plug2play

Most DDoS Attacks Originate From China

2011-11-22T03:03:00.000-08:00

A company that protects against DDoS attacks, Prolexic Technologies, released its attack report for Q3 2011. There’s a lot to the report, including that Prolexic mitigated what it claims is the largest event in 2011 (in terms of packet-per-second volume). That attack occurred between November 5-12 and, according to Prolexic, portends the increasing scale and complexity of DDoS attacks.

Indeed, the report shows that DDoS attacks are increasing in terms of bandwidth (up 66% from Q3 2010) and packets-per-second, which is up nearly four-fold from the same time period a year ago.

What is perhaps most notable, however, is where the attacks are coming from. The report found that China was the biggest offender, responsible for over half (55%) of all DDoS attacks. For perspective, number two on the list is India, with 8.69% of the attacks.

Further, China is responsible for most of the botnets being sent out; it’s the country of origin for the two largest ASNs. One accounts for 43.88% of them, and the other 21.79%. Again, for perspective, the third-largest botnet is from Turkey and gobbles up just 9%.

Original post found at: http://hothardware.com/News/Most-DDoS-Attacks-Originate-From-China-Says-Report/

CSET: The Cyber Security Evaluation Tool!

2011-10-11T08:21:00.000-07:00

with the recent surge in vulnerabilities related to the SCADA systems, it is highly imperative by organizations to securely manage their setups. CSET, the Cyber Security Evaluation Tool by Department of Homeland Security (DHS) aids organizations in properly securing their digital property. This tool will help organizations to better evaluate their network safety structure, enabling them to detect their weaknesses so that remote attackers can be prevented and combated.

CSET

The Cyber Security Evaluation Tool (CSET) can provide you with a systematic and repeatable approach for assessing the cyber security posture of your industrial control systems (ICS) networks and IT systems. It also includes both highlevel and detailed questions related to all ICS, so that organizations can protect their key cyber assets. CSET is an easy to install desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization’s enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

Download CSET:

CSET v4.0 – CSET_4.0.iso – http://us-cert.gov/control_systems/csetdownload.html

Government Use GPS to Track Your Moves on your own car.

2011-05-10T08:46:00.000-07:00

Government agents can sneak onto your property in the middle of the night, put a GPS device on the bottom of your car and keep track of everywhere you go. This doesn't violate your Fourth Amendment rights, because you do not have any reasonable expectation of privacy in your own driveway — and no reasonable expectation that the government isn't tracking your movements.

That is the bizarre — and scary — rule that now applies in California and eight other Western states. The U.S. Court of Appeals for the Ninth Circuit, which covers this vast jurisdiction, recently decided the government can monitor you in this way virtually anytime it wants — with no need for a search warrant.

read more here : http://www.time.com/time/nation/article/0,8599,2013150,00.html

One of these devices was torn down here:

Tracking Device Teardown

The crazy thing is it is totally legit.

How unique are your usernames?

2011-02-14T01:20:00.000-08:00

* Monday, February 14, 2011
* By Robert Lemos

By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture the users.

"These results show that some users can be profiled just from their usernames," says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. "More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim."

A scammer could use this information to build a profile of a person and then target them with convincing phishing messages—perhaps referring to specific purchases on another website. The INRIA researchers developed a way to determine how unique a username is, and a method of connecting usernames based on the information published to different sites.

Those who have more unique usernames are more vulnerable. "The other 50 percent of users are more difficult to link because their usernames have 'low' entropy and could in fact be linked to multiple users," says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work. The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person.

Lost iPhone? - Lost passwords!

2011-02-11T02:16:00.000-08:00

OPENBSD backdoored by FBI?

2010-12-15T05:14:00.000-08:00

List: openbsd-tech
Subject: Allegations regarding OpenBSD IPSEC
From: Theo de Raadt
Date: 2010-12-14 22:24:39
Message-ID: 201012142224.oBEMOdWM031222 () cvs ! openbsd ! org
[Download message RAW]

I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products. Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.

The mail came in privately from a person I have not talked to for
nearly 10 years. I refuse to become part of such a conspiracy, and
will not be talking to Gregory Perry about this. Therefore I am
making it public so that
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions,
(c) if it is not true, those who are being accused can defend themselves.

Of course I don't like it when my private mail is forwarded. However
the "little ethic" of a private mail being forwarded is much smaller
than the "big ethic" of government paying companies to pay open source
developers (a member of a community-of-friends) to insert
privacy-invading holes in software.

----

From: Gregory Perry
To: "deraadt@openbsd.org"
Subject: OpenBSD Crypto Framework
Thread-Topic: OpenBSD Crypto Framework
Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
Date: Sat, 11 Dec 2010 23:55:25 +0000
Message-ID: <8D3222F9EB68474DA381831A120B1023019AC034@mbx021-e2-nj-5.exch021.domain.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Status: RO

Hello Theo,

Long time no talk. If you will recall, a while back I was the CTO at
NETSEC and arranged funding and donations for the OpenBSD Crypto
Framework. At that same time I also did some consulting for the FBI,
for their GSA Technical Support Center, which was a cryptologic
reverse engineering project aimed at backdooring and implementing key
escrow mechanisms for smart card and other hardware-based computing
technologies.

My NDA with the FBI has recently expired, and I wanted to make you
aware of the fact that the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF, for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI. Jason
Wright and several other developers were responsible for those
backdoors, and you would be well advised to review any and all code
commits by Wright as well as the other developers he worked with
originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they
more than likely caught wind of the fact that those backdoors were
present and didn't want to create any derivative products based upon
the same.

This is also why several inside FBI folks have been recently
advocating the use of OpenBSD for VPN and firewalling implementations
in virtualized environments, for example Scott Lowe is a well
respected author in virtualization circles who also happens top be on
the FBI payroll, and who has also recently published several tutorials
for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

Merry Christmas...

Gregory Perry
Chief Executive Officer
GoVirtual Education

"VMware Training Products & Services"

540-645-6955 x111 (local)
866-354-7369 x111 (toll free)
540-931-9099 (mobile)
877-648-0555 (fax)

http://www.facebook.com/GregoryVPerry
http://www.facebook.com/GoVirtual

FOUND HERE : http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Skype's Biggest Secret Revealed

2010-12-15T05:12:00.000-08:00

For eight years, Skype enjoyed selling the world security by obscurity. We must admit, really good obscurity. I mean, really really good obscurity. So good that almost no one has been able to reverse engineer it out of the numerous Skype binaries. Those who could, didn’t dare to publish their code, as it most certainly looked scarier than Frankenstein.

The time has come to reveal this secret. http://cryptolib.com/ciphers/skype contains the greatest secret of Skype communication protocol, the obfuscated Skype RC4 key expansion algorithm in plain portable C. Enjoy!

Why publish it now? - It so happened that some of our code got leaked a couple of months ago. We contacted Skype reporting the leak. Only weeks later, our code is already being used by hackers and spammers and we are abused by Skype administration. I do not want to go into any finger-pointing details here, but naturally, we do not wish to be held responsible for our code being abused. So we decided that the time has come for all the IT security experts to have it. Why let the hackers have the advantage? As professional cryptologists and reverse engineers, we are not on their side. Skype is a popular and important product. We believe that this publication will help the IT security community help secure Skype better.

However, for the time being, we are not giving away a licence to use our code for free in commercial products. Please contact us if you need a commercial licence.

It is not all security by obscurity of course. There is plenty of good cryptography in Skype. Most of it is implemented properly too. There are seven types of communication encryption in Skype: its servers use AES-256, the supernodes and clients use three types of RC4 encryption - the old TCP RC4, the old UDP RC4 and the new DH-384 based TCP RC4, while the clients also use AES-256 on top of RC4. It all is quite complicated, but we’ve mastered it all. If you want to know more, come to Berlin for 27C3 to hear all the juicy details on how to use this function to decrypt Skype traffic.

With best regards,
Skype Reverse Engineering Team

Facebook: 20% of users' news feeds, links to malicious software

2010-11-25T06:26:00.000-08:00

One fifth of Facebook users are exposed to malware contained in their news feeds, claim security researchers.

Security firm BitDefender said it had detected infections contained in the news feeds of around 20% of Facebook users.

By clicking on infected links in a news feed, users risk having viruses installed on their computer.

Facebook said it already had steps in place to identify and remove malware-containing links.

BitDefender arrived at its figures by analysing data from 14,000 Facebook users that had installed a security app, called safego, it makes for the social network site.

In the month since safego launched, it has analysed 17 million Facebook posts, said BitDefender.

The majority of infections were associated with apps written by independent developers, which promised enticements and rewards to trick users into installing the malware, BitDefender said.
Trusted community

These apps would then either install malware used for spying on users or to send messages containing adverts to the users' contacts.

Facebook has a thriving community of independent developers who have built apps for the social network.

The vast majority enable users to tweak their Facebook pages, adding widgets, games or extra functions, such as delivering daily horoscope predictions.

Facebook said it had processes and checks in place to guard against the risk of malware.

"Once we detect a phony message, we delete all instances of that message across the site," the site said in a statement.

Crooks have targeted social networks, such as Facebook and Twitter because of their vast number of users, said Rik Ferguson, a security researcher for anti-virus maker Trend Micro.

"Because social networks are based on a community of people you trust, they're an attractive target for malware writers," said Ferguson. "You're more likely to click on a link from someone you trust."

http://www.bbc.co.uk/news/technology-11827856

INSIGHT: Virtual Battlefield in Cyber War

2010-11-06T16:13:00.000-07:00

GPU vs CPU

2010-09-11T10:33:00.001-07:00

Street Slide: Browsing Street Level Imagery

2010-07-29T04:20:00.002-07:00

WikiLeaks

2010-07-20T00:50:00.001-07:00

Animated 3D models extracted from single-camera video

2010-07-11T14:39:00.001-07:00

Diaspora demo

2010-07-02T05:18:00.000-07:00

Diaspora Message Propagation (pre-alpha!) from daniel grippi on Vimeo.

Demo video using a bunch of different diaspora seeds. They are all on different servers, and all friended with the same person. When you have that person send out 10 messages in rapid succession, you can see how fast their friends are updated.

Augment my Card. Live beta

2010-06-30T10:59:00.000-07:00

Check my new website:

http://www.augmentmycard.com/

about Augmented Reality Business Cards.

3d_data_with_a_gesture TED

2010-06-02T02:48:00.000-07:00

Facial Expression Test

2010-05-19T00:57:00.001-07:00

From Zero to Million Users

2010-05-17T15:03:00.000-07:00

From Zero to a Million Users - Dropbox and Xobni lessons learned

View more presentations from Adam Smith.

RSA Animate - Drive

2010-05-17T00:27:00.000-07:00

Text 2.0

2010-05-12T00:46:00.001-07:00

Google Chrome Speed Test

2010-05-06T03:47:00.001-07:00

BumpTop

2010-05-04T00:54:00.001-07:00

10/GUI

2010-05-04T00:50:00.001-07:00

10/GUI from C. Miller on Vimeo.

Good Samaritanism

2010-05-03T01:27:00.000-07:00

Google: Fake antivirus is 15 percent of all malware

2010-05-03T00:52:00.000-07:00

(Credit: Google)

A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software, a Google study to be released on Tuesday indicates.
Fake antivirus--false pop-up warnings designed to scare money out of computer users--represents 15 percent of all malware that Google detects on Web sites, according to 13-month analysis the company conducted between January 2009 and February 2010.
That's a five-fold increase from when the company first started its analysis, Niels Provos, a principal software engineer at Google, said in an interview.
Meanwhile, fake antivirus scams represent half of all malware delivered via advertisements, which is becoming a problem for high-profile sites that rely on their advertisers and ad networks to distribute clean ads.
Google analyzed 240 million Web pages and uncovered more than 11,000 domains involved in fake antivirus distribution for the study, which Google is set to unveil at the Usenix Workshop on Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif.
Researchers also found that over the course of the study, domains used for distributing the malware were online for shorter and shorter periods of time in the face of Google's Safe Browsing technology. Used in Chrome and Firefox, Safe Browsing helps alert Web browsers to sites hosting malware, Provos said.
"As early as 2003, malware authors prompted users to download fake AV software by sending messages via a vulnerability in the Microsoft Messenger service. We observed the first form of fake AV attack involving Web sites, e.g. Malwarealarm.com, in our systems on March 3, 2007," the report says. "At that time, fake AV attacks employed simple JavaScript to display an alert that asked users to download a fake AV executable."
"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," the report continues. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."
Fake antivirus is easy money for scammers, Provos said.
"Once it is installed on the user system, it's difficult to uninstall, you can't run Windows updates anymore or install other antivirus products, and you must install the [operating] system," rending it unusable until it is cleaned up, he said.
Provos said when encountering a fake antivirus message, Web surfers should close the browser and restart the program. People who are duped by the scam may have to get professional help in cleaning up the computer, he said. They should also monitor their credit card accounts because scammers can use the credit card information for identity fraud.

by Elinor Mills
http://news.cnet.com

Torturing the Secret out of a Secure Chip

2010-04-20T05:02:00.000-07:00

A new chink has been found in the cryptographic armor that protects bank transactions, credit-card payments, and other secure Internet traffic. And although programmers have devised a patch for it, clever hackers might still be able to break through.

The hack, presented in March at a computer security conference in Dresden, Germany, involves lowering the input voltage on a computer’s cryptography chip set and collecting the errors that leak out when the power-starved chips try and (sometimes) fail to encode messages. Crooks would then use those errors to reconstruct the secret key on which the encryption is based. More important, say the hack’s creators, the same attack could also be performed from afar on stressed systems, such as computer motherboards that run too hot or Web servers that run too fast.

The attacks would succeed because the standard cryptographic functions (called OpenSSL) don’t always double-check their work before sending it out into the world. The researchers found that an encrypting chip running on low voltage might not scramble the digits thoroughly, leaving instead the digital relics of four to eight bits of the secret key that encoded the message. With the right kind of guesswork and some clever math, the researchers say, those snippets could be picked off, one at a time, until the entire 1024-bit crypto key was decoded.

