Arstechnica

Syndicate content
The Art of Technology
Updated: 2 hours 20 min ago

Mozilla: data stolen from hacked bug database was used to attack Firefox

9/4/2015 7:04pm

An attacker stole security-sensitive vulnerability information from the Mozilla's Bugzilla bug tracking system and probably used it to attack Firefox users, the maker of the open-source Firefox browser warned Friday.

In an FAQ published (PDF) alongside Mozilla's blog post about the attack, the company added that the loss of information appeared to stem from a privileged user's compromised account. The user appeared to have re-used their Bugzilla account password on another website, which suffered a data breach. The attacker then allegedly gained access to the sensitive Bugzilla account and was able to “download security-sensitive information about flaws in Firefox and other Mozilla products.”

Mozilla added that the attacker accessed 185 non-public Firefox bugs, of which 53 involved “severe vulnerabilities.” Ten of the vulnerabilities were unpatched at the time, while the remainder had been fixed in the most recent version of Firefox at the time.

Read 6 remaining paragraphs | Comments

Chrome becomes a bit less of a memory hog with version 45

9/4/2015 5:55pm

While the Chrome browser is extremely popular, it has gained something of a reputation. What hippos are to little plastic balls, Chrome is to memory: hungry, hungry.

Chrome 45, released earlier this week, should make Google's browser a little lighter. The company described some improvements yesterday that should reduce the browser's footprint.

Perhaps the most significant change for tab hoarders such as myself is new behavior when reloading all your tabs when you first launch the browser. Chrome 45 does a couple of things differently. First, it loads the tabs from most to least recently used. This should mean that the tabs you're most interested in and want to use first will be the first to load. Second, if your system is low on memory, it will stop restoring tabs in the background. Clicking the tab to view it will, of course, load it, but otherwise it'll remain dormant.

Read 4 remaining paragraphs | Comments

Man who helped code highly destructive financial malware pleads guilty

9/4/2015 3:40pm

The Latvian man accused of helping create the Gozi virus, which United States prosecutors dubbed "one of the most financially destructive computer viruses in history," has pleaded guilty.

As the original indictment stated: "The Gozi Virus has caused, at a minimum, millions of dollars in losses."

According to Reuters, Deniss Calovskis made the admission in federal court in Manhattan on Friday.

Read 9 remaining paragraphs | Comments

Ex-Tesla engineer accused of illegally accessing former boss’ e-mail

9/4/2015 2:55pm

A former Tesla mechanical engineer is facing two counts of felony computer intrusion, according to a Thursday press release from the FBI.

Nima Kalbasi, a 28-year-old Canadian citizen, is accused of illegally accessing his former boss’ e-mail account nearly 300 times during a period of about 30 days in late 2014 and early 2015.

The 28-year-old Canadian citizen appeared before a federal judge in San Jose, California late last month. He was arrested days earlier while crossing the border from Canada into Vermont.

Read 4 remaining paragraphs | Comments

The guns of (this) August: Ars gets a demo of digitally enhanced artillery

9/4/2015 2:33pm
Video shot and edited by Nathan Fitch. (video link)

Shooting things you can see is hard enough. Shooting things you can't see based on directions someone being shot at is giving you over a staticky radio is even harder. But a digital addition to the Army's most nimble of artillery pieces is making the job of delivering explosive packages accurately and on time a lot easier.

Over the past two years, the US Army has been applying technology that was once the province of submarines and strategic bombers to a piece of weaponry with a somewhat more humble history: light field artillery. The M119 howitzer, the modern descendant of the towed cannons that have been used to lob shells at enemies since the Middle Ages, has been upgraded with a digital inertial navigation system that makes it possible for a gun crew to set it up within minutes and start firing in support of soldiers in the field.

The M119, technically speaking, is a "gun-howitzer"—a cannon that can be used both for direct fire (aimed at the target with an optical sight or radar) and indirect fire aimed based on positions provided by a spotter. Howitzers were originally guns with shorter barrels relative to their shell caliber that were used to lob shells in a high arc, at greater distances than the even shorter-barreled mortar.

Read 2 remaining paragraphs | Comments

Federal bust of long-running escort site Rentboy.com leads to protests

9/4/2015 2:24pm

Rentboy.com isn't the first website to be shut down for allegedly promoting an illegal business. But federal prosecutors may not have expected the backlash stemming from last week's bust of the 19-year-old gay escorting site.

Six Rentboy employees, including the company's CEO Jeffrey Hurant, have been charged with violating the Travel Act by promoting prostitution. They each face up to five years in prison.

In describing the bust, acting US Attorney Kelly Currie denounced the site as a thinly veiled "Internet brothel," that made millions promoting prostitution.

