
Tag Archives: digest-golf

Internal Ashley Madison documents found in a 10GB file with information about 30M+ users, confirms the data is real (Dan Goodin/Ars Technica)

The massive leak attributed to the hackers who rooted the Ashley Madison dating website for cheaters has been confirmed to be genuine. As if that wasn't bad enough, the 10 gigabytes of data—compressed, no less—is far more wide ranging than almost anyone could have imagined. Researchers are still poring over the unusually large dump, but already they say it includes user names, first and last names, and hashed passwords for 33 million accounts, partial credit card data, street names, and phone numbers for huge numbers of users, records documenting 9.6 million transactions, and 36 million email addresses. While much of the data is sure to correspond to anonymous burner accounts, it's a likely bet many of them belong to real people who visited the site for clandestine encounters. For what it's worth, more than 15,000 of the e-mail addresses are hosted by US government and military servers using the .gov and .mil top-level domains. The leak also includes PayPal accounts used by Ashley Madison executives, Windows domain credentials for employees, and a large number of proprietary internal documents. Also found: huge numbers of internal documents, memos, org charts, contracts, sales techniques, and more. "The biggest indicators to legitimacy come from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more," TrustedSec researcher Dave Kennedy wrote in a blog post. "This is much more problematic as it's not just a database dump, this is a full scale compromise of the entire company's infrastructure including Windows domain and more." Kennedy continued: This included a full domain dump of corporate passwords (NTLM hashes) of the Windows domain of the company, PayPal accounts and passwords for the company, internal only documents, and a ton more.
The biggest indicators to legitimacy come from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more. This is much more problematic as it's not just a database dump, this is a full scale compromise of the entire company's infrastructure including Windows domain and more. So far, it looks like around 33 million usernames, first names, last names, street addresses, and more are impacted by this breach. The dump itself – 10 gigs COMPRESSED. For folks that may not know, that is massive. Huge.


Google bans 8chan-hosted domains from search, displaying warning about child abuse content (Sam Machkovech/Ars Technica)

Google appears to have taken an unprecedented step in filtering its search results by banning an entire domain—and adding a warning about "suspected child abuse content" to a search for the domain itself. Ars Technica has been unable to determine exactly when the change went into effect, but Imgur posts as early as this Wednesday pointed to a Google-wide ban of the imageboard site 8chan. As of press time, cursory attempts to find Google search results with content hosted at that site came up empty; searches for specific pages, or for sites containing the terms 8chan, 8ch, or 8ch.net, only brought up related sites such as 8chan's official Twitter account. In the case of a search for the domain directly, or for more targeted terms, the brief page of results would end in the aforementioned warning. After users began reporting the lack of 8chan-hosted content among Google's links, 8chan founder Frederick Brennan took to Medium on Thursday to confirm his findings and publicly ask why 8chan had been singled out. "It seems to me like Google has abandoned the same policy we use, and a policy that U.S. hosted websites have held to for a very long time," Brennan wrote, referring to Google's reactive removal of links after DMCA or abuse reports have been filed. Brennan also pointed out that the "child abuse content" phrase attached to the domain's searches had only appeared on ten other Google results up until that point; Ars noticed that the phrase pops up just as infrequently in a Bing search. Though Brennan didn't mention it in his Medium post, Google also uses a hashing system to automatically filter and block search results that contain previously reported images of abuse—and according to Ars' interview with Brennan earlier this year, 8chan employs a similar system to block reported images with matching hashes.
A November Daily Dot report, mentioned by an Observer report on this week's 8chan news, recounted 8chan's history as a less-regulated alternative to the already-controversial imageboard site 4chan. Its author asked Brennan pointed questions about specific, repeated examples of child pornography found in a cursory 8chan search, along with borderline-pornographic content at 8chan subsites (which is nothing to say about the site's reputation for hosting conversations about doxing and swatting, as well). In the case of the latter, Brennan said the responsibility was in the hands of "the studios who are producing this content. Some of them are even legally based in the USA. That's the real story here, not some perverts posting them online after the fact." Google's major portal about child-abuse content points to an official post from 2013 that details the aforementioned hashing system, along with Google's contributions to anti-abuse agencies and its collaborations with law enforcement agencies.


