
Forbes has done some outstanding writing in their article about China’s iPhone jailbreaking industrial complex:

It was a bizarre trip hosted by an equally bizarre and secretive entity called TaiG (pronounced “tie-gee”), which flew the hackers to China to share techniques and tricks to slice through the defences of Apple’s mobile operating system in front of an eager conference-hall crowd. Why such interest and why such aggrandisement of iOS researchers? In the last two years, jailbreaking an iPhone – the act of removing iOS’ restrictions against installing unauthorized apps, app stores and other features by exploiting Apple security – has become serious business in China. From Alibaba to Baidu, China’s biggest companies are supporting and even funding the practice, unfazed at the prospect of peeving Apple, which has sought to stamp out jailbreaking ever since it became a craze in the late 2000s.

Any hacker who can provide the full code for an untethered jailbreak, where the hack continues to work after the phone reboots, can expect a big pay check for their efforts. “Many experts agree the price for an untethered jailbreak is around $1 million,” says Nikias Bassen, aka Pimskeks, a lanky 33-year-old iOS hacker who is part of the evad3rs hacker collective. More often, sellers of iOS zero-day vulnerabilities – the previously-unknown and unpatched flaws required for jailbreaks – make thousands if not hundreds of thousands of dollars from Chinese firms, private buyers or governments, in particular three-letter agencies from the US.

Such big sums are on offer due to the explosion of the third-party app store industry in China. There are at least 362 million monthly active mobile app users in China, according to data provided by iResearch. Whilst smartphone owners in Western nations are content within the walled gardens of Apple and Google app stores for their games, media and work tools, the Chinese are fanatical about apps and want the broadest possible choice from non-Apple app stores. Jailbreaks, which do away with Apple’s chains and allow other markets on the device, are thus vital to meeting that demand.

I had no idea jailbreaking was such big money in China; however, somehow I am not surprised at all by this development.

PC World on an almost completed Google-backed project for a 60Tbps undersea cable between Oregon and Japan exponentially increasing networking capacity between the two countries:

The 9,000-kilometer FASTER cable will have a peak capacity of 60 terabytes per second (Tbps) when it enters operation next year, joining Japan with Oregon on the West Coast of the U.S.

Apart from Google, the project is backed by telecom carriers KDDI of Japan, SingTel of Singapore, Global Transit of Malaysia, China Mobile International and China Telecom Global.

At the landing site in Shima, Mie Prefecture, east of Osaka, a machine pulled the cable onto the beach from an offshore cable-laying ship while stacks of armored pipes, which shield the link from anchors near the shore, were piled nearby.

A Shinto ritual was held to pray for the success of the project, which will cost roughly US$300 million. The cable was routed into a landing station building that houses optical equipment.

The FASTER cable will also be connected to existing infrastructure offshore at Chikura, Chiba Prefecture, southeast of Tokyo, next month. With six fiber pairs and 100 wavelengths, it will have a peak capacity 300 million times greater than the TAT-1 transatlantic cable of 1956, which could handle 36 telephone calls, or roughly 200kbps, Google said.

KDDI said it was 3000 times faster than the 20Gbps TPC-5 cable system, which began service in 1995.

Consumers on either side of the Pacific, however, won’t have the option of choosing which of the several undersea cables their data goes through.

It will be interesting to see how this affects internet speeds for the average home and mobile user.

Ars Technica on a horribly thought-out support feature that now has Cisco warning of a default SSH key exploit on their appliances:

The common default key was apparently inserted into the software, Fisher reported, for “support reasons.”

The second vulnerability on the same set of virtual appliances is “a preinstalled set of SSH host keys that allow access to communication secured by those keys,” Cisco’s security team warned in the advisory. These keys are used to protect appliance-to-appliance communications. “Because all deployments of WSAv or ESAv use the same set of default SSH host keys, accessing any of the private keys on a single deployment could allow an attacker to decrypt communication on WSAv, ESAv, or SMAv,” the advisory stated. “An attacker with possession of compromised keys, who is able to intercept traffic between the WSAv or ESAv and a host it is communicating with, would be able to decrypt the communication with a man-in-the-middle attack.”
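A defensive check for the shared-host-key condition the advisory describes, added here as an example and not taken from the Ars Technica article or from Cisco: it groups hosts by SSH host key fingerprint and reports any key presented by more than one host. The input format is that of `ssh-keyscan` output; the hostnames and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def fake_blob(seed: bytes) -> str:
    """Constructed stand-in for a public key blob (arbitrary bytes, not a real key)."""
    return base64.b64encode(hashlib.sha512(seed).digest()).decode()


# Constructed sample in ssh-keyscan format: "<host> <keytype> <base64 blob>".
# Hostnames are hypothetical; three appliances share one "default" key.
SAMPLE_KEYSCAN = "\n".join([
    "# wsav-01.example.internal:22 SSH-2.0-OpenSSH",
    f"wsav-01.example.internal ssh-rsa {fake_blob(b'vendor-default')}",
    f"esav-01.example.internal ssh-rsa {fake_blob(b'vendor-default')}",
    f"esav-02.example.internal ssh-rsa {fake_blob(b'vendor-default')}",
    f"bastion.example.internal ssh-ed25519 {fake_blob(b'unique-1')}",
    "malformed-line-without-key",
])


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: base64 of the digest, no '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text: str) -> dict:
    """Map '<keytype> <fingerprint>' -> sorted hosts, for keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # not a "<host> <type> <blob>" line
        host_field, keytype, blob = parts[0], parts[1], parts[2]
        try:
            fp = fingerprint(blob)
        except ValueError:  # invalid base64 in the blob field
            continue
        for host in host_field.split(","):  # known_hosts style "name,ip"
            hosts_by_key[(keytype, fp)].add(host)
    return {f"{kt} {fp}": sorted(hs)
            for (kt, fp), hs in hosts_by_key.items() if len(hs) > 1}


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {key}: {', '.join(hosts)}")
```

A host scanned under both its name and its IP address will also be reported, so de-duplicate the inventory before treating a hit as a shared key.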

TheNextWeb on Samsung jackassery whereby they are surreptitiously disabling Windows Update on their computers, preventing users from leveraging the standard automated security patch installation feature Windows has offered for quite some time:

The app, conspicuously named Disable_Windowsupdate.exe, is installed automatically without the owner’s knowledge. According to a support representative, it’s there to stop the computer from automatically downloading drivers from Windows Update that could be incompatible with the system or cause features to break.

Unfortunately for Samsung it also appears to change the user’s update settings and disables Windows Update entirely. Once installed, the app even disables Windows Update after the user re-enables it.

Samsung’s software update service doesn’t actually ship with the application installed, it’s silently downloaded in the background at a later time from a non-HTTPS server and installed without asking the user.

Disable_Windowsupdate.exe is signed with Samsung’s security certificate, confirming the company did create it.

There is no worldly reason why a computer manufacturer should prevent users from installing security updates. None. At. All.

This is more as a reminder for myself than anything, but if you want to know how to opt out of Tynt, a crappy piece of advertising and tracking technology, then this is how you can turn that shit off. If you use multiple browsers, you will have to hit the site in each one to turn tracking off.

Not sure what Tynt is? Chances are you have run across it in your travels on the internets but just never realized or recognized Tynt. If you have ever copy-and-pasted content from the web and seen the “if you would like to read the full article, visit {link}”, that is Tynt. It is a method for publishers to track visitors, and simultaneously annoy the hell out of people by adding unnecessary poop to the clipboard.

Tynt looks something like this when you copy-and-paste from a web-based publisher using their crappy JavaScript application:

Tynt is the worst piece of web software on the market today.

Read more: http://jark.us/1BzTXIt/#abcde01234

Another simple, system-wide method to turn off tracking is to modify your hosts file so the important Tynt host is no longer reachable. You can do that by adding this simple line:

127.0.0.1 tcr.tynt.com

Theoretically, this should prevent Tynt from working on your system no matter which browser you use. It is probably a good idea to add this hosts file entry and use the aforementioned opt-out method.
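To confirm the hosts entry is actually in effect, here is an added example (not part of the original post) that parses hosts-file text, reports which names are sinkholed, and appends the entry only when no active line already covers it. The sample file content and the second hostname are constructed; only `tcr.tynt.com` comes from the post.

```python
import ipaddress

# Constructed hosts-file content; only the tcr.tynt.com name comes from the post.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 127.0.0.1 tcr.tynt.com   (commented out, so it has no effect)
0.0.0.0     ads.example.test TCR.Tynt.com  # trailing comment
"""


def sinkholed_names(hosts_text: str) -> set:
    """Lower-cased hostnames that an active line maps to a loopback or 0.0.0.0/:: address."""
    names = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        if addr.is_loopback or addr.is_unspecified:
            names.update(name.lower() for name in fields[1:])
    return names


def ensure_blocked(hosts_text: str, hostname: str, sink: str = "127.0.0.1") -> str:
    """Return hosts_text with '<sink> <hostname>' appended, unless already blocked."""
    if hostname.lower() in sinkholed_names(hosts_text):
        return hosts_text
    sep = "" if hosts_text.endswith("\n") or not hosts_text else "\n"
    return f"{hosts_text}{sep}{sink} {hostname}\n"


def unblocked(hosts_text: str, hostnames: list) -> list:
    """Names from hostnames with no active sinkhole entry; hosts files match exact names only."""
    blocked = sinkholed_names(hosts_text)
    return [h for h in hostnames if h.lower() not in blocked]


if __name__ == "__main__":
    print(sorted(sinkholed_names(SAMPLE_HOSTS)))
    # "other.tynt.example" is a hypothetical second hostname, used to show exact matching.
    print(unblocked(SAMPLE_HOSTS, ["tcr.tynt.com", "other.tynt.example"]))
```

Because a hosts file has no wildcards, any other hostname the script is served from needs its own line.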

I had been meaning to turn Tynt off for quite some time but was just plain lazy until recently. Now that I know how, I wanted to both put this here as a reminder for myself for the future, as well as help anyone else in need of this information.

Privacy Online News on creepy ass Google Chrome secretly installing audio listening software and transmitting audio data back to Google:

This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.

Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.

Google had two responses to this. The first was to introduce a practically-undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places.

It seems like almost weekly we read a new story about how much creepier and more invasive Google is becoming, for the noble goal of helping us get the results we need so we can work smarter, quicker, and easier.

The question remaining is this: is this privacy invasion trade-off worthwhile in the long run?

Interop Tokyo 2015
Just a nice quick wide-angle shot of Interop Tokyo 2015 at Makuhari Messe on Friday June 12, the final day of the three-day yearly event. It was a long day of standing at the Intel Security booth but overall a lot of fun.

The WSJ on how utterly caught off-guard BlackBerry was by the iPhone, how top management was unsure what was sitting in front of them, and how Apple basically inadvertently crippled the entire company:

“It’s OK—we’ll be fine,” Mr. Balsillie responded.

RIM’s chiefs didn’t give much additional thought to Apple’s iPhone for months. “It wasn’t a threat to RIM’s core business,” says Mr. Lazaridis’s top lieutenant, Larry Conlee. “It wasn’t secure. It had rapid battery drain and a lousy [digital] keyboard.”

If the iPhone gained traction, RIM’s senior executives believed, it would be with consumers who cared more about YouTube and other Internet escapes than efficiency and security. RIM’s core business customers valued BlackBerry’s secure and efficient communication systems. Offering mobile access to broader Internet content, says Mr. Conlee, “was not a space where we parked our business.”

The iPhone’s popularity with consumers was illogical to rivals such as RIM, Nokia Corp. and Motorola Inc. The phone’s battery lasted less than eight hours, it operated on an older, slower second-generation network, and, as Mr. Lazaridis predicted, music, video and other downloads strained AT&T’s network. RIM now faced an adversary it didn’t understand.

“By all rights the product should have failed, but it did not,” said David Yach, RIM’s chief technology officer. To Mr. Yach and other senior RIM executives, Apple changed the competitive landscape by shifting the raison d’être of smartphones from something that was functional to a product that was beautiful.

“I learned that beauty matters….RIM was caught incredulous that people wanted to buy this thing,” Mr. Yach says.

I love reading these types of stories, especially when they present the utter confusion of top executives who think their market positions are incapable of changing in an instant. The iPhone took the wind out of RIM’s sails, and the company has yet to make any movement since. It is likely this way because BlackBerry misunderstands what makes the iPhone so compelling.

PC World on a nifty little $2.50 gadget called the Batteriser, which is designed to extend the lifespan of disposable batteries by 800 percent:

Voltage boosters are nothing new, but Batteriser scales down the technology to the point where it can fit inside a stainless steel sleeve less than 0.1 mm thick. Roohparvar says the sleeves are thin enough to fit inside almost every battery compartment imaginable, and the combined package can extend battery life between 4.9x for devices like remote controls and 9.1x for various electronic toys.

“The Batteriser has boost circuitry that will boost the voltage from 0.6 volts to 1.5 volts and will maintain voltage at 1.5—which is a brand new battery,” Roohparvar says. “There’s actually no IP [intellectual property] in the boost circuitry. Our technology is really a miniaturization technique that allows us to build the sleeve. We have some IP in some of the IC circuits that are in there, but the key is we’ve been able to miniaturize the boost circuit to a point that no one else has been able to achieve.”

Quite cool, assuming it’s not snake oil.

Ars Technica on Wikileaks releasing 17 secret global Trade in Services Agreement (TISA) negotiation documents:

For example, the question of data flows—specifically the flow of European citizens’ personal data to the US—is at the heart of disputes over the EU’s proposed Data Retention rules, the Safe Harbour agreement, and TTIP. Here’s what Article 2.1 of TISA’s e-commerce annexe would impose upon its signatories: “No Party may prevent a service supplier of another Party from transferring, [accessing, processing or storing] information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business.”

What that means in practice, is that the EU would be forbidden from requiring that US companies like Google or Facebook keep the personal data of European citizens within the EU—one of the ideas currently being floated in Germany. Article 9.1 imposes a more general ban on requiring companies to locate some of their computing facilities in a territory: “No Party may require a service supplier, as a condition for supplying a service or investing in its territory, to: (a) use computing facilities located in the Party’s territory.”

Article 6 of the leaked text seems to ban any country from using free software mandates: “No Party may require the transfer of, or access to, source code of software owned by a person of another Party, as a condition of providing services related to such software in its territory.” The text goes on to specify that this only applies to “mass-market software,” and does not apply to software used for critical infrastructure. It would still prevent a European government from specifying that its civil servants should use only open-source code for word processing—a sensible requirement given what we know about the deployment of backdoors in commercial software by the NSA and GCHQ.

This sounds like yet another secret trade agreement the world does not need.

Ben Thompson on his experience with an Apple Watch and continuous computing in terms of a constant stream of notifications:

Indeed, for now I think it likely that one of Apple’s oldest and most cherished skills — its ability to make beautiful, desirable objects — will make the Watch exactly what Tim Cook promised: another tentpole product that rivals the Mac, the iPod, the iPad, and even the iPhone. Framed as nothing more than A Watch that Does Stuff — and that you actually don’t mind wearing — Apple will rightly sell enough to kick-start a world that gets just a little bit smarter and little bit better when it knows who and where we are.

Moreover, the Watch may even help Apple to rival Google when it comes to Siri and the cloud: the best way to improve a service like Siri is to have millions of customers using it constantly, and I for one have used Siri more in the last two weeks than I have the last two years. Multiply that by millions of Watch users and you have the ingredients for a rapidly improving service. Perhaps more importantly, the fact that Siri is critical to the Watch’s success in a way it isn’t to the iPhone’s may finally properly align Apple’s incentives around improving its cloud services.

Ultimately, the Apple Watch has exceeded my quite high expectations. The complications and notifications fit into all the slivers of my life the iPhone has not, and the criticism I’ve levied at Siri has been primarily fueled by the appreciation of just how powerful it is to have a virtual assistant on my wrist instead of my pocket. As for apps, speed is the most easily solved issue in technology, thanks to Moore’s Law. I’m confident apps will be fully performant sooner rather than later.

According to a report by Blue Coat Systems, the Israeli military networks have been breached by what appear to be Arabic-speaking malicious actors:

Waylon Grange, a researcher with Blue Coat who discovered the campaign, said the vast majority of the hackers’ software was cobbled together from widely available tools, such as the remote-access Trojan called Poison Ivy.

The hackers were likely working on a budget and had no need to spend much on tailored code, Grange said, adding that most of their work appeared to have gone into so-called social engineering, or human trickery.

The hackers sent emails to various military addresses that purported to show breaking military news, or, in some cases, a clip featuring “Girls of the Israel Defense Forces.” Some of the emails included attachments that established “back doors” for future access by the hackers and modules that could download and run additional programs, according to Blue Coat.

The White House has ostensibly been compromised by Russian hackers and the U.S. believes it may know how this attack occurred:

The White House in October said it noticed suspicious activity in the unclassified network that serves the executive office of the president. The system has been shut down periodically to allow for security upgrades.

The FBI, Secret Service and U.S. intelligence agencies are all involved in investigating the breach, which they consider among the most sophisticated attacks ever launched against U.S. government systems. The intrusion was routed through computers around the world, as hackers often do to hide their tracks, but investigators found tell-tale codes and other markers that they believe point to hackers working for the Russian government.

National Security Council spokesman Mark Stroh didn’t confirm the Russian hack, but he did say that “any such activity is something we take very seriously.”

“In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity,” he said. “As has been our position, we are not going to comment on [this] article’s attribution to specific actors.”

If true, this is a huge blunder and quite serious. It is about time for the White House to reconsider their current security architecture because it is obviously in need of an overhaul.

According to a report by the Government Accountability Office, the Federal Aviation Administration has a severe deficit in how it secures its own computer networks:

The Federal Aviation Administration has fallen short in its efforts to protect the national air traffic control system from terrorists or others who might try to hack into the computers used to direct planes in flight, according to a government report released Monday.

The Government Accountability Office report credited the FAA with taking steps to deter hackers but concluded that “significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace.”

This should come as no surprise to those in the industry, but probably would scare the average layman. It is amazing how much work the U.S. government needs to do to properly secure its own networks.

According to a Department of Homeland Security report, the U.S. energy sector tops the list of industries under cyber attack:

A report issued today by the US Department for Homeland Security says that in 2014 the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 incidents reported by asset owners and industry partners.

The energy sector, says Jeremy Cowan, led all others again in 2014 with 79 reported incidents, followed by manufacturing at 65 and worryingly healthcare at 15 reported incidents. ICS-CERT’s continuing partnership with the Energy sector reportedly provides many opportunities to share information and collaborate on incident response efforts.