May 31, 2011

Group hacks PBS website in WikiLeaks protest

A group of hackers angered by a PBS documentary about WikiLeaks has posted a fake news story on the website of the public broadcaster claiming that dead rapper Tupac Shakur was alive and well.
The group, Lulz Boat, attacked PBS' servers on Sunday, posting stolen passwords and other sensitive PBS information alongside a story headlined "Tupac still alive in New Zealand." Shakur was murdered in 1996.
PBS took down the story, but Lulz Boat's Twitter page linked to a cached copy.
"We just finished watching WikiSecrets and were less than impressed," Lulz Boat said, referring to an hour-long documentary that aired on PBS' "Frontline" program on Tuesday.
The documentary revolved around incarcerated U.S. soldier Bradley Manning, who is suspected of supplying WikiLeaks with a trove of sensitive military and diplomatic material. The documents have variously titillated and angered a worldwide Internet viewership for the past few months.
WikiLeaks founder Julian Assange, whom the United States wants to put on trial for leaking the documents, denounced the program as "hostile" before it aired. The Australian computer expert is free on bail in Britain, fighting extradition to Sweden over alleged sex crimes.
PBS said in a statement that the hackers also posted login information to two internal sites -- one used by journalists to access information and an internal communications website for public television stations. "We're notifying stations and affected parties to advise them of the situation," it said.
The identity of the people behind Lulz Boat was not known. Somewhat unhelpfully, they described themselves as "a small team of 80-year-old men and people who smoke on webcam." They also proclaimed: "Laughing at your security since 2011!"
Lulz Boat said it was not related to Anonymous, another group of hackers who also consider Assange and Manning to be heroes. Anonymous disrupted the websites of various credit card and online payment companies in December in a protest against Assange's arrest in Britain.

Iran aims to exchange the global Internet for a national one

The Iranian government is increasingly unhappy with the influence the Internet exerts on its citizens despite its censorship efforts, and is planning to set up a national Internet disconnected from the global one, reports the Wall Street Journal.

The initiative stems from the government's deep-seated belief that the West, and the US in particular, is using the Internet to insidiously "poison" Iranian minds with Western ideas and culture. The intent is to build a network that complies with Islamic law and that would in future be used not only by Iranians but by other Muslim countries as well.

Such a project cannot be realized in one go, so at first the national Internet would operate in parallel with the global Internet; the final goal, however, is to make it the only option for Iranian citizens.

Economists have questioned the feasibility of the idea, since Iran still needs the "regular" Internet to do business with China, Russia and other countries that, unlike the US and most Western countries, do not enforce an economic embargo against it.

Far more likely is a coexistence of the two Internets, which Cuba has shown to be possible and North Korea is trying to achieve.

Alongside this news there have been reports of Iranian efforts to build a home-grown operating system to replace Microsoft Windows and to manufacture its own filtering gear for blocking Internet traffic and access to particular websites. An alternative to Google and other search engines also seems to be in the works.

While cost is one of the reasons Iran wants a national Internet, the primary motive is clearly control of information, which ultimately translates into power.

Even though the government tried to censor the information flowing in and out of the country during the presidential election in June 2009, it became clear that a complete media blockade is impossible.

Can this new plan bring the results the government hopes for? I guess only time will tell.

Encrypt files on Mac with BestCrypt

Jetico announced that its BestCrypt Container Encryption software now offers full compatibility with Mac computers.



Selected files and folders are encrypted automatically when stored inside BestCrypt container files, which behave like virtual disk drives. Once a container is mounted, you read, write and drag-and-drop files just as you would on any removable disk; the encryption happens transparently underneath.

BestCrypt's key advantage is that these container files can be transferred and stored as ordinary files and are compatible across Windows, Linux and Mac. Users choose the size of each container to suit their needs and can create multiple containers for more flexible data management.

Compared with Apple's Mac-only FileVault, BestCrypt Container Encryption is a more flexible data protection system offering the following added benefits:
  • Encrypt any files, not just the user's home directory
  • Protect data with multiple passwords, public keys and a wide choice of strong encryption algorithms (AES, Blowfish, Twofish, CAST and others)
  • Container-level compatibility, so encrypted data can be stored and moved across the major operating systems: Windows, Linux and Mac
  • Hidden containers for deniable encryption, designed so that the container's existence cannot be demonstrated from outside
  • Enforce key management policies by changing a container's encryption keys without losing its contents
  • Ease of use: the software integrates into your daily workflow, providing automatic and transparent data protection.

Data center IT departments fear targeted attacks

IT departments are turning to virtualization, with half of the respondents having either implemented or planning to deploy private clouds, according to a McAfee study.

Yet as organizations progress further with virtualization and cloud computing, they face the inherent challenges that arise when applications are decoupled from the physical resources they rely on: traffic bottlenecks, inconsistent network policies and security loopholes.



The survey shows that 62 percent of respondents are planning or engaged in data center upgrades, many due to increased use of virtualization. Additionally, 29 percent of the respondents report that scaling server virtualization is a concern and 32 percent report that bandwidth and traffic engineering are pressing issues.

The results show that virtualization comes at a cost and that traditional networking architectures are not always best-suited to handle the demands of a virtualized environment. Application security can fail when subjected to data center-wide server virtualization and application mobility.

“Companies investing in full scale virtualization are now running into network and security challenges,” said Rees Johnson, senior vice president and general manager for network security, McAfee.

Respondents view targeted attacks and security breaches as the biggest threats to the next-generation data center. When asked to rate security challenges, 77 percent rate threat protection (i.e., intrusion prevention) as “critical” or “important”.

Twenty-six percent view targeted attacks as their biggest concern and 24 percent name security breaches. Half of the respondents are relying on the same security model for virtual servers that they used for physical ones, while 18 percent have yet to decide whether that is the best approach.

“Virtualization, especially in the context of private clouds, introduces unique operational and security challenges,” said Johnson. “The ability to move virtual machines is essential to creating flexible virtual data centers, yet this same flexibility introduces operational complexity and makes it much more difficult to maintain traditional trust boundaries.”

In the survey, 40 percent of respondents said that moving virtual machines is challenging because it introduces operational complexity and 25 percent indicated a concern with securing trust boundaries.

The complete survey is available here.

Broadcom releases 40nm Wi-Fi and Bluetooth combo chip

Broadcom has released the BCM43142 InConcert combo chip, which combines Wi-Fi Direct connectivity with proximity-based pairing, simplifying wireless connectivity in the home.

The combo chip supports a variety of platforms, including Windows- and Android-based systems.

The single-die BCM43142 is, Broadcom says, the industry's first 40nm Wi-Fi/Bluetooth combo chip for notebooks and netbooks. Its high level of integration yields a significantly smaller footprint, a lower bill of materials and a 40 percent reduction in power consumption.

The BCM43142 software development kit includes APIs for Bluetooth Low Energy (BLE), Bluetooth High Speed and 802.11n Wi-Fi Direct. These let devices recognize and communicate with each other directly, enabling applications such as proximity-based PC security, router-less collaboration and instant photo/video sharing.

BCM43142 highlights:
  • It supports single stream IEEE 802.11n and Bluetooth 4.0 + HS. It also features integrated power amplifiers and a low noise amplifier.
  • The BCM43142 is optimized for cost and power. It is available in a 68-pin QFN package and uses the PCIe interface for Wi-Fi and USB interface for Bluetooth.
  • Broadcom continues to support its widely deployed Bluetooth stack and software for Windows. This also includes support for Bluetooth Low Energy. The software package includes APIs for BT4.0+HS and BLE.
  • Broadcom's support for Wi-Fi Direct lets devices communicate directly with one another without going through an access point, allowing simpler, faster transfers, including high-definition video. The software package includes APIs for Wi-Fi Direct.
  • The BCM43142 implements what Broadcom describes as the industry's most advanced and proven radio coexistence algorithms and hardware mechanisms, giving a collaborative Wi-Fi/Bluetooth coexistence scheme internal to the device. The chip also supports coexistence with additional wireless technologies such as LTE and WiMAX, improving overall quality for simultaneous voice, video and data transmission on a laptop.

Phishing forms on Google Docs

Google Docs is a handy online service for creating various types of documents that are hosted in Google's cloud and can be made accessible to the public at large.

But, as it turns out, the service is handy not only for regular users but for phishers as well.

F-Secure has unearthed a number of spreadsheets with form functionality that are apparently designed to act as phishing forms for webmail account "upgrades", bug reporting, entering student data and more.

What makes these spreadsheets particularly dangerous is that they are hosted on spreadsheets.google.com, a domain with a valid SSL certificate, so the browser shows a prominent padlock icon next to the address in the URL bar. The padlock certifies that the connection is encrypted and that the host really is Google's; it says nothing about who created the form or where the submitted data ends up.

This detail could easily fool inexperienced users into believing it is safe to share their personal and financial information.

While digging around, the researchers also stumbled upon a Google spreadsheet form that is the request form for a Google Voice account transfer, and they couldn't tell whether it was a phishing form or the real thing.

In the end Google confirmed that the form was genuine, but the researchers can be forgiven for thinking otherwise, since it asked for the user's Google Voice number, e-mail address and secret PIN code.

Web Application Attack and Audit Framework 1.0 released

The Web Application Attack and Audit Framework's (w3af) goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.



Version 1.0 brings important improvements to the framework:

A stable code base, which should reduce w3af crashes to a minimum.

Auto-update, which lets you keep your w3af installation current with no effort.

Web application payloads: for people who enjoy exploitation techniques, this is one of the most interesting things you'll see in web application security. The developers created several layers of abstraction around an exploited vulnerability so that payloads can be written against emulated syscalls that read, write and execute files on the compromised web server.

A PHP static code analyzer: as part of a couple of experiments and research projects, Javier Andalia created a PHP static code analyzer that performs tainted-mode analysis of PHP code to identify SQL injection, OS commanding and remote file include vulnerabilities. At this time the feature is exposed as a web application payload: after exploiting a vulnerability, try "payload php_sca", which downloads the remote PHP code to your box and analyzes it to find further vulnerabilities.
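The page describes php_sca as tainted-mode analysis that reports SQL injection, OS commanding and remote file includes. The block below is an added illustration of that analysis style written for this page, not w3af's code: a deliberately simplified line-by-line tracker run over a constructed PHP snippet. The source, sink and sanitizer tables are assumptions chosen for the demo, and the line-oriented regex "parser" ignores control flow, function boundaries, single-quoted strings and parentheses inside string literals, all of which a real analyzer handles with an AST. What it does show is the part that matters for the three vulnerability classes: a sanitizer only clears taint for its own class, so a value escaped for SQL is still dangerous when it reaches system().

```python
import re

# Untrusted inputs (sources) and the vulnerability class of each sink (demo tables, not w3af's).
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
CALL_SINKS = {
    "mysql_query": "SQL injection", "mysqli_query": "SQL injection",
    "system": "OS commanding", "exec": "OS commanding",
    "shell_exec": "OS commanding", "passthru": "OS commanding",
}
# A sanitizer neutralises taint only for its own class; intval() yields a number, safe everywhere.
SANITIZERS = {
    "SQL injection": {"mysql_real_escape_string", "mysqli_real_escape_string", "intval"},
    "OS commanding": {"escapeshellarg", "escapeshellcmd", "intval"},
    "Remote file include": {"basename", "intval"},
}
ALL_CLASSES = set(SANITIZERS)

VAR_RE = re.compile(r"\$[A-Za-z_]\w*")                       # also matches $var inside "..." strings
ASSIGN_RE = re.compile(r"^(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+?);$")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
INCLUDE_RE = re.compile(r"^(include_once|require_once|include|require)\b\s*\(?(.+?)\)?\s*;$")


def matching_paren(text, open_pos):
    """Index of the ')' that closes the '(' at open_pos (string literals are not special-cased)."""
    depth = 0
    for i in range(open_pos, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    return len(text)


def enclosing_calls(expr, pos):
    """Names of the function calls whose argument lists contain offset pos."""
    names = set()
    for m in CALL_RE.finditer(expr):
        open_pos = m.end() - 1
        if open_pos < pos < matching_paren(expr, open_pos):
            names.add(m.group(1))
    return names


def taint_of(expr, tainted):
    """Vulnerability classes for which expr is still unsafe, given the current variable state."""
    unsafe = set()
    for m in VAR_RE.finditer(expr):
        var = m.group(0)
        if var in SOURCES:
            classes = set(ALL_CLASSES)
        elif var in tainted:
            classes = set(tainted[var])
        else:
            continue
        wrappers = enclosing_calls(expr, m.start())
        unsafe |= {c for c in classes if not (wrappers & SANITIZERS[c])}
    return unsafe


def sink_findings(code, tainted, lineno):
    findings = []
    for m in CALL_RE.finditer(code):
        name = m.group(1)
        if name in CALL_SINKS:
            open_pos = m.end() - 1
            args = code[open_pos + 1:matching_paren(code, open_pos)]
            if CALL_SINKS[name] in taint_of(args, tainted):
                findings.append((lineno, name, CALL_SINKS[name]))
    m = INCLUDE_RE.match(code)          # include/require are keywords, with or without parentheses
    if m and "Remote file include" in taint_of(m.group(2), tainted):
        findings.append((lineno, m.group(1), "Remote file include"))
    return findings


def analyze(php_source):
    """Walk the file top to bottom, tracking which variables still carry unsanitised input."""
    tainted = {}                        # variable -> classes for which it is unsafe
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//")[0].strip()
        if not code:
            continue
        m = ASSIGN_RE.match(code)
        if m:
            var, expr = m.group(1), m.group(2)
            findings += sink_findings(expr, tainted, lineno)   # e.g. $r = mysql_query($q)
            classes = taint_of(expr, tainted)
            if classes:
                tainted[var] = classes
            else:
                tainted.pop(var, None)  # reassigned from clean data: taint is killed
        else:
            findings += sink_findings(code, tainted, lineno)
    return findings


# Constructed sample: three vulnerable sinks, four correctly sanitised ones.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = mysql_real_escape_string($_POST['name']);
$page = $_REQUEST['page'];
$safe_id = intval($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = " . $id);
mysql_query("SELECT * FROM users WHERE name = '$name'");
mysql_query("SELECT * FROM users WHERE id = " . $safe_id);
system("ls /home/" . $name);
include($page . ".php");
require_once 'lib/' . basename($page) . '.php';
$out = shell_exec("ping -c 1 " . escapeshellarg($_GET['host']));
?>"""

if __name__ == "__main__":
    for lineno, sink, vuln in analyze(SAMPLE_PHP):
        print(f"line {lineno}: {vuln} via {sink}()")
```

Line 9 is the instructive one: $name was escaped for SQL on line 3, so the query on line 7 is clean, but the same variable reaches system() unescaped for the shell. A class-blind checker that marks a variable "sanitised" the moment any escaping function touches it would miss it.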

May 30, 2011

Backdoor instructions for Allied Telesis switches leaked

A simple categorization mistake resulted in the publication of an internal Allied Telesis document that reveals how to set up backdoor accounts on the company's switches.

According to Jody Feigle, Allied's North American Customer Support Manager, the document was mistakenly recategorized from "public-internal" to "public global", which made it, along with three other documents, available to anyone visiting the company website.

Indexed by Google, it was spotted, downloaded and posted to a file-sharing site. The file, an Excel spreadsheet, contains instructions on how to obtain a backdoor password for around 20 different Allied Telesis switch models. A password generator for some of the switches was also made public.

According to ThreatPost, Allied is trying to play down the incident and reassure users by pointing out that the backdoor accounts can only be set up by someone with physical access to the device.

It also says that although the document refers to backdoors, the feature is actually a password recovery mechanism of the kind used by most hardware manufacturers. For anyone who does reach the console, though, a recovery password that a leaked generator can compute is indistinguishable from a backdoor, so the mitigation rests entirely on physical access control to the switches.

The company is working on having the leaked documents removed from file-sharing sites and has notified its support staff of the incident.

Attack against Lockheed Martin result of previous RSA breach?

Lockheed Martin, one of the United States' largest military contractors, has experienced an attack on its computer networks, and speculation abounds over whether the assault is tied to the March breach of RSA, in which data about the company's SecurID authentication tokens is thought to have been taken by the attackers.

Lockheed Martin confirmed on Saturday that it had detected the "significant and tenacious attack on its information systems network" almost immediately, which allowed it to block the intrusion and keep its data safe.

"Our systems remain secure," the company said. "No customer, program or employee personal data has been compromised."

According to The New York Times, once the attack was detected by the company's information security team, remote access to the networks was largely blocked and the team began issuing new passwords and tokens to employees.

Lockheed has contacted US government agencies and is investigating the incident. An unnamed company executive reportedly said that a connection between this attack and the RSA breach cannot be ruled out at present, but the company has not officially commented on the speculation.

Sondra Barbour, Lockheed's CIO, said that the company has upgraded its SecurID tokens and that they now issue eight-digit codes instead of four-digit ones.
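Why a breach at the token vendor can translate into an attack on a customer is easier to see with a model than with prose. The SecurID algorithm itself is proprietary and not described on the page, so the added example below uses the open HMAC-based one-time-password construction of RFC 4226/6238 as a stand-in; the structural point carries over: the server and the token share a per-token seed, the tokencode is a pure function of seed and time, and whoever copies the seed database computes the same codes. The only factor the attacker still lacks is the PIN, and the only real remedy is replacing the seeds, which is what reissuing tokens does. The server class, user, PIN and serials are constructed for the demo; none of this is Lockheed's or RSA's code.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated, reduced mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed, unix_time, step=60, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (hardware tokens use a 60 s step)."""
    return hotp(seed, unix_time // step, digits)


class TokenServer:
    """Authentication server (constructed): one seed record per token serial, plus each user's PIN."""

    def __init__(self, digits=6, step=60):
        self.digits, self.step = digits, step
        self.seeds = {}   # serial -> seed: the record a breach at the vendor or the server exposes
        self.users = {}   # user -> (serial, pin)

    def issue(self, user, pin):
        serial, seed = secrets.token_hex(6), secrets.token_bytes(20)
        self.seeds[serial] = seed
        self.users[user] = (serial, pin)
        return serial, seed                      # the seed is what ships inside the physical token

    def verify(self, user, passcode, now):
        """Passcode = PIN followed by the current tokencode; one step of clock drift is tolerated."""
        serial, pin = self.users[user]
        given_pin, code = passcode[:-self.digits], passcode[-self.digits:]
        if not hmac.compare_digest(given_pin, pin):
            return False
        return any(
            hmac.compare_digest(code, totp(self.seeds[serial], now + d * self.step, self.step, self.digits))
            for d in (-1, 0, 1)
        )

    def reissue(self, user):
        """Replace the token: new serial, new seed, same PIN. The old seed record becomes worthless."""
        serial, pin = self.users[user]
        del self.seeds[serial]
        return self.issue(user, pin)


def simulate_seed_theft(now=1_300_000_000, digits=6):
    """Attacker copies the seed database; return what that buys before and after token reissue."""
    server = TokenServer(digits=digits)
    serial, _ = server.issue("alice", pin="4271")
    stolen = dict(server.seeds)                  # the attacker's copy of the seed records
    forged = totp(stolen[serial], now, digits=digits)
    outcome = {
        # the stolen seed reproduces the tokencode exactly ...
        "stolen_seed_reproduces_code": server.verify("alice", "4271" + forged, now),
        # ... so the PIN is the only factor the attacker still has to obtain
        "stolen_seed_without_pin": server.verify("alice", "0000" + forged, now),
    }
    server.reissue("alice")
    forged_again = totp(stolen[serial], now, digits=digits)
    outcome["stolen_seed_after_reissue"] = server.verify("alice", "4271" + forged_again, now)
    return outcome


if __name__ == "__main__":
    print(simulate_seed_theft())
```

Running simulate_seed_theft(digits=8) gives the same three outcomes as the six-digit case: a longer tokencode raises the cost of guessing, not of computing the code from a seed the attacker already holds. That is why the meaningful part of Lockheed's response is the reissued tokens, not the extra digits.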

Fake YouTube notifications doing rounds

YouTube users are being targeted with notifications supposedly sent by YouTube administrators that contain links to Canadian pharmacy sites, warns BitDefender.

Using "YouTube Administration sent you a message: Illegal video warning" as the subject line, the fake-pharma peddlers are trying to create a sense of urgency that will make recipients less careful and get them to click the offered link instead of signing in to the service as they normally would.

Luckily for recipients, hovering the mouse over the link reveals an unexpected destination URL. Unexpected for YouTube, that is, since it is hosted on a Spanish domain. Just to make sure, the researcher logged into his YouTube account and, as predicted, there was no warning from the real YouTube.

As relatively harmless as the destination site is, the researcher points out that the link could just as easily have led to malware.

"If you receive an e-mail from a Web service that you use (e-mail, photo and video sharing, social networks etc.) whereby you are required to do anything by following a link within the body of the message, please first do check the legitimacy of that message with your provider," he advises.
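The two lures on this page fail in opposite ways: the YouTube message links to a host that has nothing to do with YouTube (the hover check catches it), while the Google Docs forms sit on a genuine Google host with a genuine certificate, so the padlock check passes and only the question "who built this form, and why does it want my password?" catches them. The block below is an added example written for this page, not BitDefender's or F-Secure's code, of a mail-gateway style triage that applies both checks to constructed messages: anchor text versus link host, link host versus the brand the message claims, and a credential request routed through a shared form host. The brand domain table, the shared-host list and the sample messages are assumptions for the demo; the .es.example host stands in for the Spanish domain the researcher saw.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains each brand legitimately links to (a demo assumption, not an authoritative list).
BRAND_DOMAINS = {
    "youtube": {"youtube.com", "google.com"},
    "example-webmail": {"example.com"},
}
# Hosts where anyone can publish a form; a padlock here vouches for the host, not the form's author.
SHARED_FORM_HOSTS = {"spreadsheets.google.com", "docs.google.com"}
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin|username|account number)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor, plus all text for the credential heuristic."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def host_of(s):
    s = s.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def registrable_domain(host):
    """Last two labels (crude: no public-suffix list, so co.uk-style hosts are mis-split)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def looks_like_address(text):
    """Anchor text that displays a URL or hostname, i.e. text a reader would trust as the target."""
    return " " not in text and "." in host_of(text)


def triage(html, claimed_brand):
    parser = LinkExtractor()
    parser.feed(html)
    allowed = BRAND_DOMAINS[claimed_brand]
    asks_for_credentials = bool(CREDENTIAL_RE.search(" ".join(parser.text)))
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        target_domain = registrable_domain(target)
        if looks_like_address(text) and registrable_domain(host_of(text)) != target_domain:
            findings.append((href, f"visible text shows {host_of(text)} but the link goes to {target}"))
        if target_domain not in allowed:
            findings.append((href, f"message claims {claimed_brand} but links outside its domains ({target})"))
        if target in SHARED_FORM_HOSTS and asks_for_credentials:
            findings.append((href, f"asks for credentials via a form on {target}; "
                                   "the certificate vouches for the host, not for whoever built the form"))
    return findings


# Constructed messages modelled on the two cases above (not the real e-mails).
YOUTUBE_SAMPLE = """<html><body>
<p>YouTube Administration sent you a message: Illegal video warning</p>
<p>One of your videos was reported. Review the warning here:
<a href="http://yt-warning.es.example/notice.php">http://www.youtube.com/my_videos</a></p>
</body></html>"""

WEBMAIL_SAMPLE = """<html><body>
<p>Dear Example Webmail user, your mailbox quota must be upgraded. Confirm your
username and password within 48 hours or the account will be closed.</p>
<p><a href="https://spreadsheets.google.com/viewform?formkey=demo">Upgrade my account</a></p>
</body></html>"""

LEGIT_SAMPLE = '<p><a href="http://www.youtube.com/inbox">Inbox</a></p>'

if __name__ == "__main__":
    for name, html, brand in [("youtube", YOUTUBE_SAMPLE, "youtube"),
                              ("webmail", WEBMAIL_SAMPLE, "example-webmail"),
                              ("legit", LEGIT_SAMPLE, "youtube")]:
        print(name, triage(html, brand) or "no findings")
```

The off-brand rule is noisy on real mail (tracking and unsubscribe links routinely leave the brand's domains), which is why the shared-form rule is kept separate: a credential request that lands on docs.google.com or spreadsheets.google.com is the signal worth acting on, whatever the certificate says.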

May 29, 2011

Content-Focused iPad Apps Value Form Over Function, Study Finds


A report released by the Nielsen Norman Group shows that many iPad apps confuse users by being too subtle about the gestures needed to navigate them, and some are not sensitive enough to the accuracy limits of fingertips. The authors also found that many companies with perfectly functional websites are wasting their time making a less-functional iPad app.

The authors of the report sought to determine what roadblocks a group of 16 individuals, interacting with iPads they had owned for two months, would run into during use. The test subjects were asked to perform a variety of tasks on different apps and a few websites, including finding a story of interest they could easily get back to on The Daily, listening to the latest "Science Friday" episode on NPR's app, and looking for a birthday gift for themselves on Amazon.
One of the overarching problems was ambiguous implementation of navigation techniques. Apps often weren’t clear about which parts of a screen were tappable and which were not, and often expected users to figure out when they needed to swipe or scroll a screen. The report noted that while users knew to swipe through book-like content, apps without that obvious similarity that required swiping and didn’t include an arrow pointing in the direction of more content were confusing to users.
At the same time, users didn't want to read instructions on how to use an app. Some apps, like Moleskine's note-taking app, were abandoned because they required so many unintuitive gestures that they shipped with two pages of instructions.
Users avoided some apps, like Amazon’s Windowshop, because it was more difficult to navigate than the corresponding website. In the case of Amazon, users found that the app was too dissimilar from the site they were accustomed to using on actual computers, and displayed incomplete information about products from a search results page. Because of this, one participant abandoned the app in order to continue a purchase on Amazon’s website.
The authors noted that the appeal of an iPad app increased when it was more functional than the site in a way geared towards regular users of the brand. But some app makers were trying to get too creative: ABC News' display of stories in a spinnable globe was visually surprising to users, but ultimately a poor use of the iPad's large screen.
Another problem with some apps, particularly shopping-related ones, was the lack of a back button. If users accidentally navigated away from a product they had searched for, they would have to go back to the homepage and recreate their search.
The authors also chided a few apps, like the one created for photographer Ansel Adams, because they favored visual interest over functionality, with buttons placed too close together for the average finger to hit accurately (a square centimeter is considered the minimum allowable size for a touchable button, they said). Some apps also crowded popover menus into too-small windows, just so a pretty background picture would stay visible on half the screen.
While apps favoring appearance and subtlety over functionality were the biggest problems, the authors scolded appmakers for a common unsubtle inclusion: splash-screens. The researchers said in no uncertain terms that splash screens that don’t integrate well with the app, and especially long introduction sequences, should always be avoided.
Ultimately, the authors concluded that not every company needs to have an iPad app, and that far too many companies are putting out suboptimal versions of their content, seemingly just to get in on the platform. They stressed that iPad apps should not make users do more work than the actual websites, and are best received when geared toward the actions of repeat users who are already familiar with the brand. If a company can’t create an app with added value, the authors said, they’re better off just making their website more finger-friendly.

May 28, 2011

"Margaritaville" going 3D as Buffett launches Facebook game


RALEIGH, North Carolina (Billboard) - Jimmy Buffett has partnered with THQ to bring "Margaritaville Online" to Facebook and iOS devices (iPhone, iPad, iPod Touch) this fall, but attendees of E3 in Los Angeles will get a first look at the game. The casual online video game is targeting Buffett's devoted followers, known as Parrotheads, along with the 45 million Facebook gamers who play FarmVille.
Buffett, who is currently touring, will be at E3 at the THQ booth to promote the new game. "The Margaritaville laid back state of mind is inherently social, and THQ has captured the spirit of that lifestyle in this game," said Buffett. "With Margaritaville Online, fans across the globe can party together any time and any place."
Developed by Exploding Barrel Games, the 3D open world features tropical environments and a full catalog of Buffett's music. Players will be able to create their own island resort, play mini-games and interact with characters from Buffett's songs and literary works including Captain Tony and Joe Merchant. They'll even be able to create their own band.
Hollywood producer Frank Marshall is responsible for bringing Margaritaville to gamers, according to Danny Bilson, THQ's executive vice president of core games. While THQ was developing games based on M. Night Shyamalan's "The Last Airbender," Marshall, who is close with Buffett, explained the vision of what has become "Margaritaville Online" to the game publisher.
"Frank Marshall is essentially one of the producers on the game," said Bilson. "He and Jimmy work very closely with us on every element in the game. Everything in the game is based on ideas from the songs and books." Bilson said this Facebook game will stand out from games like Zynga's CityVille because Margaritaville Online is an immersive 3D world. At the same time, it has all the great core tenets of a Facebook social game where players can build a unique island resort, embark on adventures and socialize with friends.
This is the second social game from THQ, which released UFC Undisputed Fight Nation last year. Bilson said a third social game will be announced after E3.
"We think social games are a big part of our future," said Bilson. "In the social gaming space it's important to have an ecosystem of games to make the whole thing work, so that people can share and go from one world to the next. You're going to see THQ focusing some energies around that in the next year."
Buffett is the first musician to completely embrace the booming casual online gaming space. Artists like Lady Gaga and Dr. Dre have partnered with Zynga to connect with fans in games like CityVille and Mafia Wars, but those have focused on promoting music. Just as he has with his Cheeseburger in Paradise restaurant chain, Margaritaville Online will allow fans to connect with Buffett in a unique way.

Google, Facebook lose social network patent ruling


Google Inc and Facebook Inc failed to win dismissal of a lawsuit by a New York company related to software designed to let people take part on social networks through their mobile phones.
Wireless Ink Corp, which runs the Winksite service, may pursue claims that Google Buzz and Facebook Mobile infringed its October 2009 patent, U.S. District Judge Kevin Castel in Manhattan wrote in a ruling made public on Friday.
The patent related to a method to help novice mobile phone users create mobile websites that other phone users can see. Wireless Ink is seeking a halt to the alleged infringement, and compensatory and triple damages.
Jeremy Pitcock, a lawyer for Wireless Ink, did not immediately respond to requests for comment. Facebook and Google did not immediately return requests for comment.
According to an amended complaint filed in December, Wireless Ink's application for its so-called '983 patent became public in January 2004.
It said this was three years before Facebook, the world's most popular social networking website, launched its first mobile website, and six years before Google launched Buzz to compete with Facebook.
"If two of the most resource-rich, patent-savvy and technologically advanced companies leading the Internet were not aware of the '983 patent, despite its potential ramifications upon a major segment of the defendants' business," Wireless Ink wrote, "this was solely due to a deliberate indifference on the part of defendants."
Wireless Ink said Winksite had more than 75,000 registered users, while Facebook Mobile has tens of millions of users, and Google said tens of millions of people had "checked Buzz out" in the service's first two days.
In his ruling, Castel said Wireless Ink "does not allege any facts that are inconsistent with the existence of a viable claim." He also dismissed counterclaims seeking to invalidate the Wireless Ink patent.
Facebook is based in Palo Alto, California, and Google in Mountain View, California.
Analysts now generally consider Google Buzz a failure. Google raised privacy concerns when it at first used email lists from users' Gmail accounts to build social networks of Buzz contacts. It later changed the settings so that Gmail contacts are kept private by default.
The case is Wireless Ink Corp v. Facebook Inc et al, U.S. District Court, Southern District of New York, No. 10-01841.

Honda Canada warns customers of major data breach


The personal information of more than 283,000 customers at Honda Canada has been breached, the company confirmed on Friday.
Honda Canada said the stolen data included names, addresses, vehicle identification numbers and in some cases financing account numbers.
It said the data was not the type that would typically be used for identity theft or fraud, such as birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, social insurance numbers, or dollar amounts of financing or payments.
The company said the information was collected in 2009 as part of a series of customer mail programs encouraging Honda and Acura owners to register at the myHonda and myAcura websites. It added that the unauthorized access was recent.
The Toronto Star reported Honda first noticed suspicious activity on the e-commerce websites in late February and that it said in a letter to affected customers dated May 13 that it was tipped off by unusual volume on the sites, including "some unauthorized attempts to access account information."
Honda would not confirm the additional details the newspaper gave in its report.
The company said it is notifying all the affected customers by mail. It said it does not recommend taking any specific action at this time, other than being alert for marketing campaigns from third parties that reference Honda vehicle ownership.
Honda said it has had a toll-free line -- 1-800-839-2826 -- open since May 16 for customers who would like further information.

Sony: We’ll Restore PSN By May 31, Unless We Don’t


According to some Japanese sources, Sony’s long-promised date of May 31 for the restoration of all PlayStation Network services now comes with some caveats.
In a presentation for investors on Thursday following the release of its fiscal year 2010 results, a Sony representative commented on the status of its PlayStation Network online service.
“We have not changed our target date of full restoration within the month of May,” AV Watch quotes a Sony representative as saying. “In the U.S. and Europe, service has been partially restored. In Japan and Asia, while we cannot give a precise date, we hope to restore service in the coming days. Anyway, it’ll be in May. And even if we’re late on that, it’ll only be by a matter of days.”
In other words, PlayStation Network will definitely absolutely be restored by May 31, unless it isn’t.
PlayStation Network’s outage entered its sixth week Thursday, following a security breach in mid-April that caused Sony to take the service down for extensive fixes. PSN is partially online in the U.S. and Europe, but remains fully offline in Asia.


One Year In, iPad Apps Get Less Wacky and More User-Friendly


One year after the iPad’s release, third-party apps have improved dramatically in usability, according to an interface scientist.
Jakob Nielsen, often hailed as the "king of usability," published results this week from a follow-up study examining iPad app interfaces. He found that iPad apps today are considerably "less wacky" and therefore easier to use than they were last year.
“We really came quite a long way in a year, and a year is a short amount of time,” Nielsen told Wired.com in a phone interview. “If we think back to when the web came out … there were five years when the web got worse before it started getting better.”
For software makers, interface design can be a tricky thing, because digital experiences are purely subjective. The ultimate question: What do customers want? For instance, where do they want this button, or what do they want to happen when selecting this menu? Software makers often must poll groups of testers before releasing their apps to the public to determine the most user-friendly design.
On the iPad it can be especially challenging to nail usability, because multitouch gestures are invisible, and it's up to the user to figure out which gestures do what. Compare that to the desktop PCs we've grown accustomed to, which rely on a physical keyboard and mouse, mouse pointers, windows and icons; usability is more clear-cut in that environment.
The initial issue with the iPad, Nielsen pointed out last year, was that before the original iPad was released, Apple didn’t give developers iPads to test their apps on. Apple only allowed a select group of programmers access to iPads to test their apps in an isolated room with blacked-out windows at Apple headquarters, meaning they couldn’t do any user testing prior to the iPad’s release. Therefore, the earliest iPad apps were coded in the dark.
As a result, user interfaces in the initial batch of iPad apps were all over the map, with little consistency among the various apps. Apps would behave differently when we swiped or pinched, and some apps used complex interactions such as running three fingers diagonally across the screen, Nielsen said.
Today, iPad apps have become more simple and user-friendly, Nielsen said. He found that magazine apps, for example, would display a cover with the top stories, and tapping on a top story would bring you straight to the content, rather than make you turn to the table of contents and flip to the article manually. His study also found that more apps included Back buttons and broader use of search.
“For the average user, technology is a means to an end,” Nielsen said. “People want to jump in and get results. If I see a cover with three interesting [stories], I want to tap and read right away.”
To conduct his study, Nielsen recruited 16 iPad customers with two months of experience using their iPads. Nielsen’s team watched the test subjects as they launched and interacted with 26 different apps and six websites.

The National Mall: A Location-Aware App-Album
Two musicians from Washington, D.C., who go by the name Bluebrain have put together a location-aware album called The National Mall.

It comes in the form of an iPhone app, which you download to your handset and then open up while you’re standing in the National Mall — the green space between the Lincoln Memorial and Capitol building. As you move around the area, the music changes.
“For example,” Ryan Holladay, one half of Bluebrain, told Wired.co.uk, “Approach a lake and a piano piece changes into a harp. Or, as you get close to the children’s merry-go-round, the wooden horses come to life and you hear sounds of real horses getting steadily louder based on your proximity.”
It’ll be available soon on Apple’s App Store, and iPad and Android versions will follow in time.
It’s the first in a series of location-aware albums that will focus on different places. The next will be in New York’s Prospect Park, and then there’ll be one running the length of the Highway 1 coast road in California.
Unfortunately, you can’t listen to any of them outside the locations they’re designed for, but in an exclusive interview for the Wired.co.uk podcast, Holladay told us he’s considering making the tools he used to create the album more widely available. For bands who are interested in reinventing the experience of listening to an album, that’ll be worth waiting for.
Hear some samples from The National Mall, along with the aforementioned interview, on Episode 27 of the Wired.co.uk podcast.

Slick HTML5 App Muro Animates Super Stick-Figure Videos


Powered by Ritz crackers and Sour Patch Kids, Adande Thorne works late into the night creating the worlds in which his frenetic stick-figures live. But even when he’s working so diligently that he doesn’t notice that the sun came up, he is still churning out his short films much faster than he used to, back when he made his animations with a Sharpie, some pencils and a scanner.
Now he whips up his web-ready doodles in muro, an HTML5-based illustration tool created by artist networking site deviantArt. The free, web-based software, still in beta, allows Thorne to create a five-minute video in about two weeks, cutting his work time nearly in half.

sWooZie makes awesome videos using muro.
Image courtesy Adande Thorne
“I used to draw with paper and pen and scan it and go through this long tedious process and then one day a friend was like ‘Dude, why don’t you just jump on muro?’” Thorne told Wired.com. “When I started messing around with it, it cut down so much on the footwork I had to do. It just blew up after that.”
With its simple interface and sleek design, muro puts digital tools in the hands of people typically accustomed to working with brushes and canvas or pens and paper — it’s like Adobe Illustrator for non-pros. Originally designed to allow deviantArt members to add simple sketches to the site’s lively forums, muro put an easy-to-master tool in the hands of artists who use it to create a wild variety of works.
That’s exactly what someone like Thorne needed. Better known by the nom de art sWooZie, Thorne makes the kind of videos the internet loves: comedy acted out by slick and cute animations, complete with fight scenes and tricked-out DeLoreans.
The video that gained him internet fame (read: a post on Gawker) used a series of stick-figure animations to illustrate his miscreant behavior as a Walt Disney World employee. It topped a quarter-million YouTube views within a few days of its posting in January.
He followed that up with “Cheating in High School” and eventually “Super Sick Stick Figure Fight [FTW],” which went up in April and was the first of five installments he sees as his summer blockbuster. (See the second, “Cute College Girls [FTW],” which was released Friday, above.)
Thorne’s process is deeply rooted in the web’s DIY aesthetic. The artist, who also happens to be a pro gamer, shoots videos of sets in his home or out in the wild in Orlando, Florida, where he lives. He then illustrates and animates his characters on top of those images. His concepts definitely lean toward the nerdy — videogame references and lightsaber fights — but he’s got a style all his own. (See how sWooZie made his latest video below.)

His style is starting to pay off. Thorne, who completed a one-year program in computer animation at the Digital Animation and Visual Effects School, now makes between $1,000 and $2,000 a month from his videos through YouTube’s partner program. He once made $500 a day from a single clip.
“I used to work at the Hard Rock Hotel [as a lifeguard] making $400 every two weeks after taxes, and now I’m getting a little bit more than that just from uploading videos to the internet,” Thorne said.
There’s very little overhead. Since muro is a free program, Thorne incurs few costs beyond his time investment and the few die-cast car models he buys as props. That’s exactly what muro’s creators at deviantArt want.
The original concept for muro was to build a simple drawing tool deviantArt members could use for sketching in the site’s forums. But while the developers were working with the prototype, codenamed “drawplz,” the company’s CEO Angelo Sotira got addicted to using it and asked lead developer Mike Dewey to make a larger version for use on bigger artworks. From there, muro blossomed into a much more robust illustration application.
“[Sotira] said, ‘Sometimes I get frustrated that I’m drawing so small,’” Dewey said. “I said, ‘I’ll make it so that it goes full-screen for you,’ and that ended up evolving into the full-fledged drawing application.”
It only took a few weeks. Sotira asked for a bigger version in the middle of summer 2010 and muro launched that August. Now deviantArt users fill the site with about 3,100 muro-made images each day even while the program remains in beta. Some artists are even using the program on their iPads, turning the tablet into an electronic sketch book.
Much to the surprise of its creators, muro is also being used for animation by people like Thorne.

“I don’t think any time while we were developing this did we say, ‘Yeah, OK, let’s make something for animators,’” Dewey said. “But once [Thorne] started doing it, I could see why he picked muro. It’s the ease of creation — when he has an idea, he can have it work it in a day or two rather than creating an entire 3-D model.”

May 27, 2011

Bill Would Keep Big Brother’s Mitts Off Your GPS Data
The reauthorization of the Patriot Act looks like a foregone conclusion. But next month, a bipartisan band of legislators will try to mitigate a different kind of damage done to civil liberties: the government’s warrantless collection of location data beamed out by your car or mobile phone.
The courts aren’t sure whether so-called “geolocation” data taken from GPS devices or cellphones is covered by the Fourth Amendment, as Wired.com’s blog Threat Level has extensively reported. That ambiguity has largely enabled law enforcement to snatch it up without getting a warrant or showing probable cause.
Sen. Ron Wyden, a Democrat, and Rep. Jason Chaffetz, a Republican, want to make things crystal clear: no warrant, no geolocation info.
“GPS devices are everywhere and that’s a good thing,” Chaffetz tells Wired.com. “We just don’t want nefarious characters tracking people without someone knowing, nor do I want law enforcement to be able to just follow everyone all the time.”
A bill they’ve collaborated to draft prevents the government from getting tracking data sent by your smartphone, GPS unit or other device — including any “successor device,” a nod to as-yet-unimagined tech — without a court order. It exempts geolocation collection from the Patriot Act’s “business records” provision.
The cops also would be barred from taking that information from numbers that call you (“trap and trace” devices) or that you dial (“pen registers”). Its provisions protect both real-time and historic geolocation info.
And the bill doesn’t just restrict the government’s abilities to get your geolocation data. Telecoms, carriers and businesses would have to get your explicit consent before collecting it. (Sorry, Apple.)
“The last thing these companies want is for people to be afraid of their phones, [so] you’ll see people in this space embrace this legislation,” said Chaffetz. Those companies wouldn’t be allowed to divulge your geolocation data to the government unless the feds show their inquiry is connected to a criminal investigation.
Chaffetz and Wyden plan to introduce the bill the week of June 15. The bill’s existence was first reported by CNet, and Danger Room has acquired a copy, which you can read below.

So far, civil libertarians seem pleased. “It’s an excellent start,” says Christopher Calabrese, a privacy lobbyist for the ACLU. “It gets at some of the core concerns that people have, that my cellphone is also a portable tracking device that can be used by law enforcement or companies or anybody that wants to know where I am.” (Full disclosure: My fiancee works for the ACLU.)
The bill’s requirements for a warrant are extensive, covering “cellular geo-location, GPS tracking devices under cars and triggerfish devices, which enable law enforcement to track a phone without having to go to the phone company,” says Christopher Soghoian, a graduate fellow with the Center for Applied Cybersecurity Research. That’s likely to make the bill a “non-starter” for the feds, who he says are “thoroughly addicted to location data.”
And how. The FBI once demanded a 20-year old return a GPS tracker it had attached to the youth’s car. The Obama administration doesn’t want judges deciding when the feds can examine your electronic footprints.
Wyden is also warning that the government is secretly reinterpreting the Patriot Act, enabling a surveillance dragnet not envisioned by the law. That has led some to speculate that the dragnet includes mass amounts of geolocation data. But for what it’s worth, Jennifer Hoelzer, Wyden’s deputy chief of staff insists that the senator’s Patriot Act concerns and the GPS bill “are independent efforts.”
Not everyone’s convinced, particularly when they read the Chaffetz-Wyden bill.
“It is notable that Sen. Wyden singles out pen registers and [the Patriot Act's] business-records orders as provisions that may not be used to get geolocation data,” says Julian Sanchez, a privacy and technology researcher at the libertarian Cato Institute. “It’s highly suggestive that the secret ‘interpretation’ of the Patriot Act that Wyden has been warning about may involve allowing the use of these broader intelligence tools for some sort of potentially very large-scale location tracking.”
“Americans have a reasonable expectation of privacy,” Chaffetz says. “Just because you use a device that has a geolocator on it doesn’t mean everyone should be able to follow you.”
Hands-On: Incredible 2, a Phone That Lives Up to Its Name

I scoffed when HTC first released the “Incredible 2.” Not at its hardware or features necessarily, but rather for its presumptuous name.
But after spending some time with the device itself, I can safely say the phone’s title is no misnomer (if not a little overconfident).
The phone bucks the trend of huge, power-hungry phones we’re seeing debut in today’s mobile market. At 4.75 by 2.5 inches and less than a half-inch thick, the phone’s size felt like the third bear’s bed from Goldilocks: not too big, not too small, but just right.
It fit comfortably in hand, and the matte resin finish on its unibody design felt much nicer to the touch than the glossier plastic we’ve seen on other phones.
Moving on to the specs: Unfortunately, the Incredible 2 lacks access to Verizon’s 4G network. But considering the phone’s relatively compact size, it seems like less of a media consumption device — like, say, HTC’s Thunderbolt — and more of a phone focused on making calls, so you may not need those high data speeds.

The phone’s major draw, for example, is focused mainly on globetrotters: The Incredible 2 is a so-called “world phone,” operating on both CDMA and GSM frequencies. So while you won’t be able to access Verizon’s 4G speeds, at least you can chat up your pals while you’re abroad.
That’s not to say that the Incredible 2 isn’t capable of showing media off. The phone’s 4-inch screen displayed images in crystal clarity, and despite a lack of 4G, YouTube videos played well running on Verizon’s 3G network. And with DLNA capability, you can stream video and audio to friendly peripheral devices, like your big screen. There isn’t, however, any HDMI output on the phone, limiting your media-out capabilities somewhat.
There’s also a number of subtle under-the-hood upgrades from the previous generation. For one, the Incredible 2 comes with an adequate 768 MB of RAM, compared to the Incredible 1’s 512 MB. Not a huge boost, but coupled with a 1-GHz Qualcomm Snapdragon processor, it seemed like enough to keep apps running smoothly. Although the first Incredible used a 1-GHz Snapdragon as well, the Incredible 2 features the second generation of the processor, which is manufactured using Qualcomm’s 45nm technology. Essentially, that means increases in both performance and battery life.
The Incredible 2 also has a 1.3-megapixel front-facing camera for video chat, which the first Incredible didn’t have. The mandatory back-facing 8-megapixel camera is capable of 720p video capture, and handles photos just like any other current smartphone.
One cool aesthetic plus — the orientation of the four home keys rotates as you switch between portrait and landscape mode. A minor tweak, but attention to details like this are what get Android users excited.
The biggest detractors for my taste — one, it’s not shipping with Android 2.3.4 (Gingerbread), but rather 2.2 (Froyo). Nearly every phone I’ve tested this year (save the Xperia Play) has shipped with the last generation of Android on it, and frankly, it’s annoying. On occasion we’re promised future device updates, but we never see exact dates. Hopefully Android’s new cross-company partnership will keep future phones up to date.
The other qualm is the user interface. For the life of me, I can’t get past the custom skin HTC includes on its phones. Call me a purist, but I’m partial to stock Android, no frills. HTC’s Sense interface brings with it a bevy of cluttered menu screens, all filled with HTC’s take on regular Android phone apps (Twitter, for example, becomes “Peep” on a Sense-skinned phone). It’s mainly for HTC to differentiate its phones from the glut of other Android offerings out there.
But these aren’t glaring issues. If you don’t mind a skinned phone, they won’t affect usability in any major way.
Overall, I’d recommend the Incredible 2 to those who want a phone first, and a media player second, and especially if you want to stay connected while you travel abroad.
The Incredible 2's finish -- a matte resin with a slight tooth -- is pleasant to the touch. Photo: Jon Snyder/Wired.com
Mike is a Wired.com staff writer covering Google and the mobile beat. He's written on a number of different tech topics, ranging from startups to social media.

PayPal Sues Two Ex-Employees Who Created Google ‘Wallet’

Alleging that trade secrets were stolen and disclosed, PayPal is going after Google in a big way: suing the company and two former employees at the search giant who are key executives behind Google Wallet, launched with huge fanfare on Thursday.
While it doesn’t mention Google Wallet by name, PayPal’s lawsuit coincides with the day that Google’s NFC service was announced. PayPal is not only suing Google, but “two former colleagues who now work there, Osama Bedier and Stephanie Tilenius,” Amanda Pires, the senior director of PayPal global communications, wrote on the PayPal blog. According to the lawsuit filed by PayPal and parent-company eBay, vice president of platform, mobile and new ventures Bedier left PayPal in January to take up a “similar role at Google.”
Tilenius meanwhile left the company in 2009 as the senior vice president of North America and global products, taking up the role of president of electronic commerce at Google.
Pires urged readers to read the lawsuit themselves to “see why we believe the law has been violated, and why we needed to take this action to protect PayPal’s trade secrets.” The lawsuit itself specifies that “over the past year, PayPal has been developing capabilities to provide large retailers with next generation ‘mobile payment’ point of sale technology and services. Recently, Google has also been exploring the market for next generation mobile payment point of sale technology and service,” and that Bedier “misappropriated PayPal trade secrets by disclosing them within Google and to 9 major retailers.”

Apps with dangerous permissions pulled from Chrome Web Store

Do you trust Google to review and ban potentially malicious applications from its online stores?

The Android Market has already been found offering "trojanized" apps, and now the Chrome Web Store has been spotted offering two popular game extensions that request potentially dangerous permissions of users that want to install them.



The apps in question are named Super Mario World and Super Mario 2 and are not manufactured by Nintendo. The fact that they are asking questionable permissions of the users has been discovered by David Rogers, the blogger behind blog.mobilephonesecurity.org, when he was in the process of installing one of them.

"Installation is pretty instantaneous," says Rogers. "As I looked at the screen, I saw the box to the bottom right. 'This extension can access: Your data on all websites, Your bookmarks, Your browsing history'".

He proceeded to uninstall the extension immediately and searched for an explanation of the unduly broad permissions. The permission to access the user's bookmarks includes permission to read, change, add to and organize those bookmarks, and the one for accessing the user's browsing history is supposedly necessary for the app to be able to open new tabs or windows.

But the worst one is the one that gives access to the user's data on all websites. Not only can the app read every page the user visits (think e-mail, Facebook, online banking), but can also use cookies to request the user's data from various websites - in short, the app can impersonate the user to the website.

Apart from being disappointed that Google has failed to spot the problematic permissions and ban the apps, Rogers really takes issue with the "permissions by default" installation.

"You click one button and it’s there, almost immediately with no prompt. Now, I’m not the greatest fan of prompts, but there are times when prompts are appropriate and install time is actually one of them," he explains. "It gives me the chance to review what I’ve selected and make a decision, especially if I hadn't spotted that information on a busy and cluttered webpage."

While I do think that Google has made no grave mistake here - it did, after all, show the permissions needed - the problem is that for this system to work as it should, you need careful and judicious users. And let's face it, they don't constitute a majority on the Internet.

Rogers also points out that to the average user, the fact that the Chrome Web Store is operated by Google makes him trust implicitly the downloads from it. In his opinion, this should make Google extremely careful when it comes to evaluating and vetting possibly dangerous apps.

In the end, Google has quietly removed the two apps from the market, but has not commented officially on the action. Let's just hope that they will take Rogers' objections into consideration.
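The three warnings Rogers saw map to permissions an extension declares in its manifest. As an added example, not code from the article, from Google or from the extensions in question, the following reviewer-side check reads a Chrome extension manifest and lists the broad-access warnings its permissions imply, so that a reviewer (or a careful user) can see at a glance why a self-contained game has no business requesting them. The permission-to-warning mapping is this example's approximation of Chrome's install-time warnings, and both manifests are constructed for the example.

```javascript
// Added example, not from the article or from Google: list the broad-access
// install warnings implied by a Chrome extension manifest's permissions.
// The mapping below is an approximation of Chrome's install-time warnings
// (an assumption for this example, not Google's official table).
const PERMISSION_WARNINGS = {
  bookmarks: 'Your bookmarks',
  history: 'Your browsing history',
  tabs: 'Your browsing history',        // "tabs" exposes the URLs of open tabs
  cookies: 'Your data on websites you visit',
  webRequest: 'Your data on websites you visit',
};

// Host patterns that cover every site: "<all_urls>", "*://*/*", "http://*/*", "https://*/*".
function coversAllSites(pattern) {
  return pattern === '<all_urls>' || /^(?:\*|https?):\/\/\*\/\*?$/.test(pattern);
}

// Any other match pattern, e.g. "https://game.example/*" (narrower, site-specific).
function isHostPattern(pattern) {
  return /^(?:\*|https?|file|ftp):\/\//.test(pattern);
}

function reviewManifest(manifest) {
  const requested = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // manifest v3 keeps host patterns here
  ];
  const warnings = new Set();
  const unflagged = [];
  let allSites = false;
  for (const p of requested) {
    if (coversAllSites(p)) {
      allSites = true;
      warnings.add('Your data on all websites');
    } else if (Object.prototype.hasOwnProperty.call(PERMISSION_WARNINGS, p)) {
      warnings.add(PERMISSION_WARNINGS[p]);
    } else if (isHostPattern(p)) {
      warnings.add(`Your data on ${p}`);
    } else {
      unflagged.push(p); // e.g. "storage": no broad-access warning
    }
  }
  return { warnings: [...warnings].sort(), allSites, unflagged };
}

// Constructed manifests: the first reproduces the three warnings Rogers quoted,
// the second is what a self-contained game actually needs.
const GAME_MANIFEST = {
  name: 'Constructed Platform Game',
  version: '1.0',
  permissions: ['tabs', 'bookmarks', 'http://*/*', 'https://*/*'],
};
const MINIMAL_MANIFEST = {
  name: 'Constructed Platform Game (least privilege)',
  version: '1.0',
  permissions: ['storage'],
};

for (const m of [GAME_MANIFEST, MINIMAL_MANIFEST]) {
  console.log(m.name, reviewManifest(m));
}
```

For the constructed game manifest the check returns `allSites: true` with the warnings "Your bookmarks", "Your browsing history" and "Your data on all websites"; the least-privilege version returns no warnings at all. A store-side vetting step could refuse, or at least hold for manual review, any extension in a "game" category whose `allSites` flag is set.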

Code in the Cloud: Programming Google AppEngine

Cloud applications are the next big shift in application development: instead of building single-user applications to run on a personal computer, new applications are being built as multi-user services that run in data centers around the world.


Code in the Cloud: Programming Google AppEngine will teach you what you need to make the shift to cloud development using Google's AppEngine—a powerful, easy-to-use framework for developing cloud-based services.

The cloud is a platform for creating services, a new kind of application that can reach more users and provide those users with more capabilities than a desktop application ever could.

Building applications as cloud services makes them scalable: cloud applications can easily and smoothly adapt from running on a single computer for a single user to running on thousands of computers for millions of users.

This book will teach you what a cloud service is, and how it differs from traditional applications. It shows you how to build a cloud service by taking advantage of the services that AppEngine makes available to you, and by using iterative development of a simple application to guide you through the different aspects of AppEngine development, using either Python or Java.

Through the process of working on a simple application, you'll learn about how to build an application as a service; how to manage persistent data using AppEngine; how to build dynamic, interactive user interfaces that run in a user's web-browser; how to manage security in a web application; and how to interact with other services running in the AppEngine cloud.



Cloud identity tools for LinkedIn, Twitter and Microsoft Live

Ping Identity released Cloud Identity Connectors for LinkedIn, Twitter, and Microsoft Live, enabling the enterprise to rely on cloud service providers and social networking sites for third-party user authentication.


Ping Identity can now connect cloud businesses with six of the largest cloud service and social network sites, including Google (and other OpenID 2.0 providers), Salesforce and Facebook.

The LinkedIn, Twitter, and Microsoft Live Cloud Identity Connectors enable any of these social networking sites to be used for third party authentication.

Users visiting an e-business site can sign on and register using an existing consumer identity. This improves registration rates by eliminating the need to develop a new profile and create another password, while providing a more personalized user experience.

Installed as an add-on to PingFederate, the identity connectors use configuration information from PingFederate to create the HTML and JavaScript code necessary to develop compelling log-in pages featuring the logos of the top social networking websites.

The Cloud Identity Connectors interface with the LinkedIn, Twitter, and Microsoft Live APIs utilising OAuth for consent/authorisation and authentication. The access token obtained during this interaction can be used to authenticate subsequent API calls in order to gather additional data about the user or push information to the application.



SCADA SIEM for critical infrastructure protection

AlienVault released its ICS SIEM, a family of purpose-built appliances which provide a platform for security and compliance management across industrial process control networks.

The solution includes the detection, prevention and awareness capabilities necessary to get ahead of security and compliance challenges.

A single dashboard allows operators to define and enforce security policies as well as produce the forensically accurate reporting to demonstrate compliance with internal and external regulations.

Key features:
  • No-touch deployments add security without impacting process reliability
  • Immediate visibility into Industrial Control System security
  • Unlimited support across all SCADA and other IP-enabled components
  • Rugged fanless chassis for high reliability
  • Embedded intrusion detection including host, wireless and network
  • Compliance platform for NERC, NRC, CFATS and other regimes.
“Industrial networks face increasing threat of incidents causing economic, physical and human damage,” said Chris Blask, AlienVault’s Vice President, Industrial Control System Group. “SIEM as a technology provides the dashboard for planning and implementing a complete solution. AlienVault ICS SIEM uniquely combines the necessary supporting technologies, such as vulnerability assessment and intrusion detection, in a physical and architectural format appropriate for industrial applications.”

Fake Epsilon breach warning tricks users

Among the most annoying things you can find online are pages that pretend to offer or try to push a service in order to make money by simply referring the user to another site.

While I can appreciate that some people are good at making money practically out of nothing, I get really irritated when these schemes try to frighten users into doing something.

Take the latest example that has been pinpointed by ISC:



The page in question is a landing page with the following URL: www.financialalertssystem.com/5/t/14.php?engsec=10&target=example.com. The last parameter/target - example.com - has been inserted by the researchers simply to make the page innocuous, but the target can be changed into any other domain.

As the target parameter changes, so does the domain name throughout the text, making the page easily customizable for targeting users of various online services. A bit of JavaScript also makes the date in the page always current, so that the user is pressured into acting immediately.

In this particular case, the page is intended to scare people into purchasing a credit report by mentioning the recent Epsilon data breach.

For a careful user, the page does not present a danger - a simple glance at the bottom of the page reveals a pretty straightforward disclaimer that says that the site in question is not sponsored by or affiliated with [TARGET PARAMETER] and that [TARGET PARAMETER] has not authored, participated in, or in any way reviewed this advertisement or authorized it.

It also explicitly states that the site is an ad, and that the author is paid for clicks that go through or for the purchase of products featured on it. And if all that doesn't make the user pause and think twice, let's hope that this sentence does: "This website, and any page on the website, is based loosely off true stories, and is a fictitious account."
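The two tells described above, a domain name passed in a query parameter and echoed throughout the page text, plus the boilerplate disclaimer at the bottom, can be checked mechanically. As an added example, not code from the article or from ISC, the following triage function takes a landing-page URL and its HTML and reports which parameters are reflected into the visible text and which disclaimer phrases are present. The host name, the HTML and the parameter values are constructed for the example; the disclaimer phrases are the ones the article quotes.

```javascript
// Added example, not from the article or from ISC: triage a landing page for the
// "templated scare ad" pattern (domain taken from a query parameter and reflected
// into the page text, plus an ad/fiction disclaimer). Sample URL and HTML are
// constructed for this example; the host name is a placeholder.
const DOMAIN_RE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Disclaimer phrases the article quotes from the real page.
const DISCLAIMER_PHRASES = [
  'not sponsored by or affiliated with',
  'is a fictitious account',
];

// Crude visible-text extraction: drop scripts and tags, collapse whitespace.
function stripTags(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<[^>]+>/g, ' ')
    .replace(/\s+/g, ' ')
    .toLowerCase();
}

function triageLandingPage(urlString, html) {
  const url = new URL(urlString);
  const text = stripTags(html);
  const reflected = [];
  for (const [name, value] of url.searchParams) {
    const needle = value.toLowerCase();
    if (DOMAIN_RE.test(value) && text.includes(needle)) {
      reflected.push({ param: name, domain: value, count: text.split(needle).length - 1 });
    }
  }
  const disclaimers = DISCLAIMER_PHRASES.filter((phrase) => text.includes(phrase));
  let verdict = 'no-reflection';
  if (reflected.length > 0) {
    verdict = disclaimers.length > 0 ? 'templated-ad' : 'templated-page';
  }
  return { host: url.hostname, reflected, disclaimers, verdict };
}

// Constructed sample: a placeholder host, the "target" parameter the article
// describes, and a page body modelled on the one ISC examined.
const SAMPLE_URL = 'http://ads.example.invalid/t/14.php?engsec=10&target=example.com';
const SAMPLE_HTML = `
<html><body>
<h1>Important notice for example.com customers</h1>
<p>Following the recent data breach, example.com account holders should
check their credit report today.</p>
<script>document.write(new Date().toDateString());</script>
<p class="fine">This site is not sponsored by or affiliated with example.com.
This website, and any page on the website, is based loosely off true stories,
and is a fictitious account.</p>
</body></html>`;

console.log(triageLandingPage(SAMPLE_URL, SAMPLE_HTML));
```

On the constructed sample the verdict is `templated-ad`: the `target` value appears three times in the visible text and both disclaimer phrases are present. The same page with a different `target` value would be classified identically, which is the point: the brand in the text is whatever the link carried, not evidence of any relationship with that brand.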

35 million Google Profiles collected into private database

If you are one of those individuals who made their own Google Profile, chances are that you knew and agreed to the fact that the information you included in it will be available for anyone who searches for it online.

But, maybe you haven't thought about the possibility of this information being harvested and indexed in order to make mining of it easier. Whether you have or not, it is ultimately irrelevant - you have shared the information with Google, and it does not forbid the indexing of the list.



Nor does it limit the amount of data that can be extracted. According to Matthijs Koot, a Ph.D. student of the University of Amsterdam who attempted this feat, Google didn't attempt to throttle, block, CAPTCHA or in any other way make his mass-downloading more difficult.

The result is that during the course of one month, he was able to create a database containing all Google Profiles - some 35 million of them. In it are stored Twitter conversations, names, aliases, past education and employment information, links to Picasa photo albums and - in 15 million cases - the username, which is easily translated into a valid Gmail address.

"My activities are directed at inciting, or poking up, debate about privacy -- NOT to create DISTRUST but to achieve REALISTIC trust -- and the meaning of 'informed consent'," points out Koot. "How can a user possibly be considered to be 'informed' when they're not made aware about the fact that it does not seem to bother Google that profiles can be mass-downloaded and about misuse value - or hopefully the lack of it - of their social data to criminals and certain types of marketeers?"

According to The Register, Google isn't worried about Koot's project and the implications. "Public profiles are usually discovered when people use search engines, and sitemap information makes it possible for search engines to index these public profiles so that people can find them. The sitemap does not reveal any information that is not already designated to be public," said the company spokesman.

And users can set their profile settings not to allow their profiles to be indexed by search engines. I guess that in Google's mind, their hands are clean.

And while I do believe that informed consent is definitely something the company should consider and work on, I can't help thinking that people should accept part of the responsibility for their privacy and simply stop putting that much personal information online.
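Koot's point that nothing throttled, blocked or challenged a month-long mass download is the part a site operator can act on. As an added example, not code from the article, from Koot or from Google, the following detector runs over constructed access-log lines and flags any client that fetches more distinct profile pages within a sliding window than a person browsing could plausibly want; it is the kind of signal that would feed a rate limit or a CAPTCHA. The log format, the IP addresses, the `/profiles/` path prefix and the thresholds are all assumptions made for the example.

```javascript
// Added example, not from the article, from Koot or from Google: flag clients
// that enumerate profile pages faster than a human would, from access-log
// lines. Log format, addresses, path prefix and thresholds are constructed.
const LOG_RE = /^(\S+) \[([^\]]+)\] "GET (\S+) HTTP\/1\.[01]"/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], ts: Date.parse(m[2]), path: m[3] };
}

// Returns clients whose peak count of distinct profile paths inside any window
// of windowMs exceeds maxProfiles.
function findEnumerators(lines, { windowMs = 60000, maxProfiles = 20, profilePrefix = '/profiles/' } = {}) {
  const events = lines
    .map(parseLine)
    .filter((e) => e && e.path.startsWith(profilePrefix))
    .sort((a, b) => a.ts - b.ts);

  const perClient = new Map();
  for (const e of events) {
    if (!perClient.has(e.client)) perClient.set(e.client, []);
    perClient.get(e.client).push(e);
  }

  const flagged = [];
  for (const [client, evs] of perClient) {
    let start = 0;
    let peak = 0;
    for (let i = 0; i < evs.length; i++) {
      // Slide the window start forward until it is within windowMs of event i.
      while (evs[i].ts - evs[start].ts > windowMs) start++;
      const distinct = new Set(evs.slice(start, i + 1).map((e) => e.path)).size;
      if (distinct > peak) peak = distinct;
    }
    if (peak > maxProfiles) flagged.push({ client, peakDistinctProfiles: peak });
  }
  return flagged;
}

// Constructed log: one client walks 30 sequential profile IDs in 30 seconds,
// another client revisits a single profile and runs a search.
const SAMPLE_LOG = [
  ...Array.from({ length: 30 }, (_, i) => {
    const ts = new Date(Date.UTC(2011, 4, 31, 10, 0, i)).toISOString();
    const id = String(i + 1).padStart(4, '0');
    return `203.0.113.9 [${ts}] "GET /profiles/${id} HTTP/1.1"`;
  }),
  '198.51.100.7 [2011-05-31T10:00:05.000Z] "GET /profiles/0003 HTTP/1.1"',
  '198.51.100.7 [2011-05-31T10:00:40.000Z] "GET /search?q=koot HTTP/1.1"',
  '198.51.100.7 [2011-05-31T10:00:50.000Z] "GET /profiles/0003 HTTP/1.1"',
];

console.log(findEnumerators(SAMPLE_LOG));
```

With the defaults the scraper at 203.0.113.9 is flagged with a peak of 30 distinct profiles in one minute, while the browsing client is not. The threshold is deliberately conservative; an operator would tune `windowMs` and `maxProfiles` against real traffic, and the response to a flag can be as mild as a CAPTCHA rather than a block.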