Adapted OwnStar MITM Wi-Fi attack can grab the virtual keys of BMW, Mercedes, Chrysler cars through a vulnerability in RemoteLink mobile app (Sean…

Samy Kamkar presents OwnStar at DEF CON 23 in Las Vegas. Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application—giving an attacker the ability to clone them and use them to track, unlock, and even remote start the vehicle. Kamkar discussed the details of the attack last Friday at DEF CON in Las Vegas, noting that the RemoteLink app on iOS devices had failed to properly check the certificate for a secure connection to OnStar's server, or—as is more common in mobile apps using HTTPS to access web services—use a "pinned" certificate hard-coded into the application itself. OnStar quickly resolved the issue with a RemoteLink app update. But OwnStar has moved on to other targets. Today, Kamkar announced that he had adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler's Uconnect services on Apple iOS devices. All three, he said in an exchange with Ars via Twitter, have the exact same vulnerability as the RemoteLink app did: "no pinned cert or even PKI/certificate authority validation. Trivial to attack an unadulterated mobile device." The type of man-in-the-middle attack Kamkar staged is a common exploit against mobile applications. Using an open-source tool such as SSLStrip and a malicious Wi-Fi access point, an attacker can get a mobile device configured to connect to known Wi-Fi hotspots to pair with it. By default, for example, iOS devices on AT&T's mobile network will pair with hotspots with the SSID "attwifi". The attacker can then act as a proxy for secure connections, offering a forged certificate for the remote server, and then decrypting data sent up from the app. The OwnStar device Kamkar built packs all the components required to execute this attack into a portable case that can be placed nearby a targeted vehicle


Qualcomm details Snapdragon 820: Adreno 530 GPU 40% faster, consumes 40% less power than 430, supports HDMI 2.0 4K display at 60 FPS (Andrew…

Qualcomm's new Snapdragon 820. Today we're learning about the Adreno 530 GPU and the Spectra ISP. Qualcomm's Snapdragon 810 and 808 will continue to be its flagship chips for the rest of this year, but, as we've written, the 810 in particular has been problematic for the company. It had a gift for generating both heat and bad press, and, while the Snapdragon 808 didn't suffer from the same problems, it was less of an improvement over older 800-series chips. As this has been happening on the technical side, things have been looking less rosy on the financial side. Qualcomm's outlook for Q4 of 2015 (PDF) sums it up nicely: there's "increased concentration" at the high end of the market, pushing out phones that use Snapdragon SoCs (the huge worldwide success of the iPhone 6 and 6 Plus can be at least partially blamed); "lower demand" for high-end Snapdragons from one of Qualcomm's major customers (read: Samsung, which is using its own chips in high-end Galaxy phones); and lowered sales of "certain handset models" in China using high-end Snapdragons. Some of this could be attributed to the 810 specifically, but a lot of it would be happening no matter how good the chip was. Most of the money in consumer electronics is in high-end, high-margin products, but Apple controls an overwhelming amount of that market, and the company only uses Qualcomm's modems, not the (presumably more expensive and profitable) Snapdragon SoCs. The wider smartphone market continues to grow, but companies like Xiaomi and Motorola are willing to sell good-to-great phones for one-third to one-half of what you'd pay for a flagship, and those phones often use lower-end, less-profitable Qualcomm SoCs or chips from an upstart like MediaTek or a newly competitive Intel.
Keep all of this in mind as you read about the Snapdragon 820, which Qualcomm is officially starting to talk about today—we've got some details about the GPU and the image signal processor (ISP), though information about the custom Kryo CPU core and other parts of the chip will need to wait. From what we've seen so far, it looks like a respectable generational leap in both performance and power usage. There's plenty of tech to talk about, and we'll do that here because that's what we do. But a new flagship chip isn't all Qualcomm is going to need to compete in 2016 and beyond.
New GPUs: The Adreno 500 series
Performance up, power consumption down