By manipulating a crypto chip on their lab bench, the research team cracked the commonplace RSA 1024 computer security standard (which typically uses OpenSSL) in 104 hours. As a result, the authors of the new study say, even supposedly ironclad secure crypto systems could be broken—at least in laboratory environments—if persistently attacked for hundreds of hours. Compared to the ”age of the universe” timescales supposedly needed for brute force to guess the codes that could crack standard Internet security protocols, the new attack represents a step forward for evil.

”We work in resilient system design; we spend most of our time trying to fix faults,” says the paper’s coauthor Todd Austin, who is a professor of electrical engineering and computer science at the University of Michigan. ”So we know how to inject [faults] in so they’re really evil and can’t be found.”

Austin, along with Michigan colleagues Valeria Bertacco and Andrea Pellegrini, designed and publicized their hack so that the forces of good could prevent it from falling into the wrong hands. The researchers also wrote a patch for OpenSSL that ensures it always double-checks its encryption before transmitting any encrypted message.

On the other hand, even if system administrators all over the world patched every Web server running OpenSSL tomorrow, Austin says, there are still millions of other computer chips (smart cards, mobile phones, motherboards on pay-TV boxes) that come with OpenSSL hard-coded. These would be more difficult to patch or update.

Things may not be quite so bad, suggests Paul Kocher, a consultant in San Francisco and the coauthor of SSL (the precursor to OpenSSL). Real-world Web servers—even overheated or overclocked ones—are not going to reliably kick out the calculation errors by the thousands required for an attack.
An attacker would effectively need to have physical access to a system to make this attack work, Kocher says. ”For a Web server, you don’t let in any bad guy who wants to come in and play with the power supply,” he says. ”You keep it behind locked doors for reasons that go far beyond just this kind of attack. Practical consequences for Web servers I would say are pretty slim.”
University of Massachusetts professor of computer science Kevin Fu says he doubts that the attack, which was staged in a lab with an easily manipulated crypto chip, could easily be executed by real-world hackers.
”In order for this attack to work in practice, the adversary needs to have access to...the electricity to a specific pin on a chip,” Fu says. ”There’s a big difference between a power outage of a building and controlling precise micropower fluctuations.”

by Mark Anderson
http://spectrum.ieee.org/

Bluetooth RFID

2010-04-07T02:51:00.001-07:00

Bluetooth RFID

First Energizer, Now Vodaphone: More Malware Found in Store Bought Consumer Electronic Products

2010-03-22T01:37:00.000-07:00

ComputerWeekly has a story today about UK security researchers accidentally discovering that a new out-of-the-box Vodafone HTC Magic smartphone running Google's Android software contained a Mariposa bot client. Once the smartphone was attached to the owner's PC, the bot would have "phoned home" with the user's credentials and passwords.
Vodafone says that it is the " world's leading mobile telecommunications company."
The researchers say that the malware is in the Vodafone smartphone's memory card and not in the Android software.
Speculation is that either an employee installed the malware, or that it was in a returned phone and its memory card was reused.
Today's ComputerWeekly story says that more Vodafone HTC Magic smartphones are going to be checked by the researchers to see if this was a one-off incident or something more widespread.
Either way, the researchers say, Vodafone needs to improve its quality control.
This news follows that of a similar incident this week involving the announcement by US CERT security researchers that the Energizer Duo USB battery charger, Model CHUSB, has contained a backdoor Trojan program that allows unauthorized remote system access. This eWeek.com story says that it may have been around for possibly three years. The news has prompted Energizer Battery to:

"discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from your computer. This will eliminate the vulnerability. In addition CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Window system32 directory."

The company also stated that it "is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software."
Installing malware at the factory is becoming a less isolated incident, unfortunately. Last May, for instance, new M&A Companion Touch netbooks were found to contain malware. Kaspersky Labs, which found the malware, warned users that they should scan virgin systems for malware before connecting them to the Internet.
Very good advice, indeed.
A few more incidents like this and it won't be long before we start to see companies needing to tout their electronic products as being not only wonderful but "virus free".

Found at http://spectrum.ieee.org/riskfactor/computing/it/malware-found-in-store-bought-consumer-electronics

WARNING: Do NOT Open Password Reset Email From Facebook, Fake/Contains Virus.

2010-03-18T09:30:00.000-07:00

There’s an email going round asking Facebook users to reset their password. The email is a fake and contains a virus, do not open or follow any of its instructions.
Facebook is reportedly in the process of letting its users know, but be sure to let anyone you know be aware of the email.
The message says the following:

The message appears to come from Facebook Support with help@facebook.com as the email address.If you use a web based email client, you shouldn’t be too concerned with the viral part of this but if you download your email, it’s worth virus checking your computer to be safe. The attachment contains a password stealer that can potentially access any username and password combination used on the computer, not just the login credentials for Facebook reports CNet.

Surfing with privacy

2010-03-16T02:24:00.000-07:00

Duck Duck Go might be the most private place to search the Internet right now. Here's why:

* No IP addresses. I no longer store IP addresses at all. Not hashes of them. Not remnants of them. Nothing. I don't even log them.

* No cookies. I don't track you with cookies. If you just come to the site and search, no cookies are set. In fact they're only set if you use the settings page.

* Https. You can now search on an encrypted connection (using https). And nothing in the logs tells me you are using the https site.

* No contractors. Actually, it's just me right now, and there are no plans to change this in the foreseeable future. So you don't have to worry about anyone with access stealing the non-IP address logs we do have.

* No third-party feedback. Our feedback page is powered by me. No Google docs or other third party site. In fact, it really just emails me so if you want you can just email me directly at yegg@alum.mit.edu. This may not seem like a big deal, but when we were using third-party feedback I had people writing in many times asking if they could trust the third-parties and to ditch it. So I did.

* No cloud. I run my own servers and network. However, we do have the capability to run on EC2 if needed (in case of network failure). Yet under normal circumstances, your search traffic is running on servers I can actually see :).

* No Google. I don't use any Google APIs. No Google search. No Google Analytics. No Google ads. I have no problem with Google, but if you're concerned with how much information they have on you, I offer you a viable alternative.

The World's First Commercial Brain-Computer Interface

2010-03-10T01:14:00.001-08:00

Patch Patch Patch

2010-03-05T01:22:00.000-08:00

The average Microsoft Windows user has software from 22 vendors on her PC, and needs to install a new security update roughly every five days in order to use these programs safely, according to an insightful new study released this week.

The figures come from security research firm Secunia, which looked at data gathered from more than two million users of its free Personal Software Inspector tool. The PSI is designed to alert users about outdated and insecure software that may be running on their machines, and it is an excellent application that I have recommended on several occasions.

Stefan Frei, Secunia’s research analyst director, said the company found that about 50 percent of PSI users have more than 66 programs of installed.

“Those programs come from more than 22 vendors, so as a first order estimate the number of different vendors you have on your box is the number of different update mechanisms you have to master,” Frei said. “This is doomed to fail.”

Secunia CEO Thomas Kristensen said his company is just a few months away from releasing a free, new tool that will automate the installation of software updates for dozens of commonly-installed third party programs. Kristensen said the tool will allow users to exclude certain applications, in the event that they don’t want to automatically update specific programs.

Such an application, if done right, broadly adopted, and not resisted by third-party software vendors, could well reduce the number of Windows users whose machines get trashed by drive-by downloads, as all of these malicious or hacked sites try to silently install malware by targeting security holes in third-party software, such as Flash and Adobe Reader.

If I seem excited about the availability of a free meta-patching tool, it’s probably partly for selfish reasons. Such a tool would almost certainly spell relief for anyone who is unlucky enough to be the appointed tech support guy for their family and friends, since fewer vulnerable applications means fewer compromised PCs, and hopefully less frequent pitiful pleas for help.

A copy of the Secunia study is available here (.pdf)

found at http://www.krebsonsecurity.com

Gåågle BOT

2010-03-04T01:47:00.000-08:00

Short about Gåågle

GåågleBot (pronounced /google-bot/) is a "home crawler" consisting of a vacuum roomba with an on board webserver and camera. While the vacuum goes about its business, it extracts text from the images it takes. The text is later put in a database on the roomba and searchable through a web interface. To try it out, click here.

The name Gåågle Bot is a play on the words gå and google bot. The Swedish word for go is gå. Googlebot, is the name of Google's web indexer. If you don't know what Google is, you are either lying or out of luck. Hence Gåågle Bot is a "going" indexer, indexing the real world around us while vacuuming your home at the same time! Can't find that library book that is due tomorrow? Relax, just gåågle it!

With GåågleEye you can remote control the roomba in realtime using AJAX and using a small onboard camera. Perfect if you feel like vacuuming while you're at the coffee shop, or for checking what your wife is up while you are at work , or if you forgot to close the back door, or check upon the baby sitter.

Skinput: Appropriating the Body as an Input Surface (CHI 2010)

2010-03-03T01:28:00.001-08:00

Bulgarian Military Personnel & Families Can Access Electronic Health Records Via Smart Cards

2010-03-02T01:57:00.001-08:00

Bulgaria has started deploying smart cards to secure access to personal health records for the country's military personnel and their families.

This private firm along with a local company specialised in eHealth projects which also acts as a prime contractor for the electronic health record system - commissioned by the Military Medical Academy - have delivered double-slot readers and smart cards.

The smart card complies with the European standards of the Identification Authentication Signature (IAS) ensuring the highest level of security for accessing personal electronic health records. The healthcare professionals are able to insert their own card into the reader and type in their PIN code in order to view or modify a medical file, which is stored on a highly secure IT infrastructure. The patients can also view their personal data online, using the smart card reader and a card to authenticate themselves. This innovative system optimises medical treatments, simplifies and modernises procedures and increases security for accessing health information.

The personal electronic health record is a complete electronic archive of the patient's medical history. It stores all existing medical documentation, including laboratory tests and results, X-ray pictures, all visual tests, electronic prescriptions, etc. It also contains the patient's blood group, allergies and genetic predisposition to diseases, health check-ups, surgical interventions and all useful medical information.

The personal electronic health record enables healthcare professionals to immediately access patients' medical data and therefore, make more accurate decisions, especially in emergency situations, for which there is a special section in the electronic health record, containing the most important information.

Leaked intelligence documents: Here's what Facebook and Comcast will tell the police about you

2010-03-02T01:46:00.000-08:00

Wonder what information Facebook and Comcast will turn over to police and intelligence agencies about you? Cryptome, the site that last week posted the leaked Microsoft "spy" manual, has posted company documents that purport to describe what those companies will reveal about you. As with the Microsoft document, the information is eye-opening.

Keep in mind that what the companies turn over to police and intelligence agencies is not illegal. The companies are all, in their own ways, following the law. Still, it's disconcerting to see all that's available about you, if the documents are real and to be trusted. Here's the rundown on each.

Facebook

The "Facebook Subpoena/Search Warrant Guidelines" from the Cryptome site are dated 2008, so there's a chance they've been superseded. The document spells out how law enforcement and intelligence agenices should go about requesting information about Facebook users, and details what information is turned over.

Following is what Facebook will turn over about you, taken verbatim from the guide:

Types of Information Available

User Neoprint

The Neoprint is an expanded view of a given user profile. A request should specify that they are requesting a “Neoprint of used Id XXXXXX”.

User Photoprint

The Photoprint is a compilation of all photos uploaded by the user that have not been deleted, along with all photos uploaded by any user which have the requested user tagged in them. A request should specify that they are requesting a “Photoprint of user Id XXXXXX”.

User Contact Info

All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:
Name
Birth date
Contact e-mail address(s)
Physical address
City
State
Zip
Phone
Cell
Work phone
Screen name (usually for AOL Messenger/iChat)
Website

With the exception of contact e-mail and activated mobile numbers, Facebook validates none of this information. A request should specify that they are requesting "Contact information of user specified by [some other piece of contact information]". No historical data is retained.

Group Contact Info

Where a group is known, we will provide a list of users currently registered in a group. We will also provide a PDF of the current status of the group profile page.

A request should specify that they are requesting "Contact information for group XXXXXX".

No historical data is retained.

IP Logs

IP logs can be produced for a given user ID or IP address. A request should specify that they are requesting the "IP log of user Id XXXXXX" or "IP log of IP address xxx.xxx.xxx.xxx".

The log contains the following information:

* Script – script executed. For instance, a profile view of the URL http://www.facebook.com/profile.php?id=29445421 would populate script with "profile.php"

* Scriptget – additional information passed to the script. In the above example, scriptget would contain "id=29445421"

* Userid – The Facebook user id of the account active for the request

* View time – date of execution in Pacific Time

* IP – source IP address

IP log data is generally retained for 90 days from present date. However, this data source is under active and major redevelopment and data may be retained for a longer or shorter period.

Special Requests

The Facebook Security Team may be able to retrieve specific information not addressed in the general categories above. Please contact Facebook if you have a specific investigative need prior to issuing a subpoena or warrant.

Comcast

The Comcast document is labeled "Comcast Cable Law Enforcement Handbook," and is dated 2007, so there's a possibility that it, too, has been superseded. As with the other documents, it explains how law enforcement agenices can get information, and details what information is available.

There's a great deal of detail in the 35-page document, which describes what Internet, phone, and television information will be turned over. For example, here's the IP information it will make available:

Comcast currently maintains Internet Protocol address log files for a period of 180 days. If Comcast is asked to respond for information relating to an incident that occurred beyond this period, we will not have responsive information and can not fulfill a legal request. (Comcast can process and respond to preservation requests as outlined below in this Handbook.)

As expected, Comcast will also turn over the emails, including attachments, of those who use Comcast's email service, but "In cases involving another entity’s email service or account, Comcast would not have any access to or ability to access customer email in response to a legal request."

Information Comcast turns over to law enforcement agencies varies according to the request. For example, a grand jury subpoena will yield more information than a judicial summons, as you can see in the excerpt below. Comcast notes, though, that this is just a sample, and that "Each request is evaluated and reviewed on a case by case basis in light of any special procedural or legal requirements and applicable laws." So the examples "are for illustration only."

