
Tag Archives: reprints

Minecraft Windows 10 edition will launch on Oculus Rift in 2016 (Sam Machkovech/Ars Technica)

The second day of this year's Oculus Connect conference for virtual reality developers kicked off with an announcement-rich keynote presentation. While the event was short on new game announcements, one big one got the crowd's attention: Minecraft. A brief video confirmed that the hit game's Windows 10 edition will launch on the Oculus Rift "next year," and it will allow players to navigate their blocky worlds in VR with the Xbox One controller.

Oculus CEO Brendan Iribe confirmed that the Oculus Touch handheld controller system will launch in the "second quarter next year," which is a firmer confirmation than a previous "first half of 2016" estimate. After showing off that system's impressive "toybox" demo, Iribe confirmed that the Touch controllers will require a second motion sensor "for improved sensing," so be ready to make room in your home's potential VR room should you want to try the tech out.

The Touch sizzle reel confirmed that a few previously SteamVR-exclusive games would now also launch for Oculus Touch, including Job Simulator and The Gallery: Six Elements. It also had Oculus' own answer to SteamVR's Tilt Brush, a "digital clay molding" art app called Medium. "Every great platform has to have a paint app, and this is our paint app," Iribe told the Oculus Connect crowd.

Epic Games' Bullet Train.

Additionally, Epic Games' Tim Sweeney took the stage to show off Bullet Train, an upcoming VR action game for Oculus Touch that includes a warping mechanic much like SteamVR's The Gallery: Six Elements, meaning characters may potentially be able to move around the world without experiencing VR nausea.

Since virtual reality gaming on PCs demands incredibly powerful performance—particularly to support a 90 frames-per-second visual refresh, in order to reduce nausea and discomfort—Oculus announced a new "Oculus Ready" initiative through which computer manufacturers can slap a sticker on a PC that meets Oculus Rift's performance minimums. Announced partners for the program include Asus, Dell, and Alienware (itself a wholly owned Dell subsidiary). Oculus wanted the crowd to know that there's no shortage of interested Oculus developers, so they took the opportunity to announce that "over 200,000" developers had registered to create games for the new VR platform.


Broadband is a "core utility" like electricity, White House report says (Jon Brodkin/Ars Technica)

Broadband Internet service "has steadily shifted from an optional amenity to a core utility" and is now "taking its place alongside water, sewer, and electricity as essential infrastructure for communities," says a report released by the White House yesterday.

The report was written by the Broadband Opportunity Council, which was created by President Obama and is chaired by the heads of the Commerce and Agriculture departments. In an accompanying blog post, the White House touted Obama's "leadership" in expanding broadband access but said that nearly 51 million Americans still cannot purchase wired broadband with download speeds of at least 25Mbps. The statistic was based on data from 2013, so things may have improved since then. But it's time for a government-wide effort to expand broadband deployment and adoption, the White House blog post said. The Council "reviewed every major Federal program that provides support for broadband, from the Department of Housing and Urban Development and Health and Human Services to the Department of Justice," noted the Obama administration.

The report made several recommendations, and federal agencies have committed to the following:

- Modernizing Federal programs valued at approximately $10 billion to include broadband as an eligible program expenditure, such as the Department of Agriculture's (USDA) Community Facilities (CF) program, which will help communities around the country bring broadband to health clinics and recreation centers;
- Creating an online inventory of data on Federal assets, such as Department of the Interior (DOI) telecommunications towers that can help support faster and more economical broadband deployments to remote areas of the country;
- Streamlining the applications for programs and broadband permitting processes to support broadband deployment and foster competition; and
- Creating a portal for information on Federal broadband funding and loan programs to help communities easily identify resources as they seek to expand access to broadband.

Some federal programs that can support broadband "lack specific guidelines to promote its use," while others should put more money into broadband, the Council report said. The report also recommended that federal agencies promote "dig once" policies that put fiber or fiber conduit underground when streets are dug up for other purposes. The White House said it will implement the recommendations over the next 18 months.

Obama previously urged the Federal Communications Commission to regulate broadband providers as common carriers, a designation traditionally applied to utilities. The FCC did so, but it stressed that its new rules aren't utility-style regulation because they don't include the strictest regulations traditionally applied to phone service.


Google OnHub teardown shows large speaker, huge heatsink, lots of antennas, and a light sensor that doesn’t yet work (Ron Amadeo/Ars Technica)

The Google OnHub, in pieces.

Even after our review of Google's OnHub router, the device is still a mystery. Today Google is selling a $200 Wi-Fi router with an abundance of processing power that promises to some day be a smart home device. We're guessing it will power the "Google On" smart home ecosystem, but Google isn't talking about any details today.

Perhaps the mad scientists over at iFixit can shed some light on the device. They recently ripped open the Google OnHub, displaying its internals for all the world to see. They found lots and lots of antennas, a huge heatsink, and it was mostly held together with clips. The big surprise is the sizable speaker that sits at the top of the device. During setup, the speaker emits a loud ringtone-like sound that pairs the OnHub with a phone, but the OnHub speaker is much larger than what you would find in a smartphone. It's still a far cry from Amazon's woofer/tweeter combo in the Echo, though.

iFixit was able to confirm that the odd little "plug" in the speaker grill is really an ambient light sensor, which Google told us doesn't work yet. There's also a Silicon Labs EM3581 SoC network co-processor for ZigBee and a Skyworks 66109 2.4GHz ZigBee/Smart Energy front-end module, which are also dormant.


Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked (Dan Goodin/Ars Technica)

When the Ashley Madison hackers leaked close to 100 gigabytes worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them.

Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes, although they cautioned they may fall short of that goal.

The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

The cracking team, which goes by the name "CynoSure Prime," identified the weakness after reviewing thousands of lines of code leaked along with the hashed passwords, executive e-mails, and other Ashley Madison data. The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers. The bcrypt configuration used by Ashley Madison was set to a "cost" of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function. If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault.


Man arrested for parodying mayor on Twitter gets $125K in civil lawsuit (David Kravets/Ars Technica)

An Illinois man arrested when his residence was raided for parodying his town's mayor on Twitter is settling a civil rights lawsuit with the city of Peoria for $125,000. The accord spells out that the local authorities are not to prosecute people for parodies or satire.

Plaintiff Jon Daniel, the operator of the @peoriamayor handle, was initially accused last year of impersonating a public official in violation of Illinois law. However, the 30-year-old was never charged. His arrest was kicked off after the local mayor, Jim Ardis, became concerned that the tweets in that account falsely portrayed him as a drug abuser who associates with prostitutes. One tweet Ardis was concerned about said, "Who stole my crackpipe?"

As part of the agreement (PDF), which includes legal fees, his attorneys from the American Civil Liberties Union said Peoria will publish a "directive" to the police department making it clear that the Illinois law criminalizing impersonation of a public official does not include parody and satire. "The directive makes clear that parody should never be the predicate for a criminal investigation and that the action against Mr. Daniel should never be repeated again," Karen Sheley, an ACLU attorney, said in a statement.

Daniel said he never "dreamed" that he would be arrested for his fake Twitter account. "I am satisfied with the outcome in this case," Daniel said in a statement. "I always thought that the twitter account was a joke for me and for my friends."

As we previously reported, the city had defended the arrest: In its first response to the lawsuit, the city of Peoria's and Mayor Jim Ardis' attorney told Ars that the mayor and city officials believed Daniel was breaching an Illinois law making it illegal to impersonate a public official. The mayor's attorney said city officials got a judge to issue warrants from Twitter and Comcast to track down Daniel. In short, they were just following the law.


Improved Simplocker Android malware disguises as an NSA app, has infected tens of thousands of devices using XMPP (Sean Gallagher/Ars Technica)

Apparently, NSA only takes payment via PayPal for penalties for bad app downloads? That doesn't seem right...

A new variant of mobile ransomware that encrypts the content of Android smartphones is putting a new spin on both how it communicates with its masters and how it spurs its victims into action. The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to connect to command and control servers. The malware requests administrative permissions to sink its hooks deep into Android. Once it's installed, it announces itself to some victims by telling them it was planted by the NSA—and to get their files back, they'll have to pay a "fine."

Ofer Caspi of Check Point's malware research team wrote in a report posted this week that the team has "evidence that users have already paid hundreds of thousands of dollars to get their files 'unencrypted' by this new variant." He estimates that the number of infected devices so far numbers in the tens of thousands, but may be much higher. Because the software can't easily be removed once it is installed, and because the files it encrypts can't be recovered without it, victims have no choice but to either pay $500 to get their files decrypted or wipe the device and start from scratch.

While posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools. XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.

Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked. An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server.


PhantomAlert files suit against Waze, claims Waze copied its database, incorporated it into its own application before sale to Google (Cyrus…

PhantomAlert, a company that makes a Waze-like traffic smartphone app, has now sued its better-known rival for copyright infringement. The Washington DC-based company argues in a Tuesday filing that after a data-sharing deal between itself and Waze collapsed in 2010, Waze apparently stole PhantomAlert's "points of interest" database within two years. As the civil complaint states:

Among other methods, PhantomAlert determined that Waze had copied its Points of Interest database by observing the presence of fictitious Points of Interest in the Waze application, which PhantomAlert had seeded into its own database for the purpose of detecting copying. On information and belief, Waze copied the PhantomAlert database on multiple occasions after late 2012, re-incorporated the copied data into the Waze application, and continued to display the Points of Interest data to the users of the Waze application.

Then, as the case alleges, when Waze was sold to Google in June 2013, the company profited handsomely from this theft. "Waze needed to grow its database to increase its value and become more attractive to potential acquirers," Karl Kronenberger, PhantomAlert's attorney, said in a statement. "Our complaint alleges that Waze stole PhantomAlert's database when Waze could not get it legally, and then sold itself to Google for over $1 billion."

The lawsuit asks the court to shut down Waze entirely, and to order Google to pay unspecified damages. "I started PhantomAlert seven years ago as an entrepreneur with a dream, and now that dream has been crushed by companies that are profiting from the years of blood, sweat and tears our team put into our product," Joseph Scott Seyoum, PhantomAlert's CEO, said in the same statement.

Kronenberger did not respond to Ars' request for comment as to how exactly this database was stolen. Google also did not immediately respond to Ars' request for comment.


Snapdragon 820’s custom CPU is twice as fast, efficient as disappointing 810 (Andrew Cunningham/Ars Technica)

Qualcomm's new Snapdragon 820 flagship won't actually ship in any phones before early 2016, but the company continues to dole out bits of information ahead of the launch. Today it's talking in very broad terms about the CPU, which is based on a brand-new custom 64-bit architecture called Kryo.

Kryo is Qualcomm's official successor to Krait, the CPU architecture used in a wide range of Snapdragon chips from the S4 all the way up to the 805. The toasty Snapdragon 810 used a mix of off-the-shelf ARM Cortex A57 and A53 CPU cores to bring 64-bit ARMv8 compatibility to high-end phones while Qualcomm finished its own architecture. Kryo, which will initially run at clock speeds up to 2.2GHz, promises to be twice as fast as the 810 while also being twice as power efficient. Some of this is no doubt due to architectural improvements, but it will help that the 820 will be built on a 14nm FinFET manufacturing process—Qualcomm doesn't name its manufacturing partner, but Samsung is the most likely candidate.

The Kryo CPU cores in the 820 will be accompanied by a new Adreno 530 GPU, the first in the Adreno 500-series of products. The GPU will support the latest OpenGL ES, OpenCL, and Vulkan APIs, and Qualcomm says that it will be 40 percent faster and 40 percent more power efficient than the Adreno 430 in the 810. Phones and tablets are such tightly integrated devices that we'll need to see shipping hardware before we can really say how well the Snapdragon 820 performs, but Qualcomm's early numbers all paint an optimistic picture.

© 2015 Condé Nast. All rights reserved.


Popcorn Time lawsuits continue as 16 are sued for watching Survivor (Joe Mullin/Ars Technica)

Plaintiffs included a screenshot from the Popcorn Time app, with their movie circled in red.

The "Popcorn Time" app was launched in 2014 as a kind of "BitTorrent for dummies" with a simple Netflix-style interface for viewing movies. But now with a second lawsuit filed against users of the app, it looks like 16 as-yet-anonymous watchers may soon need a primer on "mass copyright suits for dummies."

The lawsuit (PDF), entitled Survivor Productions Inc. v. Anonymous Users of Popcorn Time (Does 1-16), targets 16 Comcast subscribers who allegedly used the app to watch Survivor—not the reality series, but a thriller starring Pierce Brosnan released earlier this year. Lawsuits over BitTorrent piracy of non-pornographic content are rare to begin with. Survivor Productions now joins Voltage Pictures in being one of just a few movie studios willing to pursue individual downloaders over copyright claims.

"The fight against counterfeiting and piracy are critical issues of importance to both the United States of America and the State of Oregon," states the complaint. "Popcorn Time exists for one purpose and one purpose only: to steal copyrighted content." The complaint includes warnings from the Popcorn Time software as exhibits, and it notes that the movie Survivor was promoted to users of the app.

The Survivor Productions lawsuit is nearly identical to another lawsuit against Popcorn Time users filed four days earlier over the Adam Sandler movie The Cobbler. Both were filed by the same attorney, Oregon-based practitioner Carl Crowell. In an earlier e-mail interview with Ars, Crowell said his client does not seek more than the statutory minimum for damages, which is $750. "The goal is to deter infringement," he said.

In addition to the Popcorn Time lawsuit, Survivor Productions filed 12 lawsuits against individual users who allegedly used standard BitTorrent technology to get their copies. The suits were filed between July 13 and August 21.


KeyRaider malware infecting jailbroken iPhones stole over 225K valid Apple account logins, thousands of certificates, private keys, and purchasing…

A newly discovered malware family that preys on jailbroken iPhones has collected login credentials for more than 225,000 Apple accounts, making it one of the largest Apple account compromises to be caused by malware.

KeyRaider, as the malware family has been dubbed, is distributed through a third-party repository of Cydia, which markets itself as an alternative to Apple's official App Store. Malicious code surreptitiously included with Cydia apps is creating problems for people in China and at least 17 other countries, including France, Russia, Japan, and the UK. Not only has it pilfered account data for 225,941 Apple accounts, it has also disabled some infected phones until users pay a ransom, and it has made unauthorized charges against some victims' accounts.

Researchers with Palo Alto Networks worked with members of the Chinese iPhone community Weiphone after members found the unauthorized charges. In a blog post published Sunday, the Palo Alto Networks researchers wrote:

KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information. The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren't typically possible on iOS. These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple's server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials. Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.

As if the theft of the Apple account credentials wasn't bad enough, the data was uploaded to a website that contained a SQL-injection vulnerability.


Former FireEye intern pleads guilty to developing Dendroid spyware for Android; sentencing scheduled for Dec. 2 (Dan Goodin/Ars Technica)

A former intern at security firm FireEye has admitted in federal court that he designed a malicious software tool that allowed attackers to take control of other Android phones so they could spy on their owners. Morgan Culbertson, 20, pleaded guilty to federal charges involving Dendroid, a software tool that provided everything needed to develop highly stealthy apps that among other things took pictures using the phone's camera, recorded audio and video, downloaded photos, and recorded calls. According to this 2014 blog post from Android security firm Lookout, at least one app built with Dendroid found its way into the official Google Play market, in part thanks to code that helped it evade detection by Bouncer, Google's anti-malware screening system.

Culbertson, who last month was one of 70 people arrested in an international law enforcement sting targeting the Darkode online crime forum, said in a LinkedIn profile that he spent four months at FireEye. While there, he said, he "improved Android malware detection by discovering new malicious malware families and using a multitude of different tools." He was also a student at Carnegie Mellon University.

According to The Pittsburgh Post-Gazette, Culbertson on Tuesday pleaded guilty to developing and selling the malicious tool kit. Culbertson advertised the malware on Darkode for $300, and he also offered to sell the source code, presumably for a much higher price, that would allow buyers to create their own version of Dendroid. He faces a maximum 10 years in prison and $250,000 in fines at sentencing, which is scheduled for December 2.

Culbertson said he had spent more than a year designing Dendroid, a timeline that means he worked on the remote access toolkit during or shortly after his four-month tenure at FireEye. FireEye told Forbes that Culbertson has been suspended from any future work at the company.


Leaked Microsoft intranet screenshot reveals Office 2016 for Windows will be released Sept. 22 (Peter Bright/Ars Technica)

A leaked image from a Microsoft intranet site has disclosed that Office 2016 for Windows will be released on September 22. Office 2016 for Mac is already available to Office 365 subscribers. When that was launched in July, Microsoft said that regular retail copies would be released in September. While we're not certain, it seems likely that September 22 will be the release date for that, too.

Office 2016 is an incremental update. It makes styling between Windows, OS X, and the mobile apps a little more consistent—by default each app gets a boldly colored title bar that reflects the icon color, just like the mobile apps—and includes improved collaborative editing, rights management, and data analysis capabilities.

The leaked image also says that the new Office 365 variant, E5, and Skype for Business are due in "Q2." With E5 already promised by year-end, this likely refers to the second quarter of Microsoft's financial year (October to December 2015) rather than the second quarter of the calendar year (April to June 2016).

Office E5 replaces the old E4 plan. E4 is the most pricey tier of Office 365 for enterprises at $22 per user per month when bought on an annual basis, and it includes the full desktop Office suite, Exchange, SharePoint, Skype for Business, Business Intelligence, and Rights Management support. It also supports PBX integration for Skype for Business, but this requires an on-premises server. The new E5 will offer a new cloud-based PBX capability, which is currently available to US customers on a preview basis. With this, businesses will be able to use Office 365 for virtually all of their (non-hardware!) IT and infrastructure needs, and they will have one less reason to operate on-premises infrastructure servers. E5 will also include upgraded data analytics and security capabilities. Pricing for E5 is as yet unannounced.


Internal Ashley Madison documents found in a 10GB file with information about 30M+ users, confirms the data is real (Dan Goodin/Ars Technica)

The massive leak attributed to the hackers who rooted the Ashley Madison dating website for cheaters has been confirmed to be genuine. As if that wasn't bad enough, the 10 gigabytes of data—compressed, no less—is far more wide ranging than almost anyone could have imagined.

Researchers are still poring over the unusually large dump, but already they say it includes user names, first and last names, and hashed passwords for 33 million accounts, partial credit card data, street names, and phone numbers for huge numbers of users, records documenting 9.6 million transactions, and 36 million email addresses. While much of the data is sure to correspond to anonymous burner accounts, it's a likely bet many of them belong to real people who visited the site for clandestine encounters. For what it's worth, more than 15,000 of the e-mail addresses are hosted by US government and military servers using the .gov and .mil top-level domains.

The leak also includes PayPal accounts used by Ashley Madison executives, Windows domain credentials for employees, and a large number of proprietary internal documents. Also found: huge numbers of internal documents, memos, org charts, contracts, sales techniques, and more.

"The biggest indicators to legitimacy comes from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more," TrustedSec researcher Dave Kennedy wrote in a blog post. "This is much more problematic as its not just a database dump, this is a full scale compromise of the entire companies infrastructure including Windows domain and more." Kennedy continued:

This included a full domain dump of corporate passwords (NTLM hashes) of the Windows domain of the company, PayPal accounts and passwords for the company, internal only documents, and a ton more. The biggest indicators to legitimacy comes from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more. This is much more problematic as its not just a database dump, this is a full scale compromise of the entire companies infrastructure including Windows domain and more. So far, it looks like around 33 million usernames, first names, last names, street addresses, and more are impacted by this breach. The dump itself – 10 gigs COMPRESSED. For folks that may not know, that is massive. Huge.


FCC fines Smart City $750K for blocking Wi-Fi hotspots after January notice that the practice is prohibited (Dan Goodin/Ars Technica)

A Wi-Fi service provider has agreed to pay the Federal Communications Commission $750,000 for blocking personal mobile hotspots used by convention visitors and exhibitors so they could avoid paying the company's $80-per-day fee. Smart City Holdings automatically blocked users from using their personal cell phone data plans to establish mobile Wi-Fi networks, according to a statement published Tuesday by FCC officials. After the FCC took action against Smart City Holdings, the company pledged to stop the practice and pay the $750,000 fee to settle the matter.

It's the second enforcement action by the FCC taking aim at the blocking of FCC-approved Wi-Fi connections. In October, Marriott Hotel Services reached a $600,000 agreement with the FCC to settle allegations it interfered with and disabled Wi-Fi networks established by consumers in the hotel's conference facilities in Nashville. In January, the FCC issued an enforcement advisory that stated unequivocally that Wi-Fi blocking was prohibited. Taken together, the moves should put hotels, convention centers, and just about everyone else on notice that it's unlawful to block FCC-approved Wi-Fi connections.

The FCC's action against Smart City Holdings stemmed from a complaint filed in June 2014 from a company that allows people to establish hotspots as an alternative to paying Wi-Fi service fees charged by a venue. The complaining company said customers couldn't connect to its equipment at several venues where Smart City operated. In responses to FCC investigators, Smart City later revealed it "automatically transmitted deauthentication frames to prevent Wi-Fi users whose devices produced a received signal strength above a preset power level at Smart City access points from establishing or maintaining a Wi-Fi network independent of Smart City's network," according to a consent decree filed in the case.

In a statement, Smart City Holdings president Mark Haley said his company in the past used equipment that prevented wireless devices from interfering with operations of exhibitors on convention floors. The activity resulted in less than one percent of all devices being deauthenticated. "We have always acted in good faith, and we had no prior notice that the FCC considered the use of this standardized, 'available-out-of-the-box' technology to be a violation of its rules. But when we were contacted by the FCC in October 2014, we ceased using the technology in question." Smart City Holdings charged as much as $80 per day for Wi-Fi connectivity, the FCC said.

Post updated to add comment from Smart City Holdings.


How distributed reflective DoS can amplify attacks while hiding the attacker’s identity by exploiting weaknesses in the open BitTorrent protocol (Dan…

Adamsky et al.

Some of the most widely used BitTorrent applications, including uTorrent, Mainline, and Vuze, are also the most vulnerable to a newly discovered form of denial of service attack that makes it easy for a single person to bring down large sites. The distributed reflective DoS (DRDoS) attacks exploit weaknesses found in the open BitTorrent protocol, which millions of people rely on to exchange files over the Internet. But it turns out that features found in uTorrent, Mainline, and Vuze make them especially suitable for the technique.

DRDoS allows a single BitTorrent user with only modest amounts of bandwidth to send malformed requests to other BitTorrent users. The BitTorrent applications receiving the request, in turn, flood a third-party target with data that's 50 to 120 times bigger than the original request. Key to making the attack possible is BitTorrent's use of the user datagram protocol, which provides no mechanism to prevent the falsifying of IP addresses. By replacing the attacker's IP address in the malicious request with the spoofed address of the target, the attacker causes the data flood to hit the victim's computer.

"An attacker which initiates a DRDoS does not send the traffic directly to the victim," researchers wrote in a research paper recently presented at the 9th Usenix Workshop on Offensive Technologies. "Instead he/she sends it to amplifiers which reflect the traffic to the victim. The attacker does this by exploiting network protocols which are vulnerable to IP spoofing."
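The traffic pattern the article describes is what a network operator can look for on the reflector side: many local peers each receive a small UDP request that appears to come from one remote address, and each answers it with far more data, so the "requester" (really the spoofed victim) ends up receiving 50 to 120 times the bytes it supposedly sent. The following detection sketch is an added example, not code from the Ars article or from the Adamsky et al. paper. It assumes a simple whitespace-separated flow record format and uses a constructed sample in which 192.0.2.0/24 is the local network with three BitTorrent peers, 203.0.113.9 is the spoofed victim address, 198.51.100.5 is an ordinary remote peer, and port 6881 is just a conventional BitTorrent port; the 50x threshold is taken from the amplification range the article quotes.

```python
"""Flag remote addresses that receive amplified UDP traffic from many local hosts.

Added example (not from the article or the paper it reports on). The flow
format, sample data, and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records: ts src_ip src_port dst_ip dst_port udp_bytes.
# Inbound rows look like requests from 203.0.113.9, but in a DRDoS that source
# address is spoofed; the local peers then answer the real 203.0.113.9 host.
SAMPLE_FLOWS = """\
1 203.0.113.9 6881 192.0.2.10 6881 60
1 192.0.2.10 6881 203.0.113.9 6881 4200
2 203.0.113.9 6881 192.0.2.11 6881 60
2 192.0.2.11 6881 203.0.113.9 6881 5000
3 203.0.113.9 6881 192.0.2.12 6881 60
3 192.0.2.12 6881 203.0.113.9 6881 3600
4 198.51.100.5 51413 192.0.2.11 6881 500
4 192.0.2.11 6881 198.51.100.5 51413 700
"""


@dataclass
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the constructed flow format; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def amplification_report(flows, local_prefix, min_ratio=50.0, min_reflectors=2):
    """Return {remote_ip: (ratio, reflector_count)} for remote addresses that
    received at least min_ratio times the bytes they sent to the local network,
    from at least min_reflectors distinct local hosts.

    The two conditions together capture the DRDoS shape: a large byte
    amplification (reflected data dwarfs the triggering request) and fan-in
    from many local reflectors toward a single remote target.
    """
    bytes_from_remote = defaultdict(int)  # what the remote address "sent" us
    bytes_to_remote = defaultdict(int)    # what our hosts sent back to it
    reflectors = defaultdict(set)
    for f in flows:
        src_local = f.src.startswith(local_prefix)
        dst_local = f.dst.startswith(local_prefix)
        if src_local and not dst_local:
            bytes_to_remote[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
        elif dst_local and not src_local:
            bytes_from_remote[f.src] += f.nbytes

    report = {}
    for remote, out_bytes in bytes_to_remote.items():
        in_bytes = bytes_from_remote.get(remote, 0)
        # A target that never sent anything at all is the extreme case: treat
        # the ratio as unbounded rather than dividing by zero.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio and len(reflectors[remote]) >= min_reflectors:
            report[remote] = (round(ratio, 1), len(reflectors[remote]))
    return report


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, (ratio, n) in amplification_report(flows, "192.0.2.").items():
        print(f"{ip}: {n} local hosts sent it {ratio}x the bytes it sent them")
```

On the sample, the three local peers send 12,800 bytes toward 203.0.113.9 in answer to 180 bytes of apparent requests, a ratio of about 71x, so that address is reported, while the ordinary peer 198.51.100.5 (500 bytes in, 700 out) is not. On real flow data the same two-part check, byte ratio plus reflector fan-in, is what separates a spoofed DRDoS target from a peer that is simply downloading a lot.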