Read 11 remaining paragraphs | Comments

Verizon sale of FiOS and DSL network in three states clears FCC hurdle

9/4/2015 1:05pm

Verizon's proposed sale of wireline facilities in three states to Frontier Communications was approved by the Federal Communications Commission in an order issued Wednesday.

Verizon had already gotten approval from the Department of Justice. Now the company just needs the green light from regulatory authorities in California, Florida, and Texas, the states where it's selling off copper and fiber networks to Frontier.

"With these approvals in hand, we look forward to promptly receiving the remaining regulatory approvals in the coming months," Verizon said. Frontier said it expects to close the deal in the first quarter of 2016.

Read 8 remaining paragraphs | Comments

MS researchers claim to crack encrypted database with old simple trick

9/4/2015 12:40pm

A team of Microsoft researchers led by Seny Kamara claims to have been successful at recovering a substantial amount of data from health records stored in CryptDB (PDF), a database technology that uses layers of encryption to allow users to search through encrypted data without exposing its contents.

CryptDB was originally developed at MIT. It functions as an addition to a standard, unmodified SQL database and is intended to allow applications to interact with encrypted data using Structured Query Language. By using layers of encryption, CryptDB can allow certain properties of data to be revealed to applications processing the queries while keeping the data itself protected. In theory, the encryption prevents the database administrator (or anyone who attacks the database by gaining trusted access) from being able to view the contents of the database. Data from different users is encrypted with different keys.

CryptDB has been used with the open-source MySQL and PostgreSQL databases, and Google uses it to provide an encrypted version of its BigQuery cloud database. SAP and other large database vendors are looking to apply the technology to their own databases as well. And the federally funded MIT Lincoln Laboratory (PDF) has worked with CryptDB as an additional interface to the Apache Accumulo NoSQL database—the same database originally developed by the National Security Agency to store NSA's multi-level security "big data."

Read 6 remaining paragraphs | Comments

Report: Google will comply with censorship laws to get Play into China

9/4/2015 12:00pm

Android devices sold in mainland China aren't the same as Android devices sold in the US and elsewhere. Chinese devices often run a forked version of Android derived from Android Open Source Project (AOSP) code but without the Google apps and services that are usually included in other countries. That's because the Google Play store and related services aren't officially available in China—the company left China back in 2010 following the "Operation Aurora" cyber-attacks that have been attributed to the Chinese government. Google vowed to stop censoring Chinese search results and later began redirecting Chinese searches through Hong Kong, and its services in China have either been spotty or completely unavailable ever since.

Today The Information reports that Google is making plans to get a version of Google Play back into China and that it's willing to work within Chinese censorship law to do it. The company "will follow local laws and block apps that the government deems objectionable" in the interest of regaining control over its own operating system. Google also wants to help Chinese developers distribute their apps outside of China and help international developers sell their apps within China.

The company wants to make the move to a Google-blessed version of Android attractive by offering "new incentives to phone makers to upgrade Android phones to the latest versions of the operating system," though the exact incentives aren't mentioned. Similar Google initiatives like the Android Update Alliance and Android One have fared poorly in other countries, so it's not clear what Google can do in China to get different results.

Read 2 remaining paragraphs | Comments

California passes bill to kick coal out of its pension funds

9/4/2015 11:41am

Earlier this week, the California State Assembly approved a bill that would order the state's employee pension funds to eliminate investments in companies that make the majority of their revenue from coal. The bill has already passed the State Senate, and if signed by Governor Jerry Brown, it will make California the first state to take this step.

The bill focuses on the use of coal for electricity generation; production of coal for metallurgical uses is exempt. The board that oversees the investment funds will also have two options for maintaining their investments. One is simply if selling off the investments will violate its financial responsibilities. The second is if the companies involved provide evidence that they are transitioning away from a reliance on coal.

California oversees two pension funds: one for teachers and the second for all other state employees. Combined, the two have nearly half a trillion dollars in assets. A spokesman for the funds told Reuters that up to $240 million of that amount could be invested in coal companies.

Read 2 remaining paragraphs | Comments

FCC accused of locking down Wi-Fi routers, but the truth is a bit murkier

9/4/2015 11:30am

The Federal Communications Commission is considering new restrictions that would make it harder for users to modify Wi-Fi routers, sparking controversy and an apparent misunderstanding over the FCC’s intentions.

The FCC's stated goal is to make sure routers and other devices only operate within their licensed parameters. Manufacturers release products that are certified to operate at particular frequencies, types of modulation, and power levels but which may actually be capable of operating outside of what they’ve been certified and tested to do.

The extra capabilities can sometimes be unlocked through software updates issued by the manufacturer, or by software made by third parties. Lots of users install open source firmware on routers to get a better user interface and better functionality than what is provided by the vendor, and the wording of the FCC’s proposal has some worried that such software will effectively be outlawed.