Grand Jury, Trial, or Statutorily Authorized Administrative Subpoena

Law enforcement agencies are eligible to receive subscriber identification including items (1)-(6) without notice to the subscriber:

1) Subscriber's name

2) Subscriber's address

3) Length of service including start date

4) Subscriber's telephone number, instrument number or other subscriber number or identity, including a temporarily assigned network address

5) Subscriber's email account names;

6) Means and source of payment for such service (including any credit card or bank account number); and

7) In certain instances, email communications older than 180 days with notice.

For those who worry about privacy, though, all of this information is small potatoes. The real worry is about the use of what are called pen registers or trap-and-trace devices, which essentially capture all of your Internet activity --- the Web sites you visits, the emails you send and receive, IM traffic, downloads, and so on. Here's what the document says about them:

Pen Register / Trap and Trace Device

Title 18 U.S.C. § 3123 provides a mechanism for authorizing and approving the installation and use of a pen register or a trap and trace device pursuant to court order. All orders must be coordinated prior to submission to Comcast. Law enforcement will be asked to agree to reimburse Comcast's reasonable costs incurred to purchase and/or install and monitor necessary equipment. See "Reimbursement," below.

Comcast also details how law enforcement agencies can get details about subscribers on an emergency basis:

Emergency Disclosure

18 U.S.C. § 2702(b)(8) and § 2702(c)(4) contain provisions for the expedited release of subscriber information in situations where there is an immediate danger of death or an immediate risk of serious physical injury. Law enforcement agencies need only to adequately complete Comcast’s Emergency Situation Disclosure Request form (Reference Attachment #1) and they will receive accelerated subscriber identification.

As for your voice calls made via Comcast, here's what the company will turn over:

Call Detail Records

- Comcast maintains two years of historical call detail records (records of local and long distance connections) for our Comcast Digital Voice telephone service. This includes local, local toll, and long distance records. Comcast also currently provides traditional circuit-switched telephone service branded Comcast Digital Phone. Call detail records for this service are collected by AT&T and are available for approximately two years as well. To determine which type of service is involved, contact the Legal Demands Center—Voice and Video at 800-871-6298.

Account Records

- Account records are generally stored for approximately two years after the termination of an account. If the account has an outstanding balance due, records may be retained for a longer period of time.

As with Internet information, what phone information will be turned over depends on the specific kind of legal request, and the examples "are for information only." Here's an excerpt:

Grand Jury, Trial or Administrative Subpoena

Law enforcement agencies can receive subscriber identification including:

1) Subscriber's name

2) Subscriber's address

3) Length of service including start date

4) Subscriber's telephone number, instrument number or other subscriber number or identity, including a temporarily assigned network address

5) Subscriber's social security number (if requested)

6) Means and source of payment for such service (including any credit card or bank account number)

7) Call Detail (records of local and long distance connections)

And, as you would expect, there is the same pen register/trap-and-trace device language as in the section about the Internet.

Oddly enough, it appears that when it comes to information about your television viewing habits, you have more privacy rights than you do when it comes to information about your Internet and voice use, because it can only be turned over in response to a court order, not a subpoena. Here's what the document has to say about TV information:

Subscriber Account Identification and Related Records

For subscribers to our cable television service, the Cable Act requires Comcast as a cable operator to disclose personally identifiable information to a governmental entity solely in response to a court order (and not, for example, a subpoena) or with the subscriber's express written consent. The Cable Act requires that the cable subscriber be afforded the opportunity to appear and contest in a court proceeding relevant to the court order any claims made in support of the court order. At the proceeding, the Cable Act requires the governmental entity to offer clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case. See 47 U.S.C. § 551(h).

Why does the law give you more privacy protection over your television viewing habits than your Internet or phone use? I haven't a clue --- ask your congressman.

by Preston Gralla

Leaked Microsoft intelligence document: Here's what Microsoft will reveal to police about you

2010-03-02T01:42:00.000-08:00

copy of the leaked, confidential Microsoft "Global Criminal Compliance Handbook," which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on.

The handbook was first leaked by the whistleblowing site Cryptome. Microsoft asked that the document be removed from the site, under the Digital Millennium Copyright Act. The site was instead shut down, and as I write this, it is in the process of being restored.

The handbook is available at the Wikileaks site. That's where I got it, after unsuccessfully trying to get it via BitTorrent networks. In a statement, Microsoft said that it is no longer trying to have the document removed, so it may soon be available elsewhere.
Related:
Microsoft retreats from demand that killed whistleblower site

The report, published in March 2008, is labeled "U.S. Domestic Version," which makes one wonder whether there's also a version available for U.S. agencies that operate primarily overseas and for foreign governments. But I don't know whether such a document exists. Also, the document may have been superseded by a later one, although I don't know that, either.

The handbook details exactly how police and intelligence agencies can get the information, including where to serve legal process, and how to make emergency requests for the information. It notes, for example:

Microsoft Online Services will respond to emergency requests outside of normal business hours if the emergency involves "the danger of death or physical injury to any person…" as permitted in 18 U.S.C. § 2702(b)(8) and (c)(4). Emergencies are limited to situations like kidnapping, murder threats, bomb threats, terrorism threats, etc. If you have an emergency request, please call the law enforcement hotline at (425) 722-1299.

The report describes what information is available from Microsoft Online services for police and ingelligence services, including:

E-mail Services

Authentication Service: Windows Live ID

Instant Messaging: Windows Live Messenger

Social Networking Services: Windows Live Spaces & MSN Groups

Custom Domains: Windows Live Admin Center & Office Live Small Business

Online File Storage: Office Live Workspace & Windows Live SkyDrive

Gaming: Xbox Live

What's available is the actual content of your communications --- for example, copies of your emails --- as well as other information, such as your connection history and associated data that you provided to Microsoft during the registration process. The document spells out, in exacting detail,what is available for law enforcement and intelligence agenies. For example, here's an excerpt that details what emails are available from people who are MSN Premium subscribers:

Stored E-mail Records for MSN Premium Customers:

Microsoft's systems only store the e-mails a user has elected to maintain in the account. Therefore, the only e-mails provided in response to legal process seeking stored e-mail content will be the e-mails stored in the "Folders on MSN" section of a user's account.

Be aware that users may also store e-mail content on their computer's hard drive. Microsoft will not be able to disclose e-mail content stored on a user's computer --- only e-mail content stored on Microsoft's e-mail servers.

The document also gives advice and tips to law enforcement and intelligence agencies about how to understand the information that Microsoft provides. Several pages, for example, are devoted to helping agencies understand how to interpret information about Windows Live ID log-ins, showing, for example, when people log in and out, IP address history, and so on.

Interestingly, the document contains just about no information about Windows Live SkyDrive, which is Microsoft's free online file storage service. The document only has a single-sentence description of the service, along with a screenshot. I assume that the files on the service can be gotten by police and intelligence agencies, but there are no details about that, so for me at, least, it's an open question.

Quite a bit of information is available about XBox Live users. Here's what the document says can be gotten by police and intelligence officials:

What records are retained and for how long?

Both registration and IP connection history records are retained for the life of the gamertag account. Because the volume of IP connection history records may be large, when possible please ask for the specific date range of records you are specifically interested in receiving. A full listing of retained records is below:

* Credit card number

* First/last name with zip code

* Serial number but only if box has been registered online. "Console ID" is better.

* Service request number from Xbox Hotline (e.g. SR 103xx-xx-xx)

* E-mail account (e.g. @msn.com, @hotmail.com or any other Windows Live ID account name)

* IP history for the lifetime of the gamertag (only one gamertag at a time)

If your investigation involves a stolen Xbox console, if the console serial number or Xbox LIVE user gamertag is provided and the console has been connected to the Internet, IP connection records may be available.

Especially noteworthy is the final section of the document, which spells out in detail what information Microsoft is required by law to provide to police and intelligence agencies. Here, for example, is a small section:

Information that may be disclosed with a subpoena. Basic subscriber information includes name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old as long as the governmental entity follows the customer notification provisions in ECPA (see 18 U.S.C. §§ 2703(b), 2705.)

The document goes on to explain that a court order is required for the rest of a customer's profile. It also spells out when search warrants are required.

None of this should be a surprise. All companies, not just Microsoft, comply with laws that require them to turn over information to police and intelligence agencies. So Microsoft is not to blame. But it's certainly eye-opening to see what they turn over, and how they do it.

For more details, check out Gregg Keizer's story on Computerworld.

Microsoft, by the way, has released a statement about the affair. Here's what the company has to say:

"Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal."

Preston Gralla

VeriSign to offer "Trust Seal" certification for websites

2010-03-02T01:17:00.000-08:00

VeriSign, a prominent vendor of SSL certificates, has announced a new validation service for websites. Companies that sign up for the service will undergo a corporate background check and have their websites scrutinized by VeriSign. Websites that meet with VeriSign's standards will be entitled to post the company's Trust Seal insignia.

VeriSign already offers a similar service to some of its SSL customers. The new service is intended for website operators that offer commercial products and services, but don't need an SSL certificate because they rely on third-parties for processing transactions and performing other activities that require encryption.

The company says that it will conduct daily malware scans of the websites that bear the Trust Seal in order to ensure that they remain trustworthy after the initial examination. According to VeriSign, the $299 per year Trust Seal service will help websites boost traffic and increase customer loyalty. The company claims that the existing SSL variant of its Trust Seal service has generated an average traffic increase of 24 percent for its customers.

Although trust seals might give a warm fuzzy feeling to regular end users, there is little evidence that such validation programs actually guarantee security or trustworthiness. A researcher published a study in 2006 revealing that websites validated by TRUSTe were actually "more than twice as likely to be untrustworthy" compared to unvalidated sites.

The researcher speculated that private validation organizations were reluctant to sacrifice revenue by revoking validations, even in the most egregious cases of abuse. There is also the risk that untrustworthy sites will convey a false sense of legitimacy by displaying a forged seal.

The automated daily scanning that is included in VeriSign's service could give it a leg up in security over some of the alternatives.

By Ryan Paul, ARS TECHNICA

Cellphones, Privacy and Data Leaks

2010-03-02T01:11:00.001-08:00

Via: Cell Phones

Censoring facts

2010-02-18T02:19:00.000-08:00

Keep your 20-sided dice, I have D&D on the Surface

2010-02-12T01:49:00.001-08:00

Intel Solid-State Drive Crash Test

2010-02-09T23:39:00.001-08:00

Security chip that does encryption in PCs hacked

2010-02-09T00:26:00.000-08:00

SAN FRANCISCO – Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former U.S. Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google Inc.

The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer. But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.

Jeff Moss, founder of the Black Hat security conference and a member of the U.S. Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."

"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?"

Tarnovsky figured out a way to break chips that carry a "Trusted Platform Module," or TPM, designation by essentially spying on them like a phone conversation. Such chips are billed as the industry's most secure and are estimated to be in as many as 100 million personal computers and servers, according to market research firm IDC.

When activated, the chips provide an additional layer of security by encrypting, or scrambling, data to prevent outsiders from viewing information on the machines. An extra password or identification such as a fingerprint is needed when the machine is turned on.

Many computers sold to businesses and consumers have such chips, though users might not turn them on. Users are typically given the choice to turn on a TPM chip when they first use a computer with it. If they ignore the offer, it's easy to forget the feature exists. However, computers needing the most security typically have TPM chips activated.

"You've trusted this chip to hold your secrets, but your secrets aren't that safe," said Tarnovsky, 38, who runs the Flylogic security consultancy in Vista, Calif., and demonstrated his hack last week at the Black Hat security conference in Arlington, Va.

The chip Tarnovsky hacked is a flagship model from Infineon Technologies AG, the top maker of TPM chips. And Tarnovsky says the technique would work on the entire family of Infineon chips based on the same design. That includes non-TPM chips used in satellite TV equipment, Microsoft Corp.'s Xbox 360 game console and smart phones.

That means his attack could be used to pirate satellite TV signals or make Xbox peripherals, such as handheld controllers, without paying Microsoft a licensing fee, Tarnovsky said. Microsoft confirmed its Xbox 360 uses Infineon chips, but would only say that "unauthorized accessories that circumvent security protocols are not certified to meet our safety and compliance standards."

The technique can also be used to tap text messages and e-mail belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon.

Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users.

"The risk is manageable, and you are just attacking one computer," said Joerg Borchert, vice president of Infineon's chip card and security division. "Yes, this can be very valuable. It depends on the information that is stored. But that's not our task to manage. This gives a certain strength, and it's better than an unprotected computer without encryption."

The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment." It added that the group has "never claimed that a physical attack — given enough time, specialized equipment, know-how and money — was impossible. No form of security can ever be held to that standard."

It stood by TPM chips as the most cost-effective way to secure a PC.

It's possible for computer users to scramble data in other ways, beyond what the TPM chip does. Tarnovsky's attack would do nothing to unlock those methods. But many computer owners don't bother, figuring the TPM security already protects them.

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory. Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to crack the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defense.

"This chip is mean, man — it's like a ticking time bomb if you don't do something right," Tarnovsky said.

Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio Inc., saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered.

"His work is the next generation of hardware hacking," Grand said.
By JORDAN ROBERTSON, AP Technology Writer

Prepeat inkless and tonerless rewritable printer

2010-02-03T04:59:00.001-08:00

Seven "Corporations of Interest" in Selling Surveillance Tools to China

2010-02-02T03:13:00.000-08:00

The "Corporations of Interest"

Drawing from published news articles, here is a list of seven corporations that are reportedly selling surveillance technology to the Chinese government and related entities. We're designating them "corporations of interest".

Of course, news articles alone are not absolute evidence that these companies are indeed fostering repression in China. But it's clear that China uses technology to employ rampant censorship, invasive data collection and intimidation. Learning exactly what is going on, especially in the Chinese environment of state secrecy and propaganda, is difficult. But news reports, especially those that include admissions of some level of involvement from company officials, are a sufficient basis to begin asking further questions.

1. Cisco: Cisco's deep involvement in the building of China's Golden Shield Project has been admitted by the company. Cisco's involvement has even already been raised before Congress, including the fact that Cisco engineers gave a presentation acknowledging the repressive uses for their technology that quoted their Chinese government buyers as saying that Cisco's products could be used to "combat 'Falun Gong' evil religion and other hostiles." The UK's Guardian reports that Cisco provides over 60% of all routers, switches, and network gear to China and estimates that Cisco makes $500 million annually from China.

