
October 25 2013

Power over USB

I’ve been reading about enhancements to the USB 3.0 standard that would allow a USB cable to provide up to 100 watts of power, nicely summarized in The Economist. 100 watts is more than enough to charge a laptop, and certainly enough to power other devices, such as LED lighting, televisions, and audio equipment. It could represent a significant shift in the way we distribute power in homes and offices: as low voltage DC, rather than 110 or 220 volt AC. Granted, 100 watts won’t power a stove, a refrigerator, or a toaster, but in a USB world, high-voltage power distribution could be limited to a few rooms, just like plumbing; the rest of the building could be wired with relatively inexpensive USB cables and connectors, and the wiring could easily be done by amateurs rather than professional electricians.

It’s an interesting and exciting idea. As The Economist points out, the voltages required for USB are easily compatible with solar power. Because USB cables also carry data, power consumption can become more intelligent.

But I have one concern that I haven’t seen addressed in the press. Of course USB cables carry both data and power. So, when you plug your device into a USB distribution system, whether it’s a laptop or phone, you’re plugging it into a network. And there are many cases, most notoriously Stuxnet, of computers being infected with malware through their USB ports. It no doubt took some fairly good social engineering to get an infected USB stick into a computer in an Iranian nuclear facility. But it wouldn’t take any social engineering at all, just a lunch appointment or an interview, to plug an infected drive into the USB power distribution system at some future office complex. You might not even need access to the business you wanted to attack if, as the Economist imagines, power distribution is shared between different buildings in an industrial park.

The most security conscious among us frequently put epoxy in their USB ports. But epoxy won’t work if that port is your only way to charge your laptop. We’re going to need much stricter discipline than epoxy if USB is to become a power distribution standard. More than anything, we will need to be confident that there aren’t any backdoors into our system. A quick Google search is scary indeed, and the NSA is the least of our worries. Can we keep our data, and our systems, safe? History suggests that we can’t.

October 07 2013

Four short links: 9 October 2013

  1. Android Malware Numbers — (Quartz) less than an estimated 0.001% of app installations on Android are able to evade the system’s multi-layered defenses and cause harm to users, based on Google’s analysis of 1.5B downloads and installs.
  2. Facebook Operations Chief Reveals Open Networking Plan — long interview about OCP’s network project. The specification that we are working on is essentially a switch that behaves like compute. It starts up, it has a BIOS environment to do its diagnostics and testing, and then it will look for an executable and go find an operating system. You point it to an operating system and that tells it how it will behave and what it is going to run. In that model, you can run traditional network operating systems, or you can run Linux-style implementations, you can run OpenFlow if you want. And on top of that, you can build your protocol sets and applications.
  3. How Red Bull Dominates F1 (Quartz) — answer: data, and lots of it.
  4. Ground-Level Air Pollution Sensor (Make) — neat sensor project from Make.

August 04 2013

SourceForge: towards the distribution of malware in open source
http://neosting.net/actualite/sourceforge-distributeur-crapware-dans-open-source.html

One could rail against CNET or telecharger.com, to name only those two, but now it is SourceForge's turn to do the same thing (or nearly so). Yes, SourceForge, the site long known for hosting and distributing many open-source programs, is offering developers its DevShare initiative. In its official announcement, SourceForge explains […] #crapware #devshare #malware #open-source #sourceforge

March 28 2013

Four short links: 28 March 2013

  1. What American Startups Can Learn From the Cutthroat Chinese Software Industry — It follows that the idea of “viral” or “organic” growth doesn’t exist in China. “User acquisition is all about media buys. Platform-to-platform in China is war, and it is fought viciously and bitterly. If you have a Gmail account and send an email to, for example, NetEase163.com, which is the local web dominant player, it will most likely go to spam or junk folders regardless of your settings. Just to get an email to go through to your inbox, the company sending the email needs to have a special partnership.” This entire article is a horror show.
  2. White House Hangout Maker Movement (Whitehouse) — During the Hangout, Tom Kalil will discuss the elements of an “all hands on deck” effort to promote Making, with participants including: Dale Dougherty, Founder and Publisher of MAKE; Tara Tiger Brown, Los Angeles Makerspace; Super Awesome Sylvia, Super Awesome Maker Show; Saul Griffith, Co-Founder, Otherlab; Venkatesh Prasad, Ford.
  3. Municipal Codes of DC Freed (BoingBoing) — more good work by Carl Malamud. He’s specifically providing data for apps.
  4. The Modern Malware Review (PDF) — 90% of fully undetected malware was delivered via web-browsing; It took antivirus vendors 4 times as long to detect malware from web-based applications as opposed to email (20 days for web, 5 days for email); FTP was observed to be exceptionally high-risk.

