Judge orders unmasking of Amazon.com “negative” reviewers

A federal judge has granted a nutritional supplement firm’s request to help it learn the identities of those who allegedly left “phony negative” reviews of its products on Amazon.com. The decision means that Ubervita may issue subpoenas to Amazon.com and Craigslist to cough up the identities of those behind a “campaign of dirty tricks against Ubervita in a wrongful effort to put Ubervita at a competitive disadvantage in the marketplace.” (PDF). According to a lawsuit by the maker of testosterone boosters, multivitamins and weight loss supplements, unknown commenters had placed fraudulent orders “to disrupt Ubervita’s inventory,” posted a Craigslist ad “to offer cash for favorable reviews of Ubervita products,” and posed “as dissatisfied Ubervita customers in posting phony negative reviews of Ubervita products, in part based on the false claim that Ubervita pays for positive reviews.”

Emergency Windows update revokes dozens of bogus Google, Yahoo SSL certificates

Microsoft has issued an emergency update for most supported versions of Windows to prevent attacks that abuse recently issued digital certificates impersonating Google and Yahoo. Company officials warned other undiscovered fraudulent credentials for other domains may still be in the wild. Thursday’s unscheduled update revokes 45 highly sensitive secure sockets layer (SSL) certificates that hackers managed to generate after compromising systems operated by the National Informatics Centre (NIC) of India, an intermediate certificate authority (CA) whose certificates are automatically trusted by all supported versions of Windows. Millions of sites operated by banks, e-commerce companies, and other types of online services use the cryptographic credentials to encrypt data passing over the open Internet and to prove the authenticity of their servers. As Ars explained Wednesday, the counterfeit certificates pose a risk to Windows users accessing SSL-protected sections of Google, Yahoo, and any other affected domains. “These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties,” a Microsoft advisory warned. “The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.”

Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices. The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview here of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000. According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.

Deep-sea streaming: 500-mile NEPTUNE cabling brings Internet to the ocean floor

[Image: Your home Ethernet cable doesn’t deal with any of this ish—pictured here, a sea star and a squat lobster—behind some desk. Credit: NEPTUNE Canada]

The Juan de Fuca tectonic plate is by far one of the Earth’s smallest. It spans just a few hundred kilometers of the Oregon, Washington, and British Columbia coast. But what the Juan de Fuca lacks in size it makes up for in connectivity. It’s home to a unique, high-speed optical cabling that has snaked its way across the depths of the Pacific seafloor plate since late 2009. This link is called NEPTUNE—the North-East Pacific Time-Series Underwater Networked Experiment—and, at more than 800 kilometers (about 500 miles), it’s about the same length as 40,000 subway cars connected in a single, long train. A team of scientists, researchers, and engineers from the not-for-profit group Oceans Network Canada maintains the network, which cost CAD $111 million to install and $17 million each year to maintain. But know that this isn’t your typical undersea cable. For one, NEPTUNE doesn’t traverse the ocean’s expanse, but instead loops back to its starting point at shore. And though NEPTUNE is designed to facilitate the flow of information through the ocean, it also collects information about the ocean, ocean life, and the ocean floor.

$1,099 iMac review: lose 50% of your performance to save 18% of the money

[Image: Technically, this is the $1,299 iMac, not that you’d be able to tell the difference. Credit: Andrew Cunningham]

Apple’s new $1,099 iMac will undoubtedly be a popular computer. People in the know who want the most computing bang for their buck would be smarter to step up to a higher-end model, but there are plenty of people—casual users, schools, businesses—who just want an iMac that’s “fast enough,” not one that’s “as fast as it could possibly be.” For those people, we obtained one of the new entry-level iMacs so we could evaluate its performance. On paper, it sounds like a big step down—you’re going from a quad-core desktop processor and GPU to a dual-core Ultrabook processor and GPU. This new iMac and the base MacBook Air models in fact use the exact same processor, even though historically there’s been a big performance gap between MacBook Airs and iMacs. In practice, the story is more complicated. Let’s talk about what the new low-end iMac changes, and then we’ll spend some time looking at processor performance.

