Apple Pay Rival CurrentC Has Been Hacked

by tanuki64@pipedot.org in security on 2014-10-30 16:32 (#2TT4)

TechCrunch reports:
MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others, who are backing a mobile payments solution CurrentC meant to rival newcomer Apple Pay, has been hacked.
CurrentC is still in its pilot phase. Only emails of the early app testers have been stolen. No payment data or other personal information. Furthermore, since the project is still in the pilot phase, many of those emails belonged to dummy accounts.

Since there might be a war coming between CurrentC, Apple Pay, Google Wallet, and perhaps the established credit card companies, it would be easy to construct a nice conspiracy theory. However: Never ascribe to malice that which is adequately explained by incompetence. And even incompetence does not describe it correctly. The developers of each of those systems on the one side are probably vastly outmatched by the black hats, who try to break it, on the other side. And the black hats just need to find one single implementation error, while the developers have to anticipate everything. In cases like this, where real money can be made, Linus's Law is definitely applicable.

What does it mean for the customers? They should be extra careful. Neither Apple, nor Google, nor MCX has much experience as a payment service provider. Their technologies are new and most certainly will have weaknesses, which is bad. But also for the courts these systems will be uncharted waters. For a duped user this might even be worse. So before using one of those shiny new and convenient payment options: Read the fine print in the contracts. Check who carries the risk and the burden of proof in case of a misuse.

ChromeOS and Android to remain separate for now

by zafiro17@pipedot.org in mobile on 2014-10-29 12:31 (#2TS3)

CNET just interviewed Brian Rakowski, Google's vice president of product management for Android, who has confirmed that the two teams in charge of the Android mobile device software and the Chrome OS software for PCs [should] work together much more. But that won't mean sweeping changes, at least for now.

"There's no plans to change the way the products work," said Rakowski. That might be disappointing to fans of Android who were hoping to see convergence of the two product lines as a result of internal reorganization that sees both Android and Chrome being developed under the same division.
Android and Chrome, both headed by Google Senior Vice President Sundar Pichai, are important businesses to Google. The company's cash cow is still search and advertising -- now a $50 billion a year business -- but Google CEO and co-founder Larry Page has called Android "the future" of the company.
There's some more, related commentary at OSNews.

wget prior to 1.16 allows for a web server to write arbitrary files on the client side

by Anonymous Coward in security on 2014-10-29 12:25 (#2TS1)

Here's a concern for most of us. Be aware that the popular program wget, in versions prior to 1.16, allows for an FTP server to write arbitrary files on the client side. Wget is commonly used in shell scripts to get files or web pages from servers for further processing locally. Wget has many other uses as well, and is an important part of much command line sorcery.

A Metasploit module is available for testing:

https://github.com/rapid7/metasploit-framework/pull/4088

The disclosure is here:

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

Red Hat's bug is here:

https://bugzilla.redhat.com/show_bug.cgi?id=1139181
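
A defender-side check, added here as an example and not part of the submission or the wget project: it classifies a wget version string against the 1.16 boundary mentioned above, extracts the version from `wget --version` output, and appends `retr_symlinks = on` to a wgetrc file so that wget downloads the target of an FTP symlink instead of recreating the symlink on the client (the `retr-symlinks` option the Rapid7 disclosure linked above recommends as a workaround). The sample version line and the wgetrc path used in the usage section are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Pipedot post or the wget project.
# Checks whether a wget version predates the 1.16 fix and hardens a wgetrc
# file so FTP symlinks are fetched as files rather than recreated locally.

# Return 0 (true) when a "MAJOR.MINOR[.PATCH]" version string is older than 1.16.
wget_version_is_vulnerable() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # Keep only the leading digits (e.g. "15-rc1" -> "15").
    major=$(printf '%s' "$major" | sed 's/[^0-9].*$//')
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*$//')
    [ -z "$major" ] && return 1
    [ -z "$minor" ] && minor=0
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 16 ]; then return 0; fi
    return 1
}

# Pull the version number out of the first line of `wget --version` output,
# which looks like "GNU Wget 1.15 built on linux-gnu." (constructed sample below).
parse_wget_version() {
    printf '%s\n' "$1" | sed -n '1s/^GNU Wget \([0-9][0-9.]*\).*/\1/p'
}

# Append "retr_symlinks = on" to the given wgetrc unless it is already enabled.
# wget accepts both "retr_symlinks" and "retr-symlinks" as the wgetrc command name.
ensure_retr_symlinks() {
    rc=$1
    if [ -f "$rc" ] && grep -Eq '^[[:space:]]*retr[-_]symlinks[[:space:]]*=[[:space:]]*on' "$rc"; then
        return 0
    fi
    printf '%s\n' 'retr_symlinks = on' >> "$rc"
}

# Usage against the real binary (only when run directly; wgetrc path is an assumption):
#   v=$(parse_wget_version "$(wget --version 2>/dev/null)")
#   if wget_version_is_vulnerable "$v"; then ensure_retr_symlinks "$HOME/.wgetrc"; fi
```

The version check is deliberately independent of an installed wget so it can be run in CI over an inventory of version strings; the wgetrc step is idempotent, so re-running it does not duplicate the line.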

Orbital Sciences' Antares rocket and Cygnus cargo spacecraft explode moments after launch

by evilviper@pipedot.org in space on 2014-10-29 00:27 (#2TRQ)

An unmanned NASA-contracted rocket exploded early Tuesday evening along the eastern Virginia coast, causing a huge fireball. Video shows the rocket rising into the air for a few seconds before an explosion. It then plummets back to Earth, causing more flames as it hits the ground. NASA tweeted that the failure occurred six seconds after launch. Afterward, the launch director said on NASA's feed that all personnel were accounted for and that no injuries were reported.

According to NASA, the Orbital Sciences Corp.'s Antares rocket and Cygnus cargo spacecraft were set to launch at 6:22 p.m. ET from the Wallops Flight Facility along the Atlantic Ocean. It was set to carry some 5,000 pounds of supplies and experiments to the International Space Station. Since the end of NASA's space shuttle program, it has relied on private companies -- specifically Orbital Sciences and SpaceX -- to bring materials to the space station, albeit using NASA facilities for launch. Tuesday's launch was supposed to be the fourth flight for Orbital until it ended, as the company acknowledged in a statement, in "catastrophic failure," marking the first accident since NASA turned to private operators to deliver cargo to the International Space Station.

Verizon Wireless uniquely identifies your traffic for all to see

by tierack@pipedot.org in internet on 2014-10-28 16:06 (#2TRD)

Wired reports that Verizon inserts a unique identifier into all HTTP requests going over its wireless network, subverting Do Not Track, private browsing sessions, using different browsers, or moving around their network. Verizon has an opt out page, but it only opts you out of having it being used by Verizon and its partners for targeting ads based on it. Obviously, anyone else seeing the headers is under no agreement to not use them to build a profile of you. There are anecdotal reports AT&T may be doing the same. Security researcher Kenneth White set up a page to check for this header with more information.

More than 350,000 AT&T customers apply for "cramming" refunds

by evilviper@pipedot.org in legal on 2014-10-28 15:50 (#2TRC)

After spending most of the last decade profiting off of cramming, AT&T this month was finally held accountable by the government and fined $105 million by the FTC, FCC, and state governments. A similar investigation is ongoing against T-Mobile, and you can likely expect similar settlements in time with both Verizon and Sprint, who also turned a blind eye for years while scammers bilked their customers (because they netted 30-40% of the profits). The FTC case against AT&T is a great read detailing at length how AT&T not only turned a blind eye to the scams, but actually made it harder for customers to identify they were being scammed and to obtain refunds.

With the customer refund process underway, the FTC tells Time that more than 359,000 customers have already applied for refunds, with many more expected. AT&T of course generates $105 million in about the time it took me to write this post, and the money they made off these scams was potentially dozens of times larger than the fine. Still, it's nice to see the government do its job when big companies are involved, as for most of the decade the FTC and FCC ignored how large carriers helped make these scams possible. Customers need to file their claim before May 1, 2015.

FCC Postpones Auction Of Broadcast TV Spectrum To 2016

by evilviper@pipedot.org in mobile on 2014-10-27 06:20 (#2TQT)

The FCC has been working on a voluntary auction of broadcast TV frequencies for years, with plans to have it take place in mid-2015. But today the agency says it will postpone the sale to early 2016 as it grapples with a lawsuit from the National Association of Broadcasters complaining that many TV stations would end up with reduced coverage areas. Supporters of the auction say that unless wireless service providers have more spectrum, the fast-growing ranks of consumers using smart phones, tablets, and other mobile devices will face dropped calls, dead zones, slow speeds, and high prices. The Obama administration is eager to free up 300MHz of bandwidth over five years, and 500MHz over a decade. That will be hard to accomplish without help from broadcasters – the biggest users of spectrum outside of the military, and operating on frequencies with propagation characteristics that are particularly desirable for mobile service providers.

The FCC has also said that its auction could be a windfall for some stations because they would share some of the proceeds. In fact a full-power TV station in Los Angeles could get as much as $570 million for its spectrum in the federal incentive auction. It's little wonder, then, that Los Angeles area public broadcast stations KCET and KLCS already announced joining forces to split a single over-the-air broadcast television channel, even as their business and programming operations remain separate, in order to free a channel for auction.

This delay comes shortly after the FCC pushed back the digital switch-over date for translators and low-power TV stations (from September 2015), allowing them another year to see how the auction results will affect their licenses, but now may require yet another delay, which seems just as well, as the spectrum auction actually gives no consideration to their facilities at all, likely repurposing their channels, with no guarantee there will be any other slots left available for them to switch over to. This has some lawmakers taking up their cause, trying to ensure the survival of small community TV stations, and all broadcast TV in remote areas.

New G.fast standard offers gigabit DSL over short distances

by evilviper@pipedot.org in hardware on 2014-10-25 20:30 (#2TQA)

At the Broadband World Forum in Amsterdam this week, several companies are announcing and demonstrating products that bring DSL -- or digital subscriber line -- into a future with a speed of 1 gigabit per second. That's about 1,000 times the data-transfer speed the technology offered when it arrived in the late 1990s. The DSL upgrade comes through a new technology called G.fast. The technology should arrive in homes starting in 2016.

Much of the world doesn't have cable-TV infrastructure at all, and still less of it has fiber-optic connections. Phone networks, though, are widely used, and covered about 422 million DSL subscribers globally in 2013, according to analyst firm IHS. That should rise to 480 million by 2018. But reflecting the competitive threat to DSL equipment makers, fiber optic links are expected to spread much more rapidly -- from 113 million in 2013 to 200 million in 2018. European customers are likely to favor G.fast in particular, Triductor CEO Tan Yaolong said. That's because labor costs are very high in that region, which discourages extensive renovation projects.

To meet its full gigabit-per-second potential, G.fast connections will require broadband providers to use network equipment close to the customers' buildings -- 50 meters (about 160 feet) or less. A 200-meter distance will still be good enough for about 600Mbps. That's why broadband providers have been placing their network gear closer to homes -- often in boxes under sidewalks, in cabinets by roads, or boxes attached to telephone poles. That's also why it's so expensive to upgrade broadband networks: the ISPs have had to extend their networks to bring that network gear closer to their customers.

Lunduke says the LXDE Desktop is "Nothing to write home about"

by zafiro17@pipedot.org in linux on 2014-10-24 20:02 (#2TP9)

Somebody just go ahead and call this article a troll. That's essentially what it is. But heck, maybe it will get some discussion going. Linux pundit Bryan Lunduke over at Network World has spent some time using the LXDE desktop and writes: I've used LXDE for weeks, and I'm still having trouble finding much to say about it. That's not a good sign. What the hell, man?
I feel like, after all this time, I should have something interesting to talk about. But I just plain don’t.

It’s fast, blisteringly fast. And it’s damned lightweight too. After that, things get pretty boring. LXDE is built on GTK+, which means GTK-based apps are right at home. So that’s a plus, I suppose. Though that really isn’t a problem on any desktop environment I’ve tried so far. But… you know… it’s something that I can write down about it. After that, things get average and mundane… in a hurry.
I'm not sure what the issue is: in my opinion, LXDE is simple, intuitive, and stays the heck out of your way so you can work. How can that possibly be a negative? So, go ahead: insult the author. Then the guy who submitted this article (me) and posted it (me again). Then discuss. I'm verklempt.

Friday Distro: Redo Backup & Recovery

by zafiro17@pipedot.org in linux on 2014-10-24 10:53 (#2TNW)

Too many Linux distros out there seem to be pet projects, focused on minor choices of theme and desktop environment. Redo Backup & Recovery is much more focused and is worth a look as a useful and important sysadmin tool. For starters, note they don't even bother to call it a distro: the fact that there's Linux underneath is not the point. But take a closer look and it's obvious that it's the power of Linux that makes this thing possible.

RB&R is simple: you download it and burn it to a disk or USB stick you then use to back up your machines. Boot the machine from your B&R disk, and let it work its magic. RB&R will mount the machine's partitions, and create a backup you can store elsewhere, say on a network share. If that machine ever gets misconfigured, virus-infected, or anything else, you can simply restore one of the backups as though it were a bare-metal restore. It's essentially OS-agnostic, permitting sysadmins to back up and restore Windows or Linux machines with equal ease (it's not clear how good its Mac support is though!). It's graphical, auto-configs network shares, and because you make the backup by booting the machine from your disk/USB stick, you don't even have to have login rights on that machine.

The whole thing is a simple 250MB disk image that gets you a graphical interface based on Openbox. Under the hood, it's simply a clever GPLv3 Perl script that leverages GTK2+ and Glade, plus partclone, which does the block-level disk backup or re-imaging. Partclone supports ext2/3/4, HFS+, reiserfs, reiser4, btrfs, vmfs3/5, xfs, jfs, ufs, ntfs, fat(12/16/32), and exfat.

I like this approach: they don't make much noise about Linux; they just present a useful tool any sysadmin would be grateful to be able to use. It is tightly focused on providing a single service and doesn't get wrapped up in troubles related to inevitable "feature creep". It does one thing, and does it well. I know my openSUSE box has recovery tools built into its YaST management system, but my brief test shows B&R is way easier, user-friendly, and hassle-free. I will be continuing to use it as recovering from an image is way easier and undoes the inevitable trouble I get into by downloading and experimenting with software packages that eventually combine to hose my system. Give it a look for yourself, and sleep a bit easier.