconnected. There were no other problems. The sensors are supposed to last ten years on the included batteries, and seem durable enough.

Connected-home devices are still rather new, and there are few standards, so devices can’t easily talk to each other yet. Furthermore, most of the moisture-alert devices are too expensive for households on a budget. I’ve also tested the Vivint Flood and Freeze Sensor, which installs next to your sump pump and detects water build-up. That sensor costs $120 but requires pro install, and the Vivint service costs about $50 per month. Another product called the WaterCop goes a step further: the sensor can send a wireless signal to a valve controller that shuts off the main water line. The cheapest version (as in, the one that fits the smallest pipe) costs a little under $400; that price includes only one sensor.

But Wally is within reach of most homeowners. A relatively modest $300 gets you the kit with six sensors, and you can buy more for $35 each. There are no monthly charges, plus you get free tech support and install it yourself. Even compared to a packaged connected home system like Vivint, it’s well worth the expense if it saves you from a flood, the dangers of mold, or a leak in the biffy.

The company behind Wally claims to be working on new machine-learning tech that could sense temperature changes, humidity trends, and other factors that could help with home maintenance and could be used for early mold detection. Eventually, it plans to release more products that tap into the same central hub and apps, all communicating over copper wiring. Your walls, talkin’ to ya. Imagine that.

