Next on the list of companies which should know better is Malwarebytes, but it is not as bad as some say
Subject: General Tech | February 3, 2016 - 12:46 PM | Jeremy Hellstrom
Tagged: security, Malwarebytes
Considering the business that Malwarebytes is in, you can expect to see a lot of negative press about a gaping security hole in the near future, and while there is a vulnerability, it is not as bad as many will make it out to be. The issue is that signature updates are done over HTTP and are unsigned; this is very bad practice, but it is something which would be exploited on a single client connection as opposed to something you could use to create a widespread infection. The Register links to the Google Project Zero entry, which was released today because the vulnerability was first reported to Malwarebytes 90 days ago and has not been addressed on the client side.
The actual concern you should have is that the original bug report also found vulnerabilities on the server side. Malwarebytes did correct the server-side issues almost immediately but neglected to follow through on the client side. It is good of them to patch and offer bug bounties, but a complete follow-through is necessary if you are a security software peddler who wants their reputation to stay intact.
"The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs."
Here is some more Tech News from around the web:
- Exascale project wants machine with TEN MEEELLION ARMS @ The Register
- Joysix, Six Degree of Freedom Mouse Made From Retractable Key Rings @ Hack a Day
- Intel, Qualcomm set up their WiGig 802.11ad devices on blind dates @ The Register
- MQTT: Building an Open Internet of Things @ Linux.com
- Build Your Swarm: Control Cockroaches for Under $30! @ Hack a Day
- Building Custom Appliances with SUSE Studio @ Linux.com
- Microsoft ships 6.0 million Surface tablets in 2015, say sources @ DigiTimes
- Ventec 3015+ Battery Pack/Wall Charger combo @ TechwareLabs
- Barracuda Networks Kills Copy & CudaDrive @ TechARP
- Auslogics Registry Cleaner Tutorial @ Hardware Secrets
- 2016 Samsung SUHD TV Models Revealed @ Tech ARP
Subject: General Tech | February 2, 2016 - 11:34 PM | Scott Michaud
Tagged: Blender, open-source
The Blender Foundation guides development with a series of first-party short films, each of which is created with open-source software and released under a Creative Commons license. Despite their purpose, to promote open source software and highlight ways to improve Blender, they each have engaging traits that are uncommon in commercial films. Cosmos Laundromat opens with a fairly long shot of a sheep's attempt at hanging itself, while Sintel's ending will make you feel hollow when it reveals its meaning.
This short, Caminandes 3: Llamigos, above, is much lighter than Cosmos Laundromat or Sintel. It has more of the ironic, mischievous cartoon feel of Big Buck Bunny, their second Blender short film. It is about a Llama and a Penguin who are trying to eat some berries; unfortunately, they are both trying to eat the same ones.
The two-and-a-half-minute short film can be downloaded and is free to use under a Creative Commons Attribution license. Its assets are also available, but only under a Blender Cloud subscription.
Subject: General Tech | February 2, 2016 - 05:11 PM | Tim Verry
Tagged: file syncing, encryption, bittorrent sync, bittorrent
BitTorrent continues to support its file sharing and syncing application with the recent release of Sync 2.3.1. The 2.3.x update contains a number of bug fixes for stability, but the important news is the added support for encrypted folders and finally allowing selective file syncing on Linux systems. Additionally, the company put out a short brief on the information they collect and how they are securing your files synced by Sync which is available as a PDF.
Sync 2.3 allows Windows users to run Sync as a service and Android users can move data to and from an SD card from within the app so long as they are running at least Android 5.0 or newer. Linux users also get a bit of love with support for selective file syncing (where you can choose which specific files to download locally and which to keep on the remote peers) though it appears that BitTorrent has limited this feature to its paid Sync Pro tier which is in line with other platforms. According to BitTorrent Inc. among the performance and bug fixes, the biggest UI change is a redesigned process for adding new folders.
On the security and privacy front, BitTorrent claims that it employs several security measures to keep your data safe. First though, the company allegedly only collects benign data including the program version, add folder errors, the amount of data transferred (directly and via relay server), number of peers, and share link and tracker statistics, as well as a few more things you can see in the brief linked above. All the data that they collect is reportedly sent in the clear so that users can verify what they are collecting on them.
To secure your files, BitTorrent uses SSL and AES-128 encryption to transfer files. In the case of Advanced folders, it generates an X.509 certificate (each folder is given its own certificate) using a certificate authority and then uses a certificate chain to control user access and file modification permissions as well as a mechanism to revoke access. In the case of encrypted folders, Sync generates storage and session keys with the session keys complying with perfect forward secrecy standards such that future session keys being cracked does not compromise past sessions. When using the encrypted folders option (which is useful when using a VPS as an off-site backup or to any machine that you do not fully own and control for that matter), data from your local machines is encrypted before being sent to the remote machine using AES 128-bit encryption (I wish they had gone with at least AES-256, but it's something). The data is then sent over SSL. Thus, the data on the remote machine is never in an unencrypted state, which is a good thing for having a secure off-site backup. The encrypted folder can still be used as part of the mesh to speed up syncing among your machines, as well, while remaining secure.
