Author Topic: Tech News Weekly: Edition 30-09  (Read 9666 times)

Ehtyar

Tech News Weekly: Edition 30-09
« on: July 26, 2009, 05:59 AM »
The Weekly Tech News
Hi all.
Enjoy :)
As usual, you can find last week's news here.


1. Researcher Raids Browser History for Webmail Login Tokens
http://www.theregister.co.uk/2009/07/20/csrf_token_hijacking/
To see it in action: http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/
The scary bit about this one ('coz CSRF is pretty old hat at this stage...) is that they're finding the token, and with just css :S

In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.

Websites typically append a random sequence of characters to URLs after a user has entered a correct password. The token is designed to prevent CSRF (cross-site request forgery) attacks, which trick websites into executing unauthorized commands by exploiting the trust they have for a given user's browser. The token is generally unique for each user, preventing an attacker from using CSRF attacks to rifle through a victim's account simply by sending a generic URL to a website.


2. Network Solutions Breach Exposed 500k Card Accounts
http://www.theregister.co.uk/2009/07/25/network_solutions_ecommerce_breach/
I've been trying to avoid posting data breaches, since they're so common now-a-days, but this one is particularly large, and probably relevant to a lot of DCers. Basically, Network Solutions' CMS was hacked, and the baddies got all your c4rdz0r.

A breach at Network Solutions has exposed details for more than 500,000 credit and debit cards after hackers penetrated a system it used to deliver e-commerce services and planted software that diverted transactions to a rogue server, the hosting company said late Friday.

The unauthorized software was in place from March 12 to June 8 and affected transactions Network Solutions processed on behalf of 4,343 merchant websites that mostly belonged to small businesses, spokeswoman Susan Wade said. While the company discovered the software in early June, it waited until the close of business Friday to disclose the breach. Wade said it took until July 13 for forensics investigators to crack the code and understand how it worked.


3. Palm Plays Cat-and-mouse With Apple, Reenables iTunes Sync
http://arstechnica.com/gadgets/news/2009/07/palm-plays-cat-and-mouse-with-apple-reenables-itunes-sync.ars
Seems like Palm has decided to start a game of cat and mouse with Apple. They've modified the Pre to again work with iTunes, after Apple locked them out in their last update.

Palm passive-aggressively fired back at Apple in its 1.1.0 update to the Pre's webOS Thursday night. Among the handful of changes that came with the point update, the software restores syncing functionality with iTunes after Apple unceremoniously "fixed" the "problem" last week. The move is the latest in this high-profile cat-and-mouse game between Apple and Palm, and Palm seems to be willing to keep poking the fate bear—but to what end?

webOS 1.1.0 isn't all about iTunes compatibility. Among other things, it contains a number of useful updates to the Pre, including better timezone support in the Clock application, improved syncing with Google when you edit a Google contact, and the addition of emoticons in text, multimedia, and instant messages. The software also gained some enterprise features in the form of Exchange ActiveSync (EAS) support that allows for remote wipe, PIN/passwords, inactivity timeouts, and improved certificate handling.


4. Wireless Power System Shown Off
http://news.bbc.co.uk/2/hi/technology/8165928.stm
A wireless power transfer system has been unveiled at the latest TED conference. It exploits resonant frequency between the charging station and appliance to transfer the power in a substantially more efficient manner.

The technique exploits simple physics and can be used to charge a range of electronic devices over many metres.

Eric Giler, chief executive of US firm Witricity, showed mobile phones and televisions charging wirelessly at the TED Global conference in Oxford.

He said the system could replace the miles of expensive power cables and billions of disposable batteries.

"There is something like 40 billion disposable batteries built every year for power that, generally speaking, is used within a few inches or feet of where there is very inexpensive power," he said.


5. Microsoft Caves to EU Pressure, Will Offer Browser Ballot
http://arstechnica.com/microsoft/news/2009/07/microsoft-caves-to-eu-pressure-will-offer-browser-ballot.ars
Sketchy on the details as of yet, but it looks like MS has finally caved, and will ask the user which browser they'd like to use in Windows 7...in the EU at least.

Although Intel may have been hit with a bigger fine, the multi-year saga of Microsoft's fight with the European Union's Competition Commission may have run up larger legal bills, given its longevity. The most recent point of contention between Redmond and Europe has been the browser; Microsoft bundles its own with its operating systems, but the EU views that as using monopoly power to the detriment of potential competitors.

Earlier this month, word came out that Microsoft was looking to make this matter go away, and it may have succeeded; the European Commission has just announced that Microsoft has agreed to proposed EU remedies and is willing to offer a "browser ballot" to new users.