Read 18 remaining paragraphs | Comments

Serious bug causes “quite a few” HTTPS sites to reveal their private keys

9/4/2015 11:00am

According to a security researcher for Linux distributer Red Hat, network hardware sold by several manufacturers failed to properly implement a widely used cryptographic standard, a data-leaking shortcoming that can allow adversaries to impersonate HTTPS-protected websites using the faulty equipment.

A nine-month scan that queried billions of HTTPS sessions from millions of IP addresses was able to obtain leaked data for 272 keys, reports Red Hat security researcher Florian Weimer in a research paper published this week. Because the scan surveyed only a very small percentage of the overall number of transport layer security protocol handshakes, many more keys and manufacturers are likely to be affected by the leakage. Vulnerable hardware includes load balancers from Citrix as well as devices from Hillstone Networks, Alteon/Nortel, Viprinet, QNO, ZyXEL, BEJY, and Fortinet.

The results of Weimer's nine-month scan. Florian Weimer Enter Chinese Remainder Theorem

The leakage is the result of insecure implementations of the RSA public key cryptosystem, which is one of several that HTTPS-protected websites can use to exchange keys with visitors. A 1996 research paper by researcher Arjen Lenstra warned that an optimization based on what's known as the Chinese Remainder Theorem sometimes causes faults to occur during the computation of an RSA signature. The errors cause HTTPS websites that use the perfect forward secrecy protocol to leak data that can be used to recover the site's private key using what's known as a side-channel attack.

Read 6 remaining paragraphs | Comments

New York City teacher arrested hours after drone crash at US Open

9/4/2015 8:03am

A New York City teacher was arrested early Friday morning, hours after he allegedly crashed a small quadcopter drone into an empty seating area during a match at the US Open tennis tournament in Queens.

According to the New York Daily News, Daniel Verley, 26, was arrested and charged with “reckless endangerment, reckless operation of a drone and operating a drone outside the prescribed area.”

The newspaper also reported that Verley is a teacher at the Academy of Innovative Technology, a public school in Brooklyn.

Read 5 remaining paragraphs | Comments

People with intellectual disabilities are being given antipsychotics

9/4/2015 8:00am

Both mental illnesses and intellectual disabilities can make it difficult for someone to function in society. But they're distinct groups of problems, and the treatments you'd use for one simply won't be effective for the other.

A new study suggests that doctors in the UK haven't kept those facts in mind when writing prescriptions. The study found that antipsychotics were frequently being prescribed to those with intellectual disabilities, even if the patients had never been diagnosed with symptoms of a mental illness. Evidence suggests that this may have been done simply to deal with behavioral problems.

Intellectual disabilities interfere with a person's ability to process information. While this would obviously interfere with academic achievement, it also limits a person's ability to develop social and practical skills. As a result, you might expect some behavioral issues when these individuals interact with society at large.

Read 8 remaining paragraphs | Comments

Android Wear on iOS: A hobbled, Google-centric smartwatch experience

9/4/2015 7:00am

You can use Android Wear smartwatches with iPhones now. You shouldn't, but you can.

That's not a value judgment of Android Wear relative to the Apple Watch or WatchOS—both platforms do a lot of the same things, at least when paired to a phone running the same OS. It's more about what Google (or any third-party wearable vendor) can actually do on Apple's platform, which despite recent progress still restricts third-party hardware and software from doing many of the things that first-party hardware and software can do.

Read 21 remaining paragraphs | Comments

Fresno teen arrested after he allegedly posts Eminem lyrics on Instagram

9/3/2015 9:24pm

Earlier this week, a teen in Fresno, California, was arrested by police after a search of his family's house, which turned up a cache of guns and ammunition. What prompted the search? The day before, the teen had posted lyrics from an Eminem track called “I'm Back.”

In the track, Eminem raps, “I take seven kids from Columbine, stand ’em all in a line / Add an AK-47, a revolver, a nine / A MAC-11 and it oughtta solve the problem of mine / And that’s a whole school of bullies shot up all at one time / I’m just like Shady and just as crazy as the world was over this whole Y2K thing.”

But confusing the matter, in a press conference, the police mistook the teen's post for lyrics from Eminem's track “Rap God,” which simply use the lines, “I take seven kids from Columbine, stand ’em all in a line / Add an AK-47, a revolver, a nine.”

Read 11 remaining paragraphs | Comments

FBI, DEA and others will now have to get a warrant to use stingrays

9/3/2015 6:58pm

The Department of Justice (DOJ) announced sweeping new rules Thursday concerning the use of cell-site simulators, often called stingrays, mandating that federal agents must now obtain a warrant in most circumstances.

