Shared posts

16 Apr 14:02

The Expand Home Screen

by Eric Ravenscraft

The Expand Home Screen

Android: Themer has a ton of neat home screen themes, and Expand is no exception. This design features four collapsible sections with all the links, shortcuts, and widgets you'll ever need.

The design is very basic, divided into four sections: Home, Categories, Music Player, and Weather. Each one unfolds to show shortcuts or informative widgets. There's also a bar of quick links along the bottom for frequently used apps. This design is available directly in Themer.

Do you have an awesome, tweaked-into-oblivion home or lock screen of your own that you'd like to share? Post it in the comments below, or on your own Kinja blog with the tag "home screen showcase" (no quotes). Be sure to include a description of how you made it so we can feature it as the next featured home screen.

Expand for Themer | My Color Screen

16 Apr 14:00

Amazon merging Kindle documents and Cloud Drive, 10GB combined free storage

by Richard Devine

Good news this morning for Kindle owners; it seems you're likely to be waking up to some changes in the way your cloud documents storage works that results in a combined 10GB of free Amazon Cloud Drive. We've received a tip that this is pushing out, and that the merger of 5GB of Kindle documents and 5GB of Amazon Cloud Drive is now amounting to a combined 10GB account that covers everything. Pretty neat.

We've also confirmed that this is only applying to Kindle customers. Indeed, those of us without a Kindle are still languishing back on the 5GB free tier. The new combined account means that your previously Kindle exclusive 5GB can be used for other files such as images and videos. And that's just great.

Customers are being notified by email it seems, but if you've not seen one yet fire up your Cloud Drive and take a look!

Thanks Alex for the tip!








15 Apr 21:12

Yahoo's earnings aren't about Yahoo anymore: all hail Alibaba

by Ben Popper

Yahoo has been under the leadership of CEO Marissa Mayer for almost two years now, but during today's earnings, all eyes were focused elsewhere. The company reported a quarterly revenue of $1.13 billion with earnings of 38 cents per share. That was slightly better than analysts predicated, but it doesn't matter much. As Cantor Fitzgerald analyst Youssef Squali says, the consensus was for Yahoo "to report another muted quarter ... in line with expectations."

What investors were really concerned about was the action happening on the other side of the world; Chinese e-commerce giant Alibaba is expected to go public in the US this year with the biggest IPO since Facebook. Yahoo, which has a 24 percent stake in the company, provides some of...

Continue reading…

15 Apr 19:28

An ultra-cheap Wi-Fi router wants to solve your streaming music woes

by Ben Popper

Streaming music through your home entertainment system should be simple, but like many forms of media, it often becomes hopelessly tangled in a morass of broadly incompatible standards the moment you try to stream it from device A to device B. It’s a mess. And of all the incompatibility hells we deal with on a daily basis, the sad state of audio affairs can be particularly tragic: nothing kills a party faster than 60 seconds of awkward silence. All it takes is one would-be DJ with a Galaxy Note trying to connect through an Apple TV to crush the vibe.

Continue reading…

15 Apr 16:44

Top 10 most popular Android apps from last week: Huey, Automatic

by Steve Raycraft

Every week we cover new Android apps with Fresh Meat on Wednesday, followed by Android Gaming on Thursday and Top 10 App Updates on Friday. When Monday rolls around, we look back to see which apps were the most appealing to our audience. Read on for the 10 most popular Android apps from last week.

1. The Walking Dead: Season One

Walking DeadApp info: The Walking Dead is a five-part game series (Episode 2-5 can be purchased via in-app) set in the same universe as Robert Kirkman’s award-winning series.

 

2. Elegante UCCW skin

EleganteApp info: Elegante has a beautiful clock display and has been one of our readers’ favorite UCCW skins to download.

 

3. Cute Kids Eye Clinic

Cute Kids EyeApp info: Try your hands at being an eye doctor with this game.

 

4. Knock Lock

Knock LockApp info: Knock Lock is a simple application that allows you to select an area on your display to enable a “knock to sleep” feature.

 

5. Javelin Browser

Javelin BrowserApp info: Javelin is the #1 browser with built-in ADBLOCK. It is also the first browser with READING MODE.

 

6. A Better Camera

A Better CameraApp info: A Better Camera combines features found in many other apps to provide you with the best, all-purpose, full featured camera app.

 

7. Automatic

AutomaticApp info: Automatic is your Smart Driving Assistant. It wirelessly connects your car and your Android using Bluetooth, allowing you to drive smarter and save money on gas.

 

8. Zoe

ZoeApp info: Zoe gives you up to 20 photos and a 3-second video to make a unique gallery to share with friends and family.

 

9. First Strike

First StrikeApp info: FIRST STRIKE is a great strategy simulation featuring snappy gameplay and an intuitive interface that makes dropping the big one as easy as ABC.

 

10. Huey

HueyApp info: Watch your lights come to life with Huey! The first camera application for the Philips Hue that allows you to create amazing “point and shoot” ambient light effects with no effort.

 

Note:  To ensure that all apps receive a fair chance to make the list, we will retire any app that has made the list for 3 consecutive weeks and will place it in our Android and Me App Hall of Fame. We will post this Hall of Fame list in a dedicated series. Any app with * next to the title indicates it will now be added to our Hall of Fame list and will no longer be listed in this article.

15 Apr 16:43

BBC iPlayer Users Can Now Download Videos On Any Android Device Running Android 4.0 Or Higher

by Bertel King, Jr.

BBCiPlayer-ThumbBack in September, the BBC iPlayer jumped to version 2.0 and introduced the ability for users to download full episodes and store them for up to 30 days. At the time, the feature only worked on the eleven devices that the developers tested. Now it should work on any Android device running Ice Cream Sandwich or above.

BBCiPlayer

Video downloads still function the same as before. Stored media will automatically delete itself seven days after first being viewed.