6. Microsoft Aims at VM Market With Linux Kernel Code Offering
http://arstechnica.com/microsoft/news/2009/07/microsoft-aims-at-vm-market-with-linux-kernel-code-offering.ars
Microsoft looks to be seeking dominance in the virtualization market, after it made code available to the Linux Kernel that would improve its performance on Hyper-V.

Microsoft is contributing approximately 20,000 lines of source code to the Linux kernel with the aim of improving support for running the Linux operating system in virtualized environments on Windows servers. The move is part of a broader trend at Microsoft towards collaboration with the open source software community.

Prominent Linux kernel developer Greg Kroah-Hartman announced the code submission today in a message posted to the Linux kernel mailing list. He says that the new drivers contributed by Microsoft will soon land in the staging tree where they will undergo some refinement before they are merged directly into the mainline kernel. Microsoft is making the code available under the terms of GNU's General Public License (GPL), the open source software license that is used by the Linux kernel.


7. Intel's New 34nm SSDs Cut Prices by 60 Percent, Boost Speed
http://arstechnica.com/hardware/news/2009/07/intels-new-34nm-ssds-cut-prices-by-60-percent-boost-speed.ars
Intel's SSDs are getting cheaper people, there may yet be hope they'll be affordable before you buy your next machine.

Intel has announced two new solid state disk drives made on its leading-edge 34nm process. The two new SSDs are X25M SATA parts weighing in at 80GB and 160GB, and they're meant to replace Intel's existing X25M drives in those capacities, but at 60 percent less cost and with better performance. The 80GB X25-M is $225 in lots of 1,000 (down from $595), and the 160GB is $440 (from $945). That's some serious discounting, and it may well drive even more SSD uptake in the coming quarters despite the ongoing IT spending crunch.

So what do you get for 60 percent less? In a word, speed. The new drives boast a 25 percent reduction in read latency, which was already about 60x the speed of an average hard disk; write performance has also doubled with this new generation.


8. EFF's New Lawsuit, and How the NSA is Into Social Networking
http://arstechnica.com/tech-policy/news/2009/07/effs-new-lawsuit-and-how-the-nsa-is-into-social-networking.ars
A sensationalist headline, to be sure, but it's good to know the EFF is watching our backs...

The government could be building a giant map of social networks using Facebook and Twitter, scraping MySpace pages, or mining the metadata associated with cellular phone calls in order to look for communication patterns. On the other hand, all of that computer power that the NSA is aggregating at the datacenters that are coming online could just be for the limited purpose of snooping voice calls and e-mail coming into and out of the US, but such narrow use is unlikely.

What the NSA is doing with its massive and growing capabilities is still a secret, but it's probably an extension of DoD efforts at mapping social networks that extend back to the early part of the decade. A new EFF lawsuit filed this week could finally shed at least a little more light on the nature of these classified activities, so that we can know for sure whether some descendent of John Poindexter's Total Information Awareness program lives on at the NSA.


9. Hackers Scoffing at iPhone 3GS' Hardware Encryption
http://www.engadget.com/2009/07/24/hackers-scoffing-at-iphone-3gs-hardware-encryption/
Looks like the encryption offered in the iPhone 3GS isn't really encryption at all.

There were other features taking higher billing in the iPhone 3GS' announcement than its hardware-level encryption -- hell, even the magnetic compass was getting more play -- but it's there, and Apple's actively marketing the bit-scrambling capability to enterprise clients. Problem is, hackers are apparently having a field day with it, rendering it useless in all but name.


10. [NSFW] Saturday Night Live - Cork Soaker
http://www.143pinoy.com/watch/saturday_night_live_cork_soaker
Don't know how many of you will have seen this -- but oh-my-god so funny.




Ehtyar.

tinjaw

Re: Tech News Weekly: Edition 30-09
« Reply #1 on: July 26, 2009, 01:28 PM »
I'm almost crying after watching that SNL video. Funniest thing I have seen in a while from SNL.

P.S. Please join me in supporting EFF. I donated again recently because of all of the #$(*% that is going on these days. I am hoping they will lead a class action lawsuit against Amazon and the publisher of 1984 some day.
« Last Edit: July 26, 2009, 01:30 PM by tinjaw »

40hz

Re: Tech News Weekly: Edition 30-09
« Reply #2 on: July 26, 2009, 01:58 PM »
#5 - To paraphrase Virgil: Beware of Geeks bearing gifts.

The strategy of "embrace, enhance, extinguish" lives on! >:(


jgpaiva

Re: Tech News Weekly: Edition 30-09
« Reply #3 on: August 24, 2009, 05:16 PM »
"7. Intel's New 34nm SSDs Cut Prices by 60 Percent, Boost Speed" - 25% in read latency? No moving parts and lower power usage? Looks like my next laptop will be carrying one of these :)
Or am I misinformed and there's a giant caveat waiting for me?