2. Nortel: Rolling Stone and The Guardian report that Nortel has sold hardware to aid the Golden Shield Project for surveillance and censorship purposes, including working with Tsinghua University to develop speech recognition software to monitor telephone conversations.

3. Oracle: Business Week reports that Oracle has sold software to the Chinese Ministry of Public Security for criminal and ideological investigations. Oracle admits that one-third of its business in China is with the government.

4. Motorola: Business Week also reports that Motorola sold the Chinese authorities handheld devices for street cops to tap into "sophisticated data repositories" on Chinese citizens.

5. EMC: Business Week also reports that EMC sold "sophisticated data repositories" to the Chinese public security authorities. The top EMC executive in Beijing is quoted as saying, "We can expect big revenue from public security agencies" in China.

6. Sybase: Business Week also reports that Sybase sells database programs to the Shanghai police.

7. L-1 Identity Solutions: Rolling Stone reports that this Connecticut-based biometrics company sold software to Chinese companies that aids government officials in identifying individuals for purposes of criminal investigations.

Commentary by Danny O'Brien
http://www.eff.org

Sikuli Automates Almost Anything with Screenshot Ease

2010-02-01T01:32:00.000-08:00

Windows/Mac/Linux: Ever wanted to write a script for some repetitive task, but don't know how to code? Sikuli makes it possible for pretty much anyone to automate tasks, by telling it what to do with just some screenshots and simple commands.

If it has a GUI, you can probably use it with Sikuli. Sikuli is an open source scripting app that uses a combination of very simple commands like click, type, and wait, and screenshots to tell Sikuli what to manipulate. There's no internal API support, it just searches the screen for the image in the screenshot—meaning you can use it with pretty much anything. Seriously, the world is your oyster.

If any of that sounds at all confusing, watch the video—and if you think it's just too good to be true, try it out. They have tons of tutorials and examples of useful scripts in their documentation, as well, to get your imagination rolling. Although you've probably already thought of at least one thing you want to use this for.

Sikuli is a free download for all platforms.
Sikuli

Augmented (hyper)Reality

2010-01-27T01:01:00.001-08:00

Augmented (hyper)Reality: Domestic Robocop from Keiichi Matsuda on Vimeo.

by Keiichi Matsuda

Flexible Notebooks, TVs, and Smartphones

2010-01-26T04:53:00.000-08:00

PlayStation 3 'hacked' by iPhone cracker

2010-01-26T04:41:00.000-08:00

A US hacker who gained notoriety for unlocking Apple's iPhone as a teenager has told BBC News that he has now hacked Sony's PlayStation 3 (PS3).

George Hotz said the hack, which could allow people to run pirated games or homemade software, took him five weeks.

He said he was still refining the technique but intended to post full details online soon.

The PS3 is the only games console that has not been hacked, despite being on the market for three years.

"It's supposed to be unhackable - but nothing is unhackable," Mr Hotz told BBC News.

"I can now do whatever I want with the system. It's like I've got an awesome new power - I'm just not sure how to wield it."

Sony said it was "investigating the report" and would "clarify the situation" when it had more information.

'Open curiosity'

Mr Hotz said that he had begun the hack last summer when he had spent three weeks analysing the hardware.

After a long break, he spent a further two weeks cracking the console, which he described as a "very secure system".

He said that he was not yet ready to reveal the full details of the hack but said that it was "5% hardware and 95% software".

"You can use hardware to inject an insecurity and then you can build on that," he said.

He admitted that he had not managed to hack the whole system, including the protected memory, but had worked out ways to trick the console into doing what he wanted.

Mr Hotz said that he was continuing to work on the hack and, once finished, would publish details online in a similar way to his previous iPhone exploits.

In particular, he said, he would publish details of the console's "root key", a master code that once known would make it easier for others to decipher and hack other security features on the console.

He said his motivation was "curiosity" and "opening up the platform".

"To tell you the truth, I've never really played a PS3," he said. "I have one game, but I've never really played it."

Opening the system could allow people to install other operating systems on their console and play homemade games, he said.

In addition, he said, the hack would allow people to play older PS2 games on their consoles.

Recent versions of the PS3 do not have the ability to play PS2 games after Sony controversially removed a piece of hardware.

He admitted that it could also allow people to run pirated games.

"I'm not going to personally have anything to do with that," he told BBC News.

Gaming firms do not take the issue of game piracy and console modification lightly. Recently, Microsoft disconnected thousands of gamers from its online gaming service Xbox Live for modifying their consoles to play pirated games.

Mr Hotz said that the nature of his PS3 hack means that Sony may have difficulty patching the exploit.

"We are investigating the report and will clarify the situation once we have more information," said a Sony spokesman.

Mr Hotz rose to fame in 2007 at the age of 17 when he unlocked the iPhone, which could only be used on the AT&T network in the US at launch.

The hack allowed the popular handset to be used on any network.

He has since released various other hacks, allowing people to unlock later versions of the popular handset.

by Jonathan Fildes
http://news.bbc.co.uk/

The myth of the Sony 'kill switch'

2010-01-26T04:38:00.001-08:00

The mass spontaneous combustion of those batteries damaged Sony’s reputation in Japan enormously. For a nation proud of their technological innovations, burning laptops and the biggest product recall in history were not exactly easy to deal with. Since then rumours have continued to fly across the internet about the existence of the timers. Sony itself is well aware of the urban legend – its current Vice Chairman Ryoji Chubachi mentioned it in public back in 2007.

But a Sony executive in 2006 had already stirred rumours when he mentioned the timers in a talk at a major technology event. He insisted that it was totally absurd and explained that the company was making every effort to dispel the myth.

Their campaign clearly isn’t going that well: the phrase has now become so common that Sony products are often avoided in Japan due to a genuine belief that they just don't last. The Playstation 3 still remains highly popular as it is allegedly exempt from the timers’ curse, but VAIO laptops, particularly among younger Japanese, are purchased with some hesitation.

Many people believe Sony products last just long enough for the company to bring out a replacement generation. Rumours have even emerged recently that the timers are controlled remotely by the company and set off just when a new laptop is due out. Google searches in Japan add fuel to this fire with VAIO laptop breakages increasing around a year after their release. In fact a google search on the subject will return more than half a million Japanese related hits.

Of course, the "Sony Timer" has never been proved and there’s no evidence that it’s anything other than a Japanese urban legend. But things got pretty interesting when it was revealed that a bug in selected E-Series Bravia TVs meant they’d only last 1,200 hours, before refusing to power on or off. This conveniently adds up to about 3 hours watching per day for one year, the exact period of the television’s warranty. Sony issued a software patch to fix the problem.

Of course, the company is extremely keen to keep this rumour out of Europe, an area where its products’ reputation is still justifiably very good. But the legend is spreading across the internet, with Western tech forums being slowly flooded with horror stories of products breaking soon after warranties expire.

Even so, you probably don’t need to rush out to renew your VAIO's warranty.

Goodies for the 3D obsessed

3D Televisions were the hot topic of CES 2010, with the majority of lcd-tv producers announcing 3d additions to their screen line-up.
For nearly 20 years Sony in Japan has been plagued by the myth of the "Sony Timer" – but is there really a kill-switch that destroys your device just after its warranty runs out? Many Japanese genuinely believe that there is.

It was the recall of more than 4.1 million Dell laptops containing faulty Sony batteries in 2006 that jump-started a rumour that has been around for decades. From 1980 to 2006 geeks and tech-obsessed Japanese had joked about the existence of the timer, creating sarcastic manga and venting anger through online forums. But the Dell recall launched the urban legend into the public eye and angry Sony sufferers jumped at the chance to denounce the company.
Even if you do decide to invest in one of these likely to be ridiculously expensive sets, the amount of actual 3D content available to you is going to be limited. The Playstation 3 is soon to gain support for the technology along with a few television channels, but in reality the 3D concept still remains in its infancy.

Even so, Panasonic has launched the DMP-BDT350, one of four 3D bluray players shown at CES - the technology behind its 3D capabilities is being kept quiet, but some extremely complex encoding will have to be applied to 3D blu-rays. That’s likely to demand more power from the player.

If that wasn't enough LG has gone one better, producing the first ever 3D projector: the CF3D. The device features two separate projection engines working together to create the image. Unlike the Pnasonic model, however, viewers will still need geeky glasses.

By Hunter Skipworth
http://www.telegraph.co.uk

Multitouch Touchgrind gaming on a MacBook

2010-01-25T03:51:00.001-08:00

1926 :: Snowmobile ???

2010-01-25T03:39:00.000-08:00

3D maps demoed on Sony Ericsson X10

2010-01-22T08:14:00.000-08:00

Ericsson Labs is showing off an API for navigating through a three-dimensional interpretation of the world based on real imagery powered by Saab spinoff (the defense firm, not the car company) C3 Technologies on Sony Ericsson's upcoming X10 -- and in a word, it's looking impressive. The buttons for controlling the action are a bit hokey, of course, but don't worry too much about that -- this is strictly a proof of concept, and the important thing is that no matter how much panning, tilting, and swooping through the cityscape the demo-giver does, video output stays above 30 frames per second. Thank goodness for Snapdragon, eh? There's no indication that we'll see a shipping version of this app on retail X10s out of the box, but let's hope something awesome comes of this. Follow the break for video.

By Chris Ziegler
http://www.engadget.com

Youtube Disco

2010-01-22T04:46:00.000-08:00

YouTube as a Music Discovery Project and Playlist Creation Tool
at last :

http://www.youtube.com/disco

3 Hours Photoshop

2010-01-21T06:36:00.000-08:00

Mouse pointer track after 3 hours of working in Photoshop. Black circles are pointer stops (not clicks).
http://www.flickr.com/photos/anatoliy_zenkov/4271592658/

Nokia offering free turn-by-turn navigation on smartphones globally

2010-01-21T06:32:00.000-08:00

And it's official. Starting today, Ovi Maps walk and drive navigation is free across the globe. Drivers receive turn-by-turn voice guidance including lane assistance, traffic information (in 10 countries including the US), and safety camera and speed warnings while pedestrians will be guided on shortcuts through parks and pedestrian-only zones in over 100 cities across the globe. It all works offline too, which should extend battery life and keep that navigation humming even while puttering about in data dead zones without racking up international roaming charges (take that, Google). From March 2010, all new Nokia GPS-enabled smartphones will come installed with the new Ovi Maps application and pre-loaded with local country map data and walk and drive navigation with access to location-aware Lonely Planet and Michelin travel guides at no extra cost. Additional premium guides like a weather service and events / movies are also included. Just 10 devices from Nokia's massive catalog are available today -- a list that includes the N97 Mini, 5800 XpressMusic, 5800 navigation edition, E52, E55, E72, 5230, 6710 navigator, 6730 classic and X6.

Radio Station app 2.2

2010-01-20T12:01:00.000-08:00

visit at http://radio-station.gr/

Watch the iPhone Swipe a Credit Card

2010-01-19T00:47:00.001-08:00

Square, one of a few iPhone peripherals hoping to turn the iPhone into a credit card swiper, sounds promising. But how does it work? YouTube shows us!

Through its own app, Square processes a credit card, produces a receipt and even takes a signature.

Google's new mobile location based search

2010-01-15T05:33:00.000-08:00

Google's new mobile location based search is a pretty big deal.
I was on the road looking for a coffee shop to do some work at in an area I wasn't familiar with.At a stop light, I whipped out my iPhone.

You simply open 'google.com' on your iPhone browser. Google will ask you if you want to use location in your searching. You give the browser permission to use the iPhone's GPS (or Cell tower triangulation in the original iPhones) and then you search like you normally would.

The results I got gave be a list of coffee shops by distance with reviews and directions. This is something I can see myself using often.

You're probably saying right now that you can use any number of apps like Yelp to do similar things, but Google's is updated in real time and it is a web app so it could work across all devices. It currently only works on iPhone and Android.

Oh, and this service, like all other Google services probably arries a pretty big Trojan along with it as well.

Google now knows your location (scary - ahhh!). That means Google can geo-target its ads to where you are located (none have popped up yet in any of my searches). Restaurants, bakeries, hardware stores and yes coffee shops would all love to be at the top of Google's list when people search for what they offer. If they're smart, they'll obviously pay Google to be there - but of course they'll want to pick up Google's other services as well.

Google basically can now be a better location aware, hyperlinked Yellowpages.

found at blogs.computerworld.com

The eyewriter

2010-01-13T00:43:00.001-08:00

The Eyewriter from Evan Roth on Vimeo.

Microsoft Security Essentials Ranks as Best-Performing Free Antivirus.

2010-01-08T02:46:00.001-08:00

Anti-malware testing group AV-Comparatives.org not only gave Microsoft Security Essentials a top rating for malware removal, but now they've given it their best ranking in their performance test as well.

AV-Comparatives.org ran a series of real-world tests running through common scenarios like downloading, extracting, copying, and encoding files, installing and launching applications, and they also ran through an automated testing suite as well. Once the dust had settled, it became clear that not only is MSE one of only three products that both blocks and removes malware well, but it's also very light on system resources.

-----------------DOWNLOAD HERE

Hit the AV-Comparatives link for the full report in PDF form, or check out the PC Mag story for the overview—if you can deal with some irritating in-text ads.
Performance Tests [AV-Comparatives]
AV-Comparatives Rates Anti-Malware Performance [PC Mag via @edbott]

found at lifehacker

RSA crypto defiled again, with factoring of 768-bit keys

2010-01-08T00:18:00.000-08:00

Yet another domino in the RSA encryption scheme has fallen with the announcement Thursday that cryptographers have broken 768-bit keys using the widely used public-key algorithm.

An international team of mathematicians, computer scientists and cryptographers broke the key though NFS, or number field sieve, which allowed them to deduce two prime numbers that when multiplied together generated a number with 768 bits. The discovery, which took about two-and-a-half years and hundreds of general-purpose computers, means 768-bit RSA keys can no longer be counted on to encrypt or authenticate sensitive communications.

More importantly, it means it's only a matter of another decade or so - sooner assuming there's some sort of breakthrough in NFS or some other form of mathematical factoring - until the next largest RSA key size, at 1024 bits, is similarly cracked. The accomplishment was reached on December 12.

