thewayne: (Cyranose)
The good news is that a non-technical jury found that Google's use of Java to create Android was not infringing. Oracle has been suing Google over this for years and the jury came back after three days of deliberation and said Google was OK with what they did. Considering that Sun, who was bought out by Oracle, also thought it was OK even though Sun didn't like it, probably was a key factor.

Revealed in the testimony was that Oracle tried to develop their own phone using Java and couldn't.

I'm not a huge fan of Google. Yes, their products are pretty good, and I use their search engine, maps, and Gmail regularly. It's their original 'Don't be evil' mantra that bugs me because they monetize everything. Now, a business has to make money to survive in business, but why couldn't they be more upfront about it?

The basic standard is that if you're not paying for a service, then YOU (and your information) is the product being sold.

Oracle is, of course, going to appeal the verdict. Had Google lost, it is rumored that they could ask for as much as $9 BILLION dollars, insert your best Dr. Evil voice as needed.

The bad news concerns Apple. Amongst the many lawsuits against it at any given time was one from VirnetX that claimed that Apple was infringing against its patents with its Facetime and iMessage apps. Yesterday they lost the case. VirnetX is a patent troll: they buy lots of patents, wait for a product that is vaguely similar to be successful the go crying to the East Texas courts. VirnetX claims that Apple has done irreparable harm to its brand, even though they've never produced a product and no one has heard of them outside of the patent troll game.

So Apple may have to cough up a heck of a lot of money, or possibly turn off iMessages and Facetime, which would suck in a major way and probably FINALLY! get the attention of Congress and the need for patent reform.

Me, personally, I don't use Facetime but I can appreciate the product. I use iMessages regularly, and I love the fact that my texts, which are all so sexy and top secret, are very strongly encrypted and my cell carrier can't see them since they're shunted through Apple's servers. So I would hate to see them go.

Apple is, naturally, going to appeal the decision.


Apple just hired the co-founder of Silent Circle, Blackphone, and PGP Corp. Jon Callas is an expert when it comes to encrypted communications, so presumably he's going to beef-up Apple crypto and possibly revamp iMessages and Facetime so they're even more secure and perhaps no longer infringe on VirnetX's patents.
thewayne: (Cyranose)
It's interesting. We're used to being presented with a Captcha box with squiggly letters that supposedly only humans can decifer (which software could in some circumstances), now Google will be presenting us with a checkbox that says 'I am not a robot.'

The little square that the text and box are in is monitored, and Google says that the characteristic of a person checking that box is unique and identifiable. I just wonder how long it will take spammers to figure out how to make the mouse pointer jiggle a little bit before checking the box. I also wonder how this will work with assistive devices for people who don't use conventional pointing devices.
thewayne: (Cyranose)
The text Lorem Ipsum is faux Latin taken from a passage by Cicero, it was most commonly used as a placeholder in texts or web pages to check layout before actual content was available. It doesn't mean anything, it's mangled Latin.


A researcher noticed that while typing Lorem in to Google Translate that it translated as 'China', further research with other words from the Lorem Ipsum block showed other peculiarities, almost as if people were using Google Translate to send secret messages. Sadly, Google Translate underwent an update that stopped these interesting translations, however, people have since found that some words from the faux text do still produce interesting results.

Coincidence, or not? We'll probably never know. I wonder if Krebs or others have filed FOIA requests with the CIA/NSA for documents related to Google Translate? Could be interesting.
thewayne: (Cyranose)
PGP stands for Pretty Good Privacy, a VERY strong crypto system that gives excellent end-to-end encryption for email users. It has been released to security researchers to poke at it to find flaws, it's not yet available to the general public but will be in the form of browser add-ins.

On the plus side: industry-standard and publicly-examined crypto. This should do an excellent job of preventing anyone from reading your email except for the intended recipient. On the down side: it can be slightly clunky to use, though the Gmail integration should make key exchanges more smooth.

