Thursday, August 30, 2012

Scientists might have found a cure for malaria!

In an awesome development, researchers at the University of Cape Town might have found a quick and easy cure for malaria. Malaria is one of the most common causes of death worldwide, with an estimated 200 million cases in 2010 and around 1 million deaths. As a comparison, this is almost as many deaths as from AIDS, with the difference that there are few precautions you can take to protect yourself against the disease.

Current treatments are complicated, long and have many bad side effects. The new treatment is a pill that needs to be taken only once, and so far no side effects have been observed. It is scheduled to enter human trials in 2013 and, if successful, could save millions of lives in the future, many of them children, who are extra susceptible to the disease.

Oracle apparently knew about the current Java exploit in April

According to this article, Oracle has known about the current 0-day exploit since April but has not acted to patch it.

I would seriously think twice before trusting mission critical data to software from a company that apparently has such a lax attitude towards security flaws as Oracle has displayed in this case.

Wednesday, August 29, 2012

How to open a tricky jar lid

Ever had problems opening a tricky jar? This is a nice video that goes through a bunch of different tips and tricks for solving this sticky problem.

Unpatched Java exploit found in the wild

In case you missed it, there is an unpatched security flaw in Java that is being actively exploited on the internet right now.

The vulnerability affects the Windows, Apple OS X and Linux versions of Java regardless of which browser you use. Oracle has not announced any plans to patch the vulnerability with an out-of-cycle patch (the next scheduled Java patch is months away).

Now might be a good time to disable Java in your browser. Usually you can do this by finding the settings for add-ins. In Chrome you have to go to the URL chrome://plugins/, find Java in the list and disable it (there is no item for this in the menus as far as I can tell).

Why we still have spam

According to a report from Microsoft and Google, spammers worldwide rake in around $200 million in profits, but while doing this they are also costing the recipients of that spam around $20 billion. Unfortunately, given that the $20 billion is paid by all of us and not by the people making the $200 million, I don't see them stopping voluntarily anytime soon.

There are fortunately some encouraging developments that could end spam forever (at least in its current incarnation). For instance DMARC, which combines Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), seems a promising technology. If you want to know more about DMARC there is a whole Security Now episode on it. One of its most important features is that it is supported by all the big guys like AOL, Gmail, Hotmail, Yahoo Mail and Facebook. That said, it is something you need to set up on your own mail domain, so it will probably take a long time before it is supported universally. Hopefully we are moving in the right direction though.
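What "combines SPF and DKIM" means in practice is a single extra rule: whichever of the two checks passed has to be for a domain that lines up with the domain in the visible From: header, and the domain owner publishes what receivers should do when neither does. The following is an added example written for this post (not code from any mail provider or from the DMARC project) that evaluates that rule over a constructed DMARC record; example.com and the other domain names are constructed, and the organizational-domain lookup is simplified (real receivers use the Public Suffix List).

```python
"""Minimal DMARC evaluation: alignment of SPF/DKIM results with the From: domain.

Added illustration, not production code. A real receiver fetches the record
from DNS at _dmarc.<from-domain>, honours more tags (pct, sp, ruf, ...) and
uses the Public Suffix List to find the organizational domain.
"""

# Constructed DMARC TXT record as it would be published at _dmarc.example.com.
# p=reject tells receivers to refuse mail that fails; adkim/aspf = r means
# "relaxed" alignment (same organizational domain is enough).
DMARC_RECORD = ("v=DMARC1; p=reject; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, applying RFC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")       # policy for failing mail
    tags.setdefault("adkim", "r")      # DKIM alignment mode
    tags.setdefault("aspf", "r")       # SPF alignment mode
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    (Assumption for this example; real code must consult the Public Suffix List,
    otherwise 'example.co.uk' style names are handled wrongly.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode: identical domains. Relaxed mode: same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope MAIL FROM domain SPF was checked against;
    dkim_domain is the d= tag of the signature that verified (or None).
    DMARC passes if EITHER authenticated identifier passed AND aligns with
    the From: domain; otherwise the published policy applies.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


if __name__ == "__main__":
    # Legitimate mail: SPF passed for a subdomain of the From: domain.
    print(evaluate_dmarc(DMARC_RECORD, "example.com",
                         "pass", "mail.example.com", "none", None))
    # Spoofed From: header: SPF passed, but for an unrelated sending domain.
    print(evaluate_dmarc(DMARC_RECORD, "example.com",
                         "pass", "bulk-sender.example.net", "none", None))
```

The second case is the one SPF alone gets wrong: the sending host is "allowed" by some domain's SPF record, just not by the domain the recipient actually sees, and it is the alignment check that catches it. The third pattern worth trying is forwarded mail, where SPF fails at the forwarder but a surviving DKIM signature from the From: domain still lets DMARC pass.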

Tuesday, August 28, 2012

Is your VPN secure? The answer might surprise you!

During DEF CON 20 a new attack against the MS-CHAPv2 protocol was announced that reduces the complexity of cracking an MS-CHAPv2 login to a single 56-bit DES brute force. The presenters also combined this with a new service on the site CloudCracker, which will brute force this DES for you in less than 24 hours.

The input required is a network capture of the MS-CHAPv2 handshake. For now there are a few manual steps, but they shouldn't be beyond anybody with a basic understanding of networks and command line tools. The payoff is huge though: once you have the cracked token you can both listen in on any subsequent traffic from the authenticated user and also authenticate as the user yourself.

MS-CHAPv2 authentication is currently used in almost all PPTP VPN networks (it is usually the default authentication). It is also often used in enterprise WiFi authentication, but there the handshake is already encrypted using TLS, so the attack is usually not possible in that case.

Microsoft has put out a security advisory (although they are by no means the only affected vendor) advising everybody to switch to EAP authentication for PPTP. However, the change is not an easy one since it needs to be configured on both the client and the server side of the VPN tunnel.

Monday, August 27, 2012

Why the Apple verdict against Samsung is bad for you

Last week Apple won a lawsuit against Samsung and was awarded over $1 billion in damages. Obviously this is bad for Samsung, but I would argue that it is also bad for all of us, the consumers.

The patents that Samsung was found to be infringing were either extremely obvious (bounce back when scrolling, for instance) or just weird (a design patent on a rectangle with rounded edges). It gets even worse when you hear the jurors talk about how they came to the verdict; it is obvious that they had no idea what they were doing (which is understandable given that this stuff is very complicated). For instance, they decided to skip the discussion about prior art on the patents because "it was bogging us down". Groklaw also has a good rundown of some of the inconsistencies in the jury's verdict.

What will probably happen now is that Android phones will have to jump through a bunch of hoops trying to work around Apple's patents instead of concentrating on adding new awesome features, even if Google themselves are trying to downplay the significance of the verdict. Google has also already started to leverage the patent portfolio it acquired with Motorola, so we will see more of this nonsense from all sides. And none of this will get us any better phones, because technology is not improved by lawyers, it is improved by engineers.

I would contend that the reason why we have such awesome phones these days is not thanks to either Apple, Samsung or Google. It is thanks to all of them and the fact that they are all trying to put out the absolute best products they can so that they are better than the competition. As Steve Jobs himself was fond of saying, "Good artists copy, great artists steal" (in fact even the quote itself is stolen from Pablo Picasso). The copying also goes both ways; tell me the new notifications in iOS weren't inspired by Android's implementation.

Research and innovation have always been a matter of standing on the shoulders of giants. Most importantly, as has happened over and over in the history of science, once the body of knowledge gets to a certain point the next step becomes obvious, and once anybody thinks about it the next step is usually not that hard, and so should not be patentable. I am not saying that there aren't ground-breaking leaps of new knowledge (the theory of relativity and quantum mechanics stand out), but they are exceedingly rare, and inventing a square with rounded corners is not one of them (in fact, if the jury had considered prior art they would have seen that Samsung had prototypes looking like that before the iPhone was released).

Gizmodo does have a different take on this: they are hoping that this will mean the end of mere copying and the beginning of true innovation. I wish they were right, but I highly doubt it. Also, as they point out, there is quite a lot of innovation already happening in the mobile space. I don't think this will change that either way, except that more resources will now be devoted expressly to trying not to be similar to the competition instead of trying to make the best possible product.

46% of Americans are creationists according to latest poll

According to a recent Gallup poll, 46% of Americans believe in creationism. If you include intelligent design the number goes up to a staggering 78%.

If only these people also decided not to enjoy the fruits of the research based on the theory they are rejecting (meaning most of modern medicine). Due to Darwin's survival of the fittest it shouldn't take too long until these numbers turn a little bit saner... Since creationists don't believe in that premise (at least not when applied to humans), I can't see them having any moral dilemma with it either.

On a more positive note, Richard Leakey predicts that in two to three decades the debate about evolution will be over due to a preponderance of evidence. I'm not so sure that I am that optimistic though, since when we are dealing with faith, evidence unfortunately seems not to be in big demand.

I have to admit I don't understand why it's only in this country that mainstream religion seems to have such a big problem with the theory of evolution. In most other countries it is only fringe nut jobs that advocate creationism, while in this country we have serious debates over teaching it as science in school. In the end I think it comes down to fundamentalism being scary no matter what religion is practicing it, and we just have a lot more Christian fundamentalism in the USA compared to most other countries.

Sunday, August 26, 2012

The next step in human development?

This video discusses how we have already started, and will probably continue, using technology to improve human performance. We have already started using pacemakers and prosthetics that might be better than the real thing.

The next logical step is to start enhancing the performance of our brains. We have already begun with implants that can treat epilepsy. Is the next step, helping people with concentration difficulties, really that far off? Where it goes after that is anybody's guess.

The contents of the video are based on the book Amped by Daniel H. Wilson.

Saturday, August 25, 2012

Violent crime is down 80% from its peak in Los Angeles

You might not know it watching the news these days, but violent crime in Los Angeles is down to around one fifth of what it was at its peak in 1992. Even more surprising is that this trend has actually accelerated since 2008, even though you would expect there to be more crime as more people lost their jobs.

Even better, this trend holds true for most of the USA. Part of this is improved techniques employed by the police; some of it is also due to a demographic shift as we are growing older. Also, the fact that we are having more immigration generally leads to lower crime rates. Yes, you read that right! Increased immigration can possibly lead to lower crime rates (although that relationship is by no means certain).

Now if we could only figure out that perhaps we shouldn't incarcerate such a ridiculous percentage of our population, I think we could really have something here! Did you know that the USA incarcerates a 5 times higher percentage of its people than China, or 20 times more than India? Said another way, the USA has 5% of the world population but 25% of the world's inmates, and I don't think it is because Americans have a naturally higher propensity to turn to a life of crime.

Cool interactive info-graphic to calculate the chance of extra terrestrial life

Check out this cool infographic that lets you play around with the parameters of Drake's equation and see how likely you think it is that we are not alone.

Also, just because there might be alien civilizations, it still doesn't mean that we will ever run into them. The universe is really big, and compared to its size the speed of light is pretty slow.

Friday, August 24, 2012

Did you know that anybody can create new BMW keys?

Did you know that anybody with a kit costing around $300 can create their own BMW keys? I didn't, and it kind of freaks me out a bit. Especially in a convertible, where someone can just jump in (I park with my top down all the time) and get their own key for the car in around 10 seconds.

For some reason BMW keeps the OBD (On-Board Diagnostics) port on the car powered even when the car is off, and through this port you can read the key data needed to program a new key and also add that key to the car. All BMW models that have the option of keyless entry are affected, except for the new 2012 3-series sedan, but that could just be because the software hasn't been updated yet.

This is by no means a BMW-only issue, but it is exacerbated for this brand by the fact that this port is on when the car is off and that no authentication is required to access it. BMW is trying to downplay the issue, but has as yet offered no solution.

Thursday, August 23, 2012

Finally someone is looking at the high price of a college degree

You might already know about Khan Academy, which provides an interesting and fun way of learning for children up to around a high school level. But what do you do if you are an adult and want to learn a more advanced topic, and you are not the kind of person who can get comfortable with a new field by just picking up a book? There is another site, called Udacity, aiming to revolutionize higher education in the same vein as Khan Academy is trying to do for lower levels.

Currently the site is free as they are building up their course catalog, but the goal is to eventually offer the equivalent of graduate degrees for as little as $100. A slight difference from what is currently available from universities in the US.

They are also disputing the notion that learning is something that happens early in your life, before you go off and start your career. Instead they think that you should keep educating yourself throughout your entire life. Something that I totally agree with.

I have completed a couple of classes myself and so far I really like it, and I can completely recommend it to everybody who has an interest in learning new things. And as I said earlier... It's free!

Wednesday, August 22, 2012

How to protect your digital life

I've already written in another article about how to digitize your life and what benefits that can bring. When you do this you need to start thinking about how you make sure it stays secure, though, as was highlighted in spectacular fashion by Mat Honan, who almost lost everything he had in digital form, including all his photos of his 1 year old daughter. So I figured I would write up some things you can do to help protect yourself online.

Securing your central email account

Almost every service you use will allow you to reset your password by sending an email to an account you gave them when you signed up for the service. This obviously means that it is critical that you protect this account as much as you can. To this end, make sure that this account supports two-factor authentication, and make sure you enable it. It is a little bit of extra hassle to set up, but the extra security it buys you is absolutely worth it. Currently, as far as I know, Gmail and Facebook do support this (your phone being your second factor in both cases). Unfortunately Yahoo, Outlook and Hotmail do not.

Furthermore, don't use your work or internet provider email as your central account. It will be a pain in the ass if you ever need to get a new internet provider or move to another job, because all of a sudden you need to go in and reconfigure all your accounts to another email address. Also keep in mind that your employer has the right to read and use your company email address, so using that for anything you want to keep for yourself is just a bad idea.

As a side note, if you use Google Authenticator for your Google account you only have one chance to set up a device for this (or you have to start over from the beginning setting it up), so if you want to have it on more than one device make sure you set them all up while you still have the chance.

Handling your passwords

Creating secure passwords is getting harder and harder. Here are some tips about what to do now.

  • Make sure they are at least 8 characters long, preferably longer.
  • Use lower case, upper case, digits and special characters in your passwords.
  • Don't use passwords that are words or combinations of words.
  • Don't use the same password for all your sites. At least use separate passwords for sites that are important (for instance your central email account, accounts that deal with real money, or sites where you have saved your credit card information).
  • One method to make a password more secure is to use password haystacks.
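The "password haystack" idea is that a brute-force attacker has to search the whole space of strings drawn from the character classes you used, so length and class coverage, not just cleverness, set the cost. The following is an added example for this post (my code, not from Steve Gibson's haystack page or any password manager) that scores a password the way the tips above describe: it computes the brute-force search space for the character classes present and flags the policy problems from the list. The small dictionary is a constructed stand-in for a real wordlist, and the 33-symbol count for special characters is this example's assumption.

```python
"""Password search-space ("haystack") size and policy check.

Added example; the numbers model an attacker who tries every string over the
character classes present, which is the haystack model. Real cracking uses
dictionaries and rules first, so the dictionary check below matters more
than the raw size for passwords built from words.
"""
import string

# Constructed stand-in for a real breached-password wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty"}

SPECIALS = set(string.punctuation) | {" "}   # assumed 33-symbol class


def character_classes(pw):
    """Return the set of character classes actually used in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def alphabet_size(pw):
    """Size of the alphabet an attacker must assume, given the classes seen."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIALS)}
    return sum(sizes[c] for c in character_classes(pw))


def search_space(pw):
    """Number of candidates an exhaustive search covers up to this length:
    sum of alphabet**k for k = 1 .. len(pw)."""
    a = alphabet_size(pw)
    return sum(a ** k for k in range(1, len(pw) + 1))


def years_to_exhaust(pw, guesses_per_second):
    """Worst-case time for an attacker at the given guess rate."""
    return search_space(pw) / guesses_per_second / (365 * 24 * 3600)


def policy_problems(pw, common_words=COMMON_WORDS):
    """Apply the tips from the post; return a list of violations (empty = ok)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(character_classes(pw)) < 3:
        problems.append("uses fewer than three character classes")
    # Strip digits/symbols so 'password1' and 'p@ssword' are still caught.
    core = "".join(ch for ch in pw.lower() if ch.isalpha())
    if core in common_words:
        problems.append("based on a common word")
    return problems


if __name__ == "__main__":
    # A short "complex" password versus a simple but padded one: the padded
    # string has the same alphabet and one more character, so its haystack
    # is 95 times larger against pure brute force.
    for candidate in ("PrXyc.N(n4k77#L!eVdAfp9", "D0g.....................", "password1"):
        print(candidate, alphabet_size(candidate), search_space(candidate),
              policy_problems(candidate))
```

The caveat a practitioner should take from the last case: "password1" gets a respectable haystack number and still falls in seconds, because a real attacker starts with the wordlist, not with the alphabet. The haystack calculation only describes the attacker who has already given up on guessing words.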

What I am trying to say here is that you can't realistically remember all your passwords everywhere, and I can totally recommend LastPass to help you out. For a detailed evaluation of its security model check out this Security Now episode.

In case you don't have 2 hours to watch the video, here it is in short.

  • It is completely Trust No One, meaning LastPass can never retrieve your passwords even if they wanted to.
  • It supports two-factor authentication (using Google Authenticator, from above).
  • It supports every platform that I use. The iOS support kind of sucks though. On Android you will want to use either the Dolphin or Firefox browser.
  • It contains a password generator so you don't have to think up good passwords yourself.

Make sure you have a backup of everything

This can't be repeated enough. Even though data is rarely lost from online services, it does happen, and worse, an attacker might wipe an account once they are done with it just to cover their tracks (as happened in the Mat Honan case mentioned above).

Backupify is a great service that allows you to back up a lot of online services. For your computers I can recommend CrashPlan, which is very cheap and easy to set up but still has tons of features for the advanced user. If you make a backup onto an external drive, make sure that drive is not stored in your house, since a fire or a robber might get to both the original and the copy if they are stored in the same place.

Don't enable remote wipe of your laptop

One of the main reasons the Mat Honan hack turned so disastrous was that he had enabled remote wiping on his laptop, so when a hacker compromised his iCloud account they could also wipe his laptop. Remote wipe is a feature that makes a lot of sense on a cell phone, which most of us have lost at least a few of by this point in our lives. Laptops are lost a lot more rarely, and unless you have critically secret stuff on it I don't think the risk of someone being able to remote wipe it simply by getting into one of your cloud accounts is worth the benefit. If it is for you though, make sure you have that backup.

Keep your password recovery questions secret

A lot of services allow you to set up security questions that let you reset your password. Make sure that the answers to these questions are not available online.

For example, your first school is probably not a good choice if you grew up in a small town like me, since there aren't that many schools to choose from. Other bad examples are your mother's maiden name or what your first car was (you sure you didn't post a picture of it somewhere?).

Also, don't post your exact address online. Knowing your address is a good place to start for someone who wants to hack your accounts. It might help with both security questions and social engineering. Just don't do it.

Online banking

The state of security for online banking in the US is just atrocious compared to Sweden, but there is at least one thing you can do to make it a little bit safer.

Many banks allow you to select your own username and password to log in. Make sure that both of these are secret and not related to any publicly known information about you. At Wells Fargo and Bank of America you can reset the password by knowing your ATM card number, PIN and online username. This means that if your username is, for instance, your name (which is also printed on the card) and someone skims your ATM card, they can also hack into your online account and potentially do a lot more damage.

Tuesday, August 21, 2012

Thursday, August 9, 2012

Check out this video if you missed the landing on Mars last Sunday

This is a really cool video where animations and live recordings from NASA show the landing, with some subsequent commentary from the people at NASA on this amazing achievement.

I am amazed at how little there has been in the news about this fantastic engineering achievement. To me this is probably the coolest thing that has been done since we landed on the moon, and I don't understand why everybody isn't talking about it. Why do people care about the Olympic Games? They happen every 4 years!

Wednesday, August 8, 2012

I don't understand the Chick-fil-A kerfuffle

I don't understand the current upset about Chick-fil-A that is going on right now. First of all, the owners of Chick-fil-A have always been very upfront with their bigotry. If you don't believe me, just check Google News with the search "Chick fil A gay" for before June this year and you will still find a bunch of hits, detailing for instance how Chick-fil-A stated "We Explicitly Do Not Like Same-Sex Couples" in January last year.

This is the reason that I have boycotted them ever since they got established down here in Southern California. And it is completely within your rights, if you agree with their bigoted ways, to eat there more to support them. It's the way of capitalism and free enterprise and I am all for it.

What I don't understand, though, is how anybody can think it is a good idea for the city of Chicago to not allow them to establish a restaurant simply because they disagree with the proprietors' political or religious views. Given how crazy everybody in this country seems to be about free enterprise, how can a business be denied the right to operate just because its owners are idiots? That seems more like something that would happen in a country that practices state capitalism (for instance China or Russia).