January 22 2013

False virus alarm from Avira

In recent days I have repeatedly received notices from readers of my blog that the Avira Antivirus virus scanner classifies my blog as potentially dangerous, which is why the program blocked access to the site. At first I took this very seriously, because almost a year ago I had already had malicious code on my blog once. But since, on the one hand, I could not find anything and, on the other hand, Avira was the only virus scanner producing the warning, I assumed it was an error.

I therefore asked Avira to tell me specifically where the alleged malicious code was located, or otherwise to stop issuing the warning.

In reply, I received the following message from Avira by e-mail dated 18.01.2013:

The URL has been checked by our virus lab. The block will be lifted with one of the next updates. We apologize for the inconvenience.

Today Avira followed up with this addition:

Thank you for your e-mail and for your patience while the data was evaluated. The site was indeed wrongly listed in our database. We have deleted the entry, so the site will no longer be blocked.

So the malware warning was indeed false and, among other things, apparently also led to my blog being blocked on the DB network, as a reader informed me.

I will let the matter rest there. As a lawyer, though, one may well ask how liability for a false virus alarm would work.

Update:
I just see that Fefe is also dealing with the topic and raises the question of Avira's Störerhaftung (liability as an indirect contributor). But they are actually not a Störer here, but rather the direct infringer.

January 18 2013

Seeing peril — and safety — in a world of connected machines

I’ve spent the last two days at Digital Bond’s excellent S4 conference, listening to descriptions of dramatic industrial exploits and proposals for stopping them. A couple of years ago Stuxnet captured the imagination of people who foresee a world of interconnected infrastructure brought down by cybercriminals and hostile governments. S4 — which stands for SCADA Security Scientific Symposium — is where researchers convene to talk about exactly that sort of threat, in which malicious code makes its way into low-level industrial controls.

It is modern industry’s connectedness that presents the challenge: not only are industrial firms highly interconnected — allowing a worm to enter an engineer’s personal computer as an e-mail attachment and eventually find its way into a factory’s analytical layer, then into its industrial controls, bouncing around through print servers and USB drives — but they’re increasingly connected to the Internet as well.

Vendors counter that the perfect alignments of open doors that security researchers expose are extremely rare and require unusual skill and inside knowledge to exploit. And the most catastrophic visions — in which malicious code shuts down and severely damages a large city’s water system or an entire electrical grid — assume in many cases a level of interconnection that’s still theoretical.

In any case, industrial security appears to be advancing quickly. Security firms are able to make particularly effective use of anomaly detection and other machine-learning-based approaches to uncover malicious efforts, since industrial processes tend to be highly regular and information flows tightly prescribed. These approaches will continue to improve as the networks that feed information back to analytical layers become more sophisticated and computing power makes its way deeper into industrial systems.

The efforts of industrial security researchers seem to be paying off. In his keynote talk, Digital Bond founder Dale Peterson noted that the exposure of new vulnerabilities has slowed recently and wondered whether security might be subject to something of a predator-prey cycle, in which weak defenses in industrial controls attract hackers, which draws the attention of security researchers, who in turn drive away the hackers by closing vulnerabilities.

If that’s the case, then we’re looking at a gradual victory for the industrial Internet — as long as we don’t reach the last phase of the predator-prey cycle, in which security researchers, feeling they’ve vanquished their enemies, move on to a different challenge.


This is a post in our industrial Internet series, an ongoing exploration of big machines and big data. The series is produced as part of a collaboration between O’Reilly and GE.

June 26 2012

Four short links: 26 June 2012

  1. SnapItHD -- camera captures full 360-degree panorama and users select and zoom regions afterward. (via Idealog)
  2. Iago (GitHub) -- Twitter's load-generation tool.
  3. AutoCAD Worm Stealing Blueprints -- lovely, malware that targets inventions. The worm, known as ACAD/Medre.A, is spreading through infected AutoCAD templates and is sending tens of thousands of stolen documents to email addresses in China. This one has soured, but give the field time ... anything that can be stolen digitally, will be. (via Slashdot)
  4. Designing For and Against the Manufactured Normalcy Field (Greg Borenstein) -- Tim said this was one of his favourite sessions at this year's Foo Camp: breaking the artificial normality that we try to cast over new experiences so as to make them safe and comfortable.