In brief, this is how PGP works. The software generates a gobsmackingly-huge prime number and creates two crypto keys, a public one and a private one. You don't need to be concerned about the content of the key because it's just a huge hexadecimal mess. Let's say that you and I want to exchange email, and we've both implemented PGP. Let's call my private key A1 and my public key A2, your private key is Z1 and your public key is Z2. We give our public keys to anyone with whom we want to exchange email, but we jealously guard our private keys. When I want to send you an email, the message is encrypted on my end using A1+Z2, you decrypt it using Z1+A2. At a basic level, that's all there is to it. The software handles combining the keys and encrypting or decrypting the message, it also handles key exchanges. The thing that you have to watch out for is if you ever lose your private key, you have to notify everyone that your key was compromised, your friends delete your public key from their systems, and then you generate a new pair of keys and redistribute your public key.

Which brings up a third negative: you can't use email on a public computer without importing your key in to that system, with potential security risks if that computer has already been compromised. A lot of people store their keys on USB drives which they try to never let out of their personal control. Another negative is that if you're sending big attachments in email, it can take some time for big files to have the crypto applied/removed.

Google is doing a definitely good thing here, opening up the code to the public for review by experts, and at some cost to them: they cannot read the encrypted messages, so they can't do keyword searches and targeted advertising.
thewayne: (Cyranose)
There’s so much data available on the internet that even government cyberspies need a little help now and then to sift through it all. So to assist them, the National Security Agency produced a book to help its spies uncover intelligence hiding on the web.

The 643-page tome, called Untangling the Web: A Guide to Internet Research (.pdf), was just released by the NSA following a FOIA request filed in April by MuckRock, a site that charges fees to process public records for activists and others.

The book was published by the Center for Digital Content of the National Security Agency, and is filled with advice for using search engines, the Internet Archive and other online tools. But the most interesting is the chapter titled “Google Hacking.”

Interesting stuff. The document is a bit dated, it was last updated in 2007, but the fundamentals wouldn't change that radically.
thewayne: (Default)
"The Justice Department is defending the government's refusal to discuss — or even acknowledge the existence of — any cooperative research and development agreement between Google and the National Security Agency. The Washington based advocacy group Electronic Privacy Information Center sued in federal district court here to obtain documents about any such agreement between the Internet search giant and the security agency. The NSA responded to the suit with a so-called 'Glomar' response in which the agency said it could neither confirm nor deny whether any responsive records exist. U.S. District Judge Richard Leon in Washington sided with the government last July."
thewayne: (Default)
Heh. Yes, named after Majel Barret Roddenberry, the voice of Star Trek's computers. It'll be interesting to see how it shapes up, Google has such a huge data mine to work with it should be quite viable. I use Siri occasionally, mainly as a lark. Last night I was playing with it as a joke and I said "play one song", and got Pink Floyd's One Slip, and that was it. I have used it while driving to play a podcast, and it's definitely useful that way. One thing didn't work as expected: Apple advertised that you could say 'remind me to buy milk when I leave work', I tried it to remind me to pick up some paper for my laser printer when I left Applebee's and I didn't get a reminder, but since I remembered that I needed to hit Staples it was no big deal.
thewayne: (Default)
The thot plickens. BT alleges that Android violates:
* 6,151,309: a 2000 patent for "service provision system for communications networks"
* 6,169,515: a 2001 patent for a "Navigation information system"
* 6,397,040: a 2002 patent for location tracking of users
* 6,578,079: a 2003 patent for a "communications node for providing network based information service"
* 6,650,284: a 2003 patent for an "information system" with "a fixed part and a mobile part"
* 6,826,598: a 2004 patent for "storage and retrieval of location based information in a distributed network of data storage devices"

The suit was filed in Delaware, I'm curious why they didn't go for West Texas. It'll be interesting to see how this plays out. I'm really sick and tired of patent wars, the system has mutated far beyond what it was intended what patents should protect.
thewayne: (Default)
NFC is similar to the payment fobs tied to your credit cards that you can wave at some gas pumps to pay for purchases. It is a more sophisticated in that it's built-in to some cell phones and requires that you enter a PIN into your phone to complete the transaction, so it has a slightly higher level of security: you must have possession of the phone, know how to start the NFC payment program, and know the PIN.

The researchers attempted man-in-the-middle attacks when transacting and when registering new credit cards through the phone, and also analyzed the memory content of the phone. They discovered no blatant security issues and were unsuccessful with their MITM attacks, but they did find some unencrypted data cached in memory that did not contain sensitive information such as complete credit card numbers.