Al Franken, Ron Wyden, Bernie Sanders, Elizabeth Warren, and two other senators urge FCC and DOJ to block $45.2B Comcast-Time Warner Cable merger (Jon…

Six US senators today urged the Federal Communications Commission and Department of Justice to block Comcast's proposed $45.2 billion acquisition of Time Warner Cable. As Comcast prepares for a meeting tomorrow with DOJ antitrust officials, the senators wrote a letter to FCC Chairman Tom Wheeler and Attorney General Eric Holder, saying, "we believe that Comcast-TWC's unmatched power in the telecommunications industry would lead to higher prices, fewer choices, and poorer quality services for Americans—inhibiting US consumers' ability to fully benefit from modern technologies and American businesses' capacity to innovate and compete on a global scale." The letter was signed by Sens. Al Franken (D-Minn.), Bernard Sanders (I-Vt.), Edward Markey (D-Mass.), Ron Wyden (D-Ore.), Elizabeth Warren (D-Mass.), and Richard Blumenthal (D-Conn.). As we wrote yesterday, "DOJ antitrust lawyers are reportedly close to recommending that the government block the deal. Comcast might be able to save the merger by agreeing to conditions, but the cable company could also walk away from the deal if the government asks for conditions to which it objects." The senators urged the agencies to reject the deal outright. They wrote: Since the proposal was announced last year, we have heard from consumers across the nation, as well as from advocacy groups, trade associations, and companies of all sizes, all of whom fear that the deal would harm competition across several different markets and would not serve the public interest. The concerns about the transaction center on the undeniable reality that the combined Comcast-TWC would be the overwhelmingly dominant cable and broadband Internet provider in the nation and control much of the programming that Americans watch.
With 57 percent of the broadband Internet market and 30 percent of the cable market, Comcast-TWC would have an ability to defeat competing TV and Internet companies and stifle American innovation across the industry. And with Comcast's ownership of NBCUniversal and the numerous popular TV networks it controls, the combined company would have incentives and means by which to extract higher prices from other multichannel video programming distributors and prioritize its own programming over that of competitors. Comcast-TWC's monopsony power to dictate the terms of transactions with programmers will also force companies from across the country to reevaluate their business models, including the content they produce and the prices they charge.


Pwnie Express demos new tool to detect stingray devices and other monitoring hardware used by law enforcement (Sean Gallagher/Ars Technica)

A modified Pwn Pro sensor with cellular network monitoring capabilities, on display at the RSA conference today. At the RSA Conference in San Francisco today, the network penetration testing and monitoring tool company Pwnie Express will demonstrate its newest creation: a sensor that detects rogue cellular network transceivers, including "Stingray" devices and other hardware used by law enforcement to surreptitiously monitor and track cell phones and users. In an exclusive demonstration for Ars, Pwnie Express' CTO Dave Porcello and Director of Research and Development Rick Farina showed off the company's new cell network threat detection capabilities, which integrate into Pwnie's Pulse security auditing service. The capability will give companies the ability to monitor cellular networks around them and detect anomalies caused by rogue cellular base stations, IMSI catchers, and devices used to extend cellular coverage into areas where it may not be authorized. Of all the potential security threats to companies and individuals that have emerged over the past few years, perhaps the hardest to crack is rogue cellular base stations. Whether they're used to attack the privacy of a cell phone user's communications or as a backdoor out of places where cell phone usage is restricted, configuring unauthorized cell "towers" has become increasingly simple. It doesn't necessarily even require law enforcement-grade hardware. Anyone with a HackRF card or other software-defined radio kit and open-source software can turn a laptop computer into a cellular network transceiver—or even a cellular jammer.
Call baiting
"The real thing that scares people the most is that we have no visibility into these things," Porcello said. "Nobody knows how many of them are out there." But they definitely are out there. Last September, ESD America—which manufactures the CryptoPhone secure cell phone—reported that more than a dozen rogue cell "towers" had been discovered in Washington DC.
It's not clear if all of these were being operated by law enforcement


