Tech Today w/ Ken May

Archive for October 4th, 2017

As we mentioned earlier, Blade Runner 2049 director Denis Villeneuve commissioned three short films to bridge the gap between the original movie and his upcoming sequel. The first, featuring Jared Leto, was pretty darn good. The second, featuring Dave Bautista, was so-so. Both of those were live-action, but the third short, entitled “Black Out 2022,” is anime and it’s fantastic. It was done by Shinichiro Watanabe, the creator of the wildly popular Cowboy Bebop series. Check it out (and be warned, there’s some graphic violence).

I thought the flashback sequence was particularly artful. It was also cool to hear the return of Edward James Olmos (yes, that’s him voicing his original character), and I dug how Trixie clearly references Pris from the original film. Blade Runner 2049 will go into wide release this Friday.

Categories: reader

Google researchers have discovered at least three software bugs in a widely used software package that may allow hackers to execute malicious code on vulnerable devices running Linux, FreeBSD, OpenBSD, NetBSD, and macOS, as well as proprietary firmware. Dnsmasq, as the package is known, provides code that makes it easier for networked devices to communicate using the domain name system and the Dynamic Host Configuration Protocol. It’s included in Android, Ubuntu, and most other Linux distributions, and it can also run on a variety of other operating systems and in router firmware.

A blog post published Monday by security researchers with Google said they recently found seven vulnerabilities in Dnsmasq, three of which were flaws that allowed the remote execution of malicious code. One of the code-execution flaws, indexed as CVE-2017-14493, is a “trivial-to-exploit, DHCP-based, stack-based buffer overflow vulnerability.” Combined with a separate information leak bug Google researchers also discovered, attackers can bypass a key protection known as address space layout randomization, which is designed to prevent malicious payloads included in exploits from executing. As a result, exploits result in a simple crash, rather than a security-compromising hack. By chaining the code-execution and information leak exploits together, attackers can circumvent the defense to run any code of their choosing.

Categories: reader

US Studying Ways To End Use of Social Security Numbers For ID

Posted by kenmay on October - 4 - 2017

wiredmikey quotes a report from Security Week: U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers. “I feel very strongly that the social security number has outlived its usefulness,” Joyce said. “It’s a flawed system.” For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft. Joyce said the administration has asked officials from several agencies to come up with ideas for “a better system” which may involve cryptography. This may involve “a public and private key” including “something that could be revoked if it has been compromised,” Joyce added.

Categories: reader

AmiMoJo shares a report from The Verge: The third episode of Star Trek: Discovery aired this week, and at one point in the episode, Sonequa Martin-Green’s Michael Burnham is tasked with reconciling two suites of code. In the show, Burnham claims the code is confusing because it deals with quantum astrophysics, biochemistry, and gene expression. And while the episode later reveals that it’s related to the USS Discovery’s experimental new mycelial network transportation system, Twitter user Rob Graham noted the code itself is a little more pedestrian in nature. More specifically, it seems to be decompiled code for the infamous Stuxnet virus, developed by the United States to attack Iranian computers running Windows.

Categories: reader

Yahoo’s 2013 hack impacted all 3 billion accounts

Posted by kenmay on October - 4 - 2017

Last year Yahoo (now part of Oath along with AOL after its acquisition by Verizon) announced that back in 2013, hackers had stolen info covering over one billion of its accounts. Today, the combined company announced that further investigation reveals the 2013 hack affected all of its accounts that existed at the time — about three billion. The information taken “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” For users being notified of the hack now, the notification is that their information is included. At the time the breach was first announced, Yahoo required everyone who had not reset their passwords since the breach to do so. According to the FAQ posted, it doesn’t appear there’s any new action being taken. The announcement isn’t very specific about why or how it determined the breach was so much larger — or how it was missed in the original forensic analysis, or how this happened in the first place — likely due to pending lawsuits over the issue.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

Source: Oath, Yahoo FAQ

Categories: reader

Earlier today, Microsoft and Samsung announced the latest Windows Mixed Reality headset: the Samsung HMD Odyssey. At $499, it’s certainly one of the pricier options out of all the Windows Mixed Reality headsets so far. And for good reason. Not only does it come with integrated AKG headphones — which is very similar to the Rift’s design — it has absolutely stunning image quality. The HMD Odyssey is equipped with dual 3.5-inch AMOLED displays, each of which has a 1,440 x 1,600 resolution with a refresh rate of 90 to 60 hertz. The result is a brilliantly sharp and crisp virtual environment — when I took a brief Holotour of Machu Picchu, I genuinely felt like I was there, floating above the mountains on a hot air balloon. Color reproduction is fantastic, and there was none of the screendoor effect that so often plagues VR headsets of lesser quality. The 110-degree field of view also contributes to the feeling of immersion, which is especially apparent when viewing 360-degree videos and photos.

Yet, this thing is pretty big. It measures 202mm x 131.5mm x 111m and it weighs in at a whopping 625 grams. That’s definitely a lot heavier than the Acer’s 380 grams. It also just looks pretty bulky on the whole. That said, when I placed the whole thing on my head, it didn’t feel so bad. It fits nice and snug, and I loved the feeling of the leather padding around my head. I could see myself wearing this for a few hours at a time. Other specs of the HMD Odyssey include two cameras on the front, each of which gives the headset six degrees of freedom. It also has a proximity sensor, an IPD sensor, a built-in microphone, volume adjustment and a couple of dials that help you find the right fit and focus. I also like it that you can wear the headset while wearing your glasses.

During my demo, I had a chance to try out the new Halo Recruit title for a few minutes. As was teased, it’s not quite a game as much as a demo of what Halo could look like in VR. Most of what I did was fire at moving targets in a tutorial phase. I found that targeting is sometimes an issue, as I couldn’t just look at something to aim (like I can with a lot of other VR games); I had to actually really aim at it with my virtual gun. Still, it was just my first experience with it and I can see myself getting better over time. The Halo Recruit demo will be available on October 17th for free from the Windows Store, along with 20,000-plus other apps made for Windows Mixed Reality. Samsung’s HMD Odyssey is available for pre-order today, with a ship date of November 6th.

Categories: reader

You’d think that government agencies would be reticent to work with Equifax given that it just exposed the private info of more than 145 million people through a preventable hack, but a massive data breach apparently isn’t enough of a deterrent. The Internal Revenue Service recently awarded Equifax a fraud prevention contract that will have it verifying taxpayer identities. And crucially, it was a no-bid, “sole source” contract — Equifax was deemed the only company capable of fulfilling demand. In practice, officials didn’t have much of a choice. Credit reporting in the US is dominated by three large companies (Equifax, Experian and TransUnion), and Equifax is arguably the powerhouse of the bunch. However, that only underscores the problem here: the IRS had to trust a crucial anti-fraud system to a company that not only had sloppy online security practices, but has been reluctant to take full responsibility for its mistakes. There’s a real chance that the hack will get Equifax to clean up its act in time to improve its handling of IRS data. We wouldn’t count on it, though, and there’s always the possibility that the IRS will fall afoul of the kind of data breach that prompted this anti-fraud contract in the first place.

Via: Politico
Source: FedBizOpps.gov

Categories: reader