Ehtyar

Re: Tech News Weekly: Edition 30-09
« Reply #4 on: August 24, 2009, 10:20 PM »
Intel SSDs had a few fragmentation issues there for a while, but I believe those have mostly been rectified (there was also an encryption screwup, but that was fixed very fast). However, they're still far too expensive IMO, HDDs have been too good to me thus far for me to ditch them for something at three times the price.

Ehtyar.

f0dder

Re: Tech News Weekly: Edition 30-09
« Reply #5 on: August 25, 2009, 12:42 AM »
Keep in mind that just about all SSDs have had those physical fragmentation issues, and that intel is one of the few manufacturers that has been active about it. I haven't looked at the SSD market for some months (having something to do with getting an X25-E), but back then you basically had two choices: Intel or OCZ Vertex (specifically only the Vertex) - EVERYTHING else sucked (the short story: manufacturers optimizing for high linear speeds ending up with performance lower than harddrives once random read/writes were used).

Cost is still pretty high on SSDs, but once you've had one in your workstation you really don't want to go back. It's not about those ludicrous hundreds-of-megs-per-second linear rates, it's all about the low latency. Couple with a traditional fast HDD for bulk storage and you're flying. I'm considering replacing the 120GB disk in my laptop with a somewhat smaller SSD; I could live with ~60gig there for better speed and no mechanical parts making "hi, I'm about to die" sounds :)

PS: SSD doesn't necessarily mean lower power consumption; conventional laptop drives are quick to go into standby modes, many SSDs don't have standby mode (not because they can't, but because the manufacturers are silly and lazy).
- carpe noctem

jgpaiva

Re: Tech News Weekly: Edition 30-09
« Reply #6 on: August 25, 2009, 07:56 AM »
> I'm considering replacing the 120GB disk in my laptop with a somewhat smaller SSD; I could live with ~60gig there for better speed and no mechanical parts making "hi, I'm about to die" sounds :)
>
> PS: SSD doesn't necessarily mean lower power consumption; conventional laptop drives are quick to go into standby modes, many SSDs don't have standby mode (not because they can't, but because the manufacturers are silly and lazy).
It's the "i'm about to die" sounds in disks that scare me... In the recent years, I have lost quite a few disks, and even though I did have backups, I ended up losing loads of time reinstalling the OS and all.

I suppose they'll eventually do something about the standby mode, as soon as they start selling more and the competition rises!
Now that I think of it.. How about temperature? Do SSDs heat more than conventional disks?

f0dder

Re: Tech News Weekly: Edition 30-09
« Reply #7 on: August 25, 2009, 09:45 AM »
Well, the standby power consumption issues might already have been fixed, I haven't read about the issue for a while :). Also, I don't know what amount of write (or rather, erase) cycles the current SSDs can handle; there doesn't seem to be much conclusive data, and people are quick to shout off their mouths without anything to back up their claims. Iirc AnandTech has said that even MLC-based drives with heavy usage should last 3+ years, which is good enough for me... especially if, as I've understood, a "failing" drive simply blocks sectors go read-only (compare that to a failing harddrive where all bets are off).

As far as heat is concerned, I suppose SSDs should run a lot cooler than mechanical drives. Haven't tested my own SSD, but it feels ambient case temperature to the touch :)
- carpe noctem

jgpaiva

Re: Tech News Weekly: Edition 30-09
« Reply #8 on: August 25, 2009, 01:08 PM »
I didn't know about that "bad sectors go read-only" thing! That's just great :D
Having a temperature-efficient disk would also be great, my laptop heats a lot :(

f0dder

Re: Tech News Weekly: Edition 30-09
« Reply #9 on: August 25, 2009, 06:54 PM »
> I didn't know about that "bad sectors go read-only" thing! That's just great :D
> Having a temperature-efficient disk would also be great, my laptop heats a lot :(
Well, I think that's what happens to bad sectors on SSDs, but I could very well be wrong - and I suppose they could be more sensitive to power surges than mechanical drives.

As for temperature-efficient, I bet the CPU and GPU are going to be the hottest parts of the laptop, not the disk :)
- carpe noctem

Lashiec

Re: Tech News Weekly: Edition 30-09
« Reply #10 on: August 25, 2009, 07:38 PM »
I wouldn't care too much about power consumption issues. Really. Might help with the cost of the European "tax" applied to anything tech-related :mad:

I might be surprised if the SSDs heat up due to its own operation. As f0dder says, the CPU and the GPU are your primary concern. As long as they don't toast your hands, everything will be alright.