Match.com’s HTTP-only login page puts millions of passwords at risk (Dan Goodin/Ars Technica)

Tens of millions of Match.com subscribers risk having their site password exposed each time they sign in because the dating site doesn't use HTTPS encryption to protect its login page. The screenshot above was taken Thursday afternoon. Showing a session from the Wireshark packet sniffing program, you can see that this reporter entered "dan.goodin@arstechnica.com" and "secretpassword" into the user name and password fields of the Match.com login page. Amazingly, the page uses an unprotected HTTP connection to transmit the data, allowing anyone with a man-in-the-middle vantage point—say, someone on the same public network as a Match.com user, a rogue ISP or telecom employee, or a state-sponsored spy—to pilfer the credentials. Had Match.com followed basic security practices and properly enabled HTTPS on the login page, the entire session would have been unintelligible to all but the end user and connecting server. Ars reader Scott Bryner, who alerted Ars to the Match.com faux pas, said he first noticed it in early March. It's unclear exactly how long the site has failed to encrypt user credentials. Bryner provided the screenshot immediately above this paragraph, which suggests Match.com is experiencing a server configuration error that's redirecting all HTTPS traffic to an HTTP connection. As a site with tens of millions or possibly hundreds of millions of members, that's a lot of password exposure. Ars has asked Match.com officials for comment and will update this post if they respond.
© 2015 Condé Nast. All rights reserved.


Virginia e-voting systems relied on weak hard-coded passwords, trivial Wi-Fi security, unpatched OS (Dan Goodin/Ars Technica)

Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts. The AVS WINVote, made by Advanced Voting Solutions, passed national Voting Systems Standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of "admin," "abcde," and "shoup" to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections. The weak passwords—which are hard-coded and can't be changed—were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with wired equivalent privacy, an algorithm so weak that it takes as little as 10 minutes for attackers to break a network's encryption key. The shortcomings of WEP have been so well-known that it was banished in 2004 by the IEEE, the world's largest association of technical professionals. What's more, the WINVote runs a version of Windows XP Embedded that hasn't received a security patch since 2004, making it vulnerable to scores of known exploits that completely hijack the underlying machine. Making matters worse, the machine uses no firewall and exposes several important Internet ports. "Because the WINVote devices use insecure security protocols, weak passwords, and unpatched software, the WINVote devices operate with a high level of risk," researchers with the Virginia Information Technologies Agency wrote in Tuesday's report.
"The security testing by VITA proved that the vulnerabilities on the WINVote devices can allow a malicious party to compromise the confidentiality and integrity of Voting data." To prove their claim the machine was vulnerable to real-world hacks, the auditors were able to use the remote desktop protocol to gain remote access to the voting machines. They also used readily available hacking and diagnostic software to map, access, and transfer data from default shared network locations including C$, D$, ADMIN$, and IPC$. After downloading the database that stores the results of each vote, the auditors required just 10 seconds to figure out its password was "shoup" (named after the company name that preceded Advanced Voting Solutions). The auditors were then able to copy the database, modify its contents to tamper with recorded votes, and copy it back to the voting machine


TWC gives Charlotte, NC customers up to a six times speed boost for same price after Google announces Fiber for the city (Jon Brodkin/Ars Technica)

