Two days ago, security professional Gaurang Pandya made an interesting discovery about the browser that comes bundled with the Nokia Asha 302, or pretty much any Nokia feature phone. The browser uses a proxy to route its traffic instead of hitting the requested server directly. This led many people to believe that Nokia is performing a MITM attack on their connection. Now, it would be wrong to refute those claims, because this indeed is a MITM technically. However, it is too early to jump to conclusions here.
Nokia uses its Nokia/Ovi proxy servers pretty much the same way any other browser manufacturer uses its proxy servers — for transcoding, resulting in data compression and faster browsing. Amazon’s Silk browser does it, Opera Mini does it, but with a slight difference: the others that do it are not handset manufacturers. Nokia, on the other hand, is a handset manufacturer, and this allows it to proxy HTTPS connections as well. So, how does this work?
Nokia has control of your device (at least during the manufacturing process), and it cunningly includes a fake certification authority (CA) on your device. With this CA trusted by your device, the proxy server can now decrypt your data, because the browser encrypts it under a certificate issued by that CA, for which the proxy server holds the private key [Public Key Cryptography]. The proxy server in turn sends the data on to the actual server, this time over a connection secured with the server’s own certificate issued by a proper CA. The outcry in this case was that HTTPS connections could also be hijacked by the proxy servers at Nokia, which is not possible with Opera Mini or other browsers that use proxy servers.
So, is there reason to be worried? Of course there is. However, is there reason to blame Nokia? No. There is just reason enough to ask better questions, like how secure are these proxy servers?
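To make the mechanism concrete, here is an added illustration (not code from the article or from Nokia) using constructed, simplified certificate records: with the vendor’s extra root in the device trust store, the proxy-issued chain validates exactly like the genuine one, and only a pin on the server’s real public key tells them apart. The names, keys and chains are all assumptions built for this example.

```python
import hashlib

# Constructed, simplified certificate records (not real X.509 certificates).
# A "signature" is modelled by the issuer field; real code verifies the
# signature bytes with the issuer's public key.
def spki_hash(pubkey: bytes) -> str:
    """Fingerprint of a public key, the usual thing to pin."""
    return hashlib.sha256(pubkey).hexdigest()

BANK_KEY = b"bank-real-public-key"               # assumed genuine server key
PROXY_KEY = b"proxy-generated-public-key"        # key the proxy minted for the same name

GENUINE_CHAIN = [
    {"subject": "bank.example", "issuer": "Public CA", "pubkey": BANK_KEY},
    {"subject": "Public CA", "issuer": "Public CA", "pubkey": b"public-ca-key"},
]
PROXIED_CHAIN = [
    {"subject": "bank.example", "issuer": "Vendor Proxy CA", "pubkey": PROXY_KEY},
    {"subject": "Vendor Proxy CA", "issuer": "Vendor Proxy CA", "pubkey": b"vendor-proxy-key"},
]

# Trust store as shipped on the device (extra vendor root) vs. a strict one.
FACTORY_TRUST_STORE = {"Public CA", "Vendor Proxy CA"}
STRICT_TRUST_STORE = {"Public CA"}


def chain_is_trusted(chain, trust_store) -> bool:
    """Walk leaf -> root: each issuer must be the next cert's subject,
    and the self-signed root must be present in the trust store."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
    root = chain[-1]
    return root["subject"] == root["issuer"] and root["subject"] in trust_store


def leaf_matches_pin(chain, pinned_spki: str) -> bool:
    """Pinning check: the leaf's public key must be the one we expect,
    regardless of which trusted root signed the chain."""
    return spki_hash(chain[0]["pubkey"]) == pinned_spki


BANK_PIN = spki_hash(BANK_KEY)  # what a pinning client would ship with
```

The proxied chain passes ordinary validation on the factory trust store, fails it on the strict store, and fails the pin in both cases; that is why a device-installed CA is invisible to normal browser checks.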
Following the plan to open source its Simian Army gradually, Netflix has now open sourced the Janitor Monkey tool. This is the second Simian tool to be open sourced by Netflix after the source for Chaos Monkey was released to the public in July last year. The Simian Army at Netflix is used to manage cloud services and the last offering of Chaos Monkey was used for stress testing. As a whole, this Simian Army suite is well designed to perform a multitude of actions on cloud services.
The legend behind Janitor Monkey goes as follows:
At Netflix, when we analyzed our Amazon Web Services (AWS) usage, we found a lot of unused resources and we needed a solution to rectify this problem. Diligent engineers can manually delete unused resources via Asgard but we needed a way to automatically detect and clean them up. Our solution was Janitor Monkey.
In short, the Janitor Monkey comes in handy when disposing of unused resources. The Janitor Monkey service runs in Amazon Web Services (AWS) and it can be scheduled to perform regular resource cleanups.
Although Netflix is calling this an open sourcing of the entire tool, it seems that Janitor Monkey has not been open sourced entirely. Only the modules that are generalized for other cloud services have been made available under the Apache 2 license.
The source code for the Simian Army tools is made available on GitHub as and when each tool is released. Netflix had also open-sourced its Asgard tool in June last year; Asgard is not part of the Simian Army, but it also deals with cloud services.
Gaming on Linux is getting more interesting by the day. Valve has updated its Steam December Survey to include Linux statistics. This is Valve’s first month with Linux and even though the Steam for Linux system is still in a beta stage, Linux users already account for 0.8% of total Steam users. This figure is expected to increase once Steam for Linux comes out of beta, and reaches more Linux distros. Nonetheless, this is a good start for Steam for Linux.
The Steam hardware and software survey is explained as,
Steam conducts a monthly survey to collect data about what kinds of computer hardware and software our customers are using. Participation in the survey is optional, and anonymous. The information gathered is incredibly helpful to us as we make decisions about what kinds of technology investments to make and products to offer.
In other statistics, Windows 7 64 bit is the leading operating system with more than 50% of the total user share and the favorite primary display resolution of Steam gamers is 1920×1080. While 60% of all Steam users use Mozilla Firefox, only 11.56% of them were found using Google Chrome, which is surprisingly low (lower than Internet Explorer at 19.82%) given Google Chrome’s market share.
Another interesting fact is that the number of Steam users on 64-bit versions of Ubuntu 12.10 and 12.04 is almost double that of 32-bit users (unlike Windows 7, where 64-bit users outnumber 32-bit users four to one), which is probably due to Physical Address Extension (PAE).
Television has run on the cable model for as long as we can remember. Channel subscriptions always come in bundled packages, and more often than not, we end up subscribing for the bundle just to get those few channels. That is not a very efficient way of doing things and Intel has a grand plan to change this scenario. Intel is joining Apple and Google in the IPTV race. However, the unique selling proposition here is that Intel’s service would allow us to subscribe to individual channels of our preference, instead of complete bundles. The project has been developed in secrecy, and this is the first time anyone has heard of it.
The product will be made available to a limited set of beta-tester customers in March, and will be made available through an internet connection. This makes the service independent of any cable provider. The service will also include games, on-demand shows and Intel’s app marketplace.
Much of this effort is being worked upon by the Microsoft Mediaroom team, with Jim Baldwin as the VP of this program at Intel. Intel has the expertise in chip manufacturing, and it has also stuck just the right deals with Hollywood to keep this product profitable for everyone.
The project will not be showcased at CES this year. Moreover, there are many unanswered questions here. Some people are skeptical about content providers actually wanting to accept this model. Others have speculated that the prices for these individual channels will be adjusted in such a way that the profitability per channel remains the same in both systems. At the end of the day, the consumer will probably still end up paying the same amount overall.
The new year has started on a disturbing note for Citibank and Bank of America (BoA), as Al-Qassam Cyber Fighters have started attacking them with a DDoS. The attack is not a surprise, as it was announced back in December last year. This is the second phase of their Operation Ababil, which started on 27 December, last year. The operation seems to have one agenda only — to get the controversial anti-Islamic video removed from YouTube and to stop the organized western offensive against Islam (if there is such a thing).
The first phase of Al-Qassam’s attack took place in October, after which they took a break for Eid al-Adha. The list of targets for this second phase includes US Bancorp, JPMorgan Chase, Bank of America (BoA), PNC Financial Services Group and SunTrust. The hackers at Al-Qassam said,
In new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks.
The hackers are extremely confident about their mission and have been able to cause temporary interruption of services in BoA and Citibank. While Bank of America has been attacked earlier in the first phase, Citibank is being attacked by Al-Qassam Cyber Fighters for the first time.
Citibank announced the disruption in service on its official Twitter account.
This hacker collective does not have any affiliation with Anonymous, and it is one of a kind in that it has risen to defend Islam, unlike other hacker groups.
The free software foundation has started a campaign to prevent restricted boot from becoming an industry standard in hardware. If you were living under a rock lately, restricted boot is exactly the kind of evil that will kill the PC, as we know it. Restricted boot is being sold as UEFI and although it is marketed as a security feature, it is a well-devised mechanism to create a vendor lock-in for Windows 8. That means, if your PC is secured with UEFI 2.2, you will not be able to install any operating system whose bootloader is not signed.
Although the original EFI specification was developed by Intel, it was done with the Windows OS in mind. With this move, custom kernels will be a thing of the past, as the kernel must be signed with the developer’s private key and the OEM should ship its PC with the required key alongside the Microsoft key.
Currently, the campaign by FSF has gathered 40,000 signers who support the FSF in this movement, and want to rid the world of this evil. The campaign’s appeal page goes here, and it outlines plans for the next year.
Currently, Ubuntu Linux 12.10 supports UEFI secure boot by loading GRUB through a workaround, and then proceeding with the boot. Besides this workaround, Canonical also has its own private key, which will be used on certified OEM PCs. From what it seems, you need to be a big corporation to be able to fiddle with an x86 PC now.
The Linux Foundation also announced back in October that it would start working on its own version of a minimal UEFI bootloader signed with Microsoft’s key. However, it is still waiting for Microsoft to give them a signed pre-bootloader.
A few days ago, YouTube released statistics for its biggest channels, and it was seen that over two billion video views were missing from them. The worst-hit group was Universal, which lost around 1 billion views, followed by Sony, losing over 850 million views. However, the lost views were not all fake video views. These YouTube stats of two billion lost views include views from videos that were deleted over a year ago and moved to the Vevo channel instead.
Some people speculated that the real reason for these lost views was the black hat SEO that these music labels used to project a higher view count. However, the lost views from these channels must have reappeared on Vevo, which now hosts most of these videos. The matter was later explained by Alex Ham from Billboard, who reported,
For Universal and Sony, that meant thousands of music videos that over the past three years slowly have migrated to the VEVO channel, which is jointly owned by the two companies.
Vevo collaborated with YouTube back in 2009, and has been a major revenue generator for YouTube. However, it also caused a major change in the number of views of videos from major record labels. As the web is moving towards richer forms of media, videos have an important role to play and video views are an important factor in search ranking of videos.
Join this discussion on Reddit for some speculation on this matter.
Over the last two years, a number of hacker collectives have successfully ridiculed existing cyber-security measures and this has brought up the need for a major overhaul in security. MD5, which is the most abused hashing technique, is over two decades old now, but it is still in use at many places, mostly because it is part of some legacy code that was never changed. The world of cryptography has taken the next step to security as BLAKE2 is here.
BLAKE2 is the advanced version of the BLAKE algorithm, which was a finalist in SHA3. The official page for BLAKE describes it as,
The cryptographic hash function BLAKE2 is an improved version of the SHA-3 finalist BLAKE. Like BLAKE or SHA-3, BLAKE2 offers the highest security, yet is fast as MD5 on 64-bit platforms and requires at least 33% less RAM than SHA-2 or SHA-3 on low-end systems.
While BLAKE2 is advocated as being a secure hashing function, it is also as fast as MD5, which might be a reason for concern, but the developers of BLAKE2 have said on their mailing list that BLAKE2 has better security and at-par performance with MD5. From what it seems, they are proposing BLAKE2 as a viable alternative to MD5. The use-case for BLAKE2 is not replacing the existing Keccak algorithm for SHA3.
Many times, people stick to MD5 for its performance benefit. With its superior performance and better security, BLAKE2 will be a nail in MD5’s coffin.
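As an added example (not from the article or the BLAKE2 project), the following Python uses the standard library’s `hashlib.blake2b` to show the two things the text argues for: BLAKE2 as a drop-in replacement for MD5 in a digest role, and its throughput measured on the same buffer; it also shows BLAKE2’s built-in keyed mode, which gives a MAC without a separate HMAC construction. The buffer sizes and keys are constructed for the example.

```python
import hashlib
import hmac
import time


def digest_hex(data: bytes, algo: str, digest_size: int = 64) -> str:
    """Hash data with md5 or blake2b. BLAKE2b's output length is a
    parameter (1..64 bytes); 64 gives the full 512-bit digest."""
    if algo == "md5":
        return hashlib.md5(data).hexdigest()
    if algo == "blake2b":
        return hashlib.blake2b(data, digest_size=digest_size).hexdigest()
    raise ValueError(f"unsupported algorithm: {algo}")


def keyed_tag(key: bytes, data: bytes) -> str:
    """BLAKE2's native keyed hashing: the key (up to 64 bytes for blake2b)
    is mixed into the state, so no HMAC wrapper is needed."""
    return hashlib.blake2b(data, key=key, digest_size=32).hexdigest()


def verify_keyed_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so tag checks do not leak timing."""
    return hmac.compare_digest(keyed_tag(key, data), tag)


def throughput_mib_s(algo: str, size: int = 8 << 20, rounds: int = 3) -> float:
    """Best-of-N throughput in MiB/s over a constructed zero-filled buffer."""
    buf = b"\x00" * size  # constructed input
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        digest_hex(buf, algo)
        best = min(best, time.perf_counter() - t0)
    return (size / (1 << 20)) / best


if __name__ == "__main__":
    for algo in ("md5", "blake2b"):
        print(f"{algo:8s} {throughput_mib_s(algo):8.1f} MiB/s")
    tag = keyed_tag(b"example-key", b"message")
    print("tag verifies:", verify_keyed_tag(b"example-key", b"message", tag))
```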
Some software releases develop a notorious reputation for being in development for a prolonged period, so much that people almost forget about them. Enlightenment 0.17, also known as E17 is one such release, which has arrived after 12 years in development. To put things in perspective, that is how old the PlayStation 2 is!
Enlightenment has many advantages over other window managers. It is a full-fledged platform with libraries to create intriguing user interfaces rapidly. Known as the Enlightenment Foundation Libraries (EFL), this suite realizes a complete framework, with the window manager forming an integral, but not a decisive part.
The window manager is a lean, fast, modular and very extensible window manager for X11 and Linux. It is classed as a “desktop shell”, providing the things you need to operate your desktop (or laptop), but it is not a whole application suite. This covers launching applications, managing their windows and doing other system tasks like suspending, rebooting, managing files, etc.
The project has huge growth potential, as the Enlightenment window manager can work on a variety of devices (architectures). The next step should be packaging the release for various distros, which would facilitate wider adoption. If this final step is not executed with care, this prolonged development effort will go to waste. Moreover, this step should come sooner so that more people are able to try out Enlightenment 17.
All the intricate details are well documented at this page. Also, check out the release announcement here.
The internet has an intangible presence in everyone’s lives nowadays, and it has grown into a strong content production and consumption platform with a worldwide audience. Some of the world’s most popular businesses are driven through this medium, and overall, the Internet is the one thing that has made life so much better for everyone. However, although the Internet has been around for a few decades now, transferring files over it still requires some decision making. This XKCD sums it up pretty well.
Email services have limits on the size of files that can be transferred. Recently, Dropbox was able to fill the gap with its file storage and syncing service. Now, Gmail is making it easier to transfer large files to your peers by integrating its email service with its cloud storage service — Google Drive. Gmail has allowed email attachments of up to 25 MB until now, but with Google Drive, we can send files of up to 10 GB in size through Gmail. This is 400 times what was once allowed.
The Gmail Drive integration comes with a new feature, which also checks if the file being shared has the correct permissions. The Gmail blog announces the new feature, saying,
Whenever you send a file from Drive that isn’t shared with everyone, you’ll be prompted with the option to change the file’s sharing settings without leaving your email. It’ll even work with Drive links pasted directly into emails.
The feature is available for those with Gmail’s new compose interface, and will roll out for all users over the next few days.