March 28 2012

Four short links: 28 March 2012

  1. MS Office Exploit In The Wild, Targeting Mac OS X -- This is one of the few times that we have seen a malicious Office file used to deliver Malware on Mac OS X. (via Hacker News)
  2. Please Do Not Take Down The Sality BotNet -- best responsible disclosure ever.
  3. 3Difficult -- I’m an industrial designer at heart, and I’m saddened by what’s happened to my craft. We were once the kings of things, but for a variety of reasons I think we’re in danger of being left behind. [...] Making became the talk of the town, and to some extent it still is. We’re in the first stumbling days of the Internet of Things, and are increasingly seeing the paper thin definition between digital and tangible falling away.
  4. Air Quotes Product (Matt Webb) -- Recently I noted down some places in which traditional products have changed and he goes on to list some critical ways in which networked objects challenge our thinking. I love the little brain/big brain distinction--great to have words for these things at last!

February 10 2012

Commerce Weekly: Facebook finds a mobile commerce partner

Here are a few items that caught my eye this week.

How will Facebook cash in on mobile?

With Facebook's public filings ahead of its imminent IPO, we know now that advertising accounted for 83% of its revenue of $3.71 billion in 2011. But we also know that almost none of its revenue came from mobile users — which is a bit of a problem since mobile users are an increasingly large part of Facebook's user base. Facebook members have embraced mobile apps on smartphones and tablets, and Facebook has encouraged their use by developing and releasing apps that deliver a UI experience that is, in some ways, superior to the traditional browser-based interface.

Now, Facebook has to figure out how to make mobile pay. A deal signed this week with mobile payments firm Bango aims to help. Bango provides mobile payment services and direct billing to carriers (like Boku and BilltoMobile), so that the cost of buying things on your mobile shows up on your mobile bill. That seems like a convenient way to buy, and such services have sometimes touted themselves for nobly serving "the unbanked" — even if many of those unbanked are largely American teenagers who use the services to buy virtual goods in games. The drawback is that mobile carriers have been lukewarm to the systems because they worry about customers seeing huge mobile phone bills and complaining or switching, even if what they're seeing is made up of virtual poker chips and Smurfberries. Direct billing services have helped the carriers get over these anxieties by giving them a cut of the revenues much greater than most payment providers get, often as high as 33%.

There's no word yet on how Bango and Facebook will manage payment or what percentage of those payments will go to the telecoms. But we can imagine what goods will be sold: Facebook Credits, as Facebook last year began insisting that mobile game providers sell their virtual goods using only Facebook credits. But I would expect Facebook's position on Credits to evolve as mobile commerce grows on the site. It's one thing to force users to buy Credits so they can be dispensed within social games; it seems unnecessary when consumers are buying a wider range of digital (or physical goods) throughout their Facebook experiences, and a restriction that could limit the potential. As long as the mobile carrier is taking a cut, why couldn't Facebook take a cut as well, without having to force Facebook's virtual currency into the equation?


Google Wallet's glitches

Google Wallet is stumbling through some embarrassing growing pains as it comes under the scrutiny of white-hat hackers who are finding and publicizing security flaws. Engineers at Zvelo developed a Google Wallet Cracker app that appears to be able to break Google Wallet's encryption in seconds. Google is working to find a solution for the glitch, which exposes users' Google Wallet PIN numbers on rooted Android phones. Kate Knibbs at Mobiledia writes that the breach "validates Verizon's decision to block Google Wallet on the Galaxy Nexus," due in part to its concerns about security on the Android platform.

Meanwhile, over at TheSmartPhoneChamp.com, there's a video that highlights another security flaw in the phone. Since the Google prepaid account option within Wallet is tied to the device, not a separate Google account, someone who finds the device can open the Wallet app, clear the data, and then re-launch the app. Although the "new owner" will need to enter a PIN, the old prepaid Google account is still tied to that smartphone. I'm not certain how big a hole this is because I have no idea how much people store on their prepaid accounts — though I would hazard a guess it's not more than $300. All right, so nobody wants to lose $300, but it's not like being upside down on your mortgage.

