Looks very cool. Would have been interesting to play on Wii U, but PC works.
Or a PS3 or 360 edition, for that matter
Coolest one he's done in a while
The official mobile application for the ongoing RSA Conference contains a half-dozen security vulnerabilities, according to an analysis performed by researchers from the security service provider IOActive.
IOActive chief technical officer Gunter Ollmann claims the most severe of the vulnerabilities could give an attacker the ability to perform man-in-the-middle attacks, injecting malicious code and stealing login credentials.
“If we were dealing with a banking application,” Ollmann writes, “then heads would have been rolling in an engineering department, but this particular app has only been downloaded a few thousand times, and I seriously doubt that some evil hacker is going to take the time out of their day to target this one application (out of tens-of-millions) to try phish credentials to a conference.”
While Ollmann notes that the man-in-the-middle vulnerability mentioned above is the most severe, he says the second most severe bug is actually more interesting. The application apparently downloads a SQLite database file that is then used to populate the app’s user interface with various conference information, like speaker profiles and schedules. Seems innocuous enough, but that database – for reasons that remain a mystery to Ollmann – contains the first and last names, employers, and titles of every user that has downloaded and registered with the application.
Ollmann admits he’s taking a bit of a potshot at one of the premier security industry conferences, but the point he is really trying to make, he claims, is a bigger one.
“Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications,” he said.
Ever wanted to run your N64 through HDMI, DVI or VGA?
I think sync would have been fine if they had committed to reasonable software updates. Holding software updates behind a firewall and only putting on newer car years with the same hardware is shit.
Man, giant robots are such a hassle. They break everything, have no regard for my pristine white polar bear rug, and – oh yeah – they’re really goddamn big. Too big to fit in closets, on airplanes, or, apparently, on hard drives. That’s the only explanation I can muster for Titanfall’s whopping 48 gigabyte hard drive requirement, given that it’s multiplayer-only, not exactly the nexest of “next-gen” games from a graphical standpoint, and isn’t utterly ridden with cut-scenes like, say, Max Payne 3. But then, maybe I’m jumping the sedan-sized gun on this one. After all, the exact nuts and bolts of Titanfall’s multiplayer story are still shrouded in mystery. Which is to say, a giant robot is standing in front of them, and it won’t get out of the way.
This is pretty awesome
Kenguru's electric car has no seats, and you drive it by putting your hands on motorcycle-style handlebars. It's built for wheelchair users, who can roll right through the rear hatch of the car into the driver's area. The Austin-based company is preparing to launch its first product, which has an estimated range of 60 miles on an eight-hour charge. When it finally goes into production in 12-18 months, the vehicle will cost you $25,000, but that's before factoring in green energy and mobility tax incentives from the government.
Kenguru, which is Hungarian for "kangaroo," was founded in Hungary but moved to the US when it struggled to find venture capital. No word yet on the actual safety credentials of the car, which at 7 feet by 5...
So the Comcast CEO stated: "It is pro-consumer, pro-competitive, and strongly in the public interest."
How the hell do those words come out of someone's mouth?
After rumors broke late last night, Comcast announced this morning that it had reached an agreement to acquire rival Time Warner Cable in a deal worth around $45 billion. The news brings months of machinations to a close: Comcast ended up besting the efforts of the much smaller Charter Communications, which had been trying to advance its own hostile takeover of Time Warner as recently as yesterday.
But with the prospect of a combined Comcast and Time Warner on the horizon, the question turns to what a merger would actually mean — both for consumers and the industry at large. If the move is approved by federal regulators, it could cement the kind of monolithic monopolies that have plagued cable subscribers all along, raising concerns...
Looks pretty decent, first third party Exchange app I've seen that doesn't have a terrible interface.
Two days ago I took a look at CloudMagic's Android email client, and I have to admit, it's a well-designed piece of software. Its blazing fast searching is its claim to fame, but even without this functionality, it's an attractive, holo-friendly app with support for multiple accounts and a unified inbox. But - and for many, this is a big but - the app indexes your mail on CloudMagic's servers.
[Hands-On] Nine Is A Clean And Attractive Email Client Aimed At Exchange Users And Very Few Others was written by the awesome team at Android Police.
I'm sort of expecting a shortage of cash bills in the country after people get all of the ATMs cleaned out on April 8th.
Google’s intentions with its Chromebooks have always been clear: disrupt Microsoft’s Windows monopoly. The approach of low-cost devices and a modern cloud-powered OS has left Microsoft a little nervous, but Google is now launching the next stage of its continued attack: the enterprise. In a deal announced quietly this week, Google is partnering with VMWare to bring traditional Windows apps to its Chromebooks. The apps will appear in Chrome OS "similarly to how they run today" according to Google, and VMWare’s cloud-based infrastructure will help companies run their essential apps on servers and stream them to Chrome OS and other devices. The announcement comes just days after Google announced a Chrome-powered teleconferencing...
Those mountains on the landscape.. wow
I'd be surprised if this colored Nexus thing was profitable.. Doesn't seem like the right mix of demographics.
Google has long offered Nexus devices in black, with only occasional white options. The Nexus 5 is the first one that has been available in both colors from the start. Perhaps because of this, rumors of different colors for the Nexus 5 have been circulating for a while now, but a new cache of photos is the best evidence yet that a red version of Google's flagship is on the way.
The Red Nexus 5 Surfaces In Leaked Photos, May Actually Be A Real Thing [Update: More Pics] was written by the awesome team at Android Police.
Oh god. Nothing good can become of this.
I’ve yet to put on some Oculus Rift goggles, which rather annoys me. I imagine March’s GDC will see that cherry popped for me, but I suspect not in a way as innovative or intriguing as is offered by Gender Swap. As part of The Machine To Be Another, an ongoing experimental art project, this uses the virtual reality headset to give users the experience of being someone else – and in this case, someone of a different sex.
I have received some wonderful feedback from some of my managers. Back when I was a young engineer, one of my managers gave me the feedback at an annual review that I didn’t quite finish my projects.
“Oh, you mean on the project I just finished last week?” I wanted to know if it was just that one. I thought I could go back and finish it.
“No, I mean the one 9 months ago, the one 6 months ago, the one 3 months ago, and the one last week,” my boss said.
I became angry. “Okay, I understand why you saved last week’s project for my performance review. That’s okay. Why on earth did you “save” my feedback for the other three projects?? I could have fixed them!”
He shrugged. “I thought I was supposed to wait for the performance review.”
“Don’t wait that long!” I told him. I vowed that when I became a manager, I would never surprise people with feedback.
I now know about finishing projects. As I said, it was great feedback.
I’ve also received feedback about how I needed to let people on a project come to me with bad news. That was really helpful, and I didn’t receive it at a performance review, thank goodness. That would have been way too late. I was able to change my behavior.
When I became a manager, I had to write performance evaluations for my staff. I didn’t like it, but I did it. I thought it was crazy, because, even though we weren’t agile back then, the people worked in cross-functional teams where the people on the teams knew more about what “my” people did than I did. Yes, even though I had one-on-ones. Yes, even though I asked everyone for a list of accomplishments in advance. But, it was the way it was. Even I thought I couldn’t buck city hall.
But now, agile has blown the idea of performance evaluations wide open. And ranking people? Oh my.
I once worked in an organization where a new VP wanted to rank everyone in the Engineering organization, all 80 people. I thought he wasn’t serious, but he was. He wanted to rank everyone from 1 to 80. We directors had to take an entire day to do this. What was he going to do with the ranking? Cut the bottom 10%. This was serious.
I asked him, “Who’s going to rank us?”
He answered, “I will.”
I asked, “Based on what information?” He’d been there a week.
He replied, “I have my sources.”
Yeah, I bet he did.
The results of that ranking exercise? He managed to take a team of directors who had worked together well before that day, and make us a group of individuals. We were out for ourselves, because this was a zero-sum game.
At the end, no one was happy. Everyone was unhappy with the ranking, with the process, with everything about the day. This was no way to run an organization where people have to work together.
I’ve been a consultant for almost 20 years now. I have not received a formal performance review in that time. I’ve received plenty of feedback. Even when I haven’t enjoyed the feedback, I have liked the fact that I have received it.
And, that is the topic of this month’s management myth, Management Myth 25: Performance Reviews Are Useful.
Remember, I was inside organizations for almost 20 years. I received fewer than 15 performance reviews. Somehow, my bosses never quite got around to them. They hated doing them. I know that one of my bosses wrote them with the help of Scotch; he admitted it.
Feedback is useful. Performance reviews? Not so much.
P.S. I know there is a comment on that article already. I am writing a response. The comment deserves more than an off-hand reply.
Neat, emulator evasion.
A new strain of Android malware has been spotted that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls without the device’s owner being any the wiser.
Dubbed Android.HeHe, the malware has six variants according to a blog post yesterday by Hitesh Dharmdasani, a mobile malware researcher with FireEye.
The malware apparently comes disguised as a security update (“Android Security”) for the phone’s operating system and once it’s set in place, it contacts the command-and-control server and conducts surveillance on incoming SMS messages. The command-and-control server responds with a list of phone numbers that “are of interest to the malware author,” according to Dharmdasani. If one of those numbers sends an SMS or makes a call to a compromised device, the malware intercepts it, refrains from sending the device a notification and removes the message from the SMS history.
While text messages are logged and sent to the C&C, phone calls are outright silenced and rejected.
Other information, like the phone’s International Mobile Station Equipment Identity (IMEI) number, its phone number, SMS address and channel ID are also collected, converted into JSON, then a string and sent off to the C&C as well.
Further information like the phone’s model, operating system version, associated network (GSM/CDMA) are sent off to the C&C in the same fashion.
While the C&C has since gone offline, FireEye researchers were still able to analyze how the server processed responses.
While FireEye’s blog post goes into the malware much more in depth, including a technical discussion of the malware’s “sandbox-evasion tactic,” it’s further proof that threats against Android – and even more variants of those threats – are continuing to stack up.
It never fails. No matter what vendor I’m talking to. Storage, DNS, printers, mobile development, PAPER CLIPS. This is what I end up feeling like within roughly ninety seconds:
I’d love to credit the original artist of the Samuel L. Jackson piece on the left, but can’t find any information. I certainly had nothing to do with it. I just tossed the text up in GIMP. Click the image for a sufficiently large version that could be used for a desktop background. Image ratios might be skewy. Also, if you use it, be a dear and send me a pic of it in the wild so I can have a giggle.
And seriously, folks. Stop with the cloud already.
This is starting to feel weird..
The Android custom ROM community is a relatively small one, but it's about to be shaken up in a big way. Roman Birg, founder and leader of the Android Open Kang Project (better known as AOKP), has been hired by Cyanogen Inc., the company that's now formally developing and promoting the CyanogenMod ROM. The move has been confirmed on AOKP's homepage.
AOKP founder Roman Birg, via Google+
Birg hasn't said what he'll be doing for Cyanogen Inc., though the company has been advertising job openings for software engineers.
Android Open Kang Project Founder Roman Birg Joins Cyanogen Incorporated was written by the awesome team at Android Police.
Coincidentally, the Google Site Reliability Engineering team did an AMA this afternoon during the outage. They mentioned an issue that occurred in the past that was very interesting:
"A particularly tricky problem to debug was the time that some of our serving jobs became unresponsive intermittently. At certain times of the day they would block for awhile, and then start serving again, stop, and start, and so on. After a long and tricky debugging process, we found that a big MapReduce job was firing up every few hours and, as a part of its normal functioning, it was reading from /dev/random. When too many of the MapReduce workers landed on a machine, they were able read enough to deplete the randomness available on the entire machine. It was on these machines that our serving binaries were becoming unresponsive: they were blocking on reads of /dev/random! This is when I realized that randomness is one of the finite and exhaustible resources in a serving cluster. Embracing randomness and trickiness is part of the job as an SRE!"
Deplete the randomness? Woah..
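The incident quoted above is a serving process stalling on a blocking read of /dev/random after other jobs on the box drained the kernel's entropy estimate. The block below is an added example, not code from the AMA or from Google: a small Python helper that reads /dev/random in non-blocking mode, reports when the read would have stalled, and falls back to os.urandom (getrandom()/urandom, which does not block once the pool is initialised). It assumes a Unix-like system; on platforms where /dev/random never blocks, the fast path simply succeeds.

```python
"""Added example: read entropy without ever blocking the serving path.

Reproduces the defensive pattern for the failure mode described in the
quoted SRE story: a process must not do a plain blocking read() of
/dev/random, because a co-located job can drain the pool and the
read stalls indefinitely.  Assumptions: a Unix-like OS; /proc is only
present on Linux, so entropy_available() returns None elsewhere.
"""
import os


def entropy_available():
    """Kernel entropy estimate in bits, or None if /proc is unavailable."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def read_random_nonblocking(nbytes):
    """Read nbytes from /dev/random with O_NONBLOCK.

    Returns (data, source):
      (bytes, "dev_random")   full read succeeded immediately
      (b"",  "would_block")   pool depleted; a blocking read would have stalled
      (b"",  "unavailable")   device missing on this platform
    """
    try:
        fd = os.open("/dev/random", os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return b"", "unavailable"
    try:
        buf = b""
        while len(buf) < nbytes:
            chunk = os.read(fd, nbytes - len(buf))  # raises BlockingIOError on EAGAIN
            if not chunk:
                break
            buf += chunk
        return buf, "dev_random"
    except BlockingIOError:
        # EAGAIN is the exact condition that hung the serving jobs in the
        # quoted incident; here it becomes a signal to fall back instead.
        return b"", "would_block"
    finally:
        os.close(fd)


def get_random_bytes(nbytes):
    """Serving-path entry point: always returns nbytes without blocking
    on the entropy pool.  The second element says which source served."""
    data, source = read_random_nonblocking(nbytes)
    if len(data) == nbytes:
        return data, source
    return os.urandom(nbytes), "urandom_fallback"


if __name__ == "__main__":
    est = entropy_available()
    data, src = get_random_bytes(32)
    print("entropy_avail:", est, "| got", len(data), "bytes from", src)
```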
If you tried reaching one of Google's popular services, such as Gmail, Google+, or Play Music in the last 30 minutes and failed because they're either unavailable, very slow, or have broken in some other way, don't go blaming your ISP - it's one of those rare occasions when Google itself is having some major hiccups.
The company finally updated the Apps Status Dashboard after a surprisingly long delay of over 20 minutes showing all green and is now looking into the issues:
PSA: Do Not Blame Your ISP This Time - Gmail, Google+, And Other Google Services Are Down Or Very Slow [Update: Back Up] was written by the awesome team at Android Police.
You'd think Asus would really want to gouge people at launch. They can't be making more on Nexus devices than they could on the accessories.
Nexus devices might be a great deal compared to other devices in the market, but you pay the price when it comes to accessories. They're either horrendously expensive or take so long to go on sale it's almost time for a new version of the device. We might be lining up for the second one here, as Asus has just now posted English listings for the wired and wireless charging docks for the 2013 Nexus 7.
Asus Now Lists Wired And Wireless Charging Docks For 2013 Nexus 7 Online, No Word When You Can Buy One was written by the awesome team at Android Police.
A vulnerability in the Android mobile operating system could allow hackers to write applications that would bypass a secure virtual private network connection and redirect traffic in clear text to an attacker.
Researchers from Israel’s Ben Gurion University claim that the vulnerability can be exploited by a specially crafted, malicious application that bypasses a VPN configuration and redirects device traffic to separate network address.
In a write-up on the university’s cyber security blog, Dudu Mimran, the department’s chief technical officer, writes that a potentially malicious application capable of bypassing a VPN would not require root permissions. Furthermore, he claims, there is no indication to the user that his or her data is being captured during the exploit process.
In a video demonstration, the researcher tests his exploit on a Samsung Galaxy S4 device, though he says he tested the exploit on a number of devices from various vendors. In the background of the video, the researcher is running a packet capturing tool on a desktop machine connected to the same network. As Mimran opens his malicious application, presses the exploit button, turns on the VPN, and sends an email, you can see the computer monitor in the background begin collecting information in transit from the Android device.
The vulnerability will reportedly leak transport layer security (TLS) and secure sockets layer (SSL) traffic as well, though that information will remain encrypted after it is captured. Mimran says that the bug is confirmed on the most widely deployed Android version: 4.3 Jelly Bean. The researchers are in the process of testing the exploit on the newer, 4.4 KitKat variety of Android.
Mimran says he reported the vulnerability to Google’s Android security team on Jan. 17 and that he will publish the full bug details as soon as Google resolves the issue. A request to Google to confirm the existence of the flaw was not returned by the time of publication. This research is part of Ben Gurion University Cyber Security Labs’ ongoing effort to uncover mobile security vulnerabilities. Late last year, another researcher there uncovered a serious security flaw in Samsung Knox.
Below is a video demonstration of the hack:
Nice! I wonder if there was actually some support logic about including the CLSLog methods in production release.
A vulnerability in Starbucks’ mobile app could be putting coffee drinkers’ information–including their usernames, email addresses and passwords–at risk.
The problem stems from the way session.clslog, the Crashlytics log file, handles those credentials in the event of a crash. Within the file there are “multiple instances” where the credentials are stored in clear text, something that could allow attackers to recover and later leverage the information to access a user’s account, either on the device in question or online at Starbucks’ account log-in page.
The vulnerability exists in the most recent build of the app, version 2.6.1 for iOS.
Starbucks’ app lets users connect their Starbucks card to their smartphone, reload funds via Paypal or credit card and allows them to treat the device like cash in stores worldwide. Ardent java fans can manage their card through the app and accrue Rewards with each purchase.
Daniel Wood, a Minneapolis-based security researcher and pen tester discovered the vulnerability last year, reported it to Starbucks in December but has yet to hear from the company regarding a fix.
It wasn’t until Monday however that Wood went public and published his findings on seclists.org’s Full Disclosure.
According to Wood, the file, which can be found at /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog, contains more than just the user’s login information.
In re-testing the vulnerability last night Wood discovered that the user’s full name, address, device ID and geolocation data are all being stored in clear text as well. This information popped up after Wood reinstalled the app and monitored the session.clslog file during user signup.
Wood also found the app’s OAuth token and the OAuth signature attached to the device in question.
“It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user’s account/device to the Starbucks service,” Wood said in his write-up.
It’s unclear if a fix is in the works for the app but Starbucks hasn’t released an update since May 2, 2013.
Wood, a member of the Open Web Application Security Project (OWASP), recommends future versions of the app adhere to best practices.
In this case, Starbucks should filter and sanitize data upon output “to prevent these data elements from being stored in the Crashlytics log files in clear text, if at all,” Wood writes in his disclosure.
When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn’t comment on specific customers but did reiterate that the firm doesn’t recommend developers log sensitive information.
Crashlytics Cofounder Wayne Chang said via email that the issue appears to involve one of the service’s plaintext logging features and that Crashlytics doesn’t collect usernames or passwords automatically. The feature, CLSLog, is an “optional feature that developers can use to log additional information.”
Wood admits he’s only done static analysis of the application so far and has yet to examine network traffic but suspects there is a privacy issue.
“During my static analysis I noticed some JSON requests which contain some sensitive data in the request,” Wood said, suggesting a vulnerability could be present.
Maggie Jantzen, a spokeswoman for Starbucks, claimed the company was aware of Wood’s research and what it has deemed “theoretical vulnerabilities” but insisted Wednesday that there isn’t a direct impact to its customers at this time.
“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way,” Jantzen said.
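Wood's recommendation is to filter and sanitize data before it reaches the crash log. The block below is an added example, not code from Starbucks, Crashlytics or Wood: a Python scanner and redactor that flags and masks the field kinds the article names (username and password, OAuth token and signature, device ID, geolocation) in a constructed session.clslog-style excerpt, and a `safe_log` wrapper that applies the same filter in front of a logging sink. The key list, the log lines and the sink are assumptions; in the real iOS app the equivalent filter would sit in front of the CLSLog call.

```python
"""Added example: scan a crash-reporter log for sensitive fields and
redact them before they are written.  The key list and the sample log
are constructed for illustration, not taken from the real app."""
import re

# Field names a crash log must never carry in clear text (assumed list).
SENSITIVE_KEYS = (
    "password", "passwd", "username", "email",
    "oauth_token", "oauth_signature",
    "device_id", "latitude", "longitude",
)

# Matches  "key": "value"  /  "key": 123  /  key=value  forms.
PATTERN = re.compile(
    r'(?P<key>"?\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b"?)'
    r'(?P<sep>\s*[:=]\s*)'
    r'(?P<val>"[^"]*"|[^&,\s}]+)',
    re.IGNORECASE,
)

# Constructed session.clslog-style excerpt (not a real capture).
SAMPLE_LOG = """\
2014-01-13 10:21:05 [INFO] login request: {"username":"alice@example.test","password":"hunter2","remember":true}
2014-01-13 10:21:06 [INFO] token response: oauth_token=tok_ab12cd34&oauth_signature=sig_9f8e7d
2014-01-13 10:21:07 [DEBUG] location fix: {"latitude": 44.98, "longitude": -93.27, "device_id": "CONSTRUCTED-DEVICE-ID"}
2014-01-13 10:21:08 [INFO] cache refreshed in 120 ms
"""


def scan(text):
    """Return [(line_no, key)] for every sensitive field found in text.
    Useful as a pre-release check over a captured crash log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            findings.append((line_no, m.group("key").strip('"').lower()))
    return findings


def _mask(m):
    # Keep the key and separator, replace only the value; preserve quoting
    # so JSON fragments in the log stay parseable.
    quoted = m.group("val").startswith('"')
    return m.group("key") + m.group("sep") + ('"[REDACTED]"' if quoted else "[REDACTED]")


def redact(text):
    """Return text with every sensitive value masked."""
    return PATTERN.sub(_mask, text)


def safe_log(message, sink):
    """Sanitize-on-output wrapper: redact, then hand the line to the
    logging sink (a hypothetical stand-in for a CLSLog-style call).
    Returns the redacted line so callers can verify what was emitted."""
    cleaned = redact(message)
    sink(cleaned)
    return cleaned


if __name__ == "__main__":
    for line_no, key in scan(SAMPLE_LOG):
        print(f"line {line_no}: sensitive field '{key}'")
    print(redact(SAMPLE_LOG))
```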
I played this game at a LAN, it was the stupidest thing I've ever played. But, it was a sort of interesting stupid.
I know a classic when I see it. There it is, near the top of Steam’s list of new games: Woodcutter Simulator 2013. Sure, it’s already out-of-date, and likely won’t feature 2014’s most exciting range of woodcutting innovations, but I was prepared to suck that up and get on. I, as a woodcutter, am burly, powerful, able to take on anything. Look at my rugged frame! My bushy woodsman beard! LOOK AT ME HOLDING A CHAINSAW!
I would be so much more impressed with a well spec-ed 4.3-4.5" phone.
The likes of HTC and Samsung have been pushing phones to larger and larger dimensions for years, but humble Chinese manufacturer Hisense is about to shoot for the moon. Their high-end X1 prototype is being shown off at CES 2014, and it's big enough to comfortably fit in a form factor that was previously reserved for "small" tablets. Its 6.8-inch screen makes almost every other phone look small.
Liliputing has an initial hands-on with the device, which has some high-end hardware to match the big frame.
[CES 2014] Hisense Blurs The Line Between Phone And Tablet With The Massive 6.8-Inch X1 was written by the awesome team at Android Police.
Very nice case design, kind of just want that.
Razer’s latest bit of PC mad science might look like an alien ribcage, but it aspires to big things. For those of us who worship at The Impossibly Tall Altar Of Horace, building a PC is a routine task, but those who’ve yet to realize the stars in the sky are merely his universe-nourishing teats aren’t as keen on it. There are cards and motherboards and cooling systems and cases and wires. Sure, the process might be easier than ever, but it’s still not the sort of thing you see grandmothers doing in place of jigsaw puzzles (well, except for really, really cool grandmas). With Project Christine, Razer wants to make PC upgrades simple for everyone. But also, you know, probably proprietary.
$63, hmm. I just built a similar magnetic car qi charger for about $30 in materials that integrates into my dash a bit better.
As even a brief survey of the world could tell you, we live in the future. As such, isn't it about time to stop plugging wires into all your devices? Qi-compatible charging is showing up in more phones and tablets to make it easier to get some juice by just setting your phone down. Still, there isn't a good wireless solution for the car, but the Air Dock might be the first.
[Hands-On] The Air Dock Wireless Car Charger Might Get Everything Right was written by the awesome team at Android Police.