The policy, which takes effect immediately, applies to its agencies, including the FBI, the Bureau of Alcohol, Tobacco and Firearms (ATF), the Drug Enforcement Administration, and the United States Marshals Service, among others.

"Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases," Deputy Attorney General Sally Quillian Yates said in a statement. "This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties."

Read 15 remaining paragraphs | Comments

2 North Carolina teens hit with child porn charges after consensual sexting

9/3/2015 5:56pm

Later this month, a North Carolina high school student will appear in a state court and face five child pornography-related charges for engaging in consensual sexting with his girlfriend.

What’s strange is that of the five charges he faces, four of them are for taking and possessing nude photos of himself on his own phone—the final charge is for possessing one nude photo his girlfriend took for him. There is no evidence of coercion or further distribution of the images anywhere beyond the two teenagers’ phones.

Similarly, the young woman was originally charged with two counts of sexual exploitation of a minor—but was listed on her warrant for arrest as both perpetrator and victim. The case illustrates a bizarre legal quandry that has resulted in state law being far behind technology and unable to distinguish between predatory child pornography and innocent (if ill-advised) behavior of teenagers.

Read 21 remaining paragraphs | Comments

Ubiquiti revamps its enterprise UniFi gear, and we’ve got some to review

9/3/2015 4:30pm

In early July, Ars ran a syndicated piece from The Wirecutter on the best consumer-grade Wi-Fi extender. Ars readers as usual were quick on the comment button, and a number of folks left feedback on the article saying that even the best consumer-grade Wi-Fi extender is barely functional trash, and that if you really need to expand beyond a single access point, the way to do it is with enterprise-grade gear. Cisco gear came up a couple of times, but more than anything else Ars commenters kept bringing up Ubiquiti Networks and its UniFi line of wireless access points.

Being a site that likes technology, we reached out to Ubiquiti to see if they might be willing to loan us some UniFi gear to formally review, and as it turns out, our timing was fortuitous. Ubiquiti has just announced a re-vamp of the UniFi wireless access point product line, with new models all featuring 802.11ac as standard. Three of the four new models are priced extremely competitively even when considered for home use (the fourth model is for educational institutions only):

UAP-AC-LITE UAP-AC-LR UAP-AC-PRO UAP-AC-EDU Radio 802.11ac/n/b/g/a 802.11ac/n/b/g/a 802.11ac/n/b/g/a 802.11ac/n/b/g/a 2.4GHz MIMO 2x2 3x3 3x3 3x3 5GHz MIMO 2x2 2x2 3x3 3x3 Power over Ethernet 24V passive 24V passive 802.3af / 802.3at 802.3at MSRP $89 $109 $149 $399

What does this kind of gear do that consumer-grade Wi-Fi extenders don’t? We’ve got review samples of the new hardware in hand right now, and it’s a pretty earth-shaking upgrade. The dead-easy configuration and extremely granular customization options are hella neat; the level of control over your WLAN and the clients on it is even better. This is the exact same system often used by small businesses or hotels when building out a large WLAN, and it even lets you customize a guest portal and generate vouchers to hand out to your friends for access (or force them to pay you $8 for using your Wi-Fi for a few hours), and it turns out that it makes a hell of a home system as well.

Read 2 remaining paragraphs | Comments

Acer’s Arduino-based Cloud Professor wants to get kids into the IoT

9/3/2015 3:45pm

BERLIN—How do you get a younger generation, one raised on a seemingly endless supply of smartphones, tablets, and PCs, into not just using such devices, but finding out how they work too? Small development boards like the Raspberry Pi have done wonders for getting kids (and curious adults) into creating all manner of interesting hardware and software. The upcoming BBC Micro:bit promises to go a stage further by giving every Year 7 student in the UK their own Micro:bit board to play with.

But there's another take on the development board, and it's come from the unlikeliest of places: electronics giant Acer. Buried deep within its stand at IFA 2015 in Berlin is a unique development kit called Acer Cloud Professor. It contains the obligatory Arduino board, as well as a variety of accessories, including a USB to GPIO adaptor, a control LED, and even a dust sensor. But rather than just offer yet another way to program things on an Arduino board, the Acer kit also contains a separate module that allows the board to talk to other devices over the Internet.

Essentially, it's an Internet of Things development kit that links into Acer's cloud platform, allowing tinkerers to control various aspects of their connected device via a smartphone or tablet. Because that's often a complex task (particularly for the younger age group the kit is aimed at), Acer is providing a set of apps that automatically communicate with the Cloud Professor module. This lets users concentrate on creating cool stuff, rather than mucking about with cloud protocols.

Read 4 remaining paragraphs | Comments

novalug.com