I'm sort of expecting a shortage of cash bills in the country after people get all of the ATMs cleaned out on April 8th.
Google’s intentions with its Chromebooks have always been clear: disrupt Microsoft’s Windows monopoly. The approach of low-cost devices and a modern cloud-powered OS has left Microsoft a little nervous, but Google is now launching the next stage of its continued attack: the enterprise. In a deal announced quietly this week, Google is partnering with VMWare to bring traditional Windows apps to its Chromebooks. The apps will appear in Chrome OS "similarly to how they run today" according to Google, and VMWare’s cloud-based infrastructure will help companies run their essential apps on servers and stream them to Chrome OS and other devices. The announcement comes just days after Google announced a Chrome-powered teleconferencing...
Those mountains on the landscape.. wow
I'd be surprised if this colored Nexus thing was profitable.. Doesn't seem like the right mix of demographics.
Google has long offered Nexus devices in black, with only occasional white options. The Nexus 5 is the first one that has been available in both colors from the start. Perhaps because of this, rumors of different colors for the Nexus 5 have been circulating for a while now, but a new cache of photos is the best evidence yet that a red version of Google's flagship is on the way.
The Red Nexus 5 Surfaces In Leaked Photos, May Actually Be A Real Thing [Update: More Pics] was written by the awesome team at Android Police.
Oh god. Nothing good can become of this.
I’ve yet to put on some Oculus Rift goggles, which rather annoys me. I imagine March’s GDC will see that cherry popped for me, but I suspect not in a way as innovative or intriguing as is offered by Gender Swap. As part of The Machine To Be Another, an ongoing experimental art project, this uses the virtual reality headset to give users the experience of being someone else – and in this case, someone of a different sex.
I have received some wonderful feedback from some of my managers. Back when I was a young engineer, one of my managers gave me the feedback at an annual review that I didn’t quite finish my projects.
“Oh, you mean on the project I just finished last week?” I wanted to know if it was just that one. I thought I could go back and finish it.
“No, I mean the one 9 months ago, the one 6 months ago, the one 3 months ago, and the one last week,” my boss said.
I became angry. “Okay, I understand why you saved last week’s project for my performance review. That’s okay. Why on earth did you “save” my feedback for the other three projects?? I could have fixed them!”
He shrugged. “I thought I was supposed to wait for the performance review.”
“Don’t wait that long!” I told him. I vowed that when I became a manager, I would never surprise people with feedback.
I now know about finishing projects. As I said, it was great feedback.
I’ve also received feedback about how I needed to let people on a project come to me with bad news. That was really helpful, and I didn’t receive it at a performance review, thank goodness. That would have been way too late. I was able to change my behavior.
When I became a manager, I had to write performance evaluations for my staff. I didn’t like it, but I did it. I thought it was crazy, because, even though we weren’t agile back then, the people worked in cross-functional teams where the people on the teams knew more about what “my” people did than I did. Yes, even though I had one-on-ones. Yes, even though I asked everyone for a list of accomplishments in advance. But, it was the way it was. Even I thought I couldn’t buck city hall.
But now, agile has blown the idea of performance evaluations wide open. And ranking people? Oh my.
I once worked in an organization where a new VP wanted to rank everyone in the Engineering organization, all 80 people. I thought he wasn’t serious, but he was. He wanted to rank everyone from 1 to 80. We directors had to take an entire day to do this. What was he going to do with the ranking? Cut the bottom 10%. This was serious.
I asked him, “Who’s going to rank us?”
He answered, “I will.”
I asked, “Based on what information?” He’d been there a week.
He replied. “I have my sources.”
Yeah, I bet he did.
The results of that ranking exercise? He managed to take a team of directors who had worked together well before that day, and make us a group of individuals. We were out for ourselves, because this was a zero-sum game.
At the end, no one was happy. Everyone was unhappy with the ranking, with the process, with everything about the day. This was no way to run an organization where people have to work together.
I’ve been a consultant for almost 20 years now. I have not received a formal performance review in that time. I’ve received plenty of feedback. Even when I haven’t enjoyed the feedback, I have liked the fact that I have received it.
And, that is the topic of this month’s management myth, Management Myth 25: Performance Reviews Are Useful.
Remember, I was inside organizations for almost 20 years. I received fewer than 15 performance reviews. Somehow, my bosses never quite got around to them. They hated doing them. I know that one of my bosses wrote them with the help of Scotch; he admitted it.
Feedback is useful. Performance reviews? Not so much.
P.S. I know there is a comment on that article already. I am writing a response. The comment deserves more than an off-hand reply.
Neat, emulator evasion.
A new strain of Android malware has been spotted that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls without the device’s owner being any the wiser.
Dubbed Android.HeHe, the malware has six variants according to a blog post yesterday by Hitesh Dharmdasani, a mobile malware researcher with FireEye.
The malware apparently comes disguised as a security update (“Android Security”) for the phone’s operating system and once it’s set in place, it contacts the command-and-control server and conducts surveillance on incoming SMS messages. The command-and-control server responds with a list of phone numbers that “are of interest to the malware author,” according to Dharmdasani. If one of those numbers sends an SMS or makes a call to a compromised device, the malware intercepts it, refrains from sending the device a notification and removes the message from the SMS history.
While text messages are logged and sent to the C&C, phone calls are outright silenced and rejected.
Other information, like the phone’s International Mobile Station Equipment Identity (IMEI) number, its phone number, SMS address and channel ID are also collected, converted into JSON, then a string and sent off to the C&C as well.
Further information like the phone’s model, operating system version, and associated network (GSM/CDMA) is sent off to the C&C in the same fashion.
While the C&C has since gone offline, FireEye researchers were still able to analyze how the server processed responses.
While FireEye’s blog post goes into the malware much more in depth, including a technical discussion of the malware’s “sandbox-evasion tactic,” it’s further proof that threats against Android – and even more variants of those threats – are continuing to stack up.
It never fails. No matter what vendor I’m talking to. Storage, DNS, printers, mobile development, PAPER CLIPS. This is what I end up feeling like within roughly ninety seconds:
I’d love to credit the original artist of the Samuel L. Jackson piece on the left, but can’t find any information. I certainly had nothing to do with it. I just tossed the text up in GIMP. Click the image for a sufficiently large version that could be used for a desktop background. Image ratios might be skewy. Also, if you use it, be a dear and send me a pic of it in the wild so I can have a giggle.
And seriously, folks. Stop with the cloud already.
This is starting to feel weird..
The Android custom ROM community is a relatively small one, but it's about to be shaken up in a big way. Roman Birg, founder and leader of the Android Open Kang Project (better known as AOKP), has been hired by Cyanogen Inc., the company that's now formally developing and promoting the CyanogenMod ROM. The move has been confirmed on AOKP's homepage.
AOKP founder Roman Birg, via Google+
Birg hasn't said what he'll be doing for Cyanogen Inc., though the company has been advertising job openings for software engineers.
Android Open Kang Project Founder Roman Birg Joins Cyanogen Incorporated was written by the awesome team at Android Police.
Coincidentally, the Google Site Reliability Engineering team did an AMA this afternoon during the outage. They mentioned an issue that occurred in the past that was very interesting:
"A particularly tricky problem to debug was the time that some of our serving jobs became unresponsive intermittently. At certain times of the day they would block for a while, and then start serving again, stop, and start, and so on. After a long and tricky debugging process, we found that a big MapReduce job was firing up every few hours and, as a part of its normal functioning, it was reading from /dev/random. When too many of the MapReduce workers landed on a machine, they were able to read enough to deplete the randomness available on the entire machine. It was on these machines that our serving binaries were becoming unresponsive: they were blocking on reads of /dev/random! This is when I realized that randomness is one of the finite and exhaustible resources in a serving cluster. Embracing randomness and trickiness is part of the job as an SRE!"
Deplete the randomness? Woah..
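A quick way to see the condition the SRE describes on a Linux host: read the kernel's entropy gauge and probe whether /dev/random would block right now. This is an added example, not part of the AMA or of any Google tooling; it assumes Linux paths under /proc and returns None where they do not exist.

```python
"""Check whether a Linux host's entropy pool is drained far enough that a
read from /dev/random would block, the state the SRE quote describes.
Added example (not from the AMA); assumes Linux /proc paths."""
import errno
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
POOL_SIZE = "/proc/sys/kernel/random/poolsize"


def read_int(path):
    """Read a single integer from a /proc file; None if unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def dev_random_would_block(path="/dev/random", nbytes=32):
    """True if a blocking read of nbytes would stall right now, False if it
    would return immediately, None if the device is unavailable."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        os.read(fd, nbytes)  # with O_NONBLOCK this raises instead of waiting
        return False
    except BlockingIOError:
        return True
    except OSError as e:
        return True if e.errno == errno.EAGAIN else None
    finally:
        os.close(fd)


def assess(threshold=256):
    """Numbers a serving-job health check would log before it starts blocking.
    The threshold is an assumed alerting level, not a kernel constant."""
    avail, size = read_int(ENTROPY_AVAIL), read_int(POOL_SIZE)
    return {
        "entropy_avail": avail,
        "poolsize": size,
        "low": avail is not None and avail < threshold,
        "would_block": dev_random_would_block(),
    }


if __name__ == "__main__":
    print(assess())
```

Since Linux 5.6, /dev/random blocks only until the pool is first seeded, so on modern kernels the probe returns False; the fix for an application that blocks on older kernels is to read /dev/urandom or use getrandom() rather than to find more entropy.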
If you tried reaching one of Google's popular services, such as Gmail, Google+, or Play Music in the last 30 minutes and failed because they're either unavailable, very slow, or have broken in some other way, don't go blaming your ISP - it's one of those rare occasions when Google itself is having some major hiccups.
The company finally updated the Apps Status Dashboard after a surprisingly long delay of over 20 minutes showing all green and is now looking into the issues:
PSA: Do Not Blame Your ISP This Time - Gmail, Google+, And Other Google Services Are Down Or Very Slow [Update: Back Up] was written by the awesome team at Android Police.
You'd think Asus would really want to gouge people at launch. They can't be making more on Nexus devices than they could on the accessories.
Nexus devices might be a great deal compared to other devices in the market, but you pay the price when it comes to accessories. They're either horrendously expensive or take so long to go on sale it's almost time for a new version of the device. We might be lining up for the second one here, as Asus has just now posted English listings for the wired and wireless charging docks for the 2013 Nexus 7.
Asus Now Lists Wired And Wireless Charging Docks For 2013 Nexus 7 Online, No Word When You Can Buy One was written by the awesome team at Android Police.
A vulnerability in the Android mobile operating system could allow hackers to write applications that would bypass a secure virtual private network connection and redirect traffic in clear text to an attacker.
Researchers from Israel’s Ben Gurion University claim that the vulnerability can be exploited by a specially crafted, malicious application that bypasses a VPN configuration and redirects device traffic to a separate network address.
In a write-up on the university’s cyber security blog, Dudu Mimran, the department’s chief technical officer, writes that a potentially malicious application capable of bypassing a VPN would not require root permissions. Furthermore, he claims, there is no indication to the user that his or her data is being captured during the exploit process.
In a video demonstration, the researcher tests his exploit on a Samsung Galaxy S4 device, though he says he tested the exploit on a number of devices from various vendors. In the background of the video, the researcher is running a packet capturing tool on a desktop machine connected to the same network. As Mimran opens his malicious application, presses the exploit button, turns on the VPN, and sends an email, you can see the computer monitor in the background begin collecting information in transit from the Android device.
The vulnerability will reportedly leak transport layer security (TLS) and secure sockets layer (SSL) traffic as well, though that information will remain encrypted after it is captured. Mimran says that the bug is confirmed on the most widely deployed Android version: 4.3 Jelly Bean. The researchers are in the process of testing the exploit on the newer, 4.4 KitKat variety of Android.
Mimran says he reported the vulnerability to Google’s Android security team on Jan. 17 and that he will publish the full bug details as soon as Google resolves the issue. A request to Google to confirm the existence of the flaw was not returned by the time of publication. This research is part of Ben Gurion University Cyber Security Labs’ ongoing effort to uncover mobile security vulnerabilities. Late last year, another researcher there uncovered a serious security flaw in Samsung Knox.
Below is a video demonstration of the hack:
Nice! I wonder if there was actually some support logic about including the CLSLog methods in production release.
A vulnerability in Starbucks’ mobile app could be putting coffee drinkers’ information–including their usernames, email addresses and passwords–at risk.
The problem stems from the way session.clslog, the Crashlytics log file, handles those credentials in the event of a crash. Within the file there are “multiple instances” where the credentials are stored in clear text, something that could allow attackers to recover and later leverage the information to access a user’s account, either on the device in question or online at Starbucks’ account log-in page.
The vulnerability exists in the most recent build of the app, version 2.6.1 for iOS.
Starbucks’ app lets users connect their Starbucks card to their smartphone, reload funds via Paypal or credit card and allows them to treat the device like cash in stores worldwide. Ardent java fans can manage their card through the app and accrue Rewards with each purchase.
Daniel Wood, a Minneapolis-based security researcher and pen tester discovered the vulnerability last year, reported it to Starbucks in December but has yet to hear from the company regarding a fix.
It wasn’t until Monday however that Wood went public and published his findings on seclists.org’s Full Disclosure.
According to Wood, the file, which can be found at /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog, contains more than just the user’s login information.
In re-testing the vulnerability last night Wood discovered that the user’s full name, address, device ID and geolocation data are all being stored in clear text as well. This information popped up after Wood reinstalled the app and monitored the session.clslog file during user signup.
Wood also found the app’s OAuth token and the OAuth signature attached to the device in question.
“It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user’s account/device to the Starbucks service,” Wood said in his write-up.
It’s unclear if a fix is in the works for the app but Starbucks hasn’t released an update since May 2, 2013.
Wood, a member of Open Web Application Security Project (OWASP), recommends future versions of the app adhere to best practices.
In this case, Starbucks should filter and sanitize data upon output “to prevent these data elements from being stored in the Crashlytics log files in clear text, if at all,” Wood writes in his disclosure.
When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn’t comment on specific customers but did reiterate that the firm doesn’t recommend developers log sensitive information.
Crashlytics Cofounder Wayne Chang said via email that the issue appears to involve one of the service’s plaintext logging features and that Crashlytics doesn’t collect usernames or passwords automatically. The feature, CLSLog, is an “optional feature that developers can use to log additional information.”
Wood admits he’s only done static analysis of the application so far and has yet to examine network traffic but suspects there is a privacy issue.
“During my static analysis I noticed some JSON requests which contain some sensitive data in the request,” Wood said, suggesting a vulnerability could be present.
Maggie Jantzen, a spokeswoman for Starbucks claimed the company was aware of Wood’s research and what it has deemed “theoretical vulnerabilities” but insisted Wednesday that there isn’t a direct impact to its customers at this time.
“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way,” Jantzen said.
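Wood's recommendation is to filter and sanitize data before it reaches the crash log, and Crashlytics' point is that its breadcrumb logging only records what the developer hands it. The following is an added example (not Starbucks' or Crashlytics' code) of both halves: a redaction pass over a JSON-like payload before it is logged, and a scan of an existing log for the cleartext credentials and OAuth material the disclosure describes. The key list, the payload and the sample log are constructed.

```python
"""Scrub sensitive fields before they reach a crash-reporting breadcrumb, and
scan an existing log for the kind of cleartext data the disclosure describes.
Added example, not Starbucks' or Crashlytics' code; the key list, the JSON
payload and the sample log are constructed."""
import json
import re

# Keys whose values must never be written to a crash log (assumed list).
SENSITIVE_KEYS = {
    "username", "email", "password", "passwd", "oauth_token",
    "oauth_signature", "access_token", "refresh_token", "authorization",
}
# Free-text patterns that indicate a secret already leaked into a log line.
LEAK_PATTERNS = [
    re.compile(r"(?i)\b(?:password|passwd)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\boauth_(?:token|signature)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\bauthorization\s*:\s*(?:bearer|basic)\s+\S+"),
]


def redact(value, depth=0):
    """Return a copy of a JSON-like structure with sensitive values masked."""
    if depth > 32:  # refuse to walk pathological nesting
        return "[REDACTED:depth]"
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS
                    else redact(v, depth + 1)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, depth + 1) for v in value]
    return value


def safe_breadcrumb(event, payload):
    """The one line a CLSLog-style breadcrumb call should be handed."""
    return "%s %s" % (event, json.dumps(redact(payload), sort_keys=True))


def find_cleartext_secrets(log_text):
    """Return (line_number, matched_text) for every suspect line in a log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pat in LEAK_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((n, m.group(0)))
                break  # one finding per line is enough to flag it
    return hits


# Constructed sample of what an unsanitized session log might contain.
SAMPLE_LOG = """\
10:02:11 app start
10:02:15 login request username=alice@example.com password=hunter2
10:02:16 auth oauth_token=abc123 oauth_signature=s1gn
10:02:20 card balance refreshed
"""

if __name__ == "__main__":
    print(safe_breadcrumb("login", {"username": "alice", "password": "hunter2"}))
    for n, text in find_cleartext_secrets(SAMPLE_LOG):
        print("line %d leaks: %s" % (n, text))
```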
I played this game at a LAN, it was the stupidest thing I've ever played. But, it was a sort of interesting stupid.
I know a classic when I see it. There it is, near the top of Steam’s list of new games: Woodcutter Simulator 2013. Sure, it’s already out-of-date, and likely won’t feature 2014’s most exciting range of woodcutting innovations, but I was prepared to suck that up and get on. I, as a woodcutter, am burly, powerful, able to take on anything. Look at my rugged frame! My bushy woodsman beard! LOOK AT ME HOLDING A CHAINSAW!
I would be so much more impressed with a well-specced 4.3-4.5" phone.
The likes of HTC and Samsung have been pushing phones to larger and larger dimensions for years, but humble Chinese manufacturer Hisense is about to shoot for the moon. Their high-end X1 prototype is being shown off at CES 2014, and it's big enough to comfortably fit in a form factor that was previously reserved for "small" tablets. Its 6.8-inch screen makes almost every other phone look small.
Liliputing has an initial hands-on with the device, which has some high-end hardware to match the big frame.
[CES 2014] Hisense Blurs The Line Between Phone And Tablet With The Massive 6.8-Inch X1 was written by the awesome team at Android Police.
Very nice case design, kind of just want that.
Razer’s latest bit of PC mad science might look like an alien ribcage, but it aspires to big things. For those of us who worship at The Impossibly Tall Altar Of Horace, building a PC is a routine task, but those who’ve yet to realize the stars in the sky are merely his universe-nourishing teats aren’t as keen on it. There are cards and motherboards and cooling systems and cases and wires. Sure, the process might be easier than ever, but it’s still not the sort of thing you see grandmothers doing in place of jigsaw puzzles (well, except for really, really cool grandmas). With Project Christine, Razer wants to make PC upgrades simple for everyone. But also, you know, probably proprietary.
$63, hmm. I just built a similar magnetic car qi charger for about $30 in materials that integrates into my dash a bit better.
As even a brief survey of the world could tell you, we live in the future. As such, isn't it about time to stop plugging wires into all your devices? Qi-compatible charging is showing up in more phones and tablets to make it easier to get some juice by just setting your phone down. Still, there isn't a good wireless solution for the car, but the Air Dock might be the first.
[Hands-On] The Air Dock Wireless Car Charger Might Get Everything Right was written by the awesome team at Android Police.
How much human productivity is lost every day due to the horrible debugging messages in SSH? I bet it is thousands of hours world-wide. It isn't just sysadmins: programmers, web developers, and many non-technical users are frustrated by this.
I'm pretty good at debugging ssh authentication problems. The sad fact is that most of my methodology involves ignoring the debug messages and just "knowing" what to check. That's a sad state of affairs.
The debug messages for "ssh -v" should look like this:
HELLO! I AM TRYING TO LOG IN. I'VE TOLD THE SERVER I CAN USE (method,method,method). I AM NOW TRYING TO LOG IN VIA (method). I AM SENDING (public key). THAT DID NOT WORK. I AM SAD. I AM NOW TRYING TO LOG IN VIA (method). I AM SENDING USERNAME foo AND a password of length x. THAT DID WORK. I AM LOGGING IN. I AM HAPPY.
Similarly on the server side, "sshd -d" should look more like:
HELLO! SOMEONE HAS CONTACTED ME FROM IP ADDRESS 18.104.22.168. THEY HAVE TOLD ME THEY CAN LOG IN USING THE FOLLOWING METHODS: (method1,method2,method3). THEY ARE NOW TRYING (method) THEY GAVE ME (first 100 bytes of base64 of public key) THAT DID NOT WORK. TIME TO TRY THE NEXT METHOD. THEY ARE NOW TRYING (method) THEY GAVE ME A PASSWORD OF LENGTH x THAT DID WORK. I WILL LET THEM LOG IN NOW.
Instead we have to look at messages like:
debug1: monitor_child_preauth: tal has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 0x801410a80(150)
debug2: mac_setup: found email@example.com
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x801410a80(150)
I actually started looking at the source code to OpenSSH today to see how difficult this would be. It doesn't look too difficult. Sadly I had to stop myself because I was procrastinating from the project I really needed to be working on.
I'd consider paying a "bounty" to someone that would submit a patch to OpenSSH that would make the debug logs dead simple to understand. Maybe a kickstarter would be a better idea.
If anyone is interested in working on this, I'd be glad to give input. If someone wants to do a kickstarter I promise to be the first to donate.
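Short of patching OpenSSH, the same story can be reconstructed after the fact from the client's existing debug1 lines. The script below is an added example, not part of this post and not OpenSSH code; it keys on the "Authentications that can continue", "Next authentication method", "Offering ... public key" and "Authentication succeeded" messages as OpenSSH prints them, skips lines it does not recognise, and the transcript it runs on is constructed.

```python
"""Re-tell an OpenSSH `ssh -v` transcript as the plain-language story the
post wishes for. Added example: not part of the post and not OpenSSH code.
The patterns follow OpenSSH's debug1 wording; the transcript is constructed."""
import re

DEBUG = re.compile(r"^debug\d+: (.*)$")
CONNECTING = re.compile(r"^Connecting to (\S+) \[([^\]]+)\] port (\d+)")
CAN_CONTINUE = re.compile(r"^Authentications that can continue: (\S+)")
NEXT_METHOD = re.compile(r"^Next authentication method: (\S+)")
OFFERING = re.compile(r"^Offering (?:\w+ )?public key: (.+?)\s*$")
SUCCEEDED = re.compile(r"^Authentication succeeded \((\S+)\)")
DENIED = re.compile(r"Permission denied \(([^)]+)\)")  # final, non-debug line


def narrate(verbose_output):
    """Return the story as a list of sentences, one per meaningful event."""
    story = []
    pending = None  # what we last sent and are still waiting to hear about
    for raw in verbose_output.splitlines():
        raw = raw.strip()
        m = DENIED.search(raw)
        if m:
            story.append("NONE OF (%s) WORKED. I am sad." % m.group(1))
            break
        d = DEBUG.match(raw)
        if not d:
            continue  # banners, warnings and prompts are not debug lines
        line = d.group(1)
        m = CONNECTING.match(line)
        if m:
            story.append("HELLO! I am contacting %s (%s) on port %s." % m.groups())
            continue
        m = CAN_CONTINUE.match(line)
        if m:
            if pending:  # the server answered our last attempt with a failure
                story.append("THAT DID NOT WORK (I sent %s)." % pending)
                pending = None
            story.append("The server accepts these methods: %s." % m.group(1))
            continue
        m = NEXT_METHOD.match(line)
        if m:
            story.append("I am now trying to log in via %s." % m.group(1))
            if m.group(1) in ("password", "keyboard-interactive"):
                pending = "a %s response" % m.group(1)
            continue
        m = OFFERING.match(line)
        if m:
            pending = "public key %s" % m.group(1)
            story.append("I am sending %s." % pending)
            continue
        m = SUCCEEDED.match(line)
        if m:
            story.append("THAT DID WORK via %s. I am logging in. I am happy." % m.group(1))
            break
    return story


# Constructed transcript: one key refused, then a password accepted.
SAMPLE = """\
debug1: Connecting to example.com [192.0.2.10] port 22.
Warning: Permanently added 'example.com' (ECDSA) to the list of known hosts.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tal/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""

if __name__ == "__main__":
    print("\n".join(narrate(SAMPLE)))
```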
Earlier this month, NASA released this unprecedented clip of the Moon orbiting Earth. The footage reminded me of another image captured more than thirty years ago by Voyager 1 when it was still just 7.25-million miles from Earth: the first photo to feature Earth and its moon, in their entirety, in the same frame.
Oh, man. Christopher Lee is so old, you guys. Which is partially why it's so wonderful that's he's still churning out awesome holiday music like this new heavy metal cover (with accompanying metal lyrics!) of "Jingle Bells" titled, of course, "Jingle Hell." The other reason is that his singing voice is still amazing.
Over at 3D printing marketplace Shapeways.com, inspired individuals are free to post their 3D-printable creations for all the world to buy. And sure, there's some more benign items like art and iPhone cases littered among the clutter, but dig a little deeper and you'll find what Shapeways masses really want: Goatse. Twerking. Fresco Jesus—the whole gang's right here.