Rosetta follows Comet 67P through closest approach to the Sun

Thursday, the ESA’s Rosetta probe returned images from the comet it orbits during its closest approach to the Sun, or perihelion. At perihelion, Comet 67P/Churyumov–Gerasimenko is about 186 million kilometers from the Sun, or a bit outside of Earth’s orbit (150 million kilometers).

With the added warming from the Sun, the comet has been experiencing higher levels of activity, with gasses escaping from its interior at higher levels, pushing dust and other material out into space. Rosetta’s instruments indicate about 300 liters of water are being ejected every second, meaning the comet is losing 26 million kilograms per day during this period. Another 86 million kilograms of dust are also being lost. The activity should remain high for several weeks after perihelion.

Because of the large volumes of material jetting out of the comet, the ESA’s operators have backed Rosetta off to an orbit that’s over 325km from the comet’s surface. But that’s still close enough for some pretty spectacular images.

Read on Ars Technica | Comments

Gallery: A practical, low-tech Japan

When I was growing up, I was always told that we have so much to learn from Japan. I grew up during the rise of the Japanese auto industry, I was taught “Japanese” business tactics, and I watched movies like Gung Ho that portrayed discipline, perseverance, and efficiency.

On my first trip to Japan, though, I wanted to explore the weird and wacky high-tech world the media has portrayed so often. What I found was a place that isn’t as “high tech” as many westerners assume but rather a relatively “low tech” cornucopia of conveniences that could make many westerners jealous.

The first thing I noticed was the lack of “open” Wi-Fi before leaving for Japan. My research found that in most places, free Wi-Fi had to be registered for before entering Japan; it’s not ubiquitous. Despite the airports or an occasional restaurant or tourist site offering free Wi-Fi, I found this to be true. Luckily, my Airbnb provided me with a free mobile access point, and my $13 sim for my unlocked Blu Android phone filled in the gaps.


Politicians can only view secret trade pact in special viewing room

The fact that most people have still never heard of the world’s biggest trade deal—the Transatlantic Trade and Investment Partnership (TTIP) between the US and Europe—even after two years of negotiations, might suggest that whatever its problems, maintaining secrecy is not one of them. But the European Commission begs to differ: since the end of July, instead of sending up-to-the-minute summaries of its talks with the US to EU politicians, the Commission now requires that national politicians travel all the way to Brussels to a special reading room where the texts can be viewed under tight security. MEPs must also use this same system.

The EC made this rather drastic move in response to confidential TTIP documents appearing on the non-profit investigative news site Correct!v. News of this secret reading room was revealed in a confidential report of an EU meeting that took place on 24 July… which rather embarrassingly was then also leaked to the same site.

The new system is pretty insulting for top politicians, who are not used to being treated like naughty schoolchildren that require constant adult supervision. Furthermore, considering the wide-ranging implications of TTIP, you’d think that the EC would want to make it easier for European politicians to read the latest documents, so that they know what is being negotiated in their name.


OwnStar Wi-Fi attack now grabs BMW, Mercedes, and Chrysler cars’ virtual keys

Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application—giving an attacker the ability to clone them and use them to track, unlock, and even remote start the vehicle. Kamkar discussed the details of the attack last Friday at DEF CON in Las Vegas, noting that the RemoteLink app on iOS devices had failed to properly check the certificate for a secure connection to OnStar’s server, or—as is more common in mobile apps using HTTPS to access Web services—use a “pinned” certificate hard-coded into the application itself. OnStar quickly resolved the issue with a RemoteLink app update.

But OwnStar has moved on to other targets. Today, Kamkar announced that he had adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler’s Uconnect services on Apple iOS devices. All three, he said in an exchange with Ars via Twitter, have the exact same vulnerability as the RemoteLink app did: “no pinned cert or even PKI/[certificate authority] validation. Trivial to attack an unadulterated mobile device.”

The OwnStar device packs all the components required to execute this attack into a portable case that can be placed near a targeted vehicle. Like a virtual bear trap, it can capture the login credentials of a car owner using a mobile app to remotely unlock, lock, or start the vehicle, which can then be loaded onto a copy of the targeted mobile app on the attacker’s own device—giving the attacker the ability to execute all of the functions of the telematics system on the targeted vehicle. And it’s all because of a flaw that is all too common to mobile applications—reliance on a remote server’s certificate being valid, regardless of what network the connection is over.


Square will absorb its customers’ liability for fraud during EMV shift

On October 1, 2015, US commerce will undergo a considerable change—a variety of big credit card companies, financial groups, and issuers will require that merchants upgrade their point-of-sale (POS) terminals to accept chip-based cards as well as (and eventually, instead of) magnetic stripe cards. You may have already received chip-based replacements for your magnetic stripe cards in the mail.

The plan to transition to the new payment standard—called EMV for EuroPay, MasterCard, and Visa (the developers of the standard)—was agreed upon in 2012, but a MasterCard press release circulated today cited a survey that said that 28 percent of small and medium business owners still aren’t aware of the new payment standard. That’s particularly troubling, because in the event of magnetic stripe card fraud at a store’s POS, the store will be liable for that faulty transaction if they don’t have up-to-date hardware that can accept chip cards. (Website-based transactions, commonly considered “card-not-present transactions,” are not part of the EMV transition and are treated separately.)

Today, payments processing company Square, founded by Twitter co-founder Jack Dorsey, said it wants to try to speed that adoption rate up in the next month or two, and hopefully convert some businesses to Square’s platform.


Report: Apple’s efforts to build a live-TV service have stalled

A report from Bloomberg today said that Apple is struggling to come to common ground with CBS, Fox, and Comcast-owned NBC in negotiations to offer a live TV streaming service much like Dish’s Sling TV.

The rumored service would be targeted at cord cutters, hosting a handful of live channels bundled together for about $30 to $40 a month. Back in March, the Wall Street Journal reported that Apple’s service would include networks like ABC, CBS, Fox, and various subsidiary channels like ESPN and FX. Apple has been pushing hard to develop a news and entertainment ecosystem to keep its users locked into its product line—earlier this year Apple announced a music streaming service and a curated news platform.

Although a September launch date—which would have coincided with the start of the new TV season—had originally been rumored for the service, Bloomberg’s sources now say that live-TV streaming won’t hit the market until 2016. Besides the stalemate Apple has reached with CBS, Fox, and NBC, Bloomberg says that Apple decided to put a live-TV service on the back burner because it “doesn’t have the computer network capacity in place to ensure a good viewing experience.” Network capacity is a big deal for live-streaming—in Sling TV’s early days it struggled with the crush of customers demanding March Madness games.


Android security on the ropes with one-two punch from researchers

Android security woes got worse on Thursday, with two separate reports of code defects that put millions of end users at risk.

The first involves the update Google released last week fixing a flaw that allowed attackers to execute malicious code on an estimated 950 million phones with nothing more than a maliciously crafted text message. Seven days later, security researchers are reporting that the patch, which has been in Google’s possession since April, is so flawed that attackers can exploit the vulnerability anyway.

“The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping,” Jordan Gruskovnjak and Aaron Portnoy, who are researchers with security firm Exodus Intelligence, wrote in a blog post published Thursday. “The public at large believes the current patch protects them when it in fact does not.”


By “liking” ex-girlfriend’s Facebook pics, man may have violated protective order

Earlier this week, a Pennsylvania county court arraigned a man on charges of contempt of court: he clicked a “like” button in possible breach of a restraining order that had been filed against him by his ex-girlfriend.

The case involves April Holland of Pittston, Pennsylvania, who filed a protection from abuse (PFA) order against her ex-boyfriend Justin Bellanco in July 2015. The Wilkes-Barre Times Leader reported that according to her PFA application, Bellanco “threatened to shoot her knee cap to watch her suffer.”

Earlier this month the application was granted, forbidding Bellanco from having any contact with Holland for a year.


How to succeed in business—er, remote IT work—without really trying

With more people than ever using ’em, it’s probably difficult to find an Ars reader who doesn’t have a family member or old friend that’s lost at sea when it comes to keeping a computer running. And when that familiar call or e-mail comes—“Do you have a minute? How do you…”—it’s instantly obvious. This person needs a significant amount of long-term help.

In today’s ever more technological and connected world, these requests tend to come often. And while it’s maddening enough playing amateur IT professional for someone in the same house, how do you cope when increasingly the tech-challenged live across town or even across the country? To no one’s surprise, there are as many strategies out there as there are readers.

Luckily for you (and agonizingly for me), I’ve had some experience here.


Facebook user gets away with nearly a full day of trolling Target commenters

While Facebook facilitates plenty of interaction between big companies and their customers, its interface doesn’t scale incredibly well once company-page comments creep into the hundreds (or more) per day. In particular, “comments by users” on a company page are relegated to a sidebar that is pretty hard to parse. On Sunday, one intrepid Facebook user took advantage of that to sneak onto a company page and mess with commenters before the company could get wise to it—and lucky for us, he screencapped the whole thing.

This week’s case came from American retailer Target, whose Facebook feed began to blow up with unhappy comments over the weekend after the company announced plans to remove gender-specific signs in departments such as Toys and Entertainment. The retailer didn’t get around to individually responding to commenters, but that didn’t stop a user from creating a new account on Sunday, giving it a Target-styled bullseye icon and pretending to be an official company spokesperson.

That user, Scottsdale, Arizona, resident Mike Melgaard, went on to respond to at least 52 negative comments left on Target’s official Facebook page with an account named “Ask ForHelp,” but rarely were his responses helpful. Melgaard heaped on sarcastic smiley faces, grammatical criticisms, and jokes about doing away with all gender-specific labels at the store (including bathrooms and changing rooms). It’s hard to pick a favorite among the jokes—we’ve posted a few of its safe-for-work screencaps above—but our favorite might be when he got into a multiple-comment conversation with one complainer, which he ended with a phony exclamation that it was his “first day, and this is just really frustrating dealing with all of this!”