"It's an important milestone," said Benjamin Jun, vice president of technology at security consultancy Cryptography Research. "There's indisputable evidence here that 768-bit key are not enough. It's a pretty interesting way to close out a decade."

The team managed to factor the 232-digit number that RSA held out as a representative 768-bit modulus from a now-obsolete challenge. They spent half a year using 80 processors on polynomial selection. Sieving took almost two years and was done on "many hundreds of machines." Using a single-core 2.2GHz AMD Opteron with 2GB RAM, sieving would have taken about 1,500 years, they estimated.

Factoring the 768-bit key was "several thousand times harder" than factoring a 512-bit one, a feat that was first performed in 1999. By contrast, factoring a 1024-bit RSA modulus, will be about 1,000 times harder than this most recent milestone. That's more than five times easier than a 768-bit RSA modulus looked just a decade ago.

"If we are optimistic, it may be possible to factor a 1024-bit RSA modulus within the next decade by means of an academic effort on the same limited scale as the effort presented here," authors of the research wrote. "From a practical security point of view this is not a big deal, given that standards recommend phasing out such moduli by the end of the year 2010."

But Nate Lawson, a cryptographer who is principal of security consultancy Root Labs, said smaller keys continue to be used for a variety of purposes, often by smaller embedded devices that don't have the processing power to handle larger keys.

The research team includes Thorsten Kleinjung, Arjen K. Lenstra, Joppe W. Bos and Dag Arne Osvik of EPFL IC LACAL, in Lausanne, Switzerland; Kazumaro Aoki of NTT, in Tokyo; Jens Franke of the University of Bonn's Department of Mathematics; Emmanuel Thomé, Pierrick Gaudry, Alexander Kruppa and and Paul Zimmermann of INRIA CNRS LORIA, in Cedex, France; and Peter L. Montgomery, Herman te Riele and Andrey Timofeev of Microsoft. A PDF of their paper is here. ®

By Dan Goodin

Microsoft patents controller-free computer input

2010-01-07T06:06:00.000-08:00

We've seen plenty of far-fetched EMG-based input methods, like the concentration-demanding, head-based NeuroSky controller, but Microsoft Research
is asking for a patent that involves much simpler gestures -- and might actually make a bit of sense. As demonstrated in the video after the break, Microsoft's connecting EMG sensors to arm muscles and then detecting finger gestures based on the muscle movement picked up by those sensors. [via engadget]

It does away for the need of a pesky camera (or Power Glove) to read complicated hand gestures, and can even sense modified versions of the gestures to be performed while your hands are full. Microsoft's developing a wireless EMG sensor module that could be placed all over the body, and while like all Microsoft Research projects this seems pretty far from market, there's a small, optimistic part of us that could see some of the benefits here for controlling mobile devices. And boy do we love controlling mobile devices.

The 'most awesome' iPhone video game (AR).

2010-01-07T00:27:00.000-08:00

Users can fly a drone, resembling a hovering UFO, up to 50 meters away, while chasing imaginary monsters or fighter planes – all on the screen on their iPhone. The machine combines the worlds of remote-controlled helicopters with video gaming.

The game was the big hit at CES Unveiled, the first chance the press and analysts got to see some of the hot new gadgets that are to be launched at the Consumer Electronics Show in Las Vegas.

The AR Drone game comes in two parts. The first is a light drone, or 'quadricopter', powered by four small but powerful sets of blades. The machine weighs just 11 ounces and measures about 18 inches across. On the drone are two mini video cameras, which send the pictures back to the iPhone.

The second part is an application that you download to your iPhone or iPod Touch. This turns the mobile phone into not just a remote control – powered by the device's Wi-Fi – but also a video game. Tilting the mobile phone changes the direction and speed of the flying machine. And on the screen of the iPhone you not only see the footage of your house or garden filmed by the drone, but also imaginary monsters or fighter planes that jump out from behind the sofa or tree.

The AR Drone is the invention of Parrot, a French company that up to now has specialised in Bluetooth technology. It is the most sophisticated use of augmented reality in a video game so far.

Augmented reality is the concept of layering digital information and data over moving pictures of your surroundings. It is already in use on iPhones when users look at Google Maps, for instance, and see restaurants or tourist attractions – including pictures or reviews of those places – layered on top of the map.

Many video games developers have been hoping to use the technology to take games to another level and Parrot believes that it is the first to do so.

Cristina Sanz, the vice president of marketing at Parrot, said: "Kids spend ages in front of a computer or TV screen playing games and this gets them off their seats and chasing the drone around the backyard or sitting room.

"On the screen they see the tree or bush that is in the garden, and then suddenly a monster can jump out at them and they have to shoot it."

Wilson Rothman, features editor of gadget website Gizmodo, said: "It is just awesome. Augmented reality has been talked about since the 1990s as this revolutionary idea but now it has finally taken off.

"This is surely every kid's dream game made real."

If you have two AR Drones you can battle each other in dogfights.

So far just three games have been devised for the drones, but Parrot said they will allow any developer to work on games.

The gadget will go on sale this summer and is expected to cost less than £320.

CES 2009 Blogs
The Gadget Inspectors at CES 2009

GODMODE for Windows 7 and Vista

2010-01-05T02:22:00.000-08:00

Windows 7's so-called GodMode is actually a shortcut to accessing the operating system's various control settings.
(Credit: CNET News)

Although its name suggests perhaps even grander capabilities, Windows enthusiasts are excited over the discovery of a hidden "GodMode" feature that lets users access all of the operating system's control panels from within a single folder.

By creating a new folder in Windows 7 and renaming it with a certain text string at the end, users are able to have a single place to do everything from changing the look of the mouse pointer to making a new hard-drive partition.

The trick is also said to work in Windows Vista, although some are warning that although it works fine in 32-bit versions of Vista, it can cause 64-bit versions of that operating system to crash.

To enter "GodMode," one need only create a new folder and then rename the folder to the following:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Once that is done, the folder's icon will change to resemble a control panel and will contain dozens of control options. I'm not sure it's my idea of playing God, but it is a handy way to get to all kinds of controls.

by Ina Fried

new input mechanism that involves waving your fingers in front of a screen.

2010-01-03T09:39:00.000-08:00

Professor Masatoshi Ishikawa and Dr. Takashi Komuro of the Tokyo University developed a new input method they’re calling “vision-based Input Interface”. Using a forward facing camera, something that many smartphones in Europe and Asia have, even though it’s debatable whether or not video calling took off, all five fingers are recognized and can be used for typing, clicking, browsing through photos, and eventually even more things once practical applications are developed. The forward facing camera used in this demo is a high speed, 154 frame per second, sensor. It’s one step closer to Minority Report type user interfaces, but it seems kind of counter intuitive to have this sort of user interface on a mobile device.

We look at people walking down the street and talking on their Bluetooth headsets as strange and possibly mentally deficient. Imagine seeing someone walking down the street waving to their mobile phone like he was some sort of character in Harry Potter. Not cool.

Read more: http://www.intomobile.com/2010/01/03/video-japanese-demo-a-new-input-mechanism-that-involves-waving-your-fingers-in-front-of-a-screen.html#ixzz0bZXIWuTN

Citigroup Denies Massive Russian Hack Attack

2009-12-23T06:52:00.000-08:00

This morning's Wall Street Journal claims that a subsidiary of Citigroup was hacked by a Russian cyber gang which stole "tens of millions" of dollars, and that the incident is being investigated by the US Federal Bureau of Investigation (FBI), National Security Agency (NSA), along with the Department of Homeland Security (DHS). The WSJ gives US "government officials" - presumably from one or more of the above agencies - as its sources for the story.

The story also quotes Joe Petro, managing director of Citigroup's Security and Investigative Services, who said that, "We had no breach of the system and there were no losses, no customer losses, no bank losses.... Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

The WSJ also says that federal agencies will not comment about their story.

So, was Citi hacked or not?

Back in 2008 in another hacking incident, Citi also denied it was hacked, but the evidence strongly indicated that it knew about the problem all along.

Banks that get hacked are generally loath to admit it, as this 2000 story in Forbes on "How to Hack a Bank" discusses. A Computer Crime and Security Survey from 2005 indicate that only 20% of companies reported security breaches to authorities.

In fact, the Forbes story tells about how it wouldn't have been difficult to steal a $1 billion from Citi at the time because of its lax security standards.

It would not surprise me that the FBI has asked Citi to be quiet about the incident, while other government officials couldn't resist blabbing about it to the WSJ.

In other security news, the Obama Administration finally found someone to take the job as cyber czar: Howard A. Schmidt, a cyber-adviser in the Bush Administration.

According to the Washington Post, "Schmidt served as special adviser for cyberspace security from 2001 to 2003 and shepherded the National Strategy to Secure Cyberspace, a plan that then was largely ignored. He left that job also frustrated, colleagues said. "

POSTED BY: Robert Charette

Twitter Defaced

2009-12-18T04:12:00.000-08:00

Around 10 pm Twitter was hacked and defaced with the message below. The site was offline for a while.

We’re looking into this and awaiting on a response from Twitter.

The message read:

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST ;)
Take Care.

Update: – We have just found out that the same defacement is appearing at at least one other site, mawjcamp.org. We are not able to see what was at this domain before, but it is now displaying the same defacement that Twitter was only a few minutes ago.

Twitter does not have the best record with security issues. We have previously covered a number of incidents, and as recently as two months ago their web servers were misconfigured to reveal detailed internal network information. We also previously wrote about their admin interface having a password of ‘password’ on one account, and the well-known Twitter doc incident. It was hoped that with the hiring of a new COO, Dick Costolo, as well as a number of other high-level engineers, including security experts, that Twitter had grown out of the phase of being vulnerable to security incidents on such a large scale.

We do not know a lot about the group claiming responsibility for the attack as we haven’t heard their name before and they do not show up in any defacement mirrors or security sites. Similar Iranian groups were active during the election campaign in that country. We have emailed the group (they were kind enough to leave an address on the defacement) for a comment (also added them on Gchat – worth a shot).

Update 2.: Twitter.com is down, status.twitter.com is down. Some tweets are getting through at the moment because parts of the API are up. Search also seems to be working. The Firehose is up – Tweets are coming in from FriendFeed (all those tweets about ‘is twitter down’ are from third-party sites)

Update 3.: It is suggested that if you use the same password on your Twitter account with other accounts, now would be a good time to change your password on those other accounts.

Update 4.: There is a history between Iran and Twitter. It was well noted and covered in the media that Twitter was used as a tool during the Iranian election protests. The US government actually intervened to assure that Twitter was available to the protestors in Tehran and around the country. This attack may be an act of reprisal from groups who were not happy with the role that Twitter played during the protests.

by http://www.techcrunch.com/

Predator drones use less encryption than your TV, DVDs

2009-12-18T00:48:00.000-08:00

Militants have been recording video from US Predator drones in Iraq and Afghanistan using laptops and $30 software, thanks to a total lack of encryption.

What three-letter Internet acronym best fits the bizarre news out of Iraq and Afghanistan that militants there have been intercepting US Predator drone video feeds using laptops and a $30 piece of Russian software: LOL, WTF, or OMG?

Actually, all three are appropriate for something this farcical, horrible, and brain-numbing. The reason that the transmissions could be picked up easily by a cheap satellite recording program? They were broadcast in the clear between the drone and ground control. That's right—no encryption was used.

Perhaps, you might be thinking to yourself in a mental bid to make the military seem competent here, no one could have suspected this would happen. But they did suspect it, because it had been happening for a decade already. The Wall Street Journal, which broke the story, included this tidbit in its report: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The US government has known about the flaw since the US campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."

After finding various laptops containing hours of recorded drone footage, the military has at last moved to encrypt the downlink between the drone and ground control, but there are problems. Not with encryption technology, which is robust, but with the fact the military 1) did not use encryption at the beginning and retrofitting is hard, and 2) the Predator's maker uses some proprietary communications gear, so off-the-shelf encryption tools don't all work.

The sad but inevitable comparison has to be drawn here with consumer electronics. Blu-ray discs, which use the AACS control scheme, feature a new DRM scheme of bewildering complexity in an attempt to thwart pirates.

Operating system vendors have built entire "protected path" setups to guard audio and video all the way through the device chain. TVs and monitors now routinely use HDCP copy protection to secure their links over HDMI cables. Game consoles are packed with encryption schemes to prevent copied games from playing. Microsoft even goes out of its way to add encryption when Windows Media Center records unencrypted over-the-air TV content. Even the humble DVD, with its long-since-breached CSS encryption, offers more in the way of encryption.

But US drones, which spy on militants and rain down death from a distance, have none. The mind boggles, as it seems like the situation should be totally reversed: no encryption on legally-purchased content, more encryption on devices designed to watch and kill human beings.

By Nate Anderson |
found at http://arstechnica.com/tech-policy/news/2009/12/predator-drones-use-less-encryption-than-your-tv.ars

Smart CCTV learns to spot suspicious types

2009-12-17T01:29:00.000-08:00

WHAT'S the difference between a suicide bomber and a cleaner? It sounds like the opening line of a sick joke, but for computer scientists working on intelligent video-surveillance software, being able to make that distinction is a key goal.

Current CCTV systems can collect masses of data, but little of it is used, says Shaogang Gong, a computer-vision computation researcher at Queen Mary, University of London. "What we really need are better ways to mine that data," he says.

Gong is leading an international team of researchers to develop a next-generation CCTV system, called Samurai, which is capable of identifying and tracking individuals that act suspiciously in crowded public spaces. It uses algorithms to profile people's behaviour, learning about how people usually behave in the environments where it is deployed. It can also take changes in lighting conditions into account, enabling it to track people as they move from one camera's viewing field to another.

To improve the tracking of an individual at an airport, the system can also learn the routes people are likely to take - straight from the entrance to check-in, say. It can even follow a target as they move in a crowd, using the characteristic shape of the person, their luggage and the people they are walking with, to follow them as they walk between different camera views.

