
Tag Archives: devin-coldewey

Comcast is leaking the names and passwords of customers’ wireless routers

Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the Wi-Fi name and password via the company’s Xfinity internet activation service. Security researchers Karan Saini and Ryan Stevenson reported the issue to ZDNet.

The site is meant to help people setting up their internet for the first time: ideally, you put in your data, and Comcast sends back the router credentials while activating the service. The problem is threefold:

1. You can “activate” an account that’s already active.
2. The data required to do so is minimal, and it is not verified via text or email.
3. The wireless name and password are sent on the web in plaintext.

This means that anyone with your account number and street address number (e.g. the 1425 in “1425 Alder Ave,” no street name, city, or apartment number needed), both of which can be found on your paper bill or in an email, will instantly be given your router’s SSID and password, allowing them to log in and use it however they like or monitor its traffic. They could also rename the router’s network or change its password, locking out subscribers.

This only affects people who use a router provided by Xfinity/Comcast, which comes with its own name and password built in. The service also returns custom SSIDs and passwords, though, since they’re synced with your account and can be changed via the app and other methods.

What can you do? While this problem is at large, it’s no good changing your password — Comcast will just provide any malicious actor the new one.



Researchers disclose new Spectre exploit variant, but Intel and AMD leave mitigation off by default

The specter of Spectre still looms above chipmakers; a new variant of that most dire of chip flaws was disclosed today, and Intel has a patch ready to go. It’s issuing the mitigation in tandem with the announcement, but the mitigation may come with a serious performance hit — which is why it will be off by default.

Like the other Spectre variants, this one has to do with “speculative execution,” a core component of modern computing architecture in which the processor predicts what might be required of it in the immediate future and executes it, either keeping the results if the prediction is right or discarding them if not. Spectre variants basically trick the processor into revealing the data it uses for speculative execution, potentially allowing an attacker to get at even highly protected bits. Unlike Meltdown, which affected Intel primarily, Spectre affects other chip manufacturers as well.

Variant 4 is similar to but distinct from variants 1 through 3, and in this case takes place “in a language-based runtime environment.” JavaScript is such an environment and would be the most obvious place to attempt the exploit. It was discovered by Microsoft and Google researchers, who worked with the chipmakers to develop mitigations.

Variant 1 is the most similar, and there are already mitigations in place for it both in browsers and in microcode, which is executed at a much lower level of a computer. But, as Intel puts it, “to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.” OEMs, which make components like motherboards, already have the fix. But like some other patches, this one will be left off by default.


Sony shrinks its Digital Paper tablet down to a more manageable 10 inches

I had a great time last year with Sony’s catchily named DPT-RP1, an e-paper tablet that’s perfect for reading PDFs and other big documents, but one of my main issues was simply how big the thing is. Light and thin but 13 inches across, the tablet was just unwieldy. Heeding (I assume) my advice, Sony is putting out a smaller version, and I can’t wait to try it out. At the time, I was comparing the RP1 with the reMarkable, a crowdfunded rival that offers fantastic writing ability but isn’t without its flaws.

The 10-inch DPT-CP1 has a couple of small differences from its larger sibling. The screen has a slightly lower resolution but should be the same PPI — it’s more of a cutout of the original screen than a miniaturization. And it’s considerably lighter: 240 grams to the 13-inch version’s 350. Considering the latter already felt almost alarmingly light, this one probably feels like it’ll float out of your hands and enter orbit.

More important are the software changes. There’s a new mobile app for iOS and Android that should make loading and sharing documents easier. A new screen-sharing mode sounds handy but a little cumbrous — you have to plug it into a PC and then plug the PC into a display. And PDF handling has been improved so that you can jump to pages, zoom and pan, and scan through thumbnails more easily. Limited interaction (think checkboxes) is also possible.