With Google Fiber preparing an expansion into Charlotte, North Carolina, incumbent cable operator Time Warner Cable is trying to hold onto customers by dramatically increasing Internet speeds at no extra charge. "The Internet transformation will begin this summer and will include speed increases on TWC residential Internet plans at no additional cost, with customers experiencing increases up to six times faster, depending on their current level of Internet service," Time Warner Cable announced last week. "For example, customers who subscribe to Standard, formerly up to 15Mbps, will now receive up to 50Mbps, customers who subscribe to Extreme, formerly up to 30Mbps, will now receive up to 200Mbps; and customers who subscribe to Ultimate, formerly up to 50Mbps, will receive up to 300Mbps, at no extra charge." Google announced plans to enter Charlotte and a few other metro areas in January and is working with local officials to finalize the network design so that construction can begin. TWC also announced improvements to its TV service, including 1TB of storage for recorded programs, double the previous amount. Last year in Austin, Texas, Time Warner Cable upgraded its 100Mbps Internet plan to 300Mbps after Google decided to offer service there. TWC's "Ultimate" Internet starts at $65 a month and has 50Mbps download speeds and 5Mbps upload. TWC did not say what it will boost upload speeds to. Google Fiber costs $70 per month for gigabit speed (1000Mbps) both upstream and downstream. TWC is not the only company to boost service in order to fend off a challenge from Google Fiber. "Most of us live in monopoly, or at best duopoly, territory for broadband providers," Consumerist wrote Friday. "But when Google announces plans to expand into a new market, competitors either strive to dive in first, like Comcast in Atlanta, or drop prices to match, like AT&T in Austin and Kansas City."
But it's a different story in cities where incumbents don't have to match Google's $70-per-month pricing. In Cupertino, California, where AT&T just launched gigabit fiber but doesn't have to compete against Google, the service costs $110 a month.


Marvell Semiconductor appealing record $1.53B patent award to Carnegie Mellon University in suit over hard drive technology (Joe Mullin/Ars Technica)

Carnegie Mellon University and Marvell are locked in a legal battle over what innovations reduced "media noise" in hard drives. Lawyers for Marvell Semiconductor have a towering task ahead of them: trying to eviscerate, or at least tamp down, a punishing $1.53 billion patent verdict. Unless they are successful in their appeal, Marvell will have to pay the largest patent verdict ever upheld. Seeking to preserve the huge payout is Carnegie Mellon University (CMU), which sued Marvell in 2009. Lawyers for CMU say the technology described in two CMU patents, which relate to chips that reduce "media noise" from hard disk drives, did nothing less than save Marvell's business. The jury's original verdict of $1.17 billion, later enhanced for willfulness and interest, is based on a royalty of 50¢ per chip. CMU says that's a reasonable rate given the more than $5 billion in profit that Marvell earned on those chips. A panel of three Federal Circuit judges heard oral arguments in the case earlier this week. In their appeal brief (PDF), Marvell lawyers attack CMU's two patents, numbered 6,201,839 and 6,438,180, as market failures, "incapable of commercial implementation." In 2005, the university offered to license one of the two patents to Intel as part of a larger group for $200,000, but Intel declined (and was not sued). Marvell, though, was slapped with a running royalty of 50¢ per chip on the more than two billion chips it sold worldwide over nearly a decade. Whether or not Marvell's worldwide sales can be brought to bear on a US patent case may well end up being the most important issue in this case. It's also the issue that has led a group of large technology companies, including Broadcom, Dell, Google, HP, and Microsoft, to support Marvell (PDF) in its appeal. Arguing the other side of the issue, six universities have filed an amicus brief (PDF) supporting CMU.


