The majority of devices running Google’s Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.
The high-impact vulnerability has existed in Android since the release of version 2.1 in early 2010, researchers from Bluebox Security said. They dubbed the bug Fake ID, because, like a fraudulent driver’s license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off-limits. Google developers have introduced changes that limit some of the damage that malicious apps can do in Android 4.4, but the underlying bug remains unpatched, even in the 5.0 preview.
The Fake ID vulnerability stems from Android’s failure to verify the validity of the cryptographic certificates that accompany each app installed on a device. The OS relies on those credentials when allocating the special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash, in every Android version but 4.4, is permitted to act as a plugin for any other app installed on the phone, presumably to let it add animation and graphics support. Similarly, Google Wallet is permitted to access the Near Field Communication hardware that processes payment information.
According to Jeff Forristal, CTO of Bluebox Security, Android fails to verify the chain of certificates used to certify that an app belongs to this elite class of super-privileged programs. As a result, a maliciously developed app can include an invalid certificate claiming it is Flash, Wallet, or any other app hard-coded into Android. The OS, in turn, grants the rogue app the same special privileges assigned to the legitimate app without ever detecting the certificate forgery.
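The chain check the article describes, shown as an added example that is not Bluebox’s or Android’s code: a naive check that trusts whatever issuer name an app’s certificate claims, beside a check that actually verifies the issuer’s signature. It assumes the Python `cryptography` package; "Vendor CA" and "Legit Plugin" are constructed names, and all keys and certificates are generated in-process.

```python
"""Added illustration (not Bluebox's or Android's code): naive issuer-name matching
versus real signature verification of a certificate chain. Assumes the `cryptography`
package; all keys and certificates below are generated in-process (constructed)."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def _cert(subject_cn, issuer_cn, signing_key, public_key):
    """Build a one-day X.509 cert; `issuer_cn` is only a *claim* written into the cert."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(signing_key, hashes.SHA256()))

def naive_chain_ok(leaf, trusted_issuer):
    # Fake ID-style mistake: accept the chain because the leaf merely *names* the trusted issuer.
    return leaf.issuer == trusted_issuer.subject

def verified_chain_ok(leaf, trusted_issuer):
    # Correct check: the issuer's public key must actually validate the leaf's signature.
    if leaf.issuer != trusted_issuer.subject:
        return False
    try:
        trusted_issuer.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                           padding.PKCS1v15(), leaf.signature_hash_algorithm)
        return True
    except Exception:  # cryptography.exceptions.InvalidSignature
        return False

def demo():
    """Return (naive, verified) verdicts for a genuine and a forged 'Legit Plugin' cert."""
    ca_key = _key()
    ca = _cert("Vendor CA", "Vendor CA", ca_key, ca_key.public_key())
    legit = _cert("Legit Plugin", "Vendor CA", ca_key, _key().public_key())
    # Forgery: same subject, claims "Vendor CA" as issuer, but signed with the forger's own key.
    rogue_key = _key()
    rogue = _cert("Legit Plugin", "Vendor CA", rogue_key, rogue_key.public_key())
    return {"legit": (naive_chain_ok(legit, ca), verified_chain_ok(legit, ca)),
            "rogue": (naive_chain_ok(rogue, ca), verified_chain_ok(rogue, ca))}
```

The naive check accepts both certificates; only the signature check separates the genuine one from the forgery.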
Amazon Web Svcs. in Fight of Its Life as Customers Like Dropbox Ponder Hybrid Clouds and Google Pricing
For many years Amazon Web Services was the only public cloud in town. That is no longer true, as Microsoft and Google are now aggressively selling their infrastructure to startups and enterprises alike. In that superheated battle, they are wooing even Amazon’s biggest and best customers: companies like Dropbox, Airbnb, and, yes, Netflix.
That could be one reason AWS sales dipped this quarter. Amazon announced Thursday that for its second quarter, which ended June 30, the category that includes AWS saw a 3 percent sequential revenue slip. That “other” category — which also includes advertising services and co-branded credit card agreements — also logged 38 percent growth year over year. That sounds great until you realize year-over-year growth in the first quarter was 60 percent. There have been other slight quarterly dips in the category’s otherwise relentless rise over the past few years, but they’ve mostly happened between fourth and first quarters.
The other thread in this narrative is that many big companies — including startups that were nurtured on AWS and then grew — are finding the hybrid cloud model attractive. This involves keeping some workloads on public clouds like AWS, Microsoft Azure or Google Cloud Platform and others in-house on a company’s own servers. And for workloads that will remain in the public cloud, companies would be fiscal dopes if they did not spec out AWS competitors, if only to wring pricing advantages from AWS. Starting a few years ago, this is exactly how big Microsoft Office shops wielded Google Apps to wrangle concessions on their Microsoft enterprise licenses. What’s old is new again.
Will the FAA drive studios to cross the border whenever they need aerial shots?
Hollywood’s aerial filmmaking community is organizing under the newly named Society of Aerial Cinematographers, which kicked off with an education and training event Saturday, held by camera gear provider and training facility AbelCine in Burbank.
Prompted by the growing interest in attaching cameras to unmanned aerial vehicles (UAVs)—also referred to as drones—the new group was initiated by aerial cinematography enthusiast Robert Rodriguez, who is also director of technical operations for Technicolor Creative Services.
Opening Saturday’s program - attended by an estimated 100 people, many of whom were pilots - Rodriguez urged participants to learn about and get involved in issues surrounding drones for production, which he believes might be “at risk.” He noted that the U.S. “is the only country” where UAVs for production are regulated. “This makes it difficult for people to market themselves as aerial cinematographers,” he said, adding that with tax incentives already driving work out of the country “we don’t need another piece to go.”
As the FAA watches its drone regulation deadlines loom, President Obama intends to issue an executive order that will deal with drone privacy, something that the federal agency hasn’t delved too deeply into. According to Politico, the president plans to put together an executive order asking the National Telecommunications and Information Administration to come up with rules relating to consumer privacy, unmanned aircraft, and the interaction between the two.
Drones are an important topic at the moment, as the technological underpinnings of the product segment quickly mature and regulation lags. The FAA is currently operating a number of drone testing sites around the nation and is expected to come up with regulation on the use of commercial drones.
If the president executes his planned push forward on drone regulation, we could see a wider, more diverse set of rules in place to manage the commercial and private use of the unmanned aircraft.
This is a needed step. For cloud services to work well, the “heavy iron” server infrastructure in the cloud’s core has to work well, and that means many mondo app, content, and data servers connected via speedy, high-capacity broadband pipes. If the heavy lifting and crunching takes place in the core, the extended network and the minimum device needed to support the applications can be lighter.
Just days after a consortium was formed to pursue a 25 Gbit/s specification for data centers, the IEEE has anointed its 802.3 25 Gbit/s Ethernet Study Group, the first step toward establishing a formal standard.
Institute of Electrical and Electronics Engineers Inc. (IEEE) members voted last week to pursue the effort to explore uses of, and market interest in, 25 Gbit/s Ethernet for single-lane interconnections between servers and top-of-rack networking gear inside data centers. Mark Nowell, chairman of the study group and senior director at Cisco Systems Inc. (Nasdaq: CSCO), tells Light Reading that an initial straw poll of voting engineers found 121 in favor and just one against the idea. The move to establish the study group was unanimously approved in a follow-up vote. (See IEEE Studies 25G Ethernet Standard.)
Cross posted at Noblesse Oblige
Malware targeting Linux servers has been increasingly hitting the headlines over the past year. In this post we present research on an advanced and highly versatile malware operation targeting Linux and FreeBSD servers. We have named the malware family at the heart of this operation GalacticMayhem, as a reference to some of the C&C URLs. It is the same family of malware that was written about by a team of researchers from Yandex.
Infection of a server with Mayhem begins with a PHP dropper script. This script is responsible for dropping a malicious ELF shared object file and executing it. The dropped binary is usually named libworker.so, but our research has also uncovered cases where the binary was called atom-aggregator.so or rss-aggr.so. The dropper script always includes both a 32-bit and a 64-bit version of the malware; these are identical in functionality and configuration.
If you were the scientific advisor to a $200-billion venture capital fund that aims to limit global warming over the next 20 years, what investment would you recommend as having the single biggest impact? A survey of climate experts found that a majority listed the retirement of coal power—or the sequestering of coal plants’ emissions—as the top priority for investment.
The retiring of coal-fired plants was picked as the number one choice among an array of other investment options such as rainforest preservation, changing the human diet to less meat (or perhaps encouraging consumption of insects), and building low-emission products. Such findings come from the Vision Prize, a nonpartisan research platform that uses charity prize incentives to carry out online surveys of climate experts.
This latest Vision Prize survey also asked the opinion of experts regarding an open letter on nuclear power by Ken Caldeira, Kerry Emanuel, James Hansen, and Tom Wigley that was published on 3 November 2013. About 71 percent of experts surveyed agreed with the letter’s opinion that nuclear power will play a crucial role in any plan to stabilize the effects of climate change.
Why does the label matter? In theory, it should not: the FCC could call Comcast a cat food company, and it would still provide the same services. But under FCC rules, the “telecommunications service” label is important because it triggers a series of obligations under Title II of the Communications Act of 1934.
The Title II debate is divisive, which has led some to call for a middle ground — one that is unlikely to work.
Those obligations, which cover everything from price-caps to closed-captioning to emergency services, have traditionally applied to “common carriers” like wireline phone companies, and place restrictions on how they run their business. That’s why broadband providers like Comcast and Verizon don’t want to live under Title II — they want to continue on as “information services” under a different part of the law (Title I) which, on paper, involves a lighter regulatory load.
Those thrilling moments when a soccer player kicks home the winning goal in the World Cup final or Beyonce debuts new dance choreography in concert might someday be recreated in full 3-D motion down to the smallest piece of confetti and played back from almost any angle. Such a possibility comes from a new motion-capture technique capable of reconstructing scenes captured by more than 500 video cameras mounted inside a two-story geodesic dome.
The new technique comes from Carnegie Mellon University researchers working in the Panoptic Studio—a video lab with a camera system capable of capturing 100,000 different points in motion at any time. Researchers developed a technique that uses consistent motion patterns as a cue for identifying and tracking certain points on an object captured by cameras. And it all works without the need for physical markers, such as those used by Hollywood motion-capture systems to translate the acting performance of Andy Serkis into the movements of the ape leader Caesar in the newest “Planet of the Apes” films.
More than 1 million people filed a comment with the Federal Communications Commission on how to preserve an open Internet as the first period to do so ended Friday.
Originally a strong supporter of net neutrality, the FCC had told the D.C. Circuit that without FCC regulation “[a] service provider could prevent an end user from accessing Netflix, or the New York Times, or even this court’s own website, unless the website paid the provider to allow customer access.”
This stance changed, however, after the D.C. Circuit ruled in January that the Federal Communications Commission (FCC) lacks the authority to regulate broadband Internet companies because the agency had not classified broadband providers as “common carriers,” like a phone company or other utility subject to telecommunications regulations. Instead, it had called them “information services.”
More: Courthouse News Service