There’s nothing that addresses my main issue with both the RP1 and the reMarkable: that it’s a pain to do anything substantial on the devices, such as edit or highlight in a document, and if you do, it’s a pain to bring that work into other environments.


Does Google’s Duplex violate two-party consent laws?

Google’s Duplex, which calls businesses on your behalf and imitates a real human, ums and ahs included, has sparked a bit of controversy among privacy advocates. Doesn’t Google recording a person’s voice and sending it to a data center for analysis violate two-party consent law, which requires everyone in a conversation to agree to being recorded? The answer isn’t immediately clear, and Google’s silence isn’t helping.

Let’s take California’s law as the example, since that’s the state where Google is based and where it used the system. Penal Code section 632 forbids recording any “confidential communication” (defined more or less as any non-public conversation) without the consent of all parties. (The Reporters Committee for the Freedom of the Press has a good state-by-state guide to these laws.)

Google has provided very little in the way of details about how Duplex actually works, so attempting to answer this question involves a certain amount of informed speculation. To begin with, I’m going to consider all phone calls as “confidential” for the purposes of the law. What constitutes a reasonable expectation of privacy is far from settled, and some will have it that there isn’t such an expectation when making an appointment with a salon. But what about a doctor’s office, or if you need to give personal details over the phone? Though some edge cases may qualify as public, it’s simpler and safer (for us and for Google) to treat all phone conversations as confidential.

As a second assumption, it seems clear that, like most Google services, Duplex’s work takes place in a data center somewhere, not locally on your device. So fundamentally there is a requirement in the system that the other party’s audio will be recorded and sent in some form to that data center for processing, at which point a response is formulated and spoken.

On its face it sounds bad for Google. There’s no way the system is getting consent from whomever picks up the phone.


AI will save us from yanny/laurel, right? Wrong

If you haven’t taken part in the yanny/laurel controversy over the last couple of days, allow me to sincerely congratulate you. But your time is up. The viral speech synth clip has met the AI hype train, and the result is, like everything in this mortal world, disappointing.

Sonix, a company that produces AI-based speech recognition software, ran the ambiguous sound clip through Google, Amazon, and Watson’s transcription tools, and of course its own. Google and Sonix managed to get it on the first try — it’s “laurel,” by the way. Not yanny. Laurel. But Amazon stumbled, repeatedly producing “year old” as its best guess for what the robotic voice was saying. IBM’s Watson, amazingly, got it only half the time, alternating between hearing “yeah role” and “laurel.” So in a way, it’s the most human of them all.

Sonix CEO Jamie Sutherland told me in an email that he can’t really comment on the mixed success of the other models, not having access to them. “As you can imagine the human voice is complex and there are so many variations of volume, cadence, accent, and frequency,” he wrote. “The reality is that different companies may be optimizing for different use cases, so the results may vary. It is challenging for a speech recognition model to accommodate for everything.”

My guess as an ignorant onlooker is it may have something to do with the frequencies the models have been trained to prioritize.


Tiny house trend advances into the nano scale

All around the world, hip young people are competing to see who can live in the tiniest, quirkiest, twee-est house. But this one has them all beat. Assembled by a combination of origami and a nanometer-precise robot wielding an ion beam, this tiniest of houses measures about 20 micrometers across. For comparison, that’s almost as small as a studio in the Lower East Side of Manhattan. It’s from the Femto-ST Institute in France, where the tiny house trend has clearly become an obsession.

Really, though, the researchers aren’t just playing around. Assembly of complex structures at this scale is needed in many industries: building a special radiation or biological sensor in place on the tip of an optical fiber could let locations be probed or monitored that were inaccessible before. The house is constructed to show the precision with which the tools the team has developed can operate. The robot that does the assembly, which they call μRobotex, isn’t itself at the nano scale, but operates with an accuracy of as little as 2 nanometers.