I think the encrypted folders are a good addition to Sync, though the encryption bit-ness could be improved (a weak VPS' processor doesn't need to decrypt the data anyway so CPU time needed for the beefier algorithm should not matter...). In past coverage users have mentioned issues when syncing folders that they encrypted themselves before adding to Sync where the data could get corrupted when the peers became confused on changes made and what to sync. Hopefully this will help avoid that, though they do still need to work on fixing user-chosen pre-sync encryption. I am still using Sync to back up my photos and sync documents between my laptop and desktop and it works well for that sans the storage limits imposed by OneDrive (and the uncertainty of my once-promised 25GB of free storage).
What do you think of the changes, and is their security good enough?
Subject: General Tech, Graphics Cards, Motherboards, Cases and Cooling | February 2, 2016 - 02:07 PM | Ryan Shrout
Tagged: Z170, PSU, power supply, motherboard, GTX 970, giveaway, ftw, evga, contest
For many of you reading this, the temperature outside has fallen to its deepest levels, making it hard to even bear the thought of going outdoors. What would help out a PC enthusiast and gamer in this situation? Some new hardware, delivered straight to your door, to install and assist in warming up your room, that's what!
PC Perspective has partnered up with EVGA to offer up three amazing prizes for our fans. They include a 750 G2 power supply (obviously with a 750 watt rating), a Z170 FTW motherboard and a GTX 970 SSC Gaming ACX 2.0+ graphics card. The total prize value is over $650 based on MSRPs!
All you have to do to enter is follow the easy steps in the form below.
We want to thank EVGA for its support of PC Perspective in this contest and over the years. Here's to a great 2016 for everyone!
Subject: General Tech | February 2, 2016 - 01:36 PM | Jeremy Hellstrom
In the search for higher density data storage, some rather arcane materials are being studied for their unique magnetic properties. The latest research being conducted is with extremely thin multilayered films, in this specific case iridium-cobalt-platinum films. These materials display the ability to create incredibly small magnetic features called skyrmions, areas where the magnetic field is rotated compared to the surrounding material and which can be coerced to appear and disappear. This is the essence of magnetic data storage, on a much smaller scale than you see in current storage material. There are certainly a lot of hurdles to overcome; the experiment described at Nanotechweb is the first to form skyrmions at room temperature, and they used an X-ray source as the write head. It is still quite interesting to read about, even if we are a long way from seeing it considered for use in data storage.
"Researchers in France, Switzerland, the UK and Germany say they have observed nanoscale chiral skyrmions at room temperature for the first time. Skyrmions, which are quasi-particle magnetic spin configurations with a whirling vortex-like structure, could be used to make ultrahigh-density data storage technologies and nanodigital electronic devices with greatly improved data transfer speeds and processing power."
Here is some more Tech News from around the web:
- PEDOT-based composites provide electrode materials for supercapacitors @ Nanotechweb
- AMD Updates APUs, Athlons & Motherboards @ Hardware Canucks
- Windows 10 now a 'recommended' update for unsuspecting PCs @ The Register
- Rooting your Android phone? Google’s rumbled you again @ The Register
- Google plugs Android vulns @ The Register
- Samsung Forum 2016 Coverage @ Tech ARP
- Cisco Patches Authentication, Denial-of-Service, NTP Flaws In Many Products @ Slashdot
Subject: General Tech | February 1, 2016 - 04:49 PM | Jeremy Hellstrom
Tagged: fluke, fail, cat6
The difference between Cat5(e) and Cat 6 will not be obvious for home users but is certainly noticeable in large business deployments. Cat5 and 5e are capable of providing 100MHz whereas Cat6 is rated to 250MHz, assuming it is installed to specifications. In addition to the increased frequency, Cat6 has much greater protection against crosstalk and system noise, which is far more important to many sysadmins.
Previously we benefited from the honour system in place; many Cat 5 cables actually met the Cat 5e specification, but it seems that this is not the case with Cat 6. Hack a Day has heard word through a cable provider that Fluke noticed that 80% of the Cat 6 tested with their equipment does not meet specification; in many cases it does not even meet Cat 5e specs. Since a Fluke line tester capable of analyzing network cabling to this degree of accuracy costs north of $10,000, not all companies are going to have their networks fully tested for compliance. This may be why you are seeing odd behaviour on your network.