Dell releases updated XPS-13 Developer Edition Linux ultrabook with 8GB RAM and optional 13.3-inch 3200×1800 touchscreen, priced from $949 to…

For sale: Linux Ultrabooks. Following last month's release of the Ubuntu-loaded M3800 Developer Edition, Dell has today formally announced the availability of the smaller and lighter 2015-model XPS-13 Developer Edition. The new XPS-13 Developer Edition replaces the original one, which we reviewed two years ago, bringing all the improvements we loved with the 2015-model XPS-13 Ultrabook under the Project Sputnik umbrella. The new XPS-13 Developer Edition is available immediately in North America and Europe. According to Dell's announcement blog post, there is a wide variety of possible configurations available (visible on the XPS-13 Developer Edition store page), but all will have Ubuntu 14.04 SP1, solid state disks, Broadwell i5 or i7 CPUs with integrated Intel HD Graphics 5500 GPUs, and 8GB of RAM; the different configuration options will be CPU type, SSD size, and whether the included 13.3-inch display is 1920×1080 or 3200×1800 with touch. Interestingly, the blog post also includes details on testing that the company has done with various other Linux distros on the XPS-13, including Fedora and Debian. Knowing that not everyone will be happy with Ubuntu 14.04 as an operating system choice (something Ars readers made clear in the M3800 Developer Edition review's comments), this time around Dell has provided quick run-downs on how to get the XPS-13 working with a few alternate distros—including recommendations for kernel choices and BIOS revisions to load. The XPS-13 Developer Edition is priced between $949 and $1,849 depending on equipped options; we don't have one to test yet, but Dell has promised that a review unit will be headed our way as soon as possible. If anyone has any suggestions about things they'd like to see in the review beyond the obvious basics, drop a note in the comments below!


Cloud gaming service OnLive to shut down April 30, sells assets and patents to Sony (Kyle Orland/Ars Technica)

Early prototypes for the OnLive controller and microconsole. The first company to try to make a business out of streaming gameplay over the Internet will soon be shutting down its service. OnLive announced today that its servers will go offline on April 30, and that the company is selling its portfolio of patents to Sony Computer Entertainment America. The announcement comes almost exactly six years after OnLive first announced its plans in the nascent streaming gaming space. The idea was to take in user input over the Internet, put it through a game running on high-end hardware at a centralized server location, then send back video and audio to end user hardware that could be significantly cheaper and less powerful. The service and a $100 microconsole launched in late 2010, but suffered from noticeable latency and image quality issues in our initial tests. With its pay-per-game service and a limited subscription-based streaming model failing to connect with many consumers, OnLive faced massive layoffs and a drastic business restructuring in 2012. The company soldiered on to launch a new hybrid streaming/downloadable game plan last year, though. Players who took part in that hybrid plan will still be able to play their purchased games through Steam, but streaming games purchased through Cloudlift or the older Playpass subscriptions will no longer be usable after the end of the month. OnLive will continue to exist as a corporate entity to manage remaining unsold assets such as trademarks, copyrights, and product designs. Since OnLive launched, larger, more established companies have followed its lead in trying to stream games over the Internet. Sony purchased OnLive competitor Gaikai back in 2012 and used that infrastructure to launch the surprisingly usable PlayStation Now service last year.


Hulu beats lawsuit claiming it illegally shared user data with Facebook (Joe Mullin/Ars Technica)

Internet video providers have been sued under a VHS-era law, the Video Privacy Protection Act. Online video provider Hulu has decisively won a lawsuit claiming it violated the Video Privacy Protection Act, a quirky 1988 law that provides a $2,500 penalty for the "wrongful disclosure of video tape rental or sale records." In the 2011 complaint (PDF), plaintiffs claimed that Hulu broke the law by providing Facebook data about what videos its customers were watching. The suit sought class-action status, but the judge rejected the plaintiffs' first attempt to certify a class. In an order (PDF) published Tuesday, US Magistrate Judge Laurel Beeler said that Hulu was in the clear. Hulu did send to Facebook user data in the form of a cookie called "c_user," which identified users who had logged into Facebook in the last four weeks via a "Like" button on Hulu video pages. Hulu also sent URLs of "watch pages" to Facebook, which relate to individual videos, so that Facebook would know where to send code related to the "Like" button. However, there was nothing in the record to suggest that Hulu knew that the watch page data and the c_user cookie would be combined, she found. The VPPA came into existence in the late 1980s when a Washington, DC weekly obtained and published the (utterly boring) video-rental history of Supreme Court nominee Robert Bork, who ultimately was not confirmed by the Senate. Sending along certain user IDs and data of videos didn't mean the two pieces of data were necessarily connected. "By sending those two items Hulu did not thereby connect them in a manner akin to connecting Judge Bork to his video-rental history," Beeler wrote. The data Hulu was shipping to Facebook wasn't like the list of Bork's videos the reporter dug up, Beeler found, creating her own analogy: Let us say that a video-store clerk gives a local reporter a slip of paper showing only someone's name. Weeks later, someone else hands the reporter a list of video titles.
There is no obvious connection between the two. There's also no evidence that Facebook ever did anything with the "c_user" cookies that were sent by Hulu, Beeler noted.