The operator of μRobotex first laid down a layer of silica on the tip of a cut optical fiber less than the width of a human hair. They then used an ion beam to cut out the shape of the walls and add the windows and doors. By cutting through in some places but only scoring in others, physical forces are created that cause the walls to fold upwards and meet. Once they’re in place, μRobotex switches tools and uses a gas injection system to attach those surfaces to each other. Once done, the system even “sputters” a tiled pattern on the roof.


LocationSmart didn’t just sell mobile phone locations, it leaked them

What’s worse than companies selling the real-time locations of cell phones wholesale? Failing to take security precautions that prevent people from abusing the service. LocationSmart did both, as numerous sources indicated this week.

The company is adjacent to a hack of Securus, a company in the lucrative business of prison inmate communication; LocationSmart was the partner that allowed the former to provide mobile device locations in real time to law enforcement and others. There are perfectly good reasons and methods for establishing customer location, but this isn’t one of them. Police and FBI and the like are supposed to go directly to carriers for this kind of information. But paperwork is such a hassle! If carriers let LocationSmart, a separate company, access that data, and LocationSmart sells it to someone else (Securus), and that someone else sells it to law enforcement, much less paperwork is required! That’s what Securus told Senator Ron Wyden (D-OR) it was doing: acting as a middle man between the government and carriers, with help from LocationSmart.

LocationSmart’s service appears to locate phones by which towers they have recently connected to, giving a location within seconds to as close as within a few hundred feet. To prove the service worked, the company (until recently) provided a free trial of its service where a prospective customer could put in a phone number and, once that number replied yes to a consent text, the location would be returned. It worked quite well, but is now offline. Because in its excitement to demonstrate the ability to locate a given phone, the company appeared to forget to secure the API by which it did so, Brian Krebs reports.

Krebs heard from CMU security researcher Robert Xiao, who had found that LocationSmart “failed to perform basic checks to prevent anonymous and unauthorized queries.” And not through some hardcore hackery — just by poking around. “I stumbled upon this almost by accident, and it wasn’t terribly hard to do.


Microsoft’s Xbox Adaptive Controller is an inspiring example of inclusive design

Every gamer with a disability faces a unique challenge for many reasons, one of which is the relative dearth of accessibility-focused peripherals for consoles. Microsoft is taking a big step toward fixing this with its Xbox Adaptive Controller, a device created to address the needs of gamers for whom ordinary gamepads aren’t an option.

The XAC, revealed officially at a recent event but also leaked a few days ago, is essentially a pair of gigantic programmable buttons and an oversized directional pad; 3.5mm ports on the back let a huge variety of assistive devices like blow tubes, pedals and Microsoft-made accessories plug in. It’s not meant to be an all-in-one solution by any means, more like a hub that allows gamers with disabilities to easily make and adjust their own setups with a minimum of hassle. Whatever you’re capable of, whatever’s comfortable, whatever gear you already have, the XAC is meant to enable it.

I’d go into detail, but it would be impossible to do better than Microsoft’s extremely interesting and in-depth post introducing the XAC, which goes into the origins of the hardware, the personal stories of the testers and creators and much more. Absolutely worth taking the time to read. I look forward to hearing more about the system and how its users put it to use, and I’m glad to see inclusivity and accessibility being pursued in such a practical and carefully researched manner.


After Senate victory, House announces plans to force its own vote on net neutrality

Hot on the heels of a surprising 52-47 Senate disapproval of the FCC’s new, weaker net neutrality rules, the House of Representatives will soon attempt to force a similar vote under the Congressional Review Act. Representative Mike Doyle (D-PA) announced in a statement and at a press conference following the Senate vote that he will begin the process first thing tomorrow morning.

“I have introduced a companion CRA in the House,” Rep. Doyle said, “but I’m also going to begin a discharge petition which we will have open for signature tomorrow morning. And I urge every member who supports a free and open internet to join me and sign this petition so we can bring this legislation to the floor.”