Samurai is designed to issue alerts when it detects behaviour that differs from the norm, and adjusts its reasoning based on feedback. So an operator might reassure the system that the person with a mop appearing to loiter in a busy thoroughfare is no threat. When another person with a mop exhibits similar behaviour, it will remember that this is not a situation that needs flagging up.

While video analysis tools already exist, they tend to operate according to rigid, predefined rules, says Gong, and cannot follow a large number of people across multiple cameras situated in busy public spaces.

The Samurai team last month demonstrated the system to commercial partners including BAA Airports in the UK. The researchers claim the prototype system successfully identified potential threats which may have been missed by human operators, using footage collected at Heathrow airport. The Samurai team has funding to continue refining their software until the end of 2011.

"The use of relevant feedback from human operators will be a very important part of these technologies," says Paul Miller, of Queen's University's Centre for Secure Information Technologies in Belfast, UK, who is leading a project to develop a video-analysis system capable of predicting assaults on buses. "The key is developing learning algorithms that work not only in the lab but that are robust in real-world applications."

Found on http://www.newscientist.com/

Who is geting rich when you buy an iphone.

2009-12-13T14:12:00.000-08:00

Google Goggles

2009-12-08T00:53:00.001-08:00

Google Goggles is a visual search app for Android phones. Instead of using words, take a picture of an object with your camera phone: we attempt to recognize the object, and return relevant search results. Goggles also provides information about businesses near you by displaying their names directly in the camera preview.

German Researchers Make Metal Objects With RFID Inside

2009-12-05T13:36:00.000-08:00

Fraunhofer's engineers demonstrate how to use selective laser sintering to integrate a standard passive tag within metal items as they are manufactured.

Dec. 4, 2009—The places where RFID tags can be placed are almost limitless. One exception has been the challenge of integrating an RFID inlay within an object composed of metal. That's because the high temperatures required to melt and shape metal can destroy the components making up an RFID tag.

However, researchers at the Fraunhofer-Institute for Manufacturing and Advanced Materials (IFAM), in Bremen, Germany, indicate they've come up with a solution enabling them to embed a standard RFID tag within a metal object as that item is being manufactured. The technique makes use of a 20-year-old process called selective laser sintering, and IFAM engineer Claus Aumund-Kopp says his team has successfully built metal parts that include an RFID tag inside. The researchers presented their work at EuroMold 2009, a trade fair focused on mold making and tooling, held this week in Frankfurt.

Fraunhofer's researchers used selective laser sintering (SLS) to produce these metallic objects, shown next to a sample of the RFID tag integrated within each item.
Working with metal powder and a laser, it is possible to produce parts straight from a 3-D model generated with a computer-aided design (CAD) application. The process is painstaking: Powder is laid down in layers 20 microns (0.0008 inch) in thickness—approximately a quarter the width of a human hair—and a laser melts it in the shape of the desired part. Layer by thin layer, the metallic object emerges from the powder. "The chip is inserted into the part when we have reached a certain height," Aumund-Kopp explains.

Traditionally, RFID tags have been unusable in parts heated above 100 degrees Celsius (212 degrees Fahrenheit), though some tag manufactures have developed versions able to withstand temperatures as high as 1,093 degrees Celsius (2,000 degrees Fahrenheit) by encasing the RFID inlays in protective materials (see William Frick & Co.'s Gen 2 UHF Tags Take the Heat for Manufacturing Apps). In metal casting or laser fusion, however, temperatures can exceed 1,400 degrees Celsius (2,552 degrees Fahrenheit).

With Fraunhofer's process, Aumund-Kopp says, only a tiny bit of the material is ever heated, because of the gradual, partial nature of the process. That allows his team to use standard RFID tags that would be destroyed in traditional metal casting. "They're standard chips, with a standard glass cover," Aumund-Kopp says. "The trick is, the laser doesn't directly hit the chip, or hits it for such a minimal time that the chip isn't destroyed in the process."

Even more important, Aumund-Kopp adds, the Fraunhofer team discovered that the chips can be completely embedded within a metal part and still function. "We have found chips which are completely covered and are still readable," he states. "This is really new—usually, you need a gap where the electromagnetic fields can couple." The findings came as a pleasant surprise to the researchers, he says, and have created a puzzle for the future. "We can't explain it ourselves. We need to do some more tests."

n the meantime, the team is working to make the findings applicable industrially. Thickness apparently matters, Aumund-Kopp says—the chips are still readable beneath 100 microns (0.004 inch) of metal, but no deeper than that. So far, he notes, the chips that work best transmit at a frequency of 125 kilohertz. "It's only readable over short distances, but that's also the frequency that is most secure," he explains. "We still have some way to go for the larger reading range."

At EuroMold, Fraunhofer's researchers presented metal finger rings in which they had embedded RFID chips. Such RFID-enabled rings could be worn, for instance, in order to gain admission to secure rooms. But as long as the technology remains fairly expensive, the most likely applications will be narrow.

Whereas an RFID chip molded within a plastic object could be removed and placed into something else, the chip inside a metal part could not be extracted from that object without destroying the chip. The most immediate application might be fraud prevention, Aumund-Kopp says, noting, "Think of aviation, where the quality of spare parts is vital."

Integrated into an aircraft component, for example, an RFID tag would not only enable a manufacturer to track that item, but also allow it to later verify that a customer used the genuine article—and not a cheaper, lower-quality counterfeit—in the event of part failure. "With these chips," Aumund-Kopp says, "you can ID the part securely."

Another potential application, Fraunhofer reports, is to create parts containing an RFID tag with a temperature or expansion sensor, in order to record data on thermal or mechanical stresses on the components.

IFAM's tag-embedding technique remains costly, Aumund-Kopp indicates, primarily because the selective laser melting process used by the researchers is not ideal for mass-manufacturing. However, that may change. "We're at the very beginning," he notes. "We're definitely looking for partners who want to further develop its potential."

By Andrew Curry
http://www.rfidjournal.com/article/view/7256/2

Intel Unveils 48-Core Single-Chip Cloud Computer

2009-12-03T00:38:00.000-08:00

Earlier today in a San Francisco press briefing Intel Chief Technology Officer, Justin Rattner took the wraps off a proof of concept and experimental product that Intel dubbed a "Single-Chip Cloud Computer". The objective this chip was designed to address is the huge opportunity that exists to reduce power consumption and space in the data center, a very real place, rather than mythical, where "the cloud" really exists and increasing user demand for online services continues to chew up bandwidth, processing resources and storage like there is no tomorrow.

The Intel Single-chip Cloud Computer or "SCC" for short, is what Intel likes to call a "many core" CPU but actually consists of a 48-core implementation using 45nm process technology. The cores on the chip are networked together in a packet-based router mesh network, where the nodes (or individual cores) behave quite similarly to a network cloud but on a monolithic silicon chip level. There are, in fact, 24 "routers" to connect and manage all 48 cores and the chip also contains an additional 4 DDR3 memory controllers to feed the network data, with 64GB total addressable memory space per SCC chip.

Microsoft says B(lack)SODs not linked to latest patches

2009-12-02T01:22:00.001-08:00

Microsoft is denying that the latest Patch Tuesday has resulted in some PCs locking up and displaying a Black Screen of Death (BSOD), calling the reports "inaccurate." Prevx, the security company that started all the hubbub, has apologized.

Microsoft is denying reports of the Black Screen of Death on a number of PCs. A fraction of Windows users have been complaining their computers were locking up and displaying a Black Screen of Death (BSOD, not to be confused with Blue Screen of Death, which is usually due to hardware or driver failure) after the last Microsoft Patch Tuesday on November 10, 2009.

"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that that are resulting in system issues for some customers," a Microsoft spokesperson told Ars. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

"While we were not contacted by the organization who originally made these reports, we have proactively contacted them with our findings. Our support organization is also not seeing this as an issue. The claims also do not match any known issues that have been documented in the security bulletins or KB articles."

Security company Prevx first claimed the latest patches were making changes to the Access Control List (ACL), a list of permissions for a logged-on user, in the registry. The result was some installed applications (especially security products) failing to run properly, causing a BSOD on Windows -2000, NT, XP, Vista, and 7, according to Prevx. The security company released their own fix that reportedly makes the appropriate changes in the registry (this can also be done manually) to match the ACL settings.

Today though, Prevx has changed its stance on the issue: "Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."

"We apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify. Users who have the black screen issue referred to can still safely use our free fix tool to restore their desktop icons and taskbar."

When we contacted Microsoft yesterday, the software giant wasn't yet ready to comment on the reported issue. Instead, the company said it was investigating, and apparently that stage is now complete; Microsoft has concluded its patches are not to blame. We have not encountered computers that have had this problem, so we're not sure of the scope of affected users, but since the problem still remains, we'll follow this story closely as it unfolds.

By Emil Protalinski

Hackers outwit Windows 7 activation

2009-11-19T00:47:00.000-08:00

Software lets pirates thwart Microsoft's antipiracy technology in new OS

Hackers have figured out how to sidestep Windows 7's activation process, continuing a long-running battle with Microsoft, which has blocked such tactics in the past.

According to an article published more than a week ago on My Digital Life, hackers have devised a pair of methods that circumvent the new operating system's product activation, a key component of Microsoft's antipiracy technologies.

Microsoft said it knew about the hacks and was looking into ways to block them. "We're aware of this workaround and are already working to address it," a company spokeswoman said today.

Two utilities, called "RemoveWAT" and "Chew-WGA," remove the activation technologies or prevent them from running, said My Digital Life. Both hacking tools trick Windows 7 into reporting that it has been properly activated, preventing the nagging on-screen displays and other visual cues from appearing that Microsoft has built into its software to mark counterfeit software.

With Windows 7, Microsoft dropped the "Windows Genuine Advantage" (WGA) name for its integrated antipiracy software, and replaced it with "Windows Activation Technologies" (WAT). The end result on users' screens, however, remained similar to what Vista displayed. The most evident change to Windows 7 was the discarding of a delay during log-in on a machine with an inactivated copy of Windows. Under Vista's scheme, users had to wait 15 seconds before clicking the "Activate Later" button to proceed to the desktop. In Windows 7, users can click that button immediately.

Microsoft made dramatic changes to Vista's illegitimate software warnings nearly two years ago, then followed those with nearly identical modifications to the older Windows XP. In both operating systems, the company dumped the reduced functionality mode that essentially made the machine unusable, and instead boosted the number of on-screen messages and planted a black background on the desktop.

Microsoft has blocked anti-activation hacks in the past, using Windows Update to push changes to users. In early 2008, for example, the company stymied a pair of activation cracks with just such an update, then rolled the crack detection code into Vista Service Pack 1 (SP1) a month later. It issued another update in February 2009 to block another crack that affected Vista Ultimate.

The post on My Digital Life acknowledged that Microsoft might take the same tack with the Windows 7 workarounds. "As [the] cracks based on removal of activation component involves patching, changes and modification to many system files, it's likely to be easily detected and nullified by Microsoft, especially in [the] next WGA update or Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2," My Digital Life reported.

Space Chair Project

2009-11-17T08:07:00.000-08:00

There's something wrong when an advertisement is more memorable than the product. Nevertheless, here we have Toshiba's Space Chair ad campaign promoting its new 2010 REGZA SV LCD TV series, Toshiba's first with LED backlight and local dimming. The campaign will later expand to include a second take featuring the Satellite T Series of 11-hour CULV laptops set for introduction in 2010. The ad follows the journey of "an ordinary living room chair" to the edge of space before falling back to Earth where the ground crew relied upon a GPS beacon to locate the craft. A few facts about the shoot:

* A helium balloon lifted the chair and Toshiba's own IK-HR1S ultra-compact 1080i camera to a height of 98,268 feet above terra firma
* FAA regulations required that the weight of the rig had to be less than four pounds
* The chair is made of biodegradable balsa wood at a cost of about £2,500
* The rig was launched in Nevada's Black Rock desert
* The temperature dropped to minus 90 degrees at 52,037 feet
* The chair took 83 minutes to reach an altitude of 98,268 feet and just 24 minutes to fall back to earth.

Barack Obama tells 2.6 million Twitter followers he has never tweeted

2009-11-17T06:34:00.000-08:00

Barack Obama left his 2.6 million fans on Twitter, the social networking website, bemused, disappointed and mildly irritated by admitting on Monday that he had never used the service himself.

Let me say that I have never used Twitter," he told students in Shanghai. "I noticed that young people are very busy with these electronics. My thumbs are too clumsy to type in things on the phone."

During his election campaign, Mr Obama portrayed himself as "connected" to the people through Twitter and his ever-present blackberry phone.

Some of his more understanding fans asked if it was any real surprise that the president had little time to "tweet". "Did anyone really think he was posting on his own?"

Metasploit Framework 3.3 Released!

2009-11-17T06:30:00.000-08:00

We are excited to announce the immediate availability of version 3.3 of the Metasploit Framework. This release includes 446 exploits, 216 auxiliary modules, and hundreds of payloads, including an in-memory VNC service and the Meterpreter. In addition, the Windows payloads now support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs were fixed since last year’s release of version 3.2, making this one of the more well-tested releases yet.

Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the Apple® iPhone™. Installers are available for the Windows and Linux platforms, bundling all dependencies into a single package for ease of installation. The latest version of the Metasploit Framework, as well as images, video demonstrations, documentation and installation instructions for many platforms, can be found online at http://www.metasploit.com/framework/.

This release of the Metasploit Framework was driven by numerous key contributors, including James Lee, Yoann Guillot, Steve Tornio, MC, Chris Gates, Alexander Kornbrust, Ramon Carvalle, Stephen Fewer, Ryan Linn, Lurene Grenier, Mike Kershaw, Patrick Webster, Max Moser, Efrain Torres, Alexander Sotirov, Ty Bodell, Joshua Drake, JR, Carlos Perez, Kris Katterjohn and many others.

The startup speed up the Metasploit Console and all utilities has been greatly improved due to performance patches by Yoann Guillot and a string processing overhaul by James Lee. Metasploit now fully supports the 1.9.1 version of the Ruby interpreter, clearing the way for support under a variety of alternate Ruby VMs in the future.

The Windows installation now includes a fully-functional console interface, using Cygwin and RXVT as a front-end to the framework. The Windows installer now runs on all supported versions of Windows, from Windows 2000 to Windows 7. The Windows version of Metasploit is now portable and can be silently installed via the /S /D=Dest parameters.