Firefox 37 enables opportunistic encryption by default, encrypts HTTP connections over TLS (Dan Goodin/Ars Technica)

Developers of the Firefox browser have moved one step closer to an Internet that encrypts all the world's traffic with a new feature that can cryptographically protect connections even when servers don't support the HTTPS protocol. Opportunistic encryption, as the feature is known, acts as a bridge between plaintext HTTP connections and fully compliant HTTPS connections based on transport layer security or its predecessor, the secure sockets layer protocol. These traditional Web-based encryption measures require site operators to obtain a digital credential issued by a browser-recognized certificate authority and to implement TLS protection through OpenSSL or a similar code library. Even then, many sites are unable to fully encrypt their pages because they embed ads and other third-party content that's still transmitted in plaintext. As a result, large numbers of sites (including this one) continue to publish some or all of their content over HTTP, which can be readily manipulated by people with the ability to monitor the connection. OE, as opportunistic encryption is often abbreviated, was turned on by default in Firefox 37, which was released this week. The move comes 17 months after an Internet Engineering Task Force working group proposed that OE become an official part of the HTTP 2.0 specification. The move garnered critics and supporters alike, with the former arguing it may delay some sites from using the more secure HTTPS protections and the latter saying, in effect, some protection is better than none. The chief shortcoming of OE is its lack of authentication for cryptographically validating that a connected server is operated by the organization claiming ownership. In a recent blog post, Mozilla developer Patrick McManus laid out some of the thinking and technical details behind the move to support HTTP 2 in Firefox: OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text.
This creates some confidentiality in the face of passive eavesdropping and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial.


Flickr adds public domain and Creative Commons Zero designations (Megan Geuss/Ars Technica)

On Monday afternoon, Yahoo's photo-sharing platform Flickr announced that it would add public domain and CC-Zero licensing options for users who want to share their work freely with the public. Both options allow others to reuse photos licensed in that manner in any way they wish. In a blog post yesterday, Flickr said that Elon Musk's private space flight company, SpaceX, was one of the first accounts to change the licensing on its photos. Musk put hundreds of SpaceX photos up on Flickr last week, initially releasing them under a Creative Commons license, which does leave some restrictions on reuse of the photos (commercial use is not permitted, for example). But when pressed by Twitter followers, Musk agreed to put his company's photos in the public domain, free for all to use. Still, on Flickr's platform, Musk had to list his photos as CC-BY, which allows for any type of reuse as long as attribution is maintained, because a less-restrictive option was not available. Flickr did not say directly whether Musk's dilemma was the impetus for adding the new categories of licensing. "Many members of our community want to be able to upload images that are no longer protected by copyright and correctly tag them as being in the Public Domain, or they want to release their copyright entirely under CC0," Flickr wrote in its blog post. The company notes that it has used the Creative Commons license scheme since 2004. The photo-sharing platform added that the default setting for all new photo uploads will be "All Rights Reserved," but people can change those restrictions manually in the Account Settings area of Flickr.