Millions of dynamic DNS users suffer after Microsoft seizes No-IP domains

Millions of legitimate servers that rely on dynamic domain name services from No-IP.com suffered outages on Monday after Microsoft seized 22 domain names it said were being abused in malware-related crimes against Windows users. Microsoft enforced a federal court order making the company the domain IP resolver for the No-IP domains. Microsoft said the objective of the seizure was to identify and reroute traffic associated with two malware families that abused No-IP services. Almost immediately, end-users, some of whom were actively involved in Internet security, castigated the move as heavy-handed, since there was no evidence No-IP officially sanctioned or actively facilitated the malware campaign, which went by the names Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm). “By becoming the DNS authority for those free dynamic DNS domains, Microsoft is now effectively in a position of complete control and is now able to dictate their configuration,” Claudio Guarnieri, co-founder of Radically Open Security, wrote in an e-mail to Ars Technica. “Microsoft fundamentally swept away No-IP, which has seen parts of its own DNS infrastructure legally taken away.”

Burglar logs in to Facebook in victim’s house, forgets to sign off

[Image: Nicholas Wig. Credit: Dakota County Sheriff’s Office]

A 27-year-old Minnesota man appears to have violated at least two tenets of the digital age: Never log in to your Facebook account in a stranger’s house you’re burglarizing, and don’t forget to sign off if you do. Such egregious violations have led to the arrest of a South St. Paul man charged with burglary allegations. Nicholas Steven Wig is accused of stealing cash, credit cards, a watch, a checkbook, and other items. When the victim came home last week, he noticed a screen missing from a window and his house in disarray. He also discovered his home computer was open to a Facebook page of one “Nick Dub,” who turned out to be Wig, police said.

Running WordPress? Got webshot enabled? Turn it off or you’re toast

A zero-day vulnerability in the popular TimThumb plugin for WordPress leaves many websites vulnerable to exploits that allow unauthorized attackers to execute malicious code, security researchers have warned. The vulnerability, which was disclosed Tuesday on the Full Disclosure mailing list, affects WordPress sites that have TimThumb installed with the webshot option enabled. Fortunately, it is disabled by default, and sites that are hosted on WordPress.com are also not susceptible. Still, at press time, there was no patch for the remote-code execution hole. People who are unsure if their WordPress-enabled site is vulnerable should open the timthumb file inside their theme or plugin directory, search for the text string “WEBSHOT_ENABLED,” and ensure that it’s set to false. When “WEBSHOT_ENABLED” is set to true, attackers can create or delete files and execute a variety of other commands, Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Thursday. He said uploading a file to a vulnerable site was possible using URLs such as the following, where a.txt was the file being created:

Are those lost IRS e-mails “unbelievable”? Not really

[Image: Former IRS official Lois Lerner giving testimony to a Congressional committee in 2013. The IRS says it can’t find her e-mails from before 2011.]

During a hearing held yesterday by the House Oversight Committee, Committee Chairman Darrell Issa said that it was “unbelievable” that the IRS had lost the e-mails of former IRS official Lois Lerner. While Congressman Issa is not generally ignorant on tech issues, he’s clearly not familiar with just how believable such a screw-up is. The IRS claims that many of Lerner’s e-mails were lost when the hard drive on her desktop computer crashed in 2011. In a Monday night hearing, IRS Commissioner John Koskinen told Issa and the Oversight Committee that there was no way to recover these e-mails. “If you have a magical way for me to do that,” he told Issa, “I’d be happy to hear about it.” The IRS is not the only federal agency to lose e-mails over the past few years. In fact, despite efforts at many agencies to standardize and improve e-mail by moving to services like Google Apps for Government and Microsoft Office 365 Government, many agencies still run their e-mail like it’s 1999. It’s not just a technology issue—it’s an IT policy issue, a staffing issue, and a cultural issue within government, one that the federal government shares with many private corporations.

Mint 17 is the perfect place for Linux-ers to wait out Ubuntu uncertainty

The team behind Linux Mint unveiled its latest update this week—Mint 17 using kernel 3.13.0-24, nicknamed “Qiana.” The new release indicates a major change in direction for what has quickly become one of the most popular Linux distros available today. Mint 17 is based on Ubuntu 14.04, and this decision appears to have one major driver. Consistency. Like the recently released Ubuntu 14.04, Mint 17 is a Long Term Support Release. That means users can expect support to continue until 2019. But even better, this release marks a change in Mint’s relationship with Ubuntu. Starting with Mint 17 and continuing until 2016, every release of Linux Mint will be built on the same package base—Ubuntu 14.04 LTS. With this stability, instead of working to keep up with whatever changes Ubuntu makes in the next two years, Mint can focus on those things that make it Mint. With major changes on the way for Ubuntu in the next two years, Mint’s decision makes a lot of sense. Not only does it free up the Mint team to focus on its two homegrown desktops (Cinnamon and MATE), but it also spares Mint users the potential bumpy road that is Ubuntu’s future.