The Linux installers now include everything needed to run the Metasploit Framework on most versions of Linux released over the last five years. The official Linux installers are recommended for anyone using a Linux distribution other than Ubuntu (8.04+). These installers include Ruby 1.9.1, Subversion 1.6.6, and all dependencies, along with convenient scripts for keeping the framework updated.

Source

Windows 7 vulnerable to 8 out of 10 viruses

2009-11-13T07:07:00.000-08:00

Now that we in the northern hemisphere have had some time to digest the Windows 7 hype and settle in for the coming winter, we thought we would get some more hard data regarding Windows 7 security.

On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software.

We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

User Account Control did block one sample; however, its failure to block anything else just reinforces my warning prior to the Windows 7 launch that UAC's default configuration is not effective at protecting a PC from modern malware.

Lesson learned? You still need to run anti-virus on Windows 7. Microsoft, in the Microsoft Security Intelligence Report released yesterday, stated that "The infection rate of Windows Vista SP1 was 61.9 percent less than that of Windows XP SP3."

But let's not get complacent. Microsoft seems to be saying that Vista is the least ugly baby in its family. You can be sure the next report will highlight its even less ugly younger sibling, Windows 7.

Why do I say this? As of October 31st www.netmarketshare.com states that Windows Vista has a 19% market share against Windows XP's 70.5% and Windows 7's 2%. Approximately 1 in 5 Windows users is using either Vista or Windows 7. These users often have newer computers, automatic patching, and firewalls and anti-virus software in place.

With millions of hosts still infected with Conficker, ZBot and Bredo, it is obvious a lot of unprotected machines are still out there, and it is no surprise that most of those are XP.

As the chart above shows, Windows 7 users need not feel left out. They can still participate in the ZBot botnet with a side of fake anti-virus. Windows 7 is no cure for the virus blues, so be sure to bring your protection when you boot up.
Posted on November 3rd, 2009 by Chester Wisniewski, Sophos

AP IMPACT: Framed for Child Porn _ by a PC Virus - ABC News

2009-11-13T07:05:00.000-08:00

AP IMPACT: Framed for Child Porn _ by a PC Virus - ABC News

How to Prevent Heart Hackers From Turning Off Pacemakers

2009-11-12T00:50:00.000-08:00

Many medical devices come equipped with wireless communication systems these days, allowing doctors to customize their operations or to see their patents’ information. But fitting pacemakers or implanted defibrillators with WiFi also opens the door to hackers‘ attacks. Hackers could potentially steal personal information, remotely drain batteries, or cause a dangerous malfunction, so researchers are working on ways to block them. The approach relies on using ultrasound waves to determine the exact distance between a medical device and the wireless reader attempting to communicate with it [Technology Review]. The plan is to only allow access to a medical device from wireless reading devices within 10 feet, and only then after a series of authentication steps. However, in the event of an emergency, the medical device would grant access to anyone within a few inches of the device. In other words, to anyone close enough to assist.

The research team also has to consider how much power their security measures will drain from the devices, which is a not-so-trivial point for a battery-operated pacemaker. But Claude Castelluccia, who was involved with designing the security system, said that because the device won’t respond to requests that come from outside the predetermined distance, it would also be harder for an attacker to wear down the battery by forcing it to process one request after another [Technology Review]. To test their system, researchers recently implanted a medical device in the stomach of a cow, and they’re currently shopping their patented technology to potential developers.

SOS::Truly malicious iPhone malware now out in the wild

2009-11-12T00:41:00.000-08:00

While previous "attacks" on jailbroken iPhones were benign, a variation of the same attack quietly extracts personal data from an infected device. Please, folks, change your default passwords.

If you didn't heed previous warnings to secure your jailbroken iPhone, you may be in for some serious trouble. Computer security firm Intego has identified the first known truly malicious code which targets jailbroken iPhones with default root passwords.

The latest in a string of recent attacks, iPhone/Privacy.A uses a technique similar to previous hacks. The malware scans for phones on a given network with an open SSH port, then attempts to log in using the default root password that is the same on all iPhones. Unlike the previous versions, which merely replaced the wallpaper image to alert users that they have been cracked, the new version silently copies personal data—"e-mail, contacts, SMSs, calendars, photos, music files, videos, as well as any data recorded by any iPhone app." It then sends the data back to the machine running the software.

Intego says that its VirusBarrier X5 can identify and remove the software if it's installed on a Mac, but the tool can also be installed on a Windows or Linux PC, or even another iPhone. "This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network," warned Intego in a statement. "Hackers could even install this tool on their own iPhones, and use it to scan for jailbroken phones as they go about their daily business."

Of course, non-jailbroken iPhones are completely unaffected by this malware. Likewise, jailbroken iPhones without a running SSH daemon won't be affected either. If you do activate SSH on your jailbroken iPhone, be sure to take the warning to change the default passwords for both the "root" and "mobile" users seriously.

Lab on a chip

2009-11-09T06:04:00.000-08:00

Medical lab tests are often expensive and slow. Thanks to microfluidics, also known as lab-on-a-chip technology, a new generation of handheld diagnostic devices may soon arrive in the world’s advanced hospitals. The new technology will perform tests with greater automation—using much smaller samples of blood or other fluids—than today’s methods. But Harvard chemist George Whitesides believes the high-tech tests can have their greatest impact in decidedly low-tech surroundings, namely poorly staffed and equipped medical facilities in developing countries. When he challenged his colleagues to create a microfluidics device for such a setting, they experimented with silicon and plastic chips, but eventually adopted a less pricey technology: paper. “Even a few cents for each device is expensive,” group member Andres Martinez says. “The overarching goal of the project was to make essentially a zero-cost device.” Not only is paper cheap and easy to produce in high volumes, but it can be incinerated after use, an advantage in poor regions where medical waste disposal is a challenge.

Paper naturally draws in liquids through tiny capillaries, eliminating the need for a typical lab-on-a-chip’s miniaturized pump. The team embeds water-shunning polymers on the paper to form channels, which can lead a drop of blood or other fluid to tiny reservoirs filled with chemical reagents. The lab’s first assay, or test, is for liver disease, a frequent side effect of AIDS medications. If blood contains alkaline phosphate, a liver-disease biomarker, the reagent turns purple. In the future, a single postage-stamp-size device might test for the presence of a number of viruses and medical conditions. To run such a test, there would be no need to draw blood from a vein, refrigerate the sample or have access to electricity. The team hopes that test results could be photographed with cellphone cameras by minimally trained workers and transmitted to doctors and nurses for analysis. And while it’s being designed for the rigors of the developing world, the technology has the potential to revolutionize diagnostics in industrialized countries as well.

'Art project' video game attacks Apple Mac machines

2009-11-05T00:28:00.000-08:00

A 1980s-style video game attacks the Mac platform, deleting users' files as they progress through the level and shoot enemies. While its creator clearly warns of the consequences, the software has been labeled a Trojan horse.

The software created by Zach Gage is described as an "art project." The "game" generates aliens based on the number of files on a user's computer, and killing them deletes a file. Upon the player's death the game is supposed to delete itself. It includes an online raking of players' scores.

"By way of exploring what it means to kill in a video-game, Lose/Lose broaches bigger questions," the project's creator said. "As technology grows, our understanding of it diminishes, yet, at the same time, it becomes increasingly important in our lives. At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data? What implications does trusting something so important to something we understand so poorly have?"

While Gage sees his project as art, Symantec views it as a Trojan, though "Lose/Lose" is not seen as a great threat at the moment. The malware's creator even warns on his Web site what the application does, and upon starting the game, players are also cautioned that it will result in the deletion of files from their computer.

But the security firm cautioned that the threat, called OSX.Loosemaque, could be modified by someone with "more malicious intentions" and passed on to unsuspecting users without the current warnings.

In a video demonstrating the Trojan, Symantec showed how the game begins to delete files on the system as aliens are killed, in a top-down shooter designed in the style of classics like Galaga. After a number of aliens were killed, the program attempted to delete a critical system file, which caused the malware to crash.

"You'll notice that while I'm blowing up the ships, the files in my Documents folder are disappearing," the video states. "It looks like the game chooses users' documents first, and then it moves on to preference files contained within the very subfolders of the user's home directory."

VR Treadmill Goes In Every Direction

2009-11-02T01:48:00.000-08:00

Decades ago, we all thought that virtual reality would be the next big thing. We envisioned big VR helmets and endless worlds that we could adventure through forever where all of our senses would be engaged. There were some problems with our conception of VR, though, and it fell out of our collective future, mostly because of cost and technology constraints. But quietly, in the background, companies are still developing virtual reality technology. Just a few years ago, Sony filed a patent for technology that would allow a virtual world, complete with sounds and smells, to be projected directly into the brain. And a European research project called Cyberwalk is working on another challenging aspect of the VR environment: locomotion.
The omni-directional treadmill called CyberCarpet created by Cyberwalk would revolutionize the way virtual reality is used for therapy, training, architecture and, eventually, gaming. A traditional treadmill, of course, only moves in one direction. Walking straight ahead at all times doesn’t allow for full immersion in a virtual world. Other solutions, such as a large sphere that the user manipulates from inside, have been proposed but are plagued with problems. The omni-directional treadmill works by densely packing small balls under a walking surface and letting the friction of the user’s shoes do the moving. The kinks are still being worked out – namely stopping and starting – but based on the above video it looks like the CyberCarpet is in a pretty great place already. The device has already been used to take a few lucky individuals on a virtual walk-through of ancient Pompeii. Next stop (we hope): Lawnmower Man-type virtual worlds.

by http://gajitz.com/virtual-insanity-vr-treadmill-goes-in-every-direction/

The Moodwall

2009-11-02T00:43:00.001-08:00

New Boston Dynamics Robots

2009-10-28T13:49:00.000-07:00

Boston Dynamics is a small engineering and robotics firm spun off from MIT in 1992. According to its own Web site it "builds advanced robots with remarkable behavior: mobility, agility, dexterity and speed." Those parameters sound kinda military-like for a reason: BD has worked with DARPA, the Army, the Navy, and Marine Corps, as well as the more innocuous-sounding Sony. Their current starting lineup:

Petman

And before you think that sounds pretty Cyberdine Systems-sy, check out the video of Petman in action. It's a prototype bipedal robot from BD that walks with extraordinarily human-like gait--it even heel-toes, and does so with a dynamic sense of balance that means it can take a solid kick and still keep walking.

Makes the cute Asimo seem like the walking equivalent of a robotic grandpa doesn't it? Technically BD says its an "anthropomorphic robot for testing chemcial protection clothing [...] Unlike previous suit testers, which had to be supported mechanically an had a limited repertoire of motion, Petman will balance itself and move freely; walking, crawling [...] Petman will also simulate human physiology within the protective suit by [...] sweating when necessary." But if you didn't get a shiver from imagining the next gen of the sweaty thing with arms and a head, painted silver instead of black and wielding a gun then ... well, you've not got a very active imagination.

RiSE

The last beastie is a six-legged smart climbing robot that has adhesive feet to let it scale even the most unforgiving and sheer building walls.

All that's left for us is to wonder what Petman and Big Dog and all the rest will evolve into over time: We're pretty sure we heard Petman muttering something about his plan to "be back."

One wheel motorbike / chair

2009-10-23T03:35:00.000-07:00

Hacker High: 10 Stories of Teenage Hackers Getting into the System

2009-10-18T07:38:00.001-07:00

1. Student at Downingtown High School West — Downingtown, Pa.

A 15-year-old student was arrested and charged with felonies in May 2008 for stealing personal data from the Downingtown School District's computer system and downloading files that contained the names and Social Security numbers of more than 41,000 of district residents (including 15,000 students). The unnamed student allegedly accessed the files, which were located on the district’s server, through a school computer during a study period, and officials believe that he copied the files to his home computer. This is the second time in the 2007-2008 academic year that a student has broken into the Downingtown School District’s computer system; another student was arrested for hacking into the system in December 2007.

2. Matthew the phone phreak — Boston

In February 2008, the FBI identified the culprit in a 2005 Colorado "swatting" incident — a phone hoax involving hackers who call in fake emergencies and get SWAT teams to barrel into people’s homes. The responsible party was a 17-year-old East Boston "phreak," or phone hacker, named Matthew. The remarkable thing about him is that he’s blind. Matthew, who’s been at the game since he was 14, is considered one of the most skilled phreakers alive.

3. Jeanson James Ancheta — Los Angeles

In 2005, the FBI nabbed 20-year-old Jeanson James Ancheta, a reported member of the "Botmaster Underground," a group of script kiddies known for their bot attacks and spam inundation. His sinister cyberscheme infected computers at the United States Naval Air Warfare Center Weapons Divistion in China Lake, Calf. and the Defense Information Systems Agency, a component of the United States Department of Defense. In the first prosecution of its kind in the U.S., Ancheta was arrested and indicted on 17 federal charges for profiting from the use of "botnets."

4. Aaron Caffrey — Britain

Aaron Caffrey 19, was accused of almost destroying of North America's biggest ports, the Port of Houston in Texas, by hacking into its computer systems. Computers at the port were hit with a DoS (denial of service) attack on Sept. 20, 2001, which crashed systems at the port that contained data for helping ships navigate the harbor.

The prosecution said that the Brit’s computer contained a list of 11,608 IP addresses of vulnerable servers, along with malicious script. The attack on Houston was apparently tied to a female chat-room user called Bokkie, who had made anti-U.S. comments online. Still, a jury found Caffrey not guilty in October 2003.

5. Raphael Gray — Wales

Raphael Gray, 19, became the subject of an international investigation after he got his hands on 23,000 Internet shoppers' details and posted some of them to Web sites. The scheme, which Gray claimed was an attempt to expose security weaknesses in Internet shopping, cost users hundreds of thousands of pounds. Gray was been sentenced to psychiatric care and told reporters that he felt no regret for what he’d done.

