Tech Today w/ Ken May

Archive for May 24th, 2017

Millions of people risk having their devices and systems compromised by malicious subtitles, according to new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes or, in some cases, are working on them. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of their users. Researchers from Check Point, who uncovered the problem, describe the subtitle ‘attack vector’ as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. “By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” they write. Read more of this story at Slashdot.

Categories: reader

A half-lap joint is good-looking, functional and, once you get good at it, quick to cut with hand tools. But even if you get the joint to fit snugly, the intersections may show ugly gaps due to slight imperfections in your sawing or chiseling technique. Traditional Japanese woodworking has a method to completely erase those gaps, and to get the joint fitting so tightly that when removed, you can actually see the imprint of one workpiece on the other. The technique is called kigoroshi, and here’s how they do it. (Sorry folks, the creator has disabled embedding.) See Also: The Ultimate Wood Joint Visual Reference Guide

Categories: reader

JSON Feed Announced As Alternative To RSS

Posted by kenmay on May - 24 - 2017

Reader Anubis IV writes: With Slashdot recently asking whether we still use RSS, it may come as a surprise that something interesting has happened in the world of news feeds this week. JSON Feed was launched as an alternative to RSS and Atom, eschewing the XML they rely on — which is frequently malformed and difficult to parse — in favor of a human-readable JSON format that reflects the decades of combined experience its authors have in the field. The JSON Feed spec is a simple read that lays out a number of pragmatic benefits the format has over RSS and Atom, such as eliminating duplicate entries, adding the ability to paginate feeds so that old entries remain available, and reducing the need for clients to scrape sites to find images and other resources. Given that it’s authored by the developers behind one of the earliest popular RSS clients and a recently Kickstarted blogging platform, the format is intended to address the common pain points currently faced by developers when producing and parsing feeds. While it remains to be seen whether JSON Feed will escape the chicken-and-egg stage of adoption, several clients have already added support for the fledgling format in the week since its announcement, including Feedbin, Inoreader, and NewsBlur. Read more of this story at Slashdot.
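The two benefits the post singles out, duplicate elimination and pagination via a next-page link, are easy to see in a small defensive reader. This is an added example, not code from the JSON Feed project or from the post; the feed pages, the `feed.example` URLs and the `FEED_PAGES` stand-in for HTTP fetching are constructed here, and the second page deliberately links back to the first so the reader has to cope with a cycle.

```python
import json

# Constructed sample (not from the page): two pages of a JSON Feed, the second
# reachable through the first page's "next_url". URLs are placeholders.
FEED_PAGES = {
    "https://feed.example/feed.json": json.dumps({
        "version": "https://jsonfeed.org/version/1",
        "title": "Example Feed",
        "next_url": "https://feed.example/feed.json?page=2",
        "items": [
            {"id": "1", "title": "First", "content_text": "one"},
            {"id": "2", "title": "Second", "content_text": "two"},
        ],
    }),
    "https://feed.example/feed.json?page=2": json.dumps({
        "version": "https://jsonfeed.org/version/1",
        "title": "Example Feed",
        "next_url": "https://feed.example/feed.json",  # back-link: a cycle
        "items": [
            {"id": "2", "title": "Second (republished)", "content_text": "two"},
            {"id": "3", "title": "Third", "content_html": "<p>three</p>"},
        ],
    }),
}


def parse_page(text):
    """Validate one feed page; reject anything that is not a well-formed feed."""
    feed = json.loads(text)
    if not isinstance(feed, dict) or any(k not in feed for k in ("version", "title", "items")):
        raise ValueError("not a JSON Feed object with version, title and items")
    if not str(feed["version"]).startswith("https://jsonfeed.org/version/"):
        raise ValueError("unrecognised feed version")
    for item in feed["items"]:
        if not isinstance(item, dict) or not item.get("id"):
            raise ValueError("every item needs a non-empty id")
    return feed


def collect_feed(start_url, fetch=FEED_PAGES.__getitem__, max_pages=10):
    """Follow next_url pagination, dedupe items by id, and stop on cycles."""
    items, seen_ids, visited = [], set(), set()
    url = start_url
    while url and url not in visited and len(visited) < max_pages:
        visited.add(url)
        feed = parse_page(fetch(url))
        for item in feed["items"]:
            if item["id"] not in seen_ids:  # first occurrence wins
                seen_ids.add(item["id"])
                items.append(item)
        url = feed.get("next_url")
    return items
```

The visited set and `max_pages` bound are what keep a hostile or misconfigured feed from making the reader loop or fetch without limit.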

Categories: reader

45,000 years ago, in an area that is now part of Ethiopia, humans found a roomy cave at the base of a limestone cliff and turned it into a special kind of workshop. Inside, they built up a cache of over 40 kilograms of reddish stones high in iron oxide. Using a variety of tools, they ground the stones into different colored powders: deep reds, glowing yellows, rose grays. Then they treated the powder by heating it or mixing it with other ingredients to create the world’s first paint. For at least 4,500 years, people returned to this cave, known today as Porc-Epic, covering its walls in symbols and inking their bodies and clothes. Some anthropologists call it the first artist’s workshop. Now, a new study in PLoS One suggests that the cave offers us a new way to understand cultural continuity in the Middle Stone Age, when humans were first becoming sophisticated toolmakers and artisans. Paleoscientists Daniela Eugenia Rosso, Francesco d’Errico, and Alain Queffelec have sorted through the 4,213 pieces of ochre found in the cave, analyzing the layers of history they represent. They argue that Porc-Epic is a rare continuous record of how humans pass on knowledge and rituals across dozens of generations.

Categories: reader

FCC stonewalls demands for evidence of cyberattack

Posted by kenmay on May - 24 - 2017

The FCC swears that a denial of service attack hit its servers hours after Last Week Tonight‘s John Oliver rallied support for net neutrality, but where’s the evidence? Well, don’t expect it any time soon. In an interview with ZDNet, the regulator’s David Bray says the FCC won’t release the logs that might show who was responsible for the incident. The logs contain private info like IP addresses, he says. Bray does note that there wasn’t a botnet involved, though — instead, the traffic came from commercial cloud services using the FCC’s public programming interface. But if it wasn’t a botnet, then who was involved? Some critics are concerned that the FCC isn’t exactly being forthright. The advocacy group Fight for the Future tells ZDNet that the FCC should disclose information “to the appropriate authorities and to journalists” to have them investigate the data while maintaining privacy. And if there’s an organization behind the attack, the group says, the FCC should divulge who it is. That it isn’t is worrying — does the Commission not know, or is it trying to hide the origins? Fight for the Future is concerned that the traffic is either from net neutrality supporters (and thus evidence that the FCC couldn’t/wouldn’t handle opposition to its net neutrality rollback) or opponents trying to stifle criticism. And unfortunately, there’s circumstantial evidence that might support either theory. Anti-net neutrality bots recently flooded the FCC’s comments, and Chairman Ajit Pai even suggested that he might honor these obviously fake statements. It doesn’t help that the FCC has since gone into a “sunshine period” where it won’t take new public comments on decisions. And it’s no secret that telecoms are less than fond of net neutrality proponents, especially when they try to expose astroturfing campaigns. Simply put, both the current FCC and internet providers have a vested interest in downplaying net neutrality’s supporters while enshrining its critics.
The FCC says it has since upgraded its website to better handle loads, so it isn’t completely unresponsive. Without more disclosures about what happened around the attack, though, it’s impossible to know just how honest it really is — and it’s not helping its case by being unresponsive to public outcries. Via: Gizmodo. Source: ZDNet (1), (2)

Categories: reader

New York forces smart lock maker to improve its security

Posted by kenmay on May - 24 - 2017

Smart locks promise the security of a traditional lock without the need to carry around a key. Most can be unlocked with a mobile app or an RFID-equipped card you can store in your wallet. Unfortunately, they’re also pretty easy to hack open. The office of New York’s attorney general, Eric T. Schneiderman, announced a settlement today with one such smart lock manufacturer. Utah-based Safetech Products has agreed to encrypt all of its smart lock passwords, electronic keys and other credentials within its locks, prompt users to change the default password upon initial setup and establish a more comprehensive security program. Safetech makes both padlocks and door locks, each available on Amazon. According to the New York AG’s office, independent security researchers found that the company’s locks did not secure passwords or other security information in its locks, which left customers open to hacking and theft. “Companies employing new technologies must implement and promote good security practices and ensure that their products are secure, including through the use of encryption,” Schneiderman said in a statement. “Together, with the help of companies like Safetech, we can safeguard against breaches and illegal intrusions on our private data.” While this may be the first time an attorney general has taken legal action against a smart lock company like this, it won’t likely be the last. Kwikset was sued recently for its SmartKey lock’s alleged culpability in the rape and murder of a young woman in Florida by the building security guard. While not a true smart lock, the lock in question has a programmable cylinder that can be made to work with any key, which can be used to give temporary access to anyone. It’s also easily broken into with a screwdriver and a paper clip. As we all turn to smart devices and the Internet of Things in our lives, it becomes even more important to make sure we’re being protected from both hackers and ourselves.
The settlement with Safetech could be the first big step towards companies building better security into their smart devices. “The devices in our homes are increasingly connected to the internet—posing new privacy & security risks to consumers. We’re taking action.” — Eric Schneiderman (@AGSchneiderman) May 23, 2017. Source: New York Attorney General’s office

Categories: reader