So overall, it looks like Google did a good job with their NFC implementation, though the researchers stressed that something as important and ubiquitous as this needs a lot more study. The iPhone does not yet have NFC tech built-in, it is more likely for the iPhone 5 than it was for the 4/4S. iPhones can accept credit card payments through Intuit or the Square dongle, I have a Square and it works pretty nice. But that's receiving payments, not making them.
thewayne: (Default)
This is an awesome project, and it would be nice to see it expanded. Sadly, the scanned archive will end at 1870 due to European copyright law, which apparently is a little more restrictive than US copyright law, if such a thing is possible.

I'm looking forward to cruising this material.
thewayne: (Default)
Amazon requires that your phone be set to allow apps from untrusted sources, which can open your phone to exploits. Google's app store does more inspecting, but is still not invulnerable. Amazon won't consciously allow compromised apps through, but you never know. And Amazon doesn't have a remote kill switch to remove installed apps that are found to be compromised like Google does.
thewayne: (Default)
A lot of this is in response to their getting hacked by China last year. Employees will now have the choice of a Mac or a PC running Linux, the article didn't specify which flavor.

If you need to run Windows, you have to get permission from VERY high up, you need approval from the CIO.

There's an interesting paragraph:
The move created mild discontent among some Google employees, appreciative of the choice in operating systems granted to them - an unusual feature in large companies. But many employees were relieved they could still use Macs and Linux. “It would have made more people upset if they banned Macs rather than Windows,” he added. (emphasis mine)

Ultimately, I'm sure they'll eat their own dog food and base their operations on Chrome/Android, but those platforms still need some maturing.

The article might need to be taken with a grain of salt: they quote Google's employee base as more than 10,000; there are sources saying it's more than 20k.

This was yesterday. So today, naturally, Microsoft releases a rebuttal, which I'm not going to bother going in to at any length. It's basically saying we've made lots of improvements, and the Mac is far from secure. What they don't bother mentioning is that 99% of the malware out there targets Windows because that's where the machines are.
thewayne: (Default)
It did on mine. I installed it two months ago to check it out. I went back to using Firefox because there were a couple of behaviors in Chrome that I didn't care for, so today I decided to update it and see if those behaviors had changed.

I opened Chrome and it was already at the latest version. With no interaction from me.

I do not allow ANYTHING to update software on my computer without my explicit approval. I'm not happy at all that Google would silently update their browser without my permission.

If I don't get a satisfactory answer from them soon on how I can turn this off, I'm ripping it out by the root and possibly canceling my Gmail accounts.
thewayne: (Default)
"The Mercury News reports that Google, whose stated mission is to make the world's information universally accessible, says the race and gender of its work force is a trade secret that cannot be released. So do Apple, Yahoo, Oracle, and Applied Materials. The five companies waged a successful 18-month FOIA battle with the Merc, convincing federal regulators who collect the data that its release would cause 'commercial harm' by potentially revealing the companies' business strategy to competitors. Law professor John Sims called the objections — the details of which the Dept. of Labor declined to share — 'absurd.' Many industry peers see the issue differently — Intel, Cisco, eBay, AMD, Sanmina, and Sun agreed to allow the DOL to provide the requested info. 'There's nothing to hide, in our view,' said a spokesman for Intel. Some observers note it's not the first time Google has declined to put a number on its vaunted diversity — in earlier Congressional testimony, Google's top HR exec dodged the question of how many African-American employees the company had."

There's five links in the story, so I'm just going to link the Slashdot thread.

I really love the dichotomy of Google. They publicly chant "do no evil", then in so many other ways (such as this) they're not in the least bit open.
thewayne: (Default)
From TFA: Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Linux and Mac have forced you to use Sudo to access low-level stuff for quite a while now, most Windows home users, prior to Vista, have been running as local admin, and were very vulnerable to this. Vista and Win7 made a lot of improvements in this area, but there are still far too many compromises possible.

In other news, Microsoft released a patch for this particular exploit.,2817,2358284,00.asp
thewayne: (Default)
"Microsoft still has not released a patch for a major zero-day flaw in IE6 that was used by Chinese hackers to attack Google. After sample code was posted on a website, calls began for Microsoft to release an out-of-cycle patch. Now, France has joined Germany in recommending its citizens abandon IE altogether, rather than waiting for a patch. Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well."

In all fairness, I would imagine that MS is testing a patch. The problem is that regression testing takes a lot of work, especially when you need to test it in conjunction with other patches to make sure that fixing this problem doesn't create THAT problem.

And in even more fairness, a PC World columnist says that abandoning IE is not a cure-all for security problems. And he's right. The attackers used multiple tools to compromise Google and others, ONE of these tools exploited a hitherto-unknown hole in IE. Adobe just fixed a zero-day flaw in Acrobat that could have been used in this attack, we don't yet know.

There are a couple of interesting quotes in the latter article:

I asked Kurtz about the irony that Google, makers of the Chrome Web browser, could be compromised by a flaw in Internet Explorer. Shouldn't Google be using Chrome?

Kurtz replied "It is easy to come to that conclusion, but IE is ubiquitous and is used in almost every corporation. Keep in mind, there are many enterprise applications that only work with IE--so it is difficult to just mandate an alternate browser even if you are the creator of that browser."

I'm a little surprised. As far as I know, Google uses an OS that they built for their servers. Their developers use in-house tools for their coding, so why would they be running Windows? Most likely explanation is that the attack came in through the corporate-side. Chances are their marketing and accounting departments are using Windows.

While research indicates that the Internet Explorer zero-day used in the attacks could be used on any version of Internet Explorer, even on Windows 7, the initial investigation suggests that the systems targeted were actually using Internet Explorer 6 on Windows XP. Simply using a current operating system and a current Web browser would have afforded significantly more protection.

Now this is just sad. I realize that there is huge inertia in IT in large organizations to upgrade operating systems, but this is just sad. There's no reason that Google couldn't have at least been running Vista, which, for all its multitudinous faults, is still more secure than XP. For that matter, they could have been running IE 7 or 8 on top of XP: I know for a fact that it's possible as I run IE 8 on two XP machines.

Interesting stuff.

Corporate IT inertia is a huge thing, and sometimes architectures just don't do what you want them to.
thewayne: (Default)
"After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers. Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"

Not only has the exploit been made public, it has already been incorporated in to available hack tools.

I find this advisory particularly amusing. Just Friday I got an email from the IT director at work telling everyone that they must uninstall Firefox and can only use IE. I use IE for two things. First, on a new OS install, to download Firefox. Second, to run Windows Updates. With Vista and Win7, you no longer need IE even for that.

Color me amused.
thewayne: (Default)
The CEO of Google, Eric Schmidt, says that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Schmidt tells CNBC" ...

The original article in The Register:

The Slashdot thread:

On the surface, maybe he's right. But here's where I stand: even though I (or you) might not have anything to hide, that doesn't give you (or me) the right to poke in to my personal, private life. Everyone's done something they're ashamed of, things that they don't want advertised, but it is probably more in the realm of embarrassing than illegal, and there's pretty much zero chance of cleaning it up if it gets online. But I don't care to make my life an open book and you don't have the right to poke in to it.

As a result of Schmidt's quote, the Director of Community development at Mozilla, the makers of the Firefox browser, is encouraging people to use Microsoft's Bing search engine instead of Google.

Now, I've been concerned about Google's reach for a long time. I'm not a fan of Microsoft because of MS's "crush all competitors, or buy them out" mentality, but corporate America (and maybe the world) no longer compete on quality of innovation. I'm not a fan of Bing because of interface issues, I prefer Yahoo search and occasionally use Google. Google has a corporate ethos of "Do no evil", which I read as mainly directed as support of the open source software movement and as a slap in Microsoft's face. But all it takes is one change in management and Google has huge amounts of information that could be sold to marketers.

But the CEO of Google saying 'lead a lily-white life and you have nothing to worry about' is just plain stupid.

September 2017

3 4 5678 9
101112 1314 15 16
1718 19 202122 23


RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Sep. 24th, 2017 11:04 pm
Powered by Dreamwidth Studios