Add to these issues the growing awareness that malware and crapware are a problem on the mobile side. To fight the malware problem, Google developed Bouncer, a program that scans for malware and spyware on Android apps. To keep out known troublesome apps, the service performs a malware and spyware scan on all submitted material. It also uses behavioral analysis to determine if a given app is trying to do something suspicious. Google doesn't stop there; it also performs fraud and abuse detection to ban and remove malware writers posing as legitimate developers. Google says it's already deployed the service and has seen a 40% drop in "potentially malicious downloads" thanks to it.

What would you buy with a QR code?

PayPal has launched a pilot with "shopping walls" in subway stations in Singapore, where you can purchase stuff by snapping a pic of the QR code while using a PayPal app on a smartphone (see a shopping wall in action here). It looks like a swell way to get some of your Valentine's Day shopping done while you're waiting for the Circle Line. Another nifty experiment would be ordering dinner from a shopping wall while waiting for your train in one station, so that it would be ready for you when you exit another. Snap the QR codes of the meals you want and checkout with PayPal. The system could even be smart enough to know when you'll pick it up, based on the station you ordered from. And there's no question of the food going to waste: The restaurant has your money and your mobile number.

That's my idea — and I freely admit that it's just because I'm late for dinner. Let me know if you've seen anyone selling meals or other interesting items via QR codes.

Got news?

News tips and suggestions are always welcome, so please send them along.


December 30 2011

Four short links: 30 December 2011

  1. Hadoop Hits 1.0 -- open source distributed computation engine, heavily used in big data analysis, hits 1.0.
  2. Sparse and Low-Rank Approximation Wiki -- interesting technique: instead of sampling at 2x the rate you need to discriminate and then compressing to trade noise for space, use these sampling algorithms to (intelligently) noisily sample at the lower bit rate to begin with. Promises interesting applications, particularly for sensors (e.g., the Rice single pixel camera). (via siah)
  3. Rise of Printer Malware -- firmware attacks embedded in printed documents. Another reminder that not only is it hard to write safe software, your mistakes can be epically bad. (via Cory Doctorow)
  4. Electric Circuits and Transistors Made From Cotton -- To make it conductive, the researchers coated cotton threads in a variety of other materials. To make conductive “wires,” the team coated the threads with gold nanoparticles, and then a conductive polymer. To turn a cotton wire into a semiconductor, it was dipped in another polymer, and then a further glycol coating to make it waterproof. Neat materials hack that might lend a new twist to wearables.

July 19 2011

Four short links: 19 July 2011

  1. Tame.js -- async programming library for use with node.js and other V8 projects. (via Hacker News)
  2. The Rise of PDF Malware (Symantec) -- detailed whitepaper showing the incident rate, techniques, and evasion techniques of PDF malware. Despite the fact that the number of PDF CVEs [Common Vulnerability/Exposure] are close to Microsoft Office’s numbers, the amount of nonunique PDF attacks Symantec has seen have increased dramatically, which shows that the PDF file format is being targeted more often within the last two years.
  3. cocos-2d -- iPhone 2d game framework. (via Chuck Toporek)
  4. Nature's Biology Textbooks -- Nature changing the textbook publishing model, trialling in California. 50+ authors write the ebook, filtered through a (hard-working, I'm guessing) editor. This beats Kindle textbook rentals hands down. Another article says of the Nature trial: each school will be testing a different licensing and access model, which I hope for some includes printing out because Princeton's Kindle trial showed (PDF) that ebooks don't measure up to print books for annotation and some other key uses. (via The Daily News)

March 03 2011

Four short links: 3 March 2011

  1. Guangzhou City Map -- Chinese city maps: they use orthographic projection (think SimCity) and not satellite images. A nice compromise for usability, information content, and invisible censorship. (via Hacker News)
  2. Broken Windows, Broken Code, Broken Systems -- So, given that most of us live in the real world where some things are just left undone, where do we draw the line? What do we consider a bit of acceptable street litter, and what do we consider a broken window? When is it ok to just reboot the system, and when do you really need to figure out exactly what went wrong?
  3. Android Malware -- black hat copied apps, added trojans, uploaded to Android Marketplace. Google were slow to respond to original developer's claims of copying, quick to react to security guy's report of malware. AppStores are not magic moneypumps in software form, no more than tagging, communities, or portals were. User contributions need editorial oversight.
  4. The League of Movable Type -- a collection of open source fonts, ready for embedding in your web pages.