Under the CRA, the Senate and House each submit the resolution itself (in the Senate’s case, Joint Resolution 52), after which a certain number of members signing what’s called a discharge petition actually forces a vote. In the Senate this number is only 30, which makes it a useful tool for the minority party, which can easily gather that many votes if it’s an important issue (a full majority is still required to pass the resolution). But in the House a majority is required, 218 at present. That’s a more difficult ask, since Democrats only hold 193 seats there. They’d need two dozen Republicans to switch sides, and while it’s clear from the defection of three Senators from the party line that such bipartisan support is possible, it’s far from a done deal. Today’s success may help move the needle, though.

Should the required votes be gathered, which could happen tomorrow or take much longer, the vote will then be scheduled, though a Congressional aide I talked to was unsure how quickly it would follow. It only took a week in the Senate to go from petition to floor vote, but that period could be longer in the House depending on how the schedule works out.


Senate votes to reverse FCC order and restore net neutrality

The Senate today voted 52-47 to disapprove the FCC’s recent order replacing 2015’s net neutrality rules, a pleasant surprise for internet advocates and consumers throughout the country. Although the disapproval will almost certainly not lead to the new rules being undone, it is a powerful statement of solidarity with a constituency activated against this deeply unpopular order. To be clear, the FCC’s “Restoring Internet Freedom” is still set to take effect in June.

“BREAKING: The Senate just voted to restore #NetNeutrality! We won. To all of those who kept fighting and didn’t get discouraged: you did this. You raised your voices and we heard you. Thank you. Now the fight continues. On to the House!” — Ed Markey (@SenMarkey) May 16, 2018

Senate Joint Resolution 52 officially disapproves the rule under the Congressional Review Act, which allows Congress to undo recently created rules by federal agencies. It will have to pass in the House as well and then be signed by the president for the old rules to be restored (that or a two-thirds majority, which is equally unlikely).


Senate votes today on rollback of net neutrality rollback

Today’s the big day for the Senate’s big push to undo the FCC’s “Restoring Internet Freedom” order nullifying 2015’s net neutrality rules. A vote is scheduled for this afternoon on whether to repeal that order, though as of this writing the coalition is still one vote shy of making it happen.

The vote is an application of the Congressional Review Act, which, as you might guess from the name, allows Congress to review and if necessary undo recent regulations enacted by federal agencies. It’s been seldom used for decades, but the current administration has been very free with it as a method of squelching rules passed in the twilight of the Obama era. Today Senate Democrats strike back with the same weapon.

A simple majority is required, but right now only a single Republican Senator, Maine’s Susan Collins, has courageously stepped across the aisle to join the Democrat-led effort. One more would pass the bill, though it would still have to get through the House and the President’s desk, making its prognosis poor.

That matters little, though: until today, many Senators will have been able to largely stay silent on the issue, and a vote to support this highly unpopular rule may come back to bite them come midterms. Net neutrality may very well be an issue constituencies care about, or at least that’s what Democratic challengers are hoping for. On the other hand, a Democratic-led CRA is a direct, partisan attack on the administration, which has supported this FCC’s actions, and would cause a return to Obama-era rules, which few Republicans would relish.


First CubeSats to travel the solar system snap ‘Pale Blue Dot’ homage

The InSight launch earlier this month had a couple of stowaways: a pair of tiny CubeSats that are already the farthest such tiny satellites have ever been from Earth — by a long shot. And one of them got a chance to snap a picture of their home planet as an homage to the Voyager mission’s famous “Pale Blue Dot.” It’s hardly as amazing a shot as the original, but it’s still cool.

The CubeSats, named MarCO-A and B, are an experiment to test the suitability of pint-size craft for exploration of the solar system; previously they have only ever been deployed into orbit. That changed on May 5, when the InSight mission took off, with the MarCO twins detaching on a similar trajectory to the geology-focused Mars lander. It wasn’t long before they went farther than any CubeSat has gone before.