"So they did some research and purchased a Fluke certification tester for a measly 12,000 US dollars. While they were purchasing the device, they ran across an interesting tidbit in the fluke knowledge base. Fluke said that 80% of the consumer Cat 6 cables they tested didn’t begin to meet the Cat 6 specification."
Here is some more Tech News from around the web:
- Running "rm -rf /" Is Now Bricking Linux Systems @ Slashdot
- Graphene Optical Lens a Billionth of a Meter Thick Breaks the Diffraction Limit @ Slashdot
- Galaxy S6 and S6 Edge start getting Android 6.0 Marshmallow update @ The Inquirer
- Galaxy S7: 7 things to expect from Samsung's next smartphone @ The Inquirer
- Windows 10 dethrones XP to become number three operating system @ The Inquirer
- Intel and Micron's XPoint: Is it PCM? We think it is @ The Register
- Tronsmart Vega S95 Telos Android 4K Media Player Review @ Madshrimps
- Reg readers battle to claim 'my silicon's older than yours' crown @ The Register
- How a Hacker Jump Starts a Car @ Hack a Day
Subject: General Tech | February 1, 2016 - 12:48 AM | Tim Verry
Tagged: ripjaws, RGB LED, mechanical keyboard, G.Skill, Cherry MX
Memory maker G.Skill recently announced a refresh of its mechanical keyboard line that tweaks the KM780 series and cuts $10 off of the MSRP pricing. The two new refreshed products are the Ripjaws KM780R RGB and KM780R MX.
The new keyboards use an aluminum plate/base, Cherry MX switches, and a black anodized finish on the frame. The KM780R MX is backlit by red LEDs while the KM780R RGB can have custom per-key backlighting. Both feature a full QWERTY layout plus number pad as well as media playback keys, an LED volume level display, and six macro keys (three on-board key profiles). There are also USB and analog audio pass-through ports.
G.Skill is offering the new gaming keyboards in several models depending on your choice of key switch. Specifically, users can choose from Cherry MX blue, brown, or red switches. Connecting via USB, they employ anti-ghosting and full N-key rollover tech as well.
The ever so slightly cheaper KM780R series does away with its predecessor's bundled extra gaming key caps and key removal tool. The KM780R MX has an MSRP of $120 while the KM780R RGB model has an MSRP of $159.99. (Note that the brown and red variants are actually $140 on Amazon right now, but the Cherry MX blue version is not on sale.)
While I have not used them, the original models from last year appear to have garnered quite a bit of praise in reviews (particularly from AnandTech). It seems like G.Skill has not changed much and the R variants are more of the same for a bit less, and that's probably a good thing. I'm looking forward to seeing full reviews though, of course.
Have you tried the memory giant's other products before?
Also read: Mechanical Keyboard Switches Explained and Compared by Scott Michaud @ PC Perspective
Subject: General Tech | January 30, 2016 - 07:05 PM | Scott Michaud
Tagged: web browser, web, shockwave flash, shockwave director, oracle, Java
After decades of semi-ubiquitous usage, Oracle has announced plans to stop providing the Java plug-in for web browsers. It will still be available in the upcoming Java 9 platform, but classified as a deprecated feature.
Java, Shockwave Director, and Shockwave Flash filled in a huge gap in Web standards during the late 90s and early 2000s. Plug-ins were about the only way to access files, per-pixel 2D animation functions, and even 3D graphics hardware. Web browsers can do almost all of that now, albeit file input and output is limited to individual files, because you don't want every website to be able to read and write files (and site-specific data lockers with APIs like IndexedDB and Web Storage) on the user's hard drive without the user's explicit control.
As such, browsers are trying to kill off native plug-ins. This could be a problem for games like Battlefield 3 and 4, which (Update Jan 30th @ 7:51pm: Used to... it's apparently been a while. Thanks wileecyte in the comments.) require plug-ins to launch the native application, but the browser vendors have been expressing their desires for quite some time. Even companies that are heavily invested in plug-ins for their products, like Oracle, are finally giving up.
Subject: General Tech, Processors, Mobile | January 29, 2016 - 05:28 PM | Scott Michaud
Tagged: tesla, tesla motors, amd, Jim Keller, apple
Jim Keller, a huge name in the semiconductor industry for his work at AMD and Apple, recently left AMD before the launch of the Zen architecture. This made us nervous, because when a big name leaves a company before a product launch, it could either be that their work is complete... or they're evacuating before a stink-bomb detonates and the whole room smells like rotten eggs.
It turns out a third option is possible: Elon Musk offers you a job making autonomous vehicles. Jim Keller's job title at Tesla will be Vice President of Autopilot Hardware Engineering. I could see this position being enticing, to say the least, even if you are confident in your previous employer's upcoming product stack. It doesn't mean that AMD