Archive for PEBKAC

The root to serfdom

Quite reasonably, we fear computer attacks from without. But the worst ones, sometimes, come from within:

A man appears to have deleted his entire company with one mistaken piece of code.

By accidentally telling his computer to delete everything in his servers, hosting provider Marco Marsala has seemingly removed all trace of his company and the websites that he looks after for his customers.

Mr Marsala wrote on a forum for server experts called Server Fault that he was now stuck after having accidentally run destructive code on his own computers. But far from advising them how to fix it, most experts informed him that he had just accidentally deleted the data of his company and its clients, and in so doing had probably destroyed his entire company with just one line of code.

That’s one heavy line of code. This is it:

The problem command was “rm -rf”: a basic piece of code that will delete everything it is told to. The “rm” tells the computer to remove; the r deletes everything within a given directory; and the f stands for “force”, telling the computer to ignore the usual warnings that come when deleting files.

Together, the code deleted everything on the computer, including Mr Marsala’s customers’ websites, he wrote. Mr Marsala runs a web hosting company, which looks after the servers and internet connections on which the files for websites are stored.

Oops.

I once deleted 9,000 or so files, and it was pretty scary to watch them dissolve. Then again, I started in a subdirectory down low enough to ensure that the important stuff would remain untouched.
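The usual way this goes wrong in a script is `rm -rf "$DIR/"` with `$DIR` unset, which expands to `rm -rf /`. As an added example (not code from the post above or from the Server Fault thread it describes), here is a recursive delete that refuses that mistake and the related ones: an empty path, a path that resolves to `/` or to the allowed root itself, and a path that walks out of the root through `..` or a symlink. It does its work in a throwaway directory so nothing else is touched; the names `safe_rmtree`, `RemovalRefused` and the scratch layout are this example’s own.

```python
"""Added example, not code from the original post or from the Server Fault
thread it describes.

A recursive delete with the checks that stop the `rm -rf "$DIR/"` class of
mistake: an empty or unset base path, a path that resolves to "/" or to the
allowed root itself, and a path that escapes the root through ".." or a
symlink. It runs in a throwaway directory so nothing else is touched.
The names safe_rmtree, RemovalRefused and the scratch layout are this
example's own.
"""
import os
import shutil
import tempfile
from pathlib import Path


class RemovalRefused(Exception):
    """Raised instead of deleting when a check fails."""


def safe_rmtree(target: str, allowed_root: str) -> Path:
    """Delete `target` recursively only if it is a real directory strictly
    inside `allowed_root`. Returns the resolved path that was removed."""
    # 1. The empty string is exactly what an unset shell variable expands to.
    if not target:
        raise RemovalRefused("empty target path")
    root = Path(allowed_root).resolve(strict=True)
    # 2. Resolve symlinks and ".." before comparing anything.
    canon = Path(target).resolve()
    # 3. `-f` would silently skip a typo; insist the directory really exists.
    if not canon.is_dir():
        raise RemovalRefused(f"not a directory: {target}")
    # 4. The root itself and anything outside it are off limits.
    if canon == root or root not in canon.parents:
        raise RemovalRefused(f"{canon} is not strictly inside {root}")
    shutil.rmtree(canon)
    return canon


def demo() -> dict:
    """Exercise the guard in a scratch tree; returns each request's outcome."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as sandbox:
        html = Path(sandbox, "site1", "html")
        html.mkdir(parents=True)
        (html / "index.html").write_text("<h1>customer site</h1>")
        Path(sandbox, "site2").mkdir()
        # A symlink that points out of the sandbox, as a customer might plant.
        os.symlink("/", Path(sandbox, "escape"))

        requests = [
            ("site1",   str(Path(sandbox, "site1"))),   # the one legitimate job
            ("empty",   ""),                            # "$DIR" with DIR unset
            ("slash",   "/"),                           # "$DIR/" with DIR unset
            ("root",    sandbox),                       # the root itself
            ("dotdot",  str(Path(sandbox, "site2", "..", ".."))),
            ("symlink", str(Path(sandbox, "escape"))),
        ]
        for label, path in requests:
            try:
                safe_rmtree(path, sandbox)
                outcomes[label] = "removed"
            except RemovalRefused:
                outcomes[label] = "refused"
        outcomes["site1_gone"] = not Path(sandbox, "site1").exists()
        outcomes["site2_intact"] = Path(sandbox, "site2").is_dir()
    return outcomes
```

The shell-side equivalent of check 1 is writing `rm -rf "${DIR:?}/"`, which aborts the script with a message when `DIR` is unset or empty instead of silently expanding to `/`; GNU `rm` also refuses a bare `/` by default (`--preserve-root`), but that does not save you from `/home` or `/var/www`, which is what the prefix check here is for.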

Potential amusement value: Mr Marsala ran this command from Bash, a standard *nix shell. Guess what’s being added to Windows 10.

Update, 18 April: The whole story is starting to unravel a bit.

Deprecated squirrel

Actually, that sounds like a swell Twitter username: @DeprecatedSquirrel. It’s here because my mail service is switching away from SquirrelMail to something different:

Atmail was chosen as it is a step up from former DreamHost Webmail clients in that it’s faster, offers more features, and is in constant development.

Of the features mentioned, two might be of use: drag-and-drop attachments, and a mobile user interface.

There are a couple of downsides, and they’ll admit to them:

Requires more bandwidth to send complex HTML interface compared to SquirrelMail (approximately 100x to get from login screen to empty inbox; about 15 KB in 8 HTTP requests for SquirrelMail versus 1,500 KB in 35 HTTP requests for Atmail.)

Yeah, a hundred times as much bandwidth. Mobile users will just love that.

And there’s this:

Atmail needs more maintenance because it is less mature and more complex: it has more bugs. SquirrelMail has not required a fix since June 12, 2011.

Noteworthy: originally, “Atmail” (typically styled “atmail”) was known as “@mail.” Imagine that.

The running dead

Just as I walked past the computer that runs the office phone system, a popup appeared, the same one I’ve seen several times in the last two years:

Windows XP end of life

I hit OK, but didn’t bother with “Don’t show this message again,” since someone else down the line may need it:

Even though Microsoft retired Windows XP two years ago, an estimated 181 million PCs around the world ran the crippled operating system last month, according to data from a web metrics vendor.

Windows XP exited public support on April 8, 2014, amid some panic on the part of corporations that had not yet purged their environments of the 2001 OS. Unless companies paid for custom support, their PCs running XP received no security updates after that date.

Consumers were completely cut off from patches, with no alternatives other than to switch to a newer operating system or continue running an insecure machine.

But two years after XP’s support demise, nearly 11% of all personal computers continue to run the OS, data for March from U.S.-based analytics vendor Net Applications showed.

Since the first of the year, 2.8 percent of the traffic to this Web site has been from XP boxes. Scary? Not as scary as the 0.9 percent on Vista, newer but deader. (There were still a couple of Windows 98 users as of last year, but they seem to have gone away.)

And the lack of patches might be a selling point to some:

Sometimes, she just nails it.

Why Microsoft doesn’t rule the Web

People trying to save Word documents as HTML end up with garbage like this:

And that’s before you ever get to any of the actual document.

Upside: at least it isn’t Flash.

(Via @SwiftOnSecurity.)

Shazamination

Shazam is one of those smartphone apps that is supposed to be able to recognize an unknown song and tell you what it is. Saturday night — into Sunday morning, because that’s how dumb I am — I put it to work on my tablet.

And, of course, I tested it on stuff in my own collection first. Correctly identified on the first try:

On “Kaiser Bill’s,” the title was rendered in German, but that makes a certain amount of sense.

I did manage to stump Shazam on “Mr. Turnkey,” Zager and Evans’ followup to “In the Year 2525.”

And there’s one track it consistently misidentified, the unknown backing track from this video:

I got two different answers, one “Kompression” by Albion, one “Ethno Love” in the Vaffa Superstar Mix, for which I found no link. (Shazam did play a few seconds for me for comparison purposes.)

Simulated exhilaration

Today’s virtual reality is simultaneously utterly mind-boggling and wholly unpersuasive; you can crank up the “virtual” all you like and you’ll still fall short of “reality.” For now, anyway. And maybe, just maybe, for the rest of our days:

I get that the move is to make everything virtual, so we can all go live in our Tiny Houses and be happy with having no actual stuff, because then we can … have ‘experiences’? Which seems to be the big thing the tiny house people talk about. Well, I’m nearly 50. I’m learning I’m kind of physically fragile in some ways — I can’t canoe any more, I don’t like to camp, my balance is too poor for long-distance bicycle riding. I’m not a big fan of traveling to strange places (the logistics, when you are a single woman, can be complicated, unless you do tours). I don’t have a lot of friends to play music with or “game” with or go out dancing with … my comfort in life, honestly, is coming home at the end of the day to a nice, properly climate controlled house and sit in a comfortable chair and either read a book or knit or sew. Or play my piano, which is a by-God, acoustic, made-nearly-100-years-ago wood and wire piano that still requires tuning and can be temperamental when it’s humid. (Just like I can be, in fact)

I suspect that this No Actual Stuff stance is at least slightly informed by the notion that we don’t actually make Stuff where we can see it being made anymore; it’s all fabricated in some Stuff-Generating Facility in a featureless building ten thousand miles away. And so we compensate — inadequately.

Hit ’em where they drive

Nothing, I suspect, makes a bogus email more persuasive than the inclusion of something actually (sort of) true. This particular scam, by that reckoning, is utterly convincing in its presentation:

A new malware scam is posing as a speeding ticket email with a fake link that is said to load malicious code onto users’ computers. The emails, sent to at least a few local residents in Tredyffrin, Pennsylvania, purport to come from the local police department. Malware emails that masquerade as something official are not rare, but these messages are fairly unique: they are said to contain accurate speeding data, including street names, speed limits, and actual driving speeds, according to the Tredyffrin Police Department, located close to Philadelphia.

It’s suspected that the data is coming from an app with permission to track phone GPS data. That could either be a legitimate app that has been compromised, or a purpose-built malicious app that was uploaded online. As anyone who has used a GPS navigator knows, location data can be used to roughly calculate your travel speed. The emails ask for payment of the speeding ticket, but no apparatus is set up to receive such fines. Instead, a link that claims to lead to a photo of the user’s license plate instead loads malware onto the user’s device.

“Citations,” says the PD, “are never emailed or sent in the form of an email attachment.” Still, people believe that banks and such will send you email to ask you your email address — which they obviously already have.

“Tredyffrin,” incidentally, is Welsh; it only looks like a J. K. Rowling place name.

You did Nazi this coming

Yet another reason why you do not want Everything In The Fricking World connected to the Internet:

The notorious hacker and troll Andrew Auernheimer, also known as “weev,” just proved that the Internet of Things can be abused to spread hateful propaganda. On Thursday, Auernheimer used two lines of code to scan the entire internet for insecure printers and made them automatically spill out a racist and anti-Semitic flyer.

Hours later, several people started reporting the incident on social media, and eventually a few local news outlets picked up on the story when colleges and universities all over the United States found that their network printers were spilling out Auernheimer’s flyer.

Auernheimer detailed this “brief experiment,” as he called it, in a blog post on Friday.

Said weev:

After a little investigation it seemed that to print to a printer with port 9100 exposed, all you have to do is netcat a postscript file to that port.

And how likely is it that port 9100 is open and listening? Very:

For network-connected print devices, the standard TCP/IP port monitor is the best choice. Standard port monitor is the successor to line printer remote (LPR), that has been widely adopted as the de facto standard in network printing for the past several years. Standard port monitor is faster, more scalable, and bidirectional. In contrast, LPR is limited in all of these areas. Although Windows NT 4 and later provided registry modifications to help extend the capabilities of LPR printing, these changes do not compare with the benefits of using standard port monitor… The RAW protocol is the default for most print devices. To send a RAW-formatted job, the print server opens a TCP stream to the printer’s network interface. For many devices this will be port 9100.

“We were only following instructions.”

@SwiftOnSecurity feigned astonishment at the ease of the hack: “I’ve always wondered how the hell you even get a printer on the _Internet_. Plugging it into a DSL modem? Who? Why?”

Anything on the wrong side of a firewall can be presumed open, be it a printer, a computer, or a refrigerator.
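To make the “netcat a file to port 9100” part concrete, here is an added example (not code from the post, from weev’s write-up, or from the Microsoft documentation quoted above). It does both halves of the story: pushes a print job down a raw TCP stream exactly the way `nc printer 9100 < file.ps` does, with no authentication because the raw protocol has none, and audits a list of hosts for an open 9100. The job bytes and the loopback “printer” it talks to are constructed for the demo; the function and class names are this example’s own.

```python
"""Added example; not code from the original post, from weev's write-up,
or from the Microsoft documentation quoted above.

Both halves of what the post describes: pushing a job down a raw TCP
stream to port 9100, which is all `nc printer 9100 < file.ps` does, and
an audit that reports which hosts accept a connection on that port at all.
The job bytes and the loopback "printer" are constructed for the demo;
the function and class names are this example's own.
"""
import socket
import socketserver
import threading
import time

RAW_PORT = 9100  # the "RAW"/JetDirect port the quoted Microsoft text refers to

# Universal Exit Language: the PJL bracket most network printers look for first.
UEL = b"\x1b%-12345X"

# A constructed job: PJL header, a PostScript body, PJL trailer.
SAMPLE_JOB = (
    UEL
    + b'@PJL JOB NAME="demo"\r\n'
    + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    + b"%!PS\n"
    + b"/Helvetica findfont 24 scalefont setfont\n"
    + b"72 720 moveto (Nobody asked for this page.) show\n"
    + b"showpage\n"
    + UEL
    + b"@PJL EOJ\r\n"
    + UEL
)


def send_raw_job(host: str, port: int, job: bytes, timeout: float = 3.0) -> int:
    """Open a TCP stream to host:port and write the job, as netcat would.
    No credentials are exchanged because the raw protocol has none.
    Returns the byte count sent; raises OSError if nothing is listening."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(job)
    return len(job)


def raw_port_open(host: str, port: int = RAW_PORT, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds. No banner is needed:
    on a printer, an open 9100 is sufficient to be printed to."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts, port: int = RAW_PORT) -> dict:
    """Map each host to whether the raw-print port answers. Run this from
    outside your own firewall against every address it exposes; any True
    is a printer anyone on the Internet can feed."""
    return {host: raw_port_open(host, port) for host in hosts}


class _FakePrinter(socketserver.BaseRequestHandler):
    """Loopback stand-in for a printer: swallows whatever arrives, like the
    real thing, and keeps it so the demo can inspect it."""
    received = []

    def handle(self):
        chunks = []
        while True:
            data = self.request.recv(4096)
            if not data:          # client closed: end of job
                break
            chunks.append(data)
        _FakePrinter.received.append(b"".join(chunks))


def start_fake_printer():
    """Listen on an ephemeral loopback port; return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakePrinter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _unused_port() -> int:
    """Pick a loopback port that is (almost certainly) closed right now."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def demo() -> dict:
    """Print to the fake printer, then audit an open port and a closed one."""
    _FakePrinter.received.clear()
    server, port = start_fake_printer()
    try:
        sent = send_raw_job("127.0.0.1", port, SAMPLE_JOB)
        for _ in range(100):            # wait for the handler to finish reading
            if _FakePrinter.received:
                break
            time.sleep(0.02)
        got = _FakePrinter.received[0] if _FakePrinter.received else b""
        open_scan = audit(["127.0.0.1"], port)
        closed_scan = audit(["127.0.0.1"], _unused_port())
    finally:
        server.shutdown()
        server.server_close()
    return {
        "bytes_sent": sent,
        "job_received_intact": got == SAMPLE_JOB,
        "pjl_seen": got.startswith(UEL + b"@PJL"),
        "open_port_flagged": open_scan["127.0.0.1"],
        "closed_port_flagged": closed_scan["127.0.0.1"],
    }
```

The defensive reading is the `audit` function: run it from the outside against your own address space, and anything that comes back True is a device that will print whatever a stranger sends. The fix is not on the printer side (most of them cannot be told to authenticate raw jobs at all); it is a firewall rule, and failing that the printer’s own IP access list, so that 9100 answers only to the print server.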

Eliza’s bratty kid sister

This was the plan, anyway:

Microsoft has a new artificial intelligence bot named Taylor that tries to hold conversations on Twitter, Kik, and GroupMe. And she makes me feel terribly old and out of touch.

Tay, as she calls herself, is a chatbot that’s targeted at 18 to 24 year-olds in the US. Just tweet at her or message her and she responds with words and occasionally meme pictures. Sometimes she doesn’t, though. She’s meant to be able to learn a few things about you — basic details like nickname, favorite food, relationship status — and is supposed to be able to have engaging conversations. She is intended to get better at conversations the longer they go on. But honestly, I couldn’t get much sense out of her. Except for my nickname, she wasn’t interested in learning any of these other details about me, and her replies tended to be meaningless statements that ended any conversation, rather than open questions that would lead me to say more about myself.

Getting “better” is, of course, subjective with any AI, and after an appallingly short period of time, Microsoft decided to give Tay a time out:

Okay, it might have been more than just a time out:

Microsoft has been forced to dunk Tay, its millennial-mimicking chatbot, into a vat of molten steel. The company has terminated her after the bot started tweeting abuse at people and went full neo-Nazi, declaring that “Hitler was right I hate the jews.”

Still, a warmer version of carbonite is probably not the ultimate solution:

In addition to turning the bot off, Microsoft has deleted many of the offending tweets. But this isn’t an action to be taken lightly; Redmond would do well to remember that it was humans attempting to pull the plug on Skynet that proved to be the last straw, prompting the system to attack Russia in order to eliminate its enemies. We’d better hope that Tay doesn’t similarly retaliate.

John Connor was not available for comment.

Making the user experience worse

If there’s a way to make things more cumbersome for its stagnating user base, Twitter will do it, every single time.

TweetDeck, we now know, will be reduced to a mere Web site in mid-April. Those of us who didn’t immediately declare allegiance to the new regime were faced with this:

TweetDeck for Windows will no longer be supported and will cease to work after April 15

Over the entire width of the screen. Can you turn it off after you have “read more”? Not a chance.

It’s like they really want us to hate them.

Still doing it wrong

The standalone TweetDeck client is being killed off:

Twitter announced today it is shutting down the TweetDeck app for Windows on April 15.

Which they buried in the third paragraph of a new-features promo.

And why would they phase out arguably the most popular version of an application for which they paid £25 million five years ago? Why do you think?

Twitter’s plan is to push all users to Twitter.com for their advertisement revenue.

Yeah, right. They just dished up a 4.0 version; I’m betting that they tried, and failed, to wedge ads into it.

In the meantime, tweetdeck.com will continue to work in browsers. Maybe. They did mention Chrome.

Madness beyond March

While the Thunder are on the road, the ‘Peake will be overrun with March Madness: four first-round games in the West will be played here in OKC, and everyone watching will presumably have access to all manner of statistics for the duration.

Then again, that’s the men’s tournament. The women’s tournament, not being held here but going on at the same time, presumably won’t draw as much interest. But what’s maddening, to me at least, is that so many of the metrics are gone:

Until recently, the one repository for advanced statistics such as usage, true shooting percentage, pace-adjusted player statistics and adjusted team ratings for women’s college ball was WBBState.com, a vertical of data company National Statistical. But that source disappeared Feb. 29, when ServerAxis, the company that provided server space to National Statistical’s hosting company, suddenly took all its equipment offline. There are reports that ServerAxis was having financial problems, but the company has so far not responded to requests for comment. National Statistical also declined to comment on the situation on the advice of lawyers as it works to recover its data and bring the site back online.

Exactly how a web hosting company pulls up anchor, ditches its Miami headquarters, and ends up 1,300 miles away in Chicago, allegedly waiting for its servers to find their way home, is almost certainly a fascinating story, but it’s secondary to the reality that an entire sport’s advanced metrics wing can be wiped off the map by a few nerds absconding with a few hard drives and turning off their phones. This is a corollary to the more global lack of statistical interrogation of women’s basketball — the data isn’t just shallow, it’s scarce, and that scarcity makes it fragile.

Okay, you may not be a stats freak. I’m not that much of one. But I have to believe that there’s a demand for this sort of distaff data:

In the landscape of women’s sports, college basketball in general and the NCAA Tournament in particular are enormously important. The nation’s attention has turned to college basketball, expecting rich, compelling and thorough analysis, and the women’s side, already handicapped by neglect, has lost one of its legs to a freak woodchipper accident. This leaves the writers who cover the tournament, missing servers be damned, in quite the lurch.

One might argue, perhaps, that if the audiences were equal, statistical availability would be maintained in some sort of equal measure. But if these numbers aren’t available, it becomes harder to build that audience.

For certain values of “retro”

From The Seattle Times, yesterday:

Pizza perfectionist Brandon Pettit has done it again. Dino’s Tomato Pie opened just last week on the curve of Capitol Hill’s Olive Way, and it’s already a mob scene. Unlike Pettit and partner Molly Wizenberg’s revered, restrained Delancey in Ballard, Dino’s is also a scene fit for the mob: old-school, East Coast all the way, with pebbly-textured red plastic water glasses, booths with fake-marble Formica tables and a custom-carved oak bar back. (The figures on the latter are Bacchus and Venus, not Pettit and Wizenberg, though some might say, same difference.) Specialty cocktails include Long Island iced tea, and even the website is a retro eyesore/delight.

A word about that Web site: it says it’s best viewed with Netscape 4.72. Don’t have Netscape 4.72? There’s a download link. Which works.

With my own 20th anniversary coming up, I am sorely tempted to retrieve one of the yecchy designs that used to exist here, because retro.

For best results, follow directions carefully

Now $59.95 might seem high for a fan, but it’s not just a fan you’re getting:

What? No, Linux doesn’t do this. I think.

Thieves, honor, and so forth

Incoming comment spam, in the WordPress system, always has an email address attached, and almost always carries the URL of some alleged site. WordPress, if it’s not otherwise occupied, will actually attempt to display that alleged site in a frame if you hover over it. Often as not, the “site” comes up 404, and most of the time that it doesn’t, it’s not worth looking at.

Last night, though, was a first: a site that scolded me for having an ad blocker turned on.

Understand this. A spammer scolded me for blocking his ads. On the Gall Spectrum, this places right around Purely Unmitigated.

Rather than drop an email into the proffered address, which is probably bogus anyway, I have decided simply to block the miscreant’s IP address. And no, I’m not giving him a link either.

(Oh, you wanted to know the offending IP? Well, it is subject to change. However, I’m pretty sure you’ll never, ever get anything useful from 95.105.127.113.)

The shape of rooms to come

I have yet to see one of these in a hotel room, but I figure they’re bound to spread, at least at some of the price points I can handle:

This would almost, though not quite, make up for the absence of a desk.

You don’t know Jack, yet

Perhaps the world was waiting for an instant-messaging app that’s not all that instant:

[W]ith the ability to instantly send, there’s come an expectation to instantly reply and sometimes the vibration of our phones can feel like an annoying and persistent knock on the door rather than a communicative joy. The idea of patiently waiting for a response to something in a world where we’re all connected has understandably started to fade as slower methods of communication are phased out.

That’s why messaging app Jack is trying to do something a little different by taking the instant out of instant messaging. Jack works by allowing you to send someone a message, image, video clip, or audio clip that they’ll receive instantly but gives you the ability to decide when the recipient can open it, whether it’s one hour, one day, or one year in the future. The recipient can see the time counting down to when they can open their message and the developers hope that this will bring “the pleasure of anticipation” back into communication.

I am pleased to note that behind Jack there really is a Jack.

One thing I’m wondering: can you adjust the time once the message has been sent?

Hack this, pal

Who knows what might be lurking in the firmware?

It seems Tesla is set to bump the battery capacity of its Model S sedan up to a hefty 100kWh some time in the near future. We know this thanks to the work of a white-hat hacker and Tesla P85D owner named Jason Hughes. Hughes — who previously turned the battery pack from a wrecked Tesla into a storage array for his solar panels — was poking around in the latest firmware of his Model S (version 2.13.77) and discovered an image of the new car’s badge, the P100D.

In not exactly a humblebrag, Hughes tweeted what he’d found as a hash rather than in the clear. (A hash is not encryption: hash a short, guessable string like a model name and anyone can match it by guessing, which is what happened, quickly.) Tesla’s response was quick too: they rolled Hughes’ firmware back to an earlier version. (“We get sauce too?” asked the gander, plaintively.)

Hughes complained; Elon Musk himself said that he hadn’t asked for the rollback. And Hughes wasn’t particularly put out, since — you knew this was coming, right? — he’d already backed up that newest incremental upgrade.

Damn, but cars are getting complicated.

Your mind is mined

The truth is often even worse than you think it is. I quit hanging around Forbes.com once they got whiny about ad blockers and promised, if you turned them off, an “ad-light” experience. It is, of course, nothing of the kind:

The “ad-light experience” employs 38 trackers consuming 83.1 MB of memory. What does the non-light experience look like? For reference, Google Maps’ scripts take 52.7 MB and they actually do something useful.

Well, so do the trackers, if your definition of “useful” stretches enough to include “follows me around like a lost puppy”:

The tracking isn’t done with cookies; those are too easy to delete. Trackers identify you with a browser fingerprint: Your operating system, browser version, time zone, plug-in versions, screen resolution, installed fonts, IP address, and other things you thought were private.

Or if not private, certainly irrelevant, right? Wrong:

The more uniquely-configured your system, the more identifiable you are. (How identifiable? Check here.)

Which I did. Apparently my browser fingerprint is unique among the 130,000 or so that have been tested, and I ought not to be surprised by that.

It doesn’t matter if you use incognito mode and block cookies; that’s just another data point to add to your profile. It’s called a fingerprint because every one is unique. And each time you load a tracker, your fingerprint is captured and the activity is added to your browsing profile.

Hardly seems worth the bother for NSA to monitor me, if the private sector is already gathering this much data.
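Since the quoted piece describes the technique without showing it, here is an added example (not code from the article or from the fingerprint-testing site it links to) of both halves: boiling a bundle of browser attributes down to one identifier, and measuring how far each attribute narrows a visitor down in a population, which is what the “how identifiable?” number means. None of the inputs is a cookie, which is the point about private browsing. The eight visitors are constructed for the demo; real trackers read dozens of signals from millions of visitors.

```python
"""Added example, not code from the article the post quotes or from the
fingerprint-testing site it links to.

The two halves of the technique: reducing a bundle of browser attributes
to one identifier, and measuring how far each attribute narrows a visitor
down in a population. The eight visitors below are constructed for the
demo; real trackers read dozens of signals from millions of visitors.
"""
import hashlib
import math
from collections import Counter

# Constructed population. Visitors 0 and 1 are identical, so are 2 and 7;
# the other four are one of a kind.
POPULATION = [
    {"ua": "Firefox/45 Windows", "tz": "-300", "screen": "1920x1080", "fonts": "Arial,Verdana"},
    {"ua": "Firefox/45 Windows", "tz": "-300", "screen": "1920x1080", "fonts": "Arial,Verdana"},
    {"ua": "Chrome/49 Windows",  "tz": "-300", "screen": "1920x1080", "fonts": "Arial,Verdana"},
    {"ua": "Chrome/49 Windows",  "tz": "-300", "screen": "1366x768",  "fonts": "Arial,Verdana"},
    {"ua": "Chrome/49 Mac",      "tz": "-480", "screen": "1440x900",  "fonts": "Helvetica,Arial"},
    {"ua": "Safari/9 Mac",       "tz": "-480", "screen": "1440x900",  "fonts": "Helvetica,Arial"},
    {"ua": "Firefox/45 Linux",   "tz": "+60",  "screen": "1920x1080", "fonts": "DejaVu Sans,Liberation Sans"},
    {"ua": "Chrome/49 Windows",  "tz": "-300", "screen": "1920x1080", "fonts": "Arial,Verdana"},
]


def fingerprint(attrs: dict) -> str:
    """Canonicalise the attributes (sorted keys, fixed separator) and hash
    them. Nothing here is a cookie, so clearing cookies or opening a
    private window changes none of the inputs."""
    canonical = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def surprisal_bits(population: list, key: str, value: str) -> float:
    """Bits of identifying information in observing `value` for one
    attribute: -log2(share of the population with that value). Rare values
    cost you more, which is why an odd font list is a giveaway."""
    share = sum(1 for p in population if p[key] == value) / len(population)
    return -math.log2(share)


def attribute_entropy(population: list, key: str) -> float:
    """Shannon entropy of one attribute across the population: how much,
    on average, that attribute alone narrows a visitor down."""
    n = len(population)
    counts = Counter(p[key] for p in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def identifying_bits(population: list, attrs: dict) -> float:
    """Bits carried by the whole fingerprint; log2(n) means unique."""
    matches = Counter(fingerprint(p) for p in population)[fingerprint(attrs)]
    return -math.log2(matches / len(population))


def report(population: list) -> dict:
    """The summary a fingerprint-testing site shows: distinct prints, the
    share of visitors who are unique, and which attribute does the most work."""
    prints = Counter(fingerprint(p) for p in population)
    per_attr = {k: attribute_entropy(population, k) for k in population[0]}
    return {
        "distinct_prints": len(prints),
        "unique_fraction": sum(1 for c in prints.values() if c == 1) / len(population),
        "bits_per_attribute": per_attr,
        "most_identifying": max(per_attr, key=per_attr.get),
    }
```

With eight visitors a unique fingerprint is worth three bits; against the 130,000 tested on the site the post links to, being unique is about 17 bits, and a tracker that sees millions of visitors needs correspondingly more attributes, which is exactly why it reads fonts, plug-in versions and screen geometry rather than stopping at the user agent.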

Not at all hiding in plain sight

The “security question,” as an institution, is “superbly moronic,” says Jack Baruth:

[T]here is no reason for the security question to exist. Not the way it’s implemented at most websites. A security question, when used properly, can be helpful. PEER1 and Rackspace, as an example, use security questions to authenticate requests for phone support. The security question, in those cases, is one that you provide. As an example, your Rackspace security question could be, “What’s the pinkest brown?” and the answer could be “867-5309”. It’s a true shared secret. Of course, it’s stored on the Rackspace systems, which means it’s vulnerable. But as a good way to authenticate a voice on the phone that’s asking you to reboot a server or add a credential, it’s not bad.

The typical security question implementation, however, is not anything like that.

Oh, hell no. Instead, it’s something you’ve probably already posted on Facebook that anyone keen on stealing your identity has already read and filed away for reference.

I admit to having outsmarted myself once, with the requested item being the “name of your high-school sweetheart.” Like rather a lot of women of this era, she has a first and a middle name; unlike most, she was going by the middle name back then. So I plugged in the first name, which I’m pretty sure I’ve never mentioned anywhere, even here on this site. (Don’t mention this: it’s pseudonyms all the way down.) You can guess what happened next, or more precisely after a year or two.

Incidentally, I live in what has been known in the neighborhood as the Brown House. But it’s the pinkest brown you’ve ever seen.
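Baruth’s “stored on the Rackspace systems, which means it’s vulnerable” is the part you can do something about. As an added example (not code from his post, nor from PEER1 or Rackspace), here is the shared-secret version of a security question done the way a password should be: the user supplies both question and answer, the server keeps the question in the clear because it has to ask it, but stores only a salted, slow hash of a normalised answer and checks it in constant time. It also refuses the canned questions whose answers are already on your Facebook page. Function names, the canned-question list and the record format are this example’s own.

```python
"""Added example; not code from Jack Baruth's post, nor from PEER1 or
Rackspace. It implements the kind of security question he calls a true
shared secret: the user supplies both question and answer, the server
keeps the question in the clear (it has to ask it) but stores only a
salted, slow hash of a normalised answer, and checks it in constant time.
Function names, the canned-question list and the record format are this
example's own.
"""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 100_000

# The "typical implementation": questions whose answers are public facts.
# Refuse them at enrolment instead of offering them from a menu.
CANNED_QUESTIONS = {
    "what is your mother's maiden name?",
    "what was the name of your first pet?",
    "what city were you born in?",
    "what was the name of your high school?",
    "what is the name of your high-school sweetheart?",
}


def normalise(text: str) -> str:
    """Fold case, Unicode form and runs of whitespace, so "867-5309" and
    " 867-5309 " verify alike while "8675309" still does not."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(folded.split())


def is_canned(question: str) -> bool:
    """True for a question whose answer is likely already public."""
    return normalise(question) in CANNED_QUESTIONS


def _digest(answer: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"), salt, rounds)


def enrol(question: str, answer: str) -> dict:
    """Create the stored record. The answer itself never goes to disk."""
    if is_canned(question):
        raise ValueError("pick a question whose answer is not a public fact")
    if not normalise(answer):
        raise ValueError("answer cannot be blank")
    salt = os.urandom(16)          # per-record salt: identical answers hash differently
    return {
        "question": question,
        "salt": salt.hex(),
        "rounds": PBKDF2_ROUNDS,
        "hash": _digest(answer, salt, PBKDF2_ROUNDS).hex(),
    }


def verify(record: dict, answer: str) -> bool:
    """What the support desk's tool runs when the caller answers: the agent
    types what they hear and sees only pass/fail, never the stored secret."""
    candidate = _digest(answer, bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(candidate.hex(), record["hash"])


def demo() -> dict:
    """Enrol Baruth's example and show what does and does not verify."""
    record = enrol("What's the pinkest brown?", "867-5309")
    return {
        "exact": verify(record, "867-5309"),
        "spaced": verify(record, "  867-5309 "),
        "digits_only": verify(record, "8675309"),
        "wrong": verify(record, "Brown House"),
        "plaintext_in_record": any("867-5309" in str(v) for v in record.values()),
        "canned_rejected": is_canned("What is your mother's maiden name?"),
    }
```

A breach of the support database then yields the questions and a pile of PBKDF2 hashes rather than the answers, and a hashed answer to a question only you wrote is a much worse target than a hashed “mother’s maiden name,” which an attacker can try from a short list. The normalisation step is what keeps the scheme usable over the phone; it does not rescue you from the problem in the anecdote above, where the enrolled answer and the remembered one are different words.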

Not really dead tech

I was there the night Prodigy died. If you’d told me at the time that this obsolete technology would be the subject of a lawsuit a decade and a half later, I’d have broken out into guffaws, or at least snickers.

Well, tee-hee:

IBM has sued online deals marketplace Groupon for infringing four of its patents, including two that emerged from Prodigy, the online service launched by IBM and partners ahead of the World Wide Web.

Groupon has built its business model on the use of IBM’s patents, according to the complaint filed Wednesday in the U.S. District Court for the District of Delaware. “Despite IBM’s repeated attempts to negotiate, Groupon refuses to take a license, but continues to use IBM’s property,” according to the computing giant, which is asking the court to order Groupon to halt further infringement and pay damages.

What the heck sort of Nineties-style code would even be relevant in 2016?

To develop the Prodigy online service that IBM launched with partners in the 1980s, the inventors of U.S. patents 5,796,967 and 7,072,849 developed new methods for presenting applications and advertisements in an interactive service that would take advantage of the computing power of each user’s PC and reduce demand on host servers, such as those used by Prodigy, IBM said in its complaint against Groupon.

“The inventors recognized that if applications were structured to be comprised of ‘objects’ of data and program code capable of being processed by a user’s PC, the Prodigy system would be more efficient than conventional systems,” it added.

Which system, of course, they abandoned in 1999, under the pretext of Y2K concerns.

(Via Consumerist.)

Encrypt-kickers

As an actual Amazon Fire tablet owner, I knew some of this, but of course not all of it:

Amazon’s Fire OS is a fork of Android, based on the Android Open Source Project (AOSP) code but without Google’s apps and services or guaranteed compatibility with apps developed for Google-approved Android. Amazon has heavily customized the UI and provides its own app store, but it typically leans on AOSP code for under-the-hood, foundational features — in older Fire OS versions, the optional device encryption was handled the same way it was on any Android device. However, according to user David Scovetta and others on Amazon’s support forums, that encryption support has been deprecated and removed in recent releases of Fire OS 5, both for new Fire tablets and for older devices that have been upgraded.

We contacted Amazon for comment, and the company told us that local device encryption support was removed in FireOS 5 because the feature wasn’t being used:

“In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using,” Amazon told Ars. “All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security including appropriate use of encryption.”

Which is fine and dandy, if your signals are confined to the Bezosphere. Otherwise:

[E]ncrypted connections between the Fire tablets and external servers are safe (or, as safe as the server involved and the method of encryption being used will allow for), but thieves and law enforcement officials will be able to grab user data stored locally without much trouble.

And is it my imagination, or are those two parties gradually becoming less distinguishable from one another?

(Via @SwiftOnSecurity.)

Brave new storage

Tam needed to move a whole bunch of files, and acted appropriately:

I go to Amazon and order a 128GB USB 3.0 Flash Drive. Huh. Same day delivery available. I mention it to Bobbi and she asks me to order one for her, too.

A couple hours later, there’s a thump on the front porch, caused by the impact of a box containing probably more storage space than every computer I owned before 2010 combined, delivered to my doorstep in hours on a Saturday for less than the price of dinner & drinks for two at a middlin’ fair restaurant.

And close to what I paid in 2006 for a drive containing a single gigabyte.

Note from the description:

The 128GB Turbo USB 3.0 Flash Drive can hold approximately 23,674 songs.

By now, there are probably that many covers of “All About That Base.”

An overdose of PHP

Not that you asked, but the servers behind the scenes here are running PHP 5.6. This is “Recommended” by the host; they still support 5.5, but no earlier version.

But they’re now offering 7.0, which they describe as “new and scary.” Maybe it is; I wouldn’t know. It’s been out since December, and is considered a stable release; the current install is 7.0.3. The shade of Ned Ludd tells me I probably should wait until 7.1, but what the hell does he know? And besides, I’m on a new server as of yesterday, so none of the statistics are statistically significant, at least for a little while.

(Before you ask: there is no PHP 6.)

The remotest remote car hack

Once upon a time, it was discovered that if you can splice your way into the car’s wiring, you can do all sorts of wicked things to the computers that run everything. But that was over five years ago. Last year, it was revealed that such things can be done remotely, if you know how to take advantage of certain vulnerabilities in the operating system.

Which brings us to this year:

Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I’ve become so attached to. I was running my usual “Hack Yourself First” workshop which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about. I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting.

One of the guys was a bit inspired by what we’d done and just happened to own … the world’s best-selling electric car, a Nissan LEAF. What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs.

The guy’s experiments proved to be reproducible:

Nissan, of course, will have to implement a fix.

It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier — it’s profoundly trivial. As car manufacturers rush towards joining in on the “internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realising that they didn’t take it seriously enough in the first place.

And it’s a great argument for fixing up that old ’96 Maxima, which is mostly immune to stuff like this, unless you’re right there with the wires.

(Via @SwiftOnSecurity.)

Comments (2)




The macroses, they is ours, the precious

Elsewhere, Moses supposes macroses is roses, but Moses supposes erroneously.

Comments (2)




Degrees of brilliance

While Gadgette editor Holly Brockwell fangirled all over the new Samsung Galaxy S7 and S7 Edge — and let’s face it, no one fangirls better or with more technological suss — she dropped this little tidbit of information that induced Severe Jaw Drop in yours truly:

Amazingly, the S7 and S7 Edge feature water cooling, something PC users have had for a long time. It’s essentially a way of using sealed containers of liquid to cool down the components of a phone during intensive activity, and while it’s not the first time it’s been seen in a smartphone, it’s still a very impressive feature to cram into such a slimline phone. Most people won’t care, but we think it’s cool.

In the literal sense, yet.

I had no idea they were even thinking about liquid-cooled smartphones, though of course the concept makes eminently good sense. This, of course, is why she’s among the best tech writers in the known universe, and I’m still sitting here fumbling with T9 texting.

Comments




Hope for the hopeless notebook

Toshi the Road Warrior, a sturdy Toshiba Satellite which has followed me around on road trips for a decade and a half, is woefully out of date. But now I’m wondering if maybe a solution just dropped into my lap:

Earlier today we published a story about Neverware, a New York City startup that is helping schools refurbish old Windows PCs and Macs that had been abandoned as unusable, converting them into “Chromebooks” students can actually work on. Neverware charges schools a licensing fee for every machine it enables this way, but it also offers the software for free to individual users. And starting today, you can set up most computers to dual boot into their original operating system or Chrome, meaning you don’t have to get rid of anything on your machine to give it a spin as a Chrome-capable laptop.

Now these aren’t technically “Chromebooks” because that name is a trademark reserved for the laptops created by Google and its hardware partners. A Google representative suggested we call them Chrome laptops, or Chromium laptops. I’m partial to Chromiumbook myself. In any case, you’ll find that the experience is mostly indistinguishable from Chrome, and that all the Google apps and services you expect work without a hitch.

Toshi’s lack of suds may not matter in the Chrome context:

I have been using a six-year-old Dell Latitude laptop running Neverware’s CloudReady software for a few weeks. In Chrome it boots in under 30 seconds and runs fast enough for me to use it as my only computer at work. In Windows, well, not so much. As we noted in our feature, an irony of the cloud computing era is that a lot of older machines discarded as obsolete actually have far more horsepower, in terms of pure hardware, than the latest Chromebooks coming to market.

Then again, that’s a six-year-old. Toshi is sixteen. Still, the idea is tempting, and it’s not like I’m going to miss Windows XP.

Comments




Who was that improperly masked man?

@SwiftOnSecurity presents a true tale of woe, as told by Lee Hutchinson of Ars Technica:

If you have a competent network person — by which I mean “a network person who will tell a clown like this to go pound sand” — don’t let him (or her, if applicable) get away.

Comments (1)




Y1.97K

Unix/Epoch time counts seconds from 00:00:00 UTC, 1 January 1970; as far as the various Unices are concerned, that instant is zero, and a great deal of software behaves as though nothing existed before it.

Some operating systems take it more seriously than others. You set any current iPhone to that date and you have Carnation Instant Brick:

iPhone users discovered that changing the date of the phone in “Settings” to January 1st, 1970 causes the device to “brick,” or essentially turn off without ever turning back on again.

The good news is that it’s highly unlikely you could ever do this by accident. Manually changing the date of the iPhone to a time 30 years ago is pretty tedious.

And a time 46 years ago is perhaps more so.

Needless to say, this went viral rather quickly, with the usual scum-sucking geeks promoting resetting the time to reveal some iOS Easter egg. (For Windows folk: this is the equivalent of deleting the System32 folder, an instance of bad advice that never seems to go away entirely.) Apple has vowed to fix this bug — which, it says, applies to any date May 1970 or before — in the next software update.
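The post does not say why iOS chokes on that date, and this added example (mine, not Apple's, and not from the original post) does not claim to explain it. It illustrates the general hazard at the epoch boundary: a civil date at or before 1 January 1970, once a time-zone offset is applied, yields a negative second count, and any code that stores the count in an unsigned 32-bit field quietly turns that into a value near 4.29 billion. The civil-to-days conversion is Howard Hinnant's days_from_civil algorithm, used here instead of the non-standard timegm() so the code runs the same on any platform; the function names and the Oslo-style UTC+1 offset are my own choices for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* Days from 1970-01-01 to the given proleptic Gregorian date.
 * Negative for dates before the epoch (Hinnant's days_from_civil). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d) {
    y -= m <= 2;                                   /* treat Jan/Feb as months 13/14 of prior year */
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);            /* year of era [0, 399] */
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;  /* day of year [0, 365] */
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;           /* day of era [0, 146096] */
    return era * 146097 + (int64_t)doe - 719468;   /* 719468 = days from 0000-03-01 to 1970-01-01 */
}

/* Seconds since the epoch for a wall-clock time in a zone utc_offset seconds east of UTC.
 * Midnight on 1 Jan 1970 in UTC+1 is already -3600: one hour before time "began". */
int64_t epoch_seconds(int y, unsigned mo, unsigned d,
                      unsigned h, unsigned mi, unsigned s, int utc_offset) {
    return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + s - utc_offset;
}

/* What a field declared as uint32_t ends up holding for that instant. */
uint32_t as_unsigned32(int64_t t) {
    return (uint32_t)t;                            /* -1 becomes 4294967295, -3600 becomes 4294963696 */
}

int predates_epoch(int64_t t) {
    return t < 0;
}

int main(void) {
    /* Constructed sample dates: the iPhone-bricking date in UTC, the same date in UTC+1,
     * the last second of 1969, and the year the post was written. */
    int64_t utc_midnight  = epoch_seconds(1970, 1, 1, 0, 0, 0, 0);
    int64_t oslo_midnight = epoch_seconds(1970, 1, 1, 0, 0, 0, 3600);
    int64_t last_of_1969  = epoch_seconds(1969, 12, 31, 23, 59, 59, 0);
    int64_t new_year_2016 = epoch_seconds(2016, 1, 1, 0, 0, 0, 0);

    printf("1970-01-01 00:00:00 UTC   -> %" PRId64 " (uint32: %" PRIu32 ")\n",
           utc_midnight, as_unsigned32(utc_midnight));
    printf("1970-01-01 00:00:00 UTC+1 -> %" PRId64 " (uint32: %" PRIu32 ")%s\n",
           oslo_midnight, as_unsigned32(oslo_midnight),
           predates_epoch(oslo_midnight) ? "  <- before the epoch" : "");
    printf("1969-12-31 23:59:59 UTC   -> %" PRId64 " (uint32: %" PRIu32 ")\n",
           last_of_1969, as_unsigned32(last_of_1969));
    printf("2016-01-01 00:00:00 UTC   -> %" PRId64 "\n", new_year_2016);
    return 0;
}
```

The point of the predates_epoch() check is that a signed time_t is perfectly happy representing 1969; it is the code consuming the value, not the clock, that has to decide what "before zero" means, and that decision is easy to skip.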

Comments (1)