Archive for PEBKAC

You do not know this number

And even if you did, you would be wise not to say so:

There are ways to get in trouble with the law for just about everything: smoking weed, theft, horse theft, stealing a horse and teaching it to smoke weed, and even shouting “fire” in a crowded not-on-fire stable full of stoned horses. But numbers are pure and theoretical and definitely exempt from legal action, right?

Wrong, buddo. And the reason is that in the digital age, huge prime numbers are really, really important for encryption, as pointed out by YouTuber Wendoverproductions. So important, in fact, that having or sharing some of them could get you prosecuted under the Digital Millennium Copyright Act, which prohibits people from subverting copyright-prevention measures.

Please note how many of our Presidential candidates have declared themselves in opposition to DMCA, and then read on:

Back when people still bought DVDs, those discs were encrypted with a content scrambling system to keep people from ripping and burning them. Software to copy DVDs started circulating soon after the DMCA passed, and movie studios sued those distributing the software not long after that — and won. The court issued an injunction, and thereafter linking to or representing the decryption software was considered a breach of DMCA. People made shirts or poems that represented the software in protest. The silliest part? Phil Carmody discovered a 1,401-digit prime number — no, we’re not going to post it — that (with the right know-how) was executable as the very same illegal software — hence, an illegal prime number.

Not to worry. You do not know this number. (But it starts with 8.)

(Via Jennifer Ouellette.)

Comments (4)




There’s a Start button here somewhere

Presenting the Apple Watch running, um, Windows 95:

The chap who did it explains one of the pitfalls:

Apple’s WatchKit SDK wasn’t good enough, since it doesn’t allow you to access user touch locations directly — it only lets you use Apple’s stock controls. Long story short, it’s possible to patch certain files within a WatchKit app to load your own application code rather than Apple’s.

And there is this minor detail:

Due to the fact that it is emulated (not virtualized), it takes about an hour to boot.

This is about twice as long as it took for an old Win95 box of mine to boot after its Cyrix 5×86 CPU melted down. Of course, the miraculous thing is that it would boot at all.

(Via The Verge.)

Comments (1)




Security on the cheap

Too often, it turns out to be no security at all:

Rudimentary security procedures at Bangladesh Bank are being blamed for the massive online banking heist that saw the country’s central bank lose $80 million in unauthorised wire transfers.

In early February hackers tried to transfer around $1 billion from Bangladesh Bank’s account with the NY Fed, successfully stealing more than $80 million.

According to a report from Reuters, police investigating the attack say the central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 routers to network computers connected to the Swift payment network.

Swift was apparently appalled, albeit after the fact:

A spokesman for Bangladesh Bank said Swift officials told the bank to upgrade the switches only when their system engineers from Malaysia visited after the heist.

It isn’t ransomware, technically, but the effect is pretty much the same.

(Via @SwiftOnSecurity [no relation].)

Comments




Sort of like Defrag

About every third time I boot up the tablet — if you’ve just arrived here, it’s the bottom-of-the-line Amazon Fire boxlet, a fifty-buck stripper of a machine — it spits out a message: “Optimizing system storage and applications.” This will take, the screen warns, approximately 10 minutes.

Now the longest it’s taken in the four months I’ve had the device is about 20 seconds. I assume that this operation is comparatively quick because it has relatively little to do: even with the standard complement of bloatware, about a third of the 8 GB factory-installed storage remains empty, and a 64 GB microSD card awaits when necessary. So I’m wondering if this so-called “optimization” is a cover for something else, like downloading more ads. (After periods of idleness, the screen blanks, and when you bring it back, there’s an offer to sell you something; you can decline these polite little intrusions, of course, by sending Amazon some money. You don’t get smooth and seamless for fifty bucks.) It’s certainly consistent with the machine’s simulated panic when it can’t find WiFi.

Comments (1)




Slower time

Apple’s QuickTime was an early acquisition when I clambered aboard the great ship Windows: it was necessary to play clips in the .mov format, and iTunes wouldn’t run on Wintel boxes (or their AMD cousins) without it. In fact, I ponied up $29.95 for the Pro version, which is now for all intents and purposes, or for Apple’s intents and purposes anyway, dead in the water:

Apple has announced that they’re no longer supporting QuickTime on the Windows platform. That means there won’t be any new updates coming, which is especially bad news since two fresh QuickTime vulnerabilities have just been discovered.

Trend Micro published details of the vulnerabilities in a pair of security alerts this week, ZDI-16-241 and ZDI-16-242. They actually reported them both to Apple all the way back in November. By the end of February, Trend still hadn’t gotten much more back from Apple than a read receipt for their original report.

In March, Trend checked in again and Apple responded by inviting them to a conference call. That’s when they announced that QuickTime for Windows was being deprecated. Two weeks after the call, Trend pinged Apple one more time to say they’d be publishing the vulnerability. Apple responded by saying “go for it,” and pointing them toward this handy article that helps Windows users uninstall QuickTime.

Curiously, Apple seems to be recommending that those hardy few of us with QT Pro registration keys hold on to them, for whatever reason. Or maybe that’s just something they haven’t edited out yet.

Comments




The root to serfdom

Quite reasonably, we fear computer attacks from without. But the worst ones, sometimes, come from within:

A man appears to have deleted his entire company with one mistaken piece of code.

By accidentally telling his computer to delete everything in his servers, hosting provider Marco Marsala has seemingly removed all trace of his company and the websites that he looks after for his customers.

Mr Marsala wrote on a forum for server experts called Server Fault that he was now stuck after having accidentally run destructive code on his own computers. But far from advising them how to fix it, most experts informed him that he had just accidentally deleted the data of his company and its clients, and in so doing had probably destroyed his entire company with just one line of code.

That’s one heavy line of code. This is it:

The problem command was “rm -rf”: a basic piece of code that will delete everything it is told to. The “rm” tells the computer to remove; the r deletes everything within a given directory; and the f stands for “force”, telling the computer to ignore the usual warnings that come when deleting files.

Together, the code deleted everything on the computer, including Mr Marsala’s customers’ websites, he wrote. Mr Marsala runs a web hosting company, which looks after the servers and internet connections on which the files for websites are stored.

Oops.

I once deleted 9,000 or so files, and it was pretty scary to watch them dissolve. Then again, I started in a subdirectory down low enough to ensure that the important stuff would remain untouched.

Potential amusement value: Mr Marsala ran this command from Bash, a standard *nix shell. Guess what’s being added to Windows 10.
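The quoted explanation covers what “rm -rf” does; what it does not cover is the failure mode that makes the command dangerous, namely a target that is empty (an unset shell variable) or that resolves to a directory far above the one you meant. Below is a guard added here as an example, not code from the post or from the Server Fault thread: it refuses empty and protected targets, resolves “..” and symlinks before deciding, and requires the target to sit strictly inside an allowed prefix. The prefix /srv/www and the protected-directory list are assumptions chosen for illustration.

```python
"""Guard checks for a recursive, forced delete (added example)."""
import os
import shlex

# Directories that should never be the target of a recursive delete, even by
# accident (an empty or unset shell variable often resolves to "/").
# This list is an illustrative assumption, not a complete one.
PROTECTED = {"/", "/bin", "/boot", "/dev", "/etc", "/home", "/lib", "/lib64",
             "/opt", "/proc", "/root", "/sbin", "/srv", "/sys", "/usr", "/var"}


def check_rm_target(path, must_be_under="/srv/www"):
    """Return the resolved path if it is an acceptable target for rm -rf,
    otherwise raise ValueError explaining the refusal."""
    if not path or path.isspace():
        raise ValueError("empty target (unset shell variable?)")
    # Resolve symlinks and '..' so that /srv/www/../../etc is seen as /etc.
    real = os.path.realpath(path)
    if real in PROTECTED:
        raise ValueError(f"refusing to delete protected directory {real}")
    # Require the target to sit strictly below the allowed prefix.
    prefix = os.path.realpath(must_be_under)
    if os.path.commonpath([real, prefix]) != prefix or real == prefix:
        raise ValueError(f"{real} is not strictly inside {prefix}")
    return real


def is_refused(path, must_be_under="/srv/www"):
    """True when the guard would refuse this target."""
    try:
        check_rm_target(path, must_be_under)
    except ValueError:
        return True
    return False


def build_rm_command(path, must_be_under="/srv/www"):
    """Build the argv for a checked rm -rf; this never executes anything."""
    target = check_rm_target(path, must_be_under)
    # '--' stops rm from treating a name beginning with '-' as an option.
    return ["rm", "-rf", "--", target]


if __name__ == "__main__":
    # Constructed candidates: one good target, then the classic mistakes.
    for candidate in ["/srv/www/site1", "", "/", "/srv/www/../../etc", "/srv/www"]:
        try:
            print(shlex.join(build_rm_command(candidate)))
        except ValueError as exc:
            print(f"REFUSED {candidate!r}: {exc}")
```

The point of resolving the path before checking it is that a prefix test on the raw string would happily accept “/srv/www/../../etc”; the point of the empty-string check is that “rm -rf $DIR/$SUBDIR” with both variables unset is just “rm -rf /”.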

Update, 18 April: The whole story is starting to unravel a bit.

Comments (3)




Deprecated squirrel

Actually, that sounds like a swell Twitter username: @DeprecatedSquirrel. It’s here because my mail service is switching away from SquirrelMail to something different:

Atmail was chosen as it is a step up from former DreamHost Webmail clients in that it’s faster, offers more features, and is in constant development.

Of the features mentioned, two might be of use: drag-and-drop attachments, and a mobile user interface.

There are a couple of downsides, and they’ll admit to them:

Requires more bandwidth to send complex HTML interface compared to SquirrelMail (approximately 100x to get from login screen to empty inbox; about 15 KB in 8 HTTP requests for SquirrelMail versus 1,500 KB in 35 HTTP requests for Atmail.)

Yeah, a hundred times as much bandwidth. Mobile users will just love that.

And there’s this:

Atmail needs more maintenance because it is less mature and more complex: it has more bugs. SquirrelMail has not required a fix since June 12, 2011.

Noteworthy: originally, “Atmail” (typically styled “atmail”) was known as “@mail.” Imagine that.

Comments (7)




The running dead

Just as I walked past the computer that runs the office phone system, a popup appeared, the same one I’ve seen several times in the last two years:

Windows XP end of life

I hit OK, but didn’t bother with “Don’t show this message again,” since someone else down the line may need it:

Even though Microsoft retired Windows XP two years ago, an estimated 181 million PCs around the world ran the crippled operating system last month, according to data from a web metrics vendor.

Windows XP exited public support on April 8, 2014, amid some panic on the part of corporations that had not yet purged their environments of the 2001 OS. Unless companies paid for custom support, their PCs running XP received no security updates after that date.

Consumers were completely cut off from patches, with no alternatives other than to switch to a newer operating system or continue running an insecure machine.

But two years after XP’s support demise, nearly 11% of all personal computers continue to run the OS, data for March from U.S.-based analytics vendor Net Applications showed.

Since the first of the year, 2.8 percent of the traffic to this Web site has been from XP boxes. Scary? Not as scary as the 0.9 percent on Vista, newer but deader. (There were still a couple of Windows 98 users as of last year, but they seem to have gone away.)

And the lack of patches might be a selling point to some:

Sometimes, she just nails it.

Comments (3)




Why Microsoft doesn’t rule the Web

People trying to save Word documents as HTML end up with garbage like this:

And that’s before you ever get to any of the actual document.

Upside: at least it isn’t Flash.

(Via @SwiftOnSecurity.)

Comments (1)




Shazamination

Shazam is one of those smartphone apps that is supposed to be able to recognize an unknown song and tell you what it is. Saturday night — into Sunday morning, because that’s how dumb I am — I put it to work on my tablet.

And, of course, I tested it on stuff in my own collection first. Correctly identified on the first try:

On “Kaiser Bill’s,” the title was rendered in German, but that makes a certain amount of sense.

I did manage to stump Shazam on “Mr. Turnkey,” Zager and Evans’ followup to “In the Year 2525.”

And there’s one track it consistently misidentified, the unknown backing track from this video:

I got two different answers, one “Kompression” by Albion, one “Ethno Love” in the Vaffa Superstar Mix, for which I found no link. (Shazam did play a few seconds for me for comparison purposes.)

Comments




Simulated exhilaration

Today’s virtual reality is simultaneously utterly mind-boggling and wholly unpersuasive; you can crank up the “virtual” all you like and you’ll still fall short of “reality.” For now, anyway. And maybe, just maybe, for the rest of our days:

I get that the move is to make everything virtual, so we can all go live in our Tiny Houses and be happy with having no actual stuff, because then we can … have ‘experiences’? Which seems to be the big thing the tiny house people talk about. Well, I’m nearly 50. I’m learning I’m kind of physically fragile in some ways — I can’t canoe any more, I don’t like to camp, my balance is too poor for long-distance bicycle riding. I’m not a big fan of traveling to strange places (the logistics, when you are a single woman, can be complicated, unless you do tours). I don’t have a lot of friends to play music with or “game” with or go out dancing with … my comfort in life, honestly, is coming home at the end of the day to a nice, properly climate controlled house and sit in a comfortable chair and either read a book or knit or sew. Or play my piano, which is a by-God, acoustic, made-nearly-100-years-ago wood and wire piano that still requires tuning and can be temperamental when it’s humid. (Just like I can be, in fact)

I suspect that this No Actual Stuff stance is at least slightly informed by the notion that we don’t actually make Stuff where we can see it being made anymore; it’s all fabricated in some Stuff-Generating Facility in a featureless building ten thousand miles away. And so we compensate — inadequately.

Comments (1)




Hit ’em where they drive

Nothing, I suspect, makes a bogus email more persuasive than the inclusion of something actually (sort of) true. This particular scam, by that reckoning, is utterly convincing in its presentation:

A new malware scam is posing as a speeding ticket email with a fake link that is said to load malicious code onto users’ computers. The emails, sent to at least a few local residents in Tredyffrin, Pennsylvania, purport to come from the local police department. Malware emails that masquerade as something official are not rare, but these messages are fairly unique: they are said to contain accurate speeding data, including street names, speed limits, and actual driving speeds, according to the Tredyffrin Police Department, located close to Philadelphia.

It’s suspected that the data is coming from an app with permission to track phone GPS data. That could either be a legitimate app that has been compromised, or a purpose-built malicious app that was uploaded online. As anyone who has used a GPS navigator knows, location data can be used to roughly calculate your travel speed. The emails ask for payment of the speeding ticket, but no apparatus is set up to receive such fines. Instead, a link that claims to lead to a photo of the user’s license plate instead loads malware onto the user’s device.

“Citations,” says the PD, “are never emailed or sent in the form of an email attachment.” Still, people believe that banks and such will send you email to ask you your email address — which they obviously already have.

“Tredyffrin,” incidentally, is Welsh; it only looks like a J. K. Rowling place name.

Comments




You did Nazi this coming

Yet another reason why you do not want Everything In The Fricking World connected to the Internet:

The notorious hacker and troll Andrew Auernheimer, also known as “weev,” just proved that the Internet of Things can be abused to spread hateful propaganda. On Thursday, Auernheimer used two lines of code to scan the entire internet for insecure printers and made them automatically spill out a racist and anti-Semitic flyer.

Hours later, several people started reporting the incident on social media, and eventually a few local news outlets picked up on the story when colleges and universities all over the United States found that their network printers were spilling out Auernheimer’s flyer.

Auernheimer detailed this “brief experiment,” as he called it, in a blog post on Friday.

Said weev:

After a little investigation it seemed that to print to a printer with port 9100 exposed, all you have to do is netcat a postscript file to that port.

And how likely is it that port 9100 is open and listening? Very:

For network-connected print devices, the standard TCP/IP port monitor is the best choice. Standard port monitor is the successor to line printer remote (LPR), which has been widely adopted as the de facto standard in network printing for the past several years. Standard port monitor is faster, more scalable, and bidirectional. In contrast, LPR is limited in all of these areas. Although Windows NT 4 and later provided registry modifications to help extend the capabilities of LPR printing, these changes do not compare with the benefits of using standard port monitor… The RAW protocol is the default for most print devices. To send a RAW-formatted job, the print server opens a TCP stream to the printer’s network interface. For many devices this will be port 9100.

“We were only following instructions.”

@SwiftOnSecurity feigned astonishment at the ease of the hack: “I’ve always wondered how the hell you even get a printer on the _Internet_. Plugging it into a DSL modem? Who? Why?”

Anything on the wrong side of a firewall can be presumed open, be it a printer, a computer, or a refrigerator.
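The printers in the story were reachable because nothing sat between port 9100 and the Internet. The check a defender wants is the mirror image of weev’s scan: look at your own firewall or flow logs for accepted connections to TCP/9100 that did not originate inside the local network. The code below is an added example, not anything from the post or from the articles it quotes; the log layout (“time src:port -> dst:port proto action”) and the log lines are constructed, and the list of local networks is an assumption you would replace with your own ranges.

```python
"""Flag accepted inbound connections to raw-print port 9100 from outside the
local network (added example; the log format and lines are constructed)."""
import ipaddress
from collections import namedtuple

RAW_PRINT_PORT = 9100  # "RAW"/port-9100 printing, as in the Microsoft text above

# Networks treated as "inside". Explicit ranges are used rather than
# ipaddress's is_private, which also counts the documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) used for the sample as non-global.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log: one internal print job, one external hit on 9100,
# one external hit on another port, one dropped probe, one malformed line.
SAMPLE_LOG = """\
2016-03-25T09:14:02Z 192.168.10.41:51112 -> 192.168.10.200:9100 tcp ACCEPT
2016-03-25T09:15:17Z 203.0.113.77:40021 -> 198.51.100.12:9100 tcp ACCEPT
2016-03-25T09:15:18Z 203.0.113.77:40022 -> 198.51.100.12:631 tcp ACCEPT
2016-03-25T09:16:40Z 198.51.100.9:33100 -> 198.51.100.12:9100 tcp DROP
2016-03-25T09:17:05Z 10.0.0.5:55000 -> 10.0.0.250:9100 tcp ACCEPT
this line is malformed and should be skipped
"""

Finding = namedtuple("Finding", "time src dst")


def is_local(addr):
    """True when the address falls inside one of the configured local networks."""
    return any(addr in net for net in LOCAL_NETWORKS)


def parse_line(line):
    """Parse one log line into
    (time, src_ip, src_port, dst_ip, dst_port, proto, action), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return (parts[0], ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port),
                parts[4].lower(), parts[5].upper())
    except ValueError:
        return None


def exposed_print_connections(log_text):
    """Return accepted TCP connections to port 9100 whose source is outside the
    local networks: each one is a printer that answered the Internet."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        time, src, _sport, dst, dport, proto, action = rec
        if proto != "tcp" or dport != RAW_PRINT_PORT or action != "ACCEPT":
            continue
        if is_local(src):
            continue
        findings.append(Finding(time, str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for f in exposed_print_connections(SAMPLE_LOG):
        print(f"{f.time}: external {f.src} reached printer {f.dst} on tcp/{RAW_PRINT_PORT}")
```

A single finding is enough: the fix is a firewall rule that denies inbound 9100 from anything but the print server, after which the same query should return nothing but dropped probes.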

Comments (4)




Eliza’s bratty kid sister

This was the plan, anyway:

Microsoft has a new artificial intelligence bot named Taylor that tries to hold conversations on Twitter, Kik, and GroupMe. And she makes me feel terribly old and out of touch.

Tay, as she calls herself, is a chatbot that’s targeted at 18 to 24 year-olds in the US. Just tweet at her or message her and she responds with words and occasionally meme pictures. Sometimes she doesn’t, though. She’s meant to be able to learn a few things about you — basic details like nickname, favorite food, relationship status — and is supposed to be able to have engaging conversations. She is intended to get better at conversations the longer they go on. But honestly, I couldn’t get much sense out of her. Except for my nickname, she wasn’t interested in learning any of these other details about me, and her replies tended to be meaningless statements that ended any conversation, rather than open questions that would lead me to say more about myself.

Getting “better” is, of course, subjective with any AI, and after an appallingly short period of time, Microsoft decided to give Tay a time out:

Okay, it might have been more than just a time out:

Microsoft has been forced to dunk Tay, its millennial-mimicking chatbot, into a vat of molten steel. The company has terminated her after the bot started tweeting abuse at people and went full neo-Nazi, declaring that “Hitler was right I hate the jews.”

Still, a warmer version of carbonite is probably not the ultimate solution:

In addition to turning the bot off, Microsoft has deleted many of the offending tweets. But this isn’t an action to be taken lightly; Redmond would do well to remember that it was humans attempting to pull the plug on Skynet that proved to be the last straw, prompting the system to attack Russia in order to eliminate its enemies. We’d better hope that Tay doesn’t similarly retaliate.

John Connor was not available for comment.

Comments (3)




Making the user experience worse

If there’s a way to make things more cumbersome for its stagnating user base, Twitter will do it, every single time.

TweetDeck, we now know, will be reduced to a mere Web site in mid-April. Those of us who didn’t immediately declare allegiance to the new regime were faced with this:

TweetDeck for Windows will no longer be supported and will cease to work after April 15

Over the entire width of the screen. Can you turn it off after you have “read more”? Not a chance.

It’s like they really want us to hate them.

Comments




Still doing it wrong

The standalone TweetDeck client is being killed off:

Twitter announced today it is shutting down the TweetDeck app for Windows on April 15.

Which they buried in the third paragraph of a new-features promo.

And why would they phase out arguably the most popular version of an application for which they paid £25 million five years ago? Why do you think?

Twitter’s plan is to push all users to Twitter.com for their advertisement revenue.

Yeah, right. They just dished up a 4.0 version; I’m betting that they tried, and failed, to wedge ads into it.

In the meantime, tweetdeck.com will continue to work in browsers. Maybe. They did mention Chrome.

Comments (2)




Madness beyond March

While the Thunder are on the road, the ‘Peake will be overrun with March Madness: four first-round games in the West will be played here in OKC, and everyone watching will presumably have access to all manner of statistics for the duration.

Then again, that’s the men’s tournament. The women’s tournament, not being held here but going on at the same time, presumably won’t draw as much interest. But what’s maddening, to me at least, is that so many of the metrics are gone:

Until recently, the one repository for advanced statistics such as usage, true shooting percentage, pace-adjusted player statistics and adjusted team ratings for women’s college ball was WBBState.com, a vertical of data company National Statistical. But that source disappeared Feb. 29, when ServerAxis, the company that provided server space to National Statistical’s hosting company, suddenly took all its equipment offline. There are reports that ServerAxis was having financial problems, but the company has so far not responded to requests for comment. National Statistical also declined to comment on the situation on the advice of lawyers as it works to recover its data and bring the site back online.

Exactly how a web hosting company pulls up anchor, ditches its Miami headquarters, and ends up 1,300 miles away in Chicago, allegedly waiting for its servers to find their way home, is almost certainly a fascinating story, but it’s secondary to the reality that an entire sport’s advanced metrics wing can be wiped off the map by a few nerds absconding with a few hard drives and turning off their phones. This is a corollary to the more global lack of statistical interrogation of women’s basketball — the data isn’t just shallow, it’s scarce, and that scarcity makes it fragile.

Okay, you may not be a stats freak. I’m not that much of one. But I have to believe that there’s a demand for this sort of distaff data:

In the landscape of women’s sports, college basketball in general and the NCAA Tournament in particular are enormously important. The nation’s attention has turned to college basketball, expecting rich, compelling and thorough analysis, and the women’s side, already handicapped by neglect, has lost one of its legs to a freak woodchipper accident. This leaves the writers who cover the tournament, missing servers be damned, in quite the lurch.

One might argue, perhaps, that if the audiences were equal, statistical availability would be maintained in some sort of equal measure. But if these numbers aren’t available, it becomes harder to build that audience.

Comments




For certain values of “retro”

From The Seattle Times, yesterday:

Pizza perfectionist Brandon Pettit has done it again. Dino’s Tomato Pie opened just last week on the curve of Capitol Hill’s Olive Way, and it’s already a mob scene. Unlike Pettit and partner Molly Wizenberg’s revered, restrained Delancey in Ballard, Dino’s is also a scene fit for the mob: old-school, East Coast all the way, with pebbly-textured red plastic water glasses, booths with fake-marble Formica tables and a custom-carved oak bar back. (The figures on the latter are Bacchus and Venus, not Pettit and Wizenberg, though some might say, same difference.) Specialty cocktails include Long Island iced tea, and even the website is a retro eyesore/delight.

A word about that Web site: it says it’s best viewed with Netscape 4.72. Don’t have Netscape 4.72? There’s a download link. Which works.

With my own 20th anniversary coming up, I am sorely tempted to retrieve one of the yecchy designs that used to exist here, because retro.

Comments (3)




For best results, follow directions carefully

Now $59.95 might seem high for a fan, but it’s not just a fan you’re getting:

What? No, Linux doesn’t do this. I think.

Comments (1)




Thieves, honor, and so forth

Incoming comment spam, in the WordPress system, always has an email address attached, and almost always carries the URL of some alleged site. WordPress, if it’s not otherwise occupied, will actually attempt to display that alleged site in a frame if you hover over it. Often as not, the “site” comes up 404, and most of the time that it doesn’t, it’s not worth looking at.

Last night, though, was a first: a site that scolded me for having an ad blocker turned on.

Understand this. A spammer scolded me for blocking his ads. On the Gall Spectrum, this places right around Purely Unmitigated.

Rather than drop an email into the proffered address, which is probably bogus anyway, I have decided simply to block the miscreant’s IP address. And no, I’m not giving him a link either.

(Oh, you wanted to know the offending IP? Well, it is subject to change. However, I’m pretty sure you’ll never, ever get anything useful from 95.105.127.113.)

Comments




The shape of rooms to come

I have yet to see one of these in a hotel room, but I figure they’re bound to spread, at least at some of the price points I can handle:

This would almost, though not quite, make up for the absence of a desk.

Comments (1)




You don’t know Jack, yet

Perhaps the world was waiting for an instant-messaging app that’s not all that instant:

[W]ith the ability to instantly send, there’s come an expectation to instantly reply and sometimes the vibration of our phones can feel like an annoying and persistent knock on the door rather than a communicative joy. The idea of patiently waiting for a response to something in a world where we’re all connected has understandably started to fade as slower methods of communication are phased out.

That’s why messaging app Jack is trying to do something a little different by taking the instant out of instant messaging. Jack works by allowing you to send someone a message, image, video clip, or audio clip that they’ll receive instantly but gives you the ability to decide when the recipient can open it, whether it’s one hour, one day, or one year in the future. The recipient can see the time counting down to when they can open their message and the developers hope that this will bring “the pleasure of anticipation” back into communication.

I am pleased to note that behind Jack there really is a Jack.

One thing I’m wondering: can you adjust the time once the message has been sent?

Comments (2)




Hack this, pal

Who knows what might be lurking in the firmware?

It seems Tesla is set to bump the battery capacity of its Model S sedan up to a hefty 100kWh some time in the near future. We know this thanks to the work of a white-hat hacker and Tesla P85D owner named Jason Hughes. Hughes — who previously turned the battery pack from a wrecked Tesla into a storage array for his solar panels — was poking around in the latest firmware of his Model S (version 2.13.77) and discovered an image of the new car’s badge, the P100D.

In not exactly a humblebrag, Hughes tweeted what he’d found — as a hash of the text rather than the text itself. Said hash was quickly matched: a hash can’t be decrypted, but a short, guessable string can be hashed by anyone and compared. Tesla’s response was quick: they rolled Hughes’ firmware back to an earlier version. (“We get sauce too?” asked the gander, plaintively.)

Hughes complained; Elon Musk himself said that he hadn’t asked for the rollback. And Hughes wasn’t particularly put out, since — you knew this was coming, right? — he’d already backed up that newest incremental upgrade.

Damn, but cars are getting complicated.
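The hash episode is a small lesson in what a bare hash does and doesn’t hide. The following is an added example, not Hughes’s code or Tesla’s: the post doesn’t say which hash he used, so SHA-256 and the list of badge names to try are assumptions. It shows a bare hash of a short string falling to a handful of guesses, and the alternative that works when you want to prove later what you knew now without giving it away: commit with a random nonce as an HMAC key, publish only the tag, and reveal the value and nonce together later.

```python
"""Why a bare hash of a short, guessable string keeps no secret, and what does
(added example; SHA-256 and the candidate list are assumptions, not Hughes's)."""
import hashlib
import hmac
import secrets

# Constructed guess list: the kind of model names anyone would try first.
CANDIDATES = ["P85", "P85D", "P90D", "P100D", "P110D", "P120D"]


def bare_commit(value):
    """Publish SHA-256 of the value itself. It looks opaque, but it is only
    as secret as the value is hard to guess."""
    return hashlib.sha256(value.encode()).hexdigest()


def guess_bare_commit(digest, candidates):
    """Recover the value behind a bare hash by hashing each candidate and
    comparing; this works whenever the value comes from a small space."""
    for candidate in candidates:
        if hmac.compare_digest(bare_commit(candidate), digest):
            return candidate
    return None


def nonce_commit(value, nonce=None):
    """Commit with a random 256-bit nonce as the HMAC key. The tag can be
    published now; revealing (value, nonce) later proves what was committed
    to, while the tag alone cannot be matched against a guess list."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    tag = hmac.new(nonce, value.encode(), hashlib.sha256).hexdigest()
    return nonce, tag


def verify_commit(value, nonce, tag):
    """Check an opened commitment in constant time."""
    expected = hmac.new(nonce, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    digest = bare_commit("P100D")
    print("bare hash guessed as:", guess_bare_commit(digest, CANDIDATES))
    nonce, tag = nonce_commit("P100D")
    print("nonced tag guessed as:", guess_bare_commit(tag, CANDIDATES))
    print("opened commitment verifies:", verify_commit("P100D", nonce, tag))
```

The nonce is what makes the difference: without it the guesser has a finite list to try, with it every guess would also have to be paired with the right 256-bit key.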

Comments




Your mind is mined

The truth is often even worse than you think it is. I quit hanging around Forbes.com once they got whiny about ad blockers and promised, if you turned them off, an “ad-light” experience. It is, of course, nothing of the kind:

The “ad-light experience” employs 38 trackers consuming 83.1 MB of memory. What does the non-light experience look like? For reference, Google Maps’ scripts take 52.7 MB and they actually do something useful.

Well, so do the trackers, if your definition of “useful” stretches enough to include “follows me around like a lost puppy”:

The tracking isn’t done with cookies; those are too easy to delete. Trackers identify you with a browser fingerprint: Your operating system, browser version, time zone, plug-in versions, screen resolution, installed fonts, IP address, and other things you thought were private.

Or if not private, certainly irrelevant, right? Wrong:

The more uniquely-configured your system, the more identifiable you are. (How identifiable? Check here.)

Which I did. Apparently my browser fingerprint is unique among the 130,000 or so that have been tested, and I ought not to be surprised by that.

It doesn’t matter if you use incognito mode and block cookies; that’s just another data point to add to your profile. It’s called a fingerprint because every one is unique. And each time you load a tracker, your fingerprint is captured and the activity is added to your browsing profile.

Hardly seems worth the bother for NSA to monitor me, if the private sector is already gathering this much data.
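The quoted passage says the more uniquely configured your system, the more identifiable you are; the number that makes that precise is the size of the “anonymity set,” the group of visitors whose fingerprint matches yours. The code below is an added example, not anything from the Forbes write-up or from the fingerprint-testing site it links to: it takes a constructed population of eight visitors with the attributes listed above (the font list stands in for a digest of installed fonts, as a tracker would use) and computes, for any subset of attributes, how many visitors share a fingerprint, how many bits of identifying information that leaks, and how much each attribute contributes.

```python
"""How identifying a browser fingerprint is (added example; the eight visitor
records are constructed, and the attribute names follow the quoted list)."""
from collections import Counter
from math import log2

SAMPLE = [
    {"os": "Windows 10", "browser": "Chrome 49", "tz": "-6", "screen": "1920x1080", "fonts": "f1"},
    {"os": "Windows 10", "browser": "Chrome 49", "tz": "-6", "screen": "1920x1080", "fonts": "f1"},
    {"os": "Windows 10", "browser": "Chrome 49", "tz": "-6", "screen": "1366x768", "fonts": "f1"},
    {"os": "Windows 10", "browser": "Firefox 45", "tz": "-5", "screen": "1920x1080", "fonts": "f2"},
    {"os": "macOS 10.11", "browser": "Safari 9", "tz": "-8", "screen": "2560x1600", "fonts": "f3"},
    {"os": "macOS 10.11", "browser": "Safari 9", "tz": "-8", "screen": "2560x1600", "fonts": "f3"},
    {"os": "Windows 7", "browser": "IE 11", "tz": "-6", "screen": "1280x1024", "fonts": "f4"},
    {"os": "Linux", "browser": "Firefox 45", "tz": "+1", "screen": "1920x1080", "fonts": "f5"},
]
ALL_ATTRS = ("os", "browser", "tz", "screen", "fonts")


def fingerprint(record, attrs):
    """The tuple of attribute values a tracker would key on."""
    return tuple(record[a] for a in attrs)


def anonymity_set_size(records, attrs, record):
    """How many records share this record's fingerprint (1 means unique)."""
    target = fingerprint(record, attrs)
    return sum(1 for r in records if fingerprint(r, attrs) == target)


def identifying_bits(records, attrs, record):
    """Bits of information the fingerprint reveals, log2(N / set size);
    log2(N) bits would single the visitor out among all N."""
    return log2(len(records) / anonymity_set_size(records, attrs, record))


def attribute_entropy(records, attr):
    """Shannon entropy of one attribute across the population; higher means
    the attribute does more to separate visitors."""
    counts = Counter(r[attr] for r in records)
    n = len(records)
    return -sum(c / n * log2(c / n) for c in counts.values())


def unique_fraction(records, attrs):
    """Share of visitors whose fingerprint over attrs is unique in the population."""
    counts = Counter(fingerprint(r, attrs) for r in records)
    return sum(1 for r in records if counts[fingerprint(r, attrs)] == 1) / len(records)


if __name__ == "__main__":
    for attrs in [("os",), ("os", "browser"), ALL_ATTRS]:
        print(f"{'+'.join(attrs)}: {unique_fraction(SAMPLE, attrs):.0%} of visitors unique")
    for attr in ALL_ATTRS:
        print(f"entropy of {attr}: {attribute_entropy(SAMPLE, attr):.2f} bits")
    odd_one = SAMPLE[6]  # the Windows 7 / IE 11 visitor
    print(f"Windows 7 visitor: {identifying_bits(SAMPLE, ALL_ATTRS, odd_one):.1f} bits, "
          f"anonymity set {anonymity_set_size(SAMPLE, ALL_ATTRS, odd_one)}")
```

Run against a real population the same functions explain the site’s verdict: a fingerprint is “unique among 130,000” when its anonymity set has size one, which for N = 130,000 is about 17 bits of identifying information, and each unusual attribute (an old OS, a rare font set) is what pushes a visitor there.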

Comments (3)




Not at all hiding in plain sight

The “security question,” as an institution, is “superbly moronic,” says Jack Baruth:

[T]here is no reason for the security question to exist. Not the way it’s implemented at most websites. A security question, when used properly, can be helpful. PEER1 and Rackspace, as an example, use security questions to authenticate requests for phone support. The security question, in those cases, is one that you provide. As an example, your Rackspace security question could be, “What’s the pinkest brown?” and the answer could be “867-5309”. It’s a true shared secret. Of course, it’s stored on the Rackspace systems, which means it’s vulnerable. But as a good way to authenticate a voice on the phone that’s asking you to reboot a server or add a credential, it’s not bad.

The typical security question implementation, however, is not anything like that.

Oh, hell no. Instead, it’s something you’ve probably already posted on Facebook that anyone keen on stealing your identity has already read and filed away for reference.

I admit to having outsmarted myself once, with the requested item being the “name of your high-school sweetheart.” Like rather a lot of women of this era, she has a first and a middle name; unlike most, she was going by the middle name back then. So I plugged in the first name, which I’m pretty sure I’ve never mentioned anywhere, even here on this site. (Don’t mention this: it’s pseudonyms all the way down.) You can guess what happened next, or more precisely after a year or two.

Incidentally, I live in what has been known in the neighborhood as the Brown House. But it’s the pinkest brown you’ve ever seen.

Comments (2)




Not really dead tech

I was there the night Prodigy died. If you’d told me at the time that this obsolete technology would be the subject of a lawsuit a decade and a half later, I’d have broken out into guffaws, or at least snickers.

Well, tee-hee:

IBM has sued online deals marketplace Groupon for infringing four of its patents, including two that emerged from Prodigy, the online service launched by IBM and partners ahead of the World Wide Web.

Groupon has built its business model on the use of IBM’s patents, according to the complaint filed Wednesday in the U.S. District Court for the District of Delaware. “Despite IBM’s repeated attempts to negotiate, Groupon refuses to take a license, but continues to use IBM’s property,” according to the computing giant, which is asking the court to order Groupon to halt further infringement and pay damages.

What the heck sort of Nineties-style code would even be relevant in 2016?

To develop the Prodigy online service that IBM launched with partners in the 1980s, the inventors of U.S. patents 5,796,967 and 7,072,849 developed new methods for presenting applications and advertisements in an interactive service that would take advantage of the computing power of each user’s PC and reduce demand on host servers, such as those used by Prodigy, IBM said in its complaint against Groupon.

“The inventors recognized that if applications were structured to be comprised of ‘objects’ of data and program code capable of being processed by a user’s PC, the Prodigy system would be more efficient than conventional systems,” it added.

Which system, of course, they abandoned in 1999, under the pretext of Y2K concerns.

(Via Consumerist.)

Comments




Encrypt-kickers

As an actual Amazon Fire tablet owner, I knew some of this, but of course not all of it:

Amazon’s Fire OS is a fork of Android, based on the Android Open Source Project (AOSP) code but without Google’s apps and services or guaranteed compatibility with apps developed for Google-approved Android. Amazon has heavily customized the UI and provides its own app store, but it typically leans on AOSP code for under-the-hood, foundational features — in older Fire OS versions, the optional device encryption was handled the same way it was on any Android device. However, according to user David Scovetta and others on Amazon’s support forums, that encryption support has been deprecated and removed in recent releases of Fire OS 5, both for new Fire tablets and for older devices that have been upgraded.

We contacted Amazon for comment, and the company told us that local device encryption support was removed in FireOS 5 because the feature wasn’t being used:

“In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using,” Amazon told Ars. “All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security including appropriate use of encryption.”

Which is fine and dandy, if your signals are confined to the Bezosphere. Otherwise:

[E]ncrypted connections between the Fire tablets and external servers are safe (or, as safe as the server involved and the method of encryption being used will allow for), but thieves and law enforcement officials will be able to grab user data stored locally without much trouble.

And is it my imagination, or are those two parties gradually becoming less distinguishable from one another?

(Via @SwiftOnSecurity.)

Comments (3)




Brave new storage

Tam needed to move a whole bunch of files, and acted appropriately:

I go to Amazon and order a 128GB USB 3.0 Flash Drive. Huh. Same day delivery available. I mention it to Bobbi and she asks me to order one for her, too.

A couple hours later, there’s a thump on the front porch, caused by the impact of a box containing probably more storage space than every computer I owned before 2010 combined, delivered to my doorstep in hours on a Saturday for less than the price of dinner & drinks for two at a middlin’ fair restaurant.

And close to what I paid in 2006 for a drive containing a single gigabyte.

Note from the description:

The 128GB Turbo USB 3.0 Flash Drive can hold approximately 23,674 songs.

By now, there are probably that many covers of “All About That Bass.”

Comments (1)




An overdose of PHP

Not that you asked, but the servers behind the scenes here are running PHP 5.6. This is “Recommended” by the host; they still support 5.5, but no earlier version.

But they’re now offering 7.0, which they describe as “new and scary.” Maybe it is; I wouldn’t know. It’s been out since December, and is considered a stable release; the current install is 7.0.3. The shade of Ned Ludd tells me I probably should wait until 7.1, but what the hell does he know? And besides, I’m on a new server as of yesterday, so none of the statistics are statistically significant, at least for a little while.

(Before you ask: there is no PHP 6.)

Comments (3)




The remotest remote car hack

Once upon a time, it was discovered that if you can splice your way into the car’s wiring, you can do all sorts of wicked things to the computers that run everything. But that was over five years ago. Last year, it was revealed that such things can be done remotely, if you know how to take advantage of certain vulnerabilities in the car’s internet-connected infotainment system.

Which brings us to this year:

Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I’ve become so attached to. I was running my usual “Hack Yourself First” workshop which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about. I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting.

One of the guys was a bit inspired by what we’d done and just happened to own … the world’s best-selling electric car, a Nissan LEAF. What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs.

The guy’s experiments proved to be reproducible.

Nissan, of course, will have to implement a fix.

It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier — it’s profoundly trivial. As car manufacturers rush towards joining in on the “internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realising that they didn’t take it seriously enough in the first place.
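What makes this “profoundly trivial” is the bug class, not any cleverness on the attacker’s side: a back end that performs whatever command the client asks for, on whatever vehicle the client names, with nothing tying the request to an authenticated owner. The following is a generic model of that class, added here as an illustration. It is not Nissan’s code and not taken from Hunt’s write-up; the vehicle ids, session tokens, command names and field names are all invented. The vulnerable handler sits beside a hardened one that authenticates the caller and checks ownership on the server side.

```python
"""Generic model of the bug class in the post: a connected-car back end that
performs whatever command the client asks for, on whatever vehicle the client
names.  Hypothetical code for illustration; not Nissan's API, and all
identifiers, tokens and command names below are invented."""

from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample state: who owns which vehicle, and which session
# tokens the server has issued to which user.
VEHICLES: Dict[str, dict] = {
    "VEH-0001": {"owner": "alice", "climate_on": False},
    "VEH-0002": {"owner": "bob", "climate_on": False},
}
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
ALLOWED_COMMANDS = {"climate_on", "climate_off", "status"}


@dataclass
class Request:
    vehicle_id: str
    command: str
    session_token: Optional[str] = None   # the vulnerable handler never looks at this


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def _execute(vehicle_id: str, command: str) -> Response:
    """Apply the command to the vehicle and report its resulting state."""
    vehicle = VEHICLES[vehicle_id]
    if command == "climate_on":
        vehicle["climate_on"] = True
    elif command == "climate_off":
        vehicle["climate_on"] = False
    return Response(200, {"vehicle_id": vehicle_id, "climate_on": vehicle["climate_on"]})


def handle_vulnerable(req: Request) -> Response:
    """Vulnerable: the only 'authentication' is knowing a vehicle id.

    Anyone who can craft the request by hand (the workshop exercise) can
    operate any vehicle whose id they know or can guess."""
    if req.vehicle_id not in VEHICLES or req.command not in ALLOWED_COMMANDS:
        return Response(404)
    return _execute(req.vehicle_id, req.command)


def handle_hardened(req: Request) -> Response:
    """Hardened: authenticate the caller, then authorize against server-side
    ownership before touching the vehicle."""
    user = SESSIONS.get(req.session_token or "")
    if user is None:
        return Response(401)
    if req.command not in ALLOWED_COMMANDS:
        return Response(400)
    vehicle = VEHICLES.get(req.vehicle_id)
    # One answer for 'no such vehicle' and 'not your vehicle', so the endpoint
    # cannot be used to enumerate valid ids.
    if vehicle is None or vehicle["owner"] != user:
        return Response(404)
    return _execute(req.vehicle_id, req.command)


def demo() -> Dict[str, int]:
    """Bob tries to switch on Alice's climate control through both handlers."""
    attack = Request(vehicle_id="VEH-0001", command="climate_on", session_token="tok-bob")
    results = {
        "vulnerable_no_token": handle_vulnerable(Request("VEH-0001", "climate_on")).status,
        "hardened_other_owner": handle_hardened(attack).status,
        "hardened_no_token": handle_hardened(Request("VEH-0001", "climate_on")).status,
        "hardened_own_vehicle": handle_hardened(Request("VEH-0002", "climate_on", "tok-bob")).status,
    }
    VEHICLES["VEH-0001"]["climate_on"] = False  # undo what the vulnerable handler did
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing. The vulnerable handler succeeds without any session token at all, which is what “independently of how Nissan had designed the app” amounts to once you can forge the requests. And the hardened handler answers “not found” for both a nonexistent vehicle and somebody else’s vehicle, so the same endpoint cannot be used to enumerate which ids exist; making the ids hard to guess is not a substitute for the ownership check, only a complement to it.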

And it’s a great argument for fixing up that old ’96 Maxima, which is mostly immune to stuff like this, unless you’re right there with the wires.

(Via @SwiftOnSecurity.)

Comments (2)