A few days after launch, MarCO-A and B were about a million kilometers (621,371 miles) from Earth, and it was time to unfold their high-gain antennas. A fisheye camera attached to the chassis had an eye on the process and took a picture to send back home to inform mission control that all was well. But as a bonus (though not by accident — very few accidents happen on missions like this), Earth and the moon were in full view as MarCO-B took its antenna selfie.

“Consider it our homage to Voyager,” said JPL’s Andy Klesh in a news release. “CubeSats have never gone this far into space before, so it’s a big milestone. Both our CubeSats are healthy and functioning properly. We’re looking forward to seeing them travel even farther.”

So far it’s only good news and validation of the idea that cheap CubeSats could potentially be launched by the dozen to undertake minor science missions at a fraction of the cost of something like InSight.


NES Classic loaded with classic manga games raises hopes for other special editions

Japanese gamers and manga aficionados and every combination thereof will get a treat this summer with the release of a NES Classic Edition loaded with games from the pages of Weekly Jump. The beloved manga mag is celebrating its 50th anniversary, and this solid gold Famicom is part of the festivities.

There’s basically no chance this Jump-themed NES will get a release in the US — first because hardly any Americans will have read any of these manga (with a couple of exceptions) and second because even fewer will have played the Famicom games associated with them.

That said, this nurtures the hope inside me that we will at some point see other themed NES Classics; the original has, of course, a fantastic collection — but there are dozens more games I would have loved to see on there. You can hack the thing pretty easily and put half the entire NES library on it, but Nintendo’s official versions will have been tested and perhaps even tweaked to make sure they run perfectly (though admittedly emulation problems aren’t common for NES games).

More importantly, it’s possible these hypothetical themed consoles may come with new accessories that I desperately need, like a NES Advantage, Zapper (not sure how it would work), or NES Max. Perhaps even a Power Glove? In the meantime, at least if you missed the chance to buy one the first time around, you can grab one come the end of June.


Net neutrality will officially die on June 11

After months of tension and a variety of smaller milestones, the FCC order voiding 2015’s net neutrality rules and instating its own, much weaker ones will finally take effect on June 11, the agency’s chairman Ajit Pai said today.

Although the rule was approved in December, entered into the Federal Register in February, and under ordinary circumstances would have taken effect in April, “Restoring Internet Freedom” had one extra step that needed to be taken. The Office of Management and Budget needed to take a look at the rule because it changed how the industry reported information to the government, and under the Paperwork Reduction Act that authority had to approve the final version. That approval was granted on May 2, the FCC explained in a news release, and June 11 was picked as the effective date “to give providers time to comply with the transparency requirement.”

The Congressional Review Act paperwork filed yesterday means the Senate will soon be voting on whether the rules can stay in place, but the likelihood of that bill passing the Senate and House and getting signed by the President is pretty much nil. Still, the votes will put proponents and opponents of net neutrality in the open and potentially make it an election issue. Lawsuits alleging various flaws in the process or rule itself may eventually cause it to be rolled back, but that will take months, if not years, and lacking evidence of direct harm, judges are unlikely to take the rules out of effect while considering the case.

Don’t expect much to happen immediately should the new rule take effect; the industry is too savvy to blast out some new, abusive rules under the far more permissive framework established by this FCC. But as before, consumers will often be the first to spot shady behaviors and subtle changes to the wording of marketing or user agreements, so keep your eyes open and tip your friendly neighborhood tech blog if you see something.

In a statement accompanying Pai’s announcement, Commissioner Jessica Rosenworcel made her position clear: “The agency failed to listen to the American public and gave short shrift to their deeply held belief that internet openness should remain the law of the land. The agency turned a blind eye to serious problems in its process—from Russian intervention to fake comments to stolen identities in its files. The FCC is on the wrong side of history, the wrong side of the law, and the wrong side of the American people. It deserves to have its handiwork revisited, reexamined, and ultimately reversed.”