6. c0mrade — Miami

In 2000, a 16-year-old from Miami known on the Internet as "c0mrade" became the first juvenile to go to jail on federal computer-crime charges for hacking into NASA. The boy admitted to attacking a military computer network used by the DTRA (Defense Threat Reduction Agency) from Aug. 23, 1999 to Oct. 27, 1999. The youth installed a backdoor access on a server that intercepted more than 3,300 electronic messages to and from DTRA staff. The backdoor also accessed at least 19 usernames and passwords of DTRA employees, including at least 10 usernames and passwords on military computers. The unnamed juvenile was sentenced to six months in a detention facility.

7. Mafiaboy — Canada

Over a five-day period in February 2000, Yahoo! Inc., CNN, eBay Inc. and Amazon.com Inc. became victims of the largest DoS attack ever to hit the Internet. The attacker? A 14-year-old Canadian named Mike Calce, who went by “Mafiaboy” online. He became the most notorious teenage hacker of all time, causing millions of dollars worth of damage on the Internet.

Calce initially denied responsibility for the assault but later pled guilty to most of the nearly 50 charges against him. On Sept. 12, 2001, the Montreal Youth Court sentenced him to eight months of "open custody," one year of probation, restricted use of the Internet and a small fine. Calce later wrote as a columnist on computer-security topics for the French-language newspaper Le Journal de Montréal.

8. Ehud Tenenbaum — Israel

Computers at the Pentagon were targeted in an attack called "Solar Sunrise" during a tense time in the Persian Gulf in 1998. The attack led to the establishment of round-the-clock, online guards at major military computer sites. At the time, U.S. Deputy Defense Secretary John Hamre called the attack "the most organized and systematic attack" on U.S. military systems.

While officials initially pointed fingers at two American teens, 19-year-old Israeli hacker Ehud Tenenbaum, who was called "The Analyzer," was identified as their leader and arrested. Tenenbaum later became the CTO of a computer-consulting firm.

9. Richard Pryce and Matthew Bevan — Britain

Two teens touched off one of the biggest ever international computer crime investigations in the U.S. when, for several weeks in 1994, they attacked the Pentagon's computer network and tried to get access to a nuclear facility somewhere in Korea. The cyberculprits were identified as 16-year-old music student Richard Pryce (known as "Datastream Cowboy") and Matthew Bevan (known as "Kuji"), who was arrested two years later at age 21. Conspiracy charges against both Pryce and Bevan were later dropped, though Pryce was ordered to pay a small fine.

10. 414s — Milwaukee

They may sound like a cheesy '80s band, but the 414s were actually a band of youthful hackers who broke into dozens of high-profile computer systems, including ones at Los Alamos National Laboratory and Memorial Sloan-Kettering Cancer Center. Later uncovered as six youths ranging in age from 16 to 22, the group met when they were members of a local Explorer Scout troop. These Scouts-turned-cybercriminals were investigated by the FBI in 1983.

The media took to the story of the youths, who met the somewhat sexy profile of early '80s computer hackers as established by Matthew Broderick's character in "WarGames," which was released the same year that the 414s rose to glory. In fact, 17-year-old Neal Patrick got more than his 15 minutes of fame when he appeared on the Sept. 5, 1983 cover of Newsweek. Most of the members of the 414s were not prosecuted, but their cybershenanigans lead to government hearings on hacking, as well as the introduction of six bills concerning computer crime in the U.S. House of Representatives.

30 years of failure: the username/password combination

2009-10-14T09:42:00.001-07:00

We've known for decades that humans have a limited ability to associate passwords with specific accounts, and compensate by using what might be termed worst practices. A new survey of IT users at a large organization shows that little has changed, and the most sophisticated users behave no different than an average one.

A lot of the effort involved in establishing a secure computing environment focuses on technological solutions, from providing warnings about phishing attacks to blocking the propagation of botnets. But, as previous research has shown, security involves a significant human component. Nowhere is that more true than the item at the heart of basic security: the humble password. Here, our best practices—something that's not in the dictionary or written down, differs for every account, etc.—ignores basic research, which shows that humans have a limited capacity to associate random text with, well, just about anything. A new survey of institutional IT users provides a glimpse into just how bad the password situation is, with less than five percent of users managing to use best practices.

What is perhaps most striking about the new study, which is being published in the Proceedings of the Human Factors and Ergonomics Society, is its background section, which details just how long we've been aware of the password problem. It cites a study of Unix passwords from 1979, which showed that about 30 percent of the passwords were four characters or less, and about 15 percent being words that appear in the dictionary. Fast forward to 2006, when a separate survey of 34,000 MySpace passwords revealed that the most common were "password1", "abc123", "myspace1", and "password".

But it's not simply that we have empirical evidence suggesting that passwords are easy to crack; neuroscience has indicated that the human brain simply doesn't perform well at free-associating text that, on its own, has little inherent meaning. As one of the papers cited puts it, "the multiple-password management crisis [can be viewed as] a search and retrieval problem involving human beings' long-term memory." And, although our long-term memory for images and words that we've assigned meanings to is quite good, we don't do as well with passwords, which (ideally, at least) should look like a near-random string of characters. It's another challenge entirely to remember which password to associate with a specific account.

So, there's an obvious tension between what we know what we should do, and what actually can be done when it comes to passwords. The authors of the new study conducted several focus groups with network administrators to identify likely sources of problems for users. They used this information to craft a survey of password habits, which they administered to 836 employees of an organization that handled sensitive private data and provided all employees with computer security training. Obviously, a more diverse survey population would have been nice, but the single employer at least allowed a degree of consistency in terms of the security training.

The authors condensed the results into a measure of how many deviations from ideal password practices a given user committed, such as using a short password, not mixing characters and symbols, writing the password down or reusing it, etc. All told, only 4.4 percent avoided any deviations from the rules, and the majority violated three or more. "In reality," the authors note, "the results are probably worse, because respondents do not like to admit that they deviate from the rules."

Experience made a difference, as expert and advanced computer users tended to outperform the novices. But there were limits; actual network administrators, for example, didn't behave in a manner that was significantly different from an average user. One possibly disturbing development was noted: about seven percent of the respondents had become cynical about computer security, having decided that no amount of adherence to best practices would protect them from hackers. Fortunately, this group seemed to be just as good (or just as bad) about using best practices as the rest of the population.

In a lot of ways, the results shouldn't surprise anyone, given what we know about the operation of human memory: if you give users a task that's nearly impossible, they won't do it. The fact that the organization involved handles sensitive data and trains its users on how to protect it doesn't change that reality. What the study may accomplish is to help drive home the need to stop expecting the impossible. The authors suggest a variety of alternative authentication systems, from biometrics and hardware-based certification to systems that rely on aspects of memory that humans handle more easily, such as image-based systems. Until IT administrators get over old habits, however, the availability of alternatives will have a limited impact.

By John Timmer

Την Τετάρτη 14 Οκτωβρίου ξεκινά το φετινό Athens Digital Week

2009-10-13T04:05:00.000-07:00

Μια πλούσια διαδραστική εμπειρία περιμένει τους επισκέπτες του Athens Digital Week που θα πραγματοποιηθεί για δεύτερη συνεχή χρονιά στην Τεχνόπολη από την Τετάρτη 14 ως την Κυριακή 18 Οκτωβρίου.

Έπειτα από την επιτυχία της περυσινής διοργάνωσης, που προσέλκυσε γύρω στους 35.000 επισκέπτες, το ανοιχτό φεστιβάλ τεχνολογίας που διοργανώνει ο Δήμος Αθηναίων περιλαμβάνει φέτος εννέα θεματικές ενότητες σε έκταση 4.820 τμ:

Gaming: Παρουσιάσεις νέων παιχνιδιών, έκθεση με παλιές κονσόλες (coin operated game machines), διαγωνισμοί στα παιχνίδια Counter-Strike, Warcraft III, Trackmania, Quake, ProEvolution.

Robotics: Ρομπότ που παλεύουν, ακολουθούν γραμμές, λύνουν γρίφους, ρομποτικά λουλούδια που αντιδρούν σε εξωτερικά ερεθίσματα, εξομοιωτές πτήσεων, αλλά και ποδοσφαιρικές αναμετρήσεις με δίποδα ρομπότ των Κουρητών, των παγκόσμιων πρωταθλητών από την Κρήτη.

Modding: Ψύξη υπλογιστών με υγρό άζωτο, overclocking και διαστημικά υλικά. PC Case Modding Section, Overclocking Section, Gadget Modding, διαγωνισμοί.

Space: Tο Celestia δίνει τη δυνατότητα παρατήρησης του Hλιακού Συτήματος σε τεράστιες οθόνες. Έκθεση φωτογραφίας με πλανήτες και αστέρια τραβηγμένα από ψηφιακές κάμερες και τηλεσκόπια. Κουιζ γνώσεων και ένα πρωτότυπο παιχνίδι Αστρονομίας.

Digital Music: Ο προαύλιος χώρος της Τεχνόπολης μετατρέπεται σε στούντιο ηχογράφησης. Ψηφιακές κονσόλες, υπολογιστές και μηχανήματα τελευταίας τεχνολογίας δίνουν σε όλους τη δυνατότητα να δημιουργήσουν το δικό τους μουσικό κομμάτι.

Open Source: Προγραμματιστές θα δώσουν το «παρών» για να αντάλλαξαν απόψεις και κόλπα και να εκπλήξουν όσους τους παρακολουθήσουν.

Visual Art: Digital (matte) Painting, Digital Illustrating - Vector Based Illustration, Art for Web: 2-D/Flash/3d – Papervision, Art Installations (VR), Local Showreel, 2-D and 3-D commercial art, Graffiti Research Lab. H ομάδα Nomass για δεύτερη συνεχή χρονιά θα παρουσιάσει το online project με θέμα «Character design».

Social Networking: Εκδηλώσεις, πάρτι και κατασκηνώσεις στο Twitter και το Facebook.

Telecom: Εφαρμογές γις κινητό Διαδίκτυο και PDA: Your office everywhere, Mobile TV, Mobile Music, Mobile Studio, Mobile Navigation / GIS Applications (SatWays), Mobile Games, SMS/MMS Games, Mobile Web 2.0.

PhotoSketch: Internet Image Montage

2009-10-06T02:28:00.001-07:00

PhotoSketch: Internet Image Montage from tao chen on Vimeo.

New mouse Generation

2009-10-06T02:22:00.001-07:00

Antivirus makers applaud, mock Microsoft Security Essentials

2009-10-04T15:34:00.000-07:00

Symantec, ESET, Avast, and AVG all have something to say about the release of Microsoft Security Essentials, Redmond's free antimalware solution. Two are fine with it, and two are not; can you guess which ones?

Four antivirus makers have weighed in on the release of Microsoft Security Essentials, and their opinions are all over the place. We asked various security companies for their opinion on MSE, which launched yesterday, and Symantec, ESET, Avast, and AVG responded with their thoughts.

Microsoft claims it is targeting consumers who currently don't have any protection on their Windows PC, but of course MSE will end up on many computers that already have third-party security software installed. Since MSE is free, the software security market is going to get a serious shake-up, and here's what Microsoft's new competitors think about what's about to happen.

Symantec, maker of the Norton line of products, says MSE doesn't stand a chance in today's market: "While we applaud any vendor that heightens consumer awareness of the need for computer security, it's clear that the threat landscape has moved on from the product Microsoft is launching," a Symantec spokesperson told Ars. "Microsoft Security Essentials (MSE) is a stripped down version of their old OneCare product which was poorly rated by industry experts and users alike. From a security perspective, this Microsoft tool offers reduced defenses at a critical point in the battle against cybercrime. Unique malware and social engineering tricks fly under the radar of traditional signature-based technology alone—which is what is employed by free security tools such as Microsoft's"

ESET, maker of the NOD32 line of products, is unfazed by the product's launch: "Certainly basic, but free, protection is better than no protection," Christopher Dale, Public Relations Manager of ESET, told Ars. "For those whose primary concern is price, we would imagine MSE will hold great appeal while making the freeware market more competitive. The product doesn't directly impact ESET as we offer a full-featured security solution w/ more configuration choices and free phone support."

Avast is perfectly fine with Microsoft entering the market: "We are glad to see Microsoft joining us in offering free anti-virus/security protection to users," Vince Steckler, CEO of Avast, told Ars. "We have long believed that top notch security protection should be freely available—that is why nearly 100 million users around the world protect their computers and data with our free avast! antivirus. Around the world there are about 500 million home computer users that need [to be] protected while using the Internet. We believe only around 20 percent of these users are using a traditional paid security product while 250 million are using avast! or one of the other high-quality free products. Users have already decided that security should be free—there are more users of free avast! than users of all paid products combined. But, free users should not be subjected to inferior or 'basic' protection."

AVG, on the other hand, thinks Microsoft will push its product via as many anticompetitive ways as possible: "Microsoft will likely push MSE out via every automated channel available to them—which in and of itself poses all sorts of interesting anti-trust questions," Siobhan MacDermott, VP Head of Public Policy, Corporate Communications, and Investor Relations for AVG Technologies, told Ars. "They will focus on gaining consumers through the simplicity of installing the product via routine channels of connection. On paper it makes sense, but in reality, we believe this will force consumers to unwittingly enter into a situation that makes them more vulnerable. Experts agree that the biggest nemesis to Windows was not the vulnerability of its code but rather the popularity of the operating system. It is a law of numbers; large communities create large pools of opportunities for thieves. If Microsoft leverages the power of its OS market to rapidly create a large community of MSE users, we believe those customers will be doubly vulnerable."

There you have it; two antivirus makers are fine with Microsoft Security Essentials and the other two aren't. We're more surprised with the ones that are fine with it, since MSE can potentially steal customers away from them (in fact, many of our readers and users on other forums have already declared they are switching). In our first look at MSE yesterday, we were impressed with what Microsoft was offering as a free download for Windows XP, Windows Vista, and Windows 7. For those who have had a chance to install it, how do your thoughts compare to the above statements?

By Emil Protalinski

Augmented Earth

2009-10-04T11:06:00.000-07:00

Robot Violinist

2009-10-04T10:57:00.001-07:00

Augmented Reality phone

2009-09-28T01:08:00.000-07:00

Projection Pool Table System

2009-09-27T06:37:00.001-07:00

RFID Avatar Game

2009-09-24T02:56:00.002-07:00