Done With This Post? You Might Also Like These:

BBC iPlayer Users Can Now Download Videos On Any Android Device Running Android 4.0 Or Higher was written by the awesome team at Android Police.



15 Apr 16:43

Amazon Enables Single Sign-On For Apps Running On Kindle Fire

by Sarah Perez
SSO2 Amazon this morning announced a small, but significant change to its “Login with Amazon” service which currently offers an alternate way to sign up for and authenticate with mobile applications on both the Android and iOS platforms. Starting today, Amazon Appstore developers taking advantage of this option on apps designed for Kindle Fire will no longer need to ask their customers to… Read More
15 Apr 16:42

Amazon's first smartphone revealed in leaked photos

by Chris Welch

Amazon's long-awaited smartphone is apparently right around the corner, and today images of what looks to be an early prototype have been leaked by BGR. Unfortunately the pictured device is surrounded by a protective, screwed-on case that conceals the phone's true physical design. BGR claims the phone's screen measures 4.7 inches, which would make it noticeably smaller than the latest flagships from Samsung and HTC. It's also said to be a 720p display, which falls a bit short of the now-standard 1080p resolution found on the Galaxy S5 and HTC One. Amazon's smartphone is reportedly powered by an unspecified Qualcomm Snapdragon processor and 2GB of RAM.

Interestingly, the shots reveal a total of five front-facing cameras. One will...

Continue reading…

15 Apr 16:40

After Heartbleed, "Forward Secrecy" Is More Important Than Ever

by Selena Larson

Internet users have spent the last week changing their passwords and checking their online accounts for potential hacks resulting from Heartbleed, a bug in the open-source security software OpenSSL that left nearly two-thirds of the Web vulnerable to malicious attacks. 

Heartbleed has caused security nightmares for dozens of websites, especially since companies initially thought it was impossible to steal private certificate keys from servers. That assessment was quickly debunked—just ask the 900 Canadians that had their taxpayer data stolen by hackers over a six-hour period after the bug was publicly announced. 

There is a silver lining to the madness, however: If websites are using encryption called perfect forward secrecy, there is no way for hackers to retroactively decrypt your data, even if they get control of your server’s private key. 

What's Wrong With HTTPS?

First, let's get to know HTTPS, the connection that protects your data on most secure websites.

When you’re on a secure website using traditional HTTPS encryption, your username, password, and all other personal communications are supposedly safe from being intercepted and decrypted by hackers (or the NSA). OpenSSL made it possible for websites to deliver that secure connection, locking down the data sent to and from the browser and server.

Normally, when a secure connection is created, a website generates a master key between the browser and server—this master key is used to encrypt millions of sessions, not just yours. Since only the holder of the private key can “unlock” your session key, all your information is secure. But by exploiting the Heartbleed vulnerability, an attacker could access the website’s private key and then decrypt the information hidden in your session key. 

That’s not all: Any recorded data from HTTPS servers can be retroactively decrypted using private keys exposed by Heartbleed, so if an eavesdropper has been recording website traffic for some reason, they could access the private keys for those sites thanks to Heartbleed.

Why Does Forward Secrecy Matter?

Now we know why HTTPS isn't good enough to stop Heartbleed. So what can websites do about it?

Perfect forward secrecy is an encryption technique that prevents people from “unlocking” your private information history, even if they get their hands on the server’s private key. With forward secrecy, a new temporary session key is created each time you access a secure website, instead of relying on one master key. Essentially, it creates ephemeral encryption—where the keys disappear—so hackers can't decrypt your data like they would with HTTPS. 

“Forward secrecy gives you client and server that use a different method for agreeing on a session key,” said Timo Hirvonen, senior researcher at security firm F-Secure. “The main point there is the key that is used for decrypting that session is a short-lived key used only for that session.”

If we compare security to messaging apps, forward secrecy would be similar to Snapchat—once you’re done with the session, your key disappears. Websites that enabled forward secrecy disallowed hackers from unlocking any of the information they previously connected.

But it’s not just software vulnerabilities users have to worry about. Documents released by Edward Snowden reveal the National Security Agency vacuums up troves of encrypted data with the hopes of one day being able to crack it. Luckily for users, forward secrecy even prevents NSA agents from reading your email—a fear that no doubt pushed companies to rethink their encryption methods. (The NSA reportedly knew about Heartbleed before it was made public, a claim the agency flatly denies.) 

Who Uses Forward Secrecy? 

Forward secrecy is over 20 years old, but most websites don’t implement it. According to SSL Labs, over half of the most popular websites on the Web don't implement forward secrecy, and just 42% of popular websites have some forward secrecy suites enabled.

Google, ever a pioneer in securing user information, made forward secrecy mandatory in November 2011. The company then published its work on OpenSSL with the hopes that other companies would follow suit.

Unfortunately, it took two more years for other tech giants to get on board.

In mid-to-late 2013, Facebook, Microsoft, and Twitter began expanding security to include forward secrecy, and earlier this year (just one week before Heartbleed was made public), Yahoo announced it would implement forward secrecy across many of its properties. Apparently it didn’t move quick enough: Yahoo Mail was one of the biggest services affected by Heartbleed.

One of the main reasons websites don’t use forward secrecy, according to Hirvonen, is because there is a performance penalty—it requires more CPU resources. If you think of a server like a human, enabling perfect forward secrecy requires more brain power than what it takes to enable HTTPS encryption. 

Network engineer Vincent Bernat notes that forward secrecy can use up to 30% more CPU than traditional HTTPS security. 

“Configuration shouldn’t be that difficult,” Hirvonen said. “It’s more about the CPU resources, hardware requirements, and the impact on performance.”

It also takes someone with knowledge of configuring website encryption to deploy forward secrecy. Assuming you have the desire and skill to implement it, you have to configure your server to select forward secrecy, and place the two most common cipher suites at the top of your list. Help Net Security provides a tutorial here

Heartbleed reminded us all that our secure data is never as secure as we think it is on the Internet, and it will still be a while before the mess created by Heartbleed is entirely cleaned up. 

As we’ve learned, however, there are some simple but significant steps that can improve how users are protected, and most of the big tech companies are leading the charge. Hopefully Heartbleed can act as a catalyst to prompt more websites to adopt forward security and make the Web—and our data—safe from harm. 

Lead image courtesy of Alonis on Flickr

15 Apr 13:35

The photos from your phone, now one click away

by The Gmail Team
Posted by Thijs van As, Product Manager

Unless you’re a budding Ansel Adams, odds are you take most of your photos using your phone. And whether it’s photos of your hiking trip or a night out, sending photos to friends and family just got easier. Starting today, you can save time and insert your Auto Backup photos from your phone into Gmail messages on the web using the new Insert Photo button.

When you click the button, you'll instantly access all the photos that are backed up from your mobile devices, starting with the most recent.
If you upload and organize your photos into albums on Google Photos, you can also share entire albums. Plus, you can now resize images while composing messages by dragging on any corner to make your snapshot picture perfect.
These new features will be rolling out today in Gmail on the web. If you haven’t already, turn on Auto Backup so you can easily include photos from your latest adventures in emails to family and friends.
15 Apr 12:43

LastPass Now Auto-Fills Login Info for Your Android Apps

by Whitson Gordon

The most recent LastPass app for Android adds an incredible new feature: now, it can autofill your login and password information for you, both in Chrome and in other Android apps.

Previously, the LastPass app only allowed you to view your passwords or use them inside the LastPass browser, but now it works more like it does on the desktop. When you launch an app or open a web site in Chrome, it'll check if you have an account and autofill your information for you. If it doesn't detect the app properly, you can help it associate the correct account with the app to help make the app better for others. These features work on Android 4.3 and above, though 4.1 and 4.2 users can get the option to copy their password, which at least makes things a little faster than before.

Just install or update the Android app, then enable the feature when prompted. Check out the video above from LastPass to see it in action. You can trial the app for two weeks, after which it will require a LastPass Premium subscription as it always has (which is only $12 per year—well worth it for what you get).

LastPass | Google Play Store via LastPass Blog

15 Apr 12:42

25 Best (And 2 WTF) New Android Games From The Last 2 Weeks (4/2/14 - 4/14/14)

by Michael Crider

gameroundup_icon_largeWelcome to the roundup of the best new Android applications, games, and live wallpapers that went live in the Play Store or were spotted by us in the previous 2 weeks or so.

Please wait for this page to load in full in order to see the widgets, which include ratings and pricing info.

Looking for the previous roundup editions? Find them here.

Featured App

Passport Photo ID Studio

This week's roundup is brought to you by Passport Photo ID Studio from Handy Apps.

Done With This Post? You Might Also Like These:

25 Best (And 2 WTF) New Android Games From The Last 2 Weeks (4/2/14 - 4/14/14) was written by the awesome team at Android Police.



15 Apr 12:41

Original HTC One to get Sense 6 by the end of May

by Jerry Hildenbrand

HTC America President Jason Mackenzie has taken to Twitter to give a rough date about the HTC Sense 6 update for the original M7 model HTC One. According to Mackenzie, users in the U.S. and Canada should expect to have received the update by the end of May.

Reminder that Sense 6 will push to current HTC One users by end of May. #htcadvantage

— Jason Mackenzie (@JasonMacHTC) April 14, 2014

There was no mention of when the rest of the world should expect the update, but previously HTC promised to have devices updated this spring. Get ready for another interesting round of sparring between HTC and the carriers to get these updates pushed out in time!








14 Apr 21:04

Google Gets In On Ground Level With Drone Maker Titan Buy

by Sarah Perez
S50_DesertBrown_1366 (1) Titan Aerospace, the drone maker Facebook had been in acquisition talks with prior to being bought by Google (as we've now confirmed following The WSJ's initial report), was a name that took many in the industry by surprise. How was it that a company that reportedly has solar-powered drones that can fly at 65,000 feet above sea level for five years without needing to land, did not have more public… Read More
14 Apr 21:01

Cinefi Streams Movie and TV-Torrents Straight to Your Browser

by Ernesto

cinefiA few weeks ago a new piece of software called “Popcorn Time” made headlines around the world.

The key to this success was the app’s sheer simplicity, something that was missing from most of the earlier torrent streaming services. Today, a new torrent streaming service launched, one that’s just as simple, but doesn’t require any extra software.

Using only HTML5 technology, Cinefi can stream video torrents directly to a browser. There is no need to install any software or plugins and it works on every platform. This is not limited to PCs and laptops either, since it also includes mobile devices and game consoles.

TorrentFreak caught up with the main developer Rich, who says that the main motivation to develop the service was to see if it was possible to make a torrent streaming tool without any additions.

“We started the project for the sheer challenge of seeing if we could stream torrents directly to the browser without any other software,” Rick explains to TF.

The result is a web service that looks awfully simple, but works as advertised. Similar to Popcorn Time, it taps into a database of YTS movies, but users can also stream other videos by pasting a magnet link into the search box.

“Right now you can search for movies, which come from YTS, but Cinefi will play any torrent or magnet link, except videos encoded in AVI. Just paste and click,” Rich says.

As can be seen below, a trailer of the fourth Game of Thrones season plays just fine after a few seconds of loading time. As with any torrent streaming service, the playback is the smoothest for files that have relatively many seeders.

Cinefi: Game of Thrones Trailer
cinefy-gottrailer

Cinefi is closed source and uses a “patent-pending technology” which blends several HTML5 technologies. According to the developer, this makes it the first torrent streaming service of its kind, and since it doesn’t depend on extra software, it can be used by pretty much anyone, anywhere.

Of course, the entertainment industries are not going to cheer on this development, but the technology itself isn’t infringing on any copyrights according to the Cinefi team. In fact, they advise people not to use the service in any way that might break the law.

“As stated on the site, the site is legal to use, but downloading illegal torrents isn’t. We don’t encourage any illegal activity on the site. We do not host or store any torrents,” Rich tells TF.

“We merely provide the technology and it is up to the user’s discretion,” he adds.

Those who are interested can head over to Cinefi.com and take the service for a spin, with this torrent for example. It’s free to use, and will remain so for the foreseeable future.

Update: Cinefi appears to have some trouble loading every now and then, probably due to the sudden increase in vsitors.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

14 Apr 16:53

Netflix streaming speeds on Comcast jump 65 percent after controversial deal

by Chris Welch

Netflix customers on Comcast are already seeing the benefits of a controversial pact between the streaming service and cable provider. Comcast jumped five spots in Netflix's ranking of ISP performance for the month of March. It now sits in fifth place, delivering an average streaming speed of 2.5Mbps — up from the 11th place spot it held in February, when Comcast delivered a pitiful 1.15Mbps average to Netflix subscribers.

"This month’s rankings are a great illustration of how performance can improve when ISPs work to connect directly to Netflix," said Netflix. It's also a great illustration of what happens when Netflix pays off cable providers to speed things up: Comcast now charts above Verizon FiOS and even Time Warner Cable,...

Continue reading…

14 Apr 15:34

7 Heartbleed Myths Debunked

by Adriana Lee

People are on edge thanks to Heartbleed, a coding mistake that inadvertently laid waste to the security of many big online services.

The revelation this week shocked the world. And new reports coming out about Heartbleed only seem to inspire more worries, not less. The unfortunate result is a lot of misinformation going around. 

Care to join me in a little debunking session? Here are some of the doozies I heard this week, and why they’re not true.

Myth #1: Heartbleed Is A Virus

This OpenSSL bug is not a virus. It's a flaw, a simple coding error in the open-source encryption protocol used by many websites and other servers.

When it works as it should, OpenSSL helps ensure networked communication is protected from eavesdropping. (One clue that a website may be using it is when there’s a “HTTPS” in the Web address, with the extra “s”—although other forms of security do the same thing.) 

So it’s a bug, a security hole that was accidentally left open, allowing others to surveil a communication or login event, as well as pull confidential data or other records out. 

Myth #2: The Bug Only Affects Websites

Potential security breaches for servers and routers are massive issues, as they allow for the greatest amount of data to leak. And so, websites, online services and network servers tend to get the lion’s share of press. But they’re not the only potential targets. 

The clients that communicate with those servers—i.e. your phones, laptops and other devices used to jump online or connect to other networks—are at risk too due to what’s increasingly being called “reverse Heartbleed.” What that means is that the data stored in your device’s memory could be up for grabs.

“Typically on the client, the memory is allocated just to that process that’s running. So you don’t necessarily get access to all the processes,” David Chartier, CEO of Codenomicon—the Finnish security firm that co-discovered Heartbleed—told ReadWrite. “[But] you can still leak contents of emails, documents and logins.” 

The idea of unauthorized account and systems setting access can be particularly disconcerting for  smart home users. I reached out to startups like SmartThings and Revolv, as well as Zonoff—the company powering Staples Connect’s smart home system—and iControl, which supplies the technology for services like Time Warner Cable, ADT, Comcast, Cox, Rogers and others. 

SmartThings and Revolv have both patched the bug by updating their software to the latest version of OpenSSL. iControl reported back to me, saying that it doesn’t use OpenSSL. At press time, Zonoff wasn’t available for comment. 

(Update: Zonoff also uses OpenSSL, but the company confirmed to ReadWrite that it has updated affected servers with the most recent software, thereby patching the vulnerability.) 

Myth #3: Hackers Can Use It To Remote Control Your Phones

By all indications so far, a hacker can’t tunnel in directly using Heartbleed and take over control of your smartphone. Again, what’s at stake is the data stored in its memory, at least for those devices that haven't been patched with the latest version of OpenSSL. 

Even if it was possible, iPhones and most Androids are immune to Heartbleed, with one big exception—Android 4.1.1. Google, however, says patches will go out to cover this version of its mobile operating system. Overall, the fact that iOS and Android are largely unaffected must come as a relief, particularly given recent iOS security concerns on other fronts.  

Of course, the apps these phones run might be another story. BlackBerry acknowledged that BBM for iOS and Android, for example, is vulnerable to Heartbleed. Attackers still wouldn't be able to get into the device memory itself using it, but they might be able to listen in on insecure chats in progress. (Update: Blackberry says it is readying a BBM update to address Heartbleed.)

Myth #4: Windows XP Users Are Screwed Because Microsoft Abandoned Them

Completely false. Sure, the timing is bad. Microsoft said it won't be supporting Windows XP just as Heartbleed panic set out across the land. But the tech company does not use OpenSSL.

That’s great news for the loads of PCs out there that still use the 14-year-old Windows operating system—which, at press time, made up more than a quarter of all running desktops. Because if it affected them, they'd be stranded with Heartbleed with no hope of a security update. 

People running XP, indeed all Windows users, get the company’s own encryption component called Secure Channel (aka SChannel), and it's not susceptible to this particular bug. However, it’s worth noting that XP users won’t get any further software support or updates for SChannel either. 

The exceptions are Windows Azure users running Linux in Microsoft's cloud service. These distributions rely on OpenSSL, so Microsoft urges these users to contact the distribution providers for the updated software. As for Mac OS X, Apple has officially declared it is not vulnerable to Heartbleed. 

Myth #5: All Of Our Banks Are Open For Heartbleeding

The security flaw is serious, but it can't pry open the virtual vaults at our top banks. In fact, American Banker, a news site for bank technologies, reports that no major banks are susceptible

These companies have all announced that they don’t use OpenSSL, so they aren’t at risk:

  • Bank of America
  • Capital One Financial
  • JPMorgan Chase
  • Citigroup
  • TD Bank
  • U.S. Bancorp
  • Wells Fargo
  • PNC Financial Services Group 

Of course, there are many more banks and credit unions out there, which is why the Federal Financial Institutions Examination Council (FFIEC) urged "financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability." 

Furthermore, CNET’s check of high-trafficked websites shows that PayPal is not vulnerable to Heartbleed either. Neither are these major retailers, where people may store debit or credit card information: 

  • Amazon.com
  • eBay
  • Groupon
  • Target
  • TripAdvisor
  • Walmart

(Looks like Target learned a thing or two from its major security breach late last year.) 

So no, the Heartbleed glitch doesn't throw open the doors of these banks and major stores, at least not directly. However, just because these sites and accounts aren’t subject to these hacks, it doesn’t mean that data is entirely safe. (See below.) 

Myth #6: My ____ Site/Service Wasn’t At Risk Or Issued A Patch! I’m Safe Now. 

Not quite. Heartbleed is insidious because it leaves no trace. That means there’s no way to tell if your information was stolen previously from a site or service that has now fixed it. 

As for places that weren’t vulnerable to begin with, your accounts there may still be at risk, if that login information was stored or sent somewhere that was breached. 

Here’s what it boils down to: You’ll want to change passwords everywhere, except on affected sites or services that haven’t patched the hole yet. But be sure to do it once they’ve updated their software. You'll also want to check your credit, account statements and online activity to make sure no unauthorized entries appear. 

Myth #7: NSA Has Been Using Heartbleed To Spy On Us

Citing unnamed sources, Bloomberg accused the National Security Agency of knowing about Heartbleed and keeping it quiet. But that's not all. The agency wasn’t simply aware of the bug, says the report—it allegedly exploited the flaw for two years, using it to spy on Americans. 

In light of the PRISM revelations, it’s all too easy to believe. Even before Bloomberg's accusation, suspicions were high that the NSA was involved, with plenty of tweets flooding Twitter questioning the agency's knowledge. It was as if a chorus of "Of course the NSA's involved" rang throughout the Web. 

But the NSA flatly denies it. The agency said it didn't use the security hole—in fact, it claimed to be completely ignorant of the bug's existence prior to the announcement going out.

There's no way to know if the NSA is being honest with its denial; the agency's credibility isn't exactly at an all-time high. But there’s no hard proof that it has actually exploited Heartbleed for surveillance. So, for now anyway, it's going in the "myth" pile. 

It's difficult to imagine any federal authority or agency not being aware of such a serious security weakness that affects so many. But it's not totally impossible. Just ask the Canada Revenue Agency. That government branch, which also used OpenSSL, had to shut down parts of its website temporarily because it was found to be vulnerable to Heartbleed as well. This just weeks before the Canadian tax deadline, to boot.  

Have you heard any Heartbleed myths or untruths? Deposit them in the comments, so we can all debunk them. 

Images courtesy of Flickr users David Goehring (feature image),  Lee Davy (malware), greyweed (Android zombie), Anonymous Account (bank vault), and Tony Fischer (spies). 

14 Apr 15:17

Children confused by Walkmans

by Rob Beschizza
Oldness now officially begins with the dawn of the iPod. Today's youngsters no longer find portable cassette players amusingly old-fashioned; they now have no clue whatsoever about any music gadget old enough to contain moving parts. Just to rub it in, they nevertheless understand the historical context and say very funny, insightful things about consumer technology! [Video Link]






14 Apr 15:11

Cortana v Siri v Google Now: The voice assistant showdown!

by Richard Devine

There's a new voice assistant in town, and it's called Cortana. With the release of the Windows Phone 8.1 developer preview today, Cortana is in public hands for the first time. It's new to the Windows Phone kids, but Cortana arrives to competition from not only Siri but also Google Now. So what's the best way to check it out? Why, with a head to head, of course!

Daniel Rubino over at Windows Phone Central has been knee deep in all things Windows Phone 8.1, and has taken the time to put together a quick shootout of the three major voice assistants across the Mobile Nations. So grab a beverage and head on over to Windows Phone Central to check it out!








14 Apr 11:15

First Look At Spooks: The Greater Good

First Look At Spooks: The Greater Good

Exclusive: 'The canvas is huge on this one'

The Spooks movie – Spooks: The Greater Good – is underway, and as you can see from this exclusive first-look still, it’ll be tauter than Hawkeye's bowstring. Fans of the long-running BBC show will be keen for a few morsels on what to expect from the feature-length spy thriller and director Bharat Nalluri was happy to oblige. "The canvas is huge on this, he told Empire. “We’re running from Moscow to Berlin to London. It’s a story of the old world and new world.”{First Look At Spooks: The Greater Good}

Written by show veterans Jonathan Brackley and Sam Vincent, Spooks: The Greater Good sees embattled M-alike Harry Pearce (Peter Firth) taking the fall when a terrorist slips through MI5’s fingers and vanishes into thin air. With his agency mired in scandal and his professional reputation in tatters, Pearce is seen jumping from a bridge into the Thames, presumably clutching a particularly huge tumbler of his favourite malt whisky.

Enter Kit Harington as Will Crombie, a former member of Harry's team, to find out what really happened during Pearce’s Reichenbach Falls moment. Crombie could be just the man to take the mantle of agency defender as the truth around Pearce’s disappearance and the crisis at the heart of Britain’s counter-terrorism team is gradually laid bare. Captain America: The Winter-Is-Coming Soldier, then? Somehow MI5’s budget seem unlikely to stretch to a helicarrier.

“You could say that Harry is having a Nick Fury moment”, laughs Nalluri, “although Captain America is set against a very fictionalised world. Spooks, at its best, has always plucked from the headlines.”

So which headlines will the feature-length version be plucking from? “When we closed the show in 2011, thinking we’d mined everything”, he explains, “but then it kick-started again. You’ve got Julian Assange hanging out in the Ecuadorian embassy, Chelsea Manning, guys grinding computer discs in The Guardian’s basement, home-grown Jihadists, email hacking, spying on the Germans, Syria... it’s an unbelievable stew.”

Joining Firth and Harington in this espionage mix are Tuppence Middleton, an actress with previous in this field with MI5 thriller Cleanskin, Spooks veteran Tim McInnerny (Oliver Mace in the show), and World War Z’s ill-fated doctor Elyes Gabel. Jennifer Ehle will also star, but will there be a reappearance from Matthew Macfadyen as old fan favourite Tom Quinn, last seen in the garb of a private contractor? Nalluri isn’t ruling it out. “We brought him back in the very last episode of the last season,” he hedges. “Make of that what you will...”

And what of the move from small to big screen? “The toy box is out for this one,” says Nalluri of the likely action. “We’ve got motorbikes, attacks on convoys, huge sniper sequences in the middle of London. It’s set piece after set piece.”

He promises to deliver the shocks that made early Spooks famous – that chip-fat incident, in particular – albeit within a likely 12A framework. “It’s hard and it’s unsparing and certainly no-one in safe in the film,” he explains. “There’ll be lots of twists.” No more trips to the chippie then? “Maybe a salad bar this time,” he laughs. “Tossed to death!”

The two-and-a-bit month shoot will see them all in action in London, Berlin’s Potsdamer Platz and Alexanderplatz, and Moscow, as well as Pinewood Studios. Yes, they’re sharing a city with Jack Bauer. Play nice, kids.

Spooks: The Greater Good is planned for release by Pinewood Pictures/Altitude sometime in 2015. More in Empire magazine as we get it - and aren't you impressed we got the whole way through this story without a Hot Fuzz reference?








14 Apr 11:15

UK Prime Minister Asked for Permanent Police Anti-Piracy Unit Funding

by Andy

cityoflondonpoliceLast summer it became evident that police in the UK would be taking a greater interest in the activities of torrent, streaming and other sharing sites. Announcing the creation of the Police Intellectual Property Crime Unit (PIPCU), last year City of London Police said that sites would be pressured to step into line, close, or face the consequences.

The unit, which has already claimed the scalps of several smaller domains, including the forced shutdown last week of a handful of sports-stream related sites, has been active on various fronts. In addition to putting registrars under pressure to close domains, the unit is also working with advertisers in an attempt to cut off advertising revenue.

PIPCU is good news for rightsholders in several ways, not least since the anti-piracy battles of groups such as the BPI and FACT are now being partly financed by the UK taxpayer. PIPCU is currently funded by the Department for Business, Innovation & Skills’ Intellectual Property Office, to the tune of £2.56m over two years.

The funding, which was allocated on a temporary basis, will expire in 2015 if the government doesn’t allocate additional finances. It could fall back into private hands, but that would mean a significant loss of ‘clout’ for the companies relying on PIPCU’s authority. However, if the UK Prime Minister’s Intellectual Property Adviser has anything to do with it, that won’t happen.

In a letter to David Cameron and Home Secretary Theresa May, Mike Weatherley MP praised the “excellent work” of PIPCU and urged the funding of the unit on a permanent basis.

“I appreciate that funding for this new unit is not permanent. However, I would like to put on record my support for committing future funding to fighting IP crime and boosting the current level of financial support that is available for PIPCU,” Weatherley wrote. “As I am sure that you are aware, the creative industries add over £70 billion to our economy each year and so it really is in our national interest to protect that revenue.”

As previously reported, PIPCU is currently focusing on cutting off ad revenue to ‘pirate’ sites. Speaking to fellow Conservatives, Weatherley said if that could be done the effects would be dramatic.

“If we stop advertisers from shoveling money into illegal sites, we can stop a lot of the content. Possibly as much as 95 per cent according to the newly formed national Police Intellectual Property Crime Unit (PIPCU),” Weatherley said.

“If you value the NHS [National Health Service], you should also value IP and our creative industries, as together they help pay for the services in this country that we all cherish. If we take the wrong approach, national services that we take for granted will have a huge budget shortfall.”

There are currently no formal indications that PIPCU will get the permanent funding it needs to continue its work but considering the backing it has among the music and movie industries (not to mention the Prime Minister’s top IP advisor) it seems unthinkable that a couple of million a year won’t be found from somewhere.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

14 Apr 11:13

The hometown of British surveillance gets the Banksy treatment

by Aaron Souppouris

A new a piece believed to be the work of street artist Banksy has emerged in the English town of Cheltenham. It touches on themes Banksy has explored before, namely the "surveillance state," with all the subtlety of a sledgehammer. The untitled artwork subverts a phone booth and satellite dish, adding shady Dick Tracy-esque men that are assumedly listening in on phone calls. As well as appropriating existing objects to make a point, Banksy has used geography — Cheltenham is the home of the UK's surveillance agency, GCHQ.

No one has claimed responsibility for the piece yet, but its style and brash social commentary is very reminiscent of Banksy's work over the years. Should the artist take credit, it'll be his first work since his m...

Continue reading…

13 Apr 22:31

Chromebleed Notifies You if a Visited Site was Hit by Heartbleed Bug

by Mihir Patkar

Chromebleed Notifies You if a Visited Site was Hit by Heartbleed Bug

Chrome: The Heartbleed bug is among the major security vulnerabilities we have seen in recent times. It's one of those cases where precaution is the order of the day. You could manually check sites or use Chromebleed, an extension that tells you if the site you're on was affected by the bug.

Chromebleed uses Filippo Valsorda's little tool to test if the page was hit by Heartbleed and hasn't issued a patch yet. You're going to be safe on the bigger websites like Yahoo, but there's a chance that some of the smaller sites haven't yet patched their servers, so this little protection will help. If you do visit some such site, Chromebleed will throw a notification warning you, in which case it's best to exit and notify the site's developers to fix their issue.

Chromebleed | Chrome Web Store via BGR

13 Apr 22:29

Study: American policy exclusively reflects desires of the rich; citizens' groups largely irrelevant

by Cory Doctorow

In Testing Theories of American Politics: Elites, Interest Groups, and Average Citizens [PDF], a paper forthcoming in Perspectives on Politics by Princeton's Martin Gilens and Northwestern's Benjamin Page, the authors analyze 1,779 over the past 20+ years and conclude that policy makers respond exclusively to the needs of people in the 90th wealth percentile to the exclusion of pretty much every one else. Mass-scale intervention from citizens' groups barely registers, while the desires of the richest ten percent of America dictate practically the entire national policy landscape.

In a summary in the Washington Post, Larry Bartels writes,

Alas, no. In their primary statistical analysis, the collective preferences of ordinary citizens had only a negligible estimated effect on policy outcomes, while the collective preferences of “economic elites” (roughly proxied by citizens at the 90th percentile of the income distribution) were 15 times as important. “Mass-based interest groups” mattered, too, but only about half as much as business interest groups — and the preferences of those public interest groups were only weakly correlated (.12) with the preferences of the public as measured in opinion surveys.

Gilens and Page frame their study as a test of four broad theories of American politics: “Majoritarian Electoral Democracy,” “Majoritarian Pluralism,” “Economic Elite Domination” and “Biased Pluralism.” “Majoritarian Electoral Democracy,” with its emphasis on public opinion, elections and representation, provides the theoretical backbone of most contemporary political science (including mine). The training of most graduate students (including mine) is primarily couched in that framework. But Gilens’s and Page’s work makes that look like a bad scientific bet, wishfully ignoring most of what actually drives American policy-making.

Testing Theories of American Politics: Elites, Interest Groups, and Average Citizens [PDF] [Martin Gilens/Benjamin I. Page, Perspectives on Politics]

Rich people rule! [Larry Bartels/Washington Post]

(via Metafilter)






13 Apr 18:10

Sperm can pass trauma symptoms through generations, study finds

by Arielle Duhaime-Ross

Researchers have put ample effort into identifying genes that help explain why cancer or heart disease run in some families. But scientists still don't know if some genes can explain why the children and grandchildren of people who've survived traumatic events are more likely to experience mental illnesses than the general population. If there is a gene, or set of genes, that make the children of survivors more likely to develop depression and schizophrenia, scientists have yet to find it. Now, new research suggests that many scientists might have been looking in the wrong place.

Continue reading…

13 Apr 16:10

How Codenomicon Found The Heartbleed Bug Now Plaguing The Internet

by Adriana Lee

You know that song lyric about the first cut being the deepest? It’s complete rubbish. Heartbleed taught us all that. Because the more we learn about this online data-security wound, the deeper that threat seems to go. 

Discovered independently by Google engineer Neel Mehta and the Finnish security firm Codenomicon, Heartbleed has been called “one of the most serious security problems to ever affect the modern web.” I spoke with Codenomicon CEO David Chartier, who led the Finnish team that named and outed Heartbleed, to find out more about how his team discovered it, and how deep those vulnerabilities could go.

(I've requested an interview with Mehta via Google. Update: The company declined my request.)

We All Bleed For Heartbleed

Codenomicon's David ChartierCodenomicon's David Chartier

Heartbleed actually started out really small. In fact, it was just a slight, accidental gaffe committed by one coder. Had it been caught immediately, it would have required just filling in a missing bit of code. But it wasn’t. And now, that error has propagated to compromise much of the Internet. 

The main problem is it that affects OpenSSL, a widespread open-source security protocol used by as much as two-thirds of Web servers. The other issue is that it went largely undetected for two years—plenty of time to perpetuate across the Web and leave sites, services and accounts big and small open to infiltration. (As the National Security Agency has reportedly done, although the White House has denied that.)

The initial flood of news reports focused on the hackability of user logins, financial information, emails, photos, medical records, and much more. But Heartbleed’s reach could be bigger than anyone imagined. The OpenSSL flaw affects any server or client that uses it, and that means it could span a huge number of things—including routers and phones, as well as citywide or municipal infrastructure, such as emergency services, transit and utilities. 

How Heartbleed Surfaced

Codenomicon first discovered Heartbleed—originally known by the infinitely less catchy name “CVE-2014-0160”—during a routine test of its software. In effect, the researchers pretended to be outside hackers and attacked the firm itself to test it. 

“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.” 

The engineers found they could burrow in despite the cryptographic security layer, and were shocked at how much was up for grabs. They could access memory and encryption certificates, and pull user data and other records. “This is when we understood that this is a super significant bug,” Chartier said. 

The revelation was startling, not only because of the access this hole could allow, but because of its insidious nature, Chartier said. “On top of that, we couldn’t find any forensic trail that we were taking this data.” The hack was completely untraceable.

But how did something this egregious and widespread go on undetected for two years? The error is buried in the code. The only reason Chartier’s team found the glitch is because Codenomicon uses a rigorous testing process using a very large number of test cases to find weaknesses, just like hardcore hackers do, Chartier explained.

“The vulnerabilities you find after many tests are often more interesting than the ones you find right away," he said. "When you find one that’s difficult, it’s more interesting [to hackers] because they can write an exploit, and it will take more time to be found.” 

The odds of finding the flaw were slight, yet Google's Mehta discovered it practically simultaneously, during a routine security check in March. Chartier chalks it up to happenstance. “Google’s one of the leading companies in the world, and it's constantly testing for vulnerabilities,” he said. The company has been known to take security testing very seriously, so much so that it even offers a bounty for exploits on projects like Chrome. This allows it to find flaws and fix them before hackers can take advantage of them. 

But not every company takes security that seriously. 

A Fail To Remember

Codenomicon, being a Finnish company, alerted the Finnish National Security Cyber Center of its findings. Commonly referred to as “CERT,” the group urged the OpenSSL Project to provide an update and release it to the public. This was just days after Mehta notified OpenSSL on April 1.

The news wasn't broadcasted after the first discovery, as OpenSSL wanted "to give time for proper processes" to let vendors patch the hole before making it public. The plan was to make an announcement on April 9. But when two independent research teams coincidentally found the error, it suggested a greater risk, which prompted OpenSSL to accelerate the announcement to April 7. 

The report blazed across both tech and mainstream media headlines. Chartier has been impressed with how online communities have disseminated the Heartbleed information. “We’re better off today than we were a week ago, because of getting the word out there,” he said. “It’s making the Internet safer and more secure.” 

Unfortunately, the Web is not where this problem ends. Other networks also need to apply the software update in both server and client devices. This includes gadgets like phones, computers and other communication devices. It also include numerous other technologies in the broader world, particularly as it relates to the Internet of Things. 

Because Heartbleed affects OpenSSL, which is widely adopted, it can affect an extensive range of categories, including connected homes, citywide transportation, emergency services, power grids and other utilities—pretty much any large scale, connected systems. But locking all of them down can be difficult. 

Organizations must update to the patched version of OpenSSL, revoke encryption certificates that authenticate their sites and issue new ones. However, systems that haven't gone through security and system testing may not be set up to handle update protocols efficiently. “There’s a lot of stuff out there that was built a long time ago,” said Chartier. “It wasn’t built for the type of stuff that’s coming out today.”

Security tests are essential for critical infrastructure, but unfortunately, there’s still a lot of room for improvement. “A lot of companies do a little performance testing, to see if [software] does what it’s supposed to,” he said. “But they don’t do enough security testing.”

Chartier thinks it could take up to a year or two before all or most of the old versions of OpenSSL out there get updated. In the meantime, things may get tricky.

At this point, many—though not all—of the largest vulnerable sites on the Web have patched OpenSSL against Heartbleed. With some of the smaller service providers and businesses, it may take a little more time. The most prudent users may want to assume that their data was compromised, and change those passwords on every site and service that has been secured. The Codenomicon chief recommends going through each provider, one by one, and “finding out if they used OpenSSL, and if they patched it.” 

As for the companies and organizations, Chartier urges them to adopt more stringent security standards. “You need to put this type of testing into your build cycle,” he said. That’s the best chance at mitigating the risk—so threats don’t penetrate quite so deeply. 

Feature collage by Adriana Lee for ReadWrite using images courtesy of Flickr user Marjan Krebelj and Heartbleed.com; heart lock image by Flickr user Alonis; David Chartier image courtesy of Codenomicon

13 Apr 08:32

How Much Time Have You Killed In Front Of Your TV? This Tool Tells You

by Greg Kumparak
shows Do you ever wonder how much of your life you've spent watching TV shows? It's probably a lot. But how much? Two week's worth? A month? This tool crunches the numbers for you. Read More
13 Apr 08:20

Psychologists debate adding another attention disorder to the books

by Dante D'Orazio

Soon, children may be diagnosed with another attention disorder. Psychologists are working to determine if sluggish cognitive tempo (SCT) — marked by daydreaming, mind-wandering, and lethargy — has a clear set of symptoms and can join the ranks as a legitimate disorder. If it does, it'd open up an opportunity for more pharmaceutical treatments in an area that some experts argue is already over-diagnosed and over-medicated due to attention deficit hyperactivity disorder (ADHD). As detailed in a New York Times article, experts question whether proponents of minting another attention disorder are merely interested in expanding what's already a multi-billion dollar business spurred by marketing efforts.

Continue reading…

12 Apr 19:51

After trip to space, cherry trees mysteriously blossom years ahead of schedule

by Dante D'Orazio

It's that time of year when cherry blossoms draw crowds across the world, but a few cherry trees this year have sprouted a mystery. Four cherry tree saplings across Japan blossomed this spring, as much as six years ahead of schedule. The trees all come from a selection of seeds that took a trip to the International Space Station in 2008 as part of an experiment. Over 250 seeds made the trip, and while many are being studied in labs, 14 were planted around Japan after spending eight months in space. This variety of tree typically takes no less than ten years to sprout, but a few had a big surprise in store this spring.

Scientists are now scratching their heads to try and figure out the premature blossoms. Kaori Tomita-Yokotani, a...

Continue reading…

12 Apr 10:04

High school science teacher suspended for teaching science

by Mark Frauenfelder

The LA Times reports that Greg Schiller, a popular high school science teacher, was suspended because two of his students made projects that "appeared dangerous to administrators."

One project used compressed air to propel a small object but it was not connected to a source of air pressure, so it could not have been fired. (In 2012, President Obama tried out a more powerful air-pressure device at a White House Science Fair that could launch a marshmallow 175 feet.)

Another project used the power from an AA battery to charge a tube surrounded by a coil. When the ninth-grader proposed it, Schiller told him to be more scientific, to construct and test different coils and to draw graphs and conduct additional analysis, said his parents, who also are Los Angeles teachers.

A school employee saw the air-pressure project and raised concerns about what looked to her like a weapon, according to the teachers union and supporters. Schiller, who said he never saw the completed projects except in photos, was summoned and sent home. Both projects were confiscated as "evidence," said Susan Ferguson, whose son did the coil project.

One of the most important lessons kids learn in public schools is that school administrators are usually autocratic imbeciles.

Science teacher's suspension spurs petition drive (Thanks, John!)