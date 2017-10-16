

Tech News

‘Close Encounters of the Third Kind’ reimagined in 8-bit for 40th anniversary


Close Encounters of the Third Kind is 40 years old, which is a bit hard to believe, so this ‘retro’ 8-bit recreation of the seminal Steven Spielberg sci-fi movie is actually modern compared to its actual release date. I think.

Still, it’s a fun homage from fan Christopher Harrison, and one that Close Encounters is using to promote its 4K UHD and Blu-ray release. Both those versions are available now, so you can share in the collective vision of our companions from beyond the stars.

Also, if you haven’t seen this classic and you’re a Stranger Things fan, it’s definitely an influence, and of course a very worthwhile watch in its own right.

© 2017, Paul Umoh. All rights reserved.


Mobile phone companies appear to be providing your number and location to anyone who pays

Published on October 16, 2017

You may remember that last year, Verizon (which owns Oath, which owns TechCrunch) was punished by the FCC for injecting information into its subscribers’ traffic that allowed them to be tracked without their consent. That practice appears to be alive and well despite being disallowed in a ruling last March: companies appear to be able to request your number, location, and other details from your mobile provider quite easily.

The possibility was discovered by Philip Neustrom, co-founder of Shotwell Labs, who documented it in a blog post earlier this week. He found a pair of websites which, if visited from a mobile data connection, report back in no time with numerous details: full name, billing zip code, current location (as inferred from cell tower data), and more. (Others found the same thing with slightly different results depending on carrier, but the demo sites were taken down before I could try it myself.)

It appears to be similar to the Unique Identifier Header used by Verizon. The UIDH was appended to HTTP requests made by Verizon customers, allowing websites they visited to see their location, billing data and so on (if they paid Verizon for the privilege, naturally). The practice, in common use by carriers for a decade or more, was highlighted in the last few years and eventually the FCC required Verizon (and by extension other mobile providers) to get positive consent before implementing.

Now, this is not to say that the whole thing is some huge scam: that data could be very useful for, for instance, an administrator who wants to be sure that an employee’s phone is actually in the location their IP seems to indicate. Why bother with a text-based one time password if a service can verify you’re you by querying your mobile provider? It’s at least a reasonable possibility.

And that’s what companies like Payfone and Danal are using it for; furthermore, users of their services would by definition be opting into this kind of tracking, so there’s no problem there.

I asked Payfone CEO Rodger Desai for a little clarification. He wrote back in an email:

There is a very rigorous framework of security and data privacy consent. The main issue is that with all the legitimate mobile change events fraudsters get in… For example, if you download a mobile banking app today, the bank is not sure if it is you on your new phone or someone acting as you – the fraudster only needs your bank password. PC techniques like certificates and device printing don’t work well – since it is a new phone.

But as Neustrom found out, mobile providers don’t appear to be working very hard to verify that consent. Both sites provide demos of their functionality, pinging mobile providers for data and presenting it to you.

Of course, if you want the demo to work, you kind of opt into the tracking as well. But where’s the text or email from the mobile provider asking you for verification? It seems that this kind of request could be made fraudulently by many means, since the providers don’t verify them in any way other than a few programmatic ones (matching IPs, etc).

Without rigorous consent standards, mobile companies may as well be selling the data indiscriminately the same way they were before advocacy groups took them to task for it. For now there doesn’t appear to be a way to officially opt out — but there also doesn’t appear to be a clear and present danger, such as an obvious scammer or wholesaler using this technique.

I’ve asked T-Mobile, AT&T, and Verizon whether they participate in this kind of program, providing subscriber details to anyone who pays — and who, in turn, may provide it to others. I’ve also asked the FCC if this practice is of concern to them. I’ll update this post if I hear back.


WPA2 shown to be vulnerable to key reinstallation attacks

Published on October 16, 2017

A key reinstallation attack vulnerability in the WPA2 wi-fi protocol has been made public today. Security researcher Mathy Vanhoef has identified what he dubs a “serious weakness” in the wireless protocol.

The tl;dr is that an attacker within range of a person logged onto a wireless network could use key reinstallation attacks to bypass WPA2 network security and read information that was previously assumed to be securely encrypted — thereby enabling them to steal sensitive data passing over the network, be it passwords, credit card numbers, chat messages, emails, photos, and so on.

“The attack works against all modern protected Wi-Fi networks,” according to Vanhoef.

Depending on network configuration, he says the vulnerability can also allow for an attacker to inject and manipulate data — such as by adding ransomware or malware to a website, for example.

Here’s the relevant para from the abstract of his research paper:

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected.

“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected,” he further writes. “To prevent the attack, users must update affected products as soon as security updates become available.

“Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.”

In the research paper he describes the attack as “exceptionally devastating” against Android 6.0.

“Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices,” he writes on the Krackattacks site explaining the flaw. “Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack.”

He further writes that while some of the attacks detailed in the paper may seem hard to pull off, follow-up work has shown that attacks against — for example — macOS and OpenBSD are “significantly more general and easier to execute”, adding: “So although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks cannot be abused in practice.”

(Although OpenBSD has already released a patch, in July, after being informed of the vulnerability by Vanhoef before he made this public disclosure.)

Vanhoef further demonstrates how the attack can still work against websites and apps that are using HTTPS, showing how this added encryption layer can be bypassed in what he describes as “a worrying number of situations” (he flags multiple previous instances of HTTPS being bypassed “in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps”).

He’s also made the below video demo showing the man in the middle technique working on Android and Linux against a dummy user of Match.com as the sample target — to grab their username and password in plain text.


Elon Musk banters and answers rocketry questions on Reddit

Published on October 16, 2017

Elon Musk did an AMA on Reddit yesterday, and while he didn’t provide every missing detail on SpaceX’s ambitious BFR program, he was (as always) engaging and informative in a more general way. Here are the highlights of the Q&A.

SpaceX plans to put satellites around Mars before any manned mission

Musk’s talk at IAC a few weeks ago raised a lot of eyebrows — the rumored BFR, or “Big Fucking Rocket,” was documented at least in concept, as was a plan for colonizing Mars. But while the rosy-hued predictions of a massive city resupplied by countless rockets were compelling, there’s a lot that has to happen first.

One step is putting SpaceX orbiters around Mars to collect the kind of specific data the company needs in order to do repeated landings. Asked if he has plans to launch multiple such satellites, Musk merely replied “yes,” confirming speculation but obviously not much more.

Some found Musk’s idea of using rockets to go from point to point on Earth rather unrealistic, but hey, why not at least try it? Musk said that full scale tests will begin in the next couple years, first with rockets staying low (a couple hundred kilometers) and eventually working their way up to orbital flights.

He noted that multiple rocket stages will continue to be necessary, at least on this planet: “Earth is the wrong planet for single stage to orbit. No problemo on Mars.”

There’s a “kinda weird” space tanker coming

In the IAC presentation, Musk showed two BFRs refueling by putting their engine ends together and having fuel flow between them.

At first, Musk explained, the BFR tankers will just be the same thing as passenger and cargo versions of the craft, but without a payload in the front. But the company is working on dedicated tanker craft with “an extremely high full to empty mass ratio” — by which he means they’ll be mostly empty space.

“Warning: it will look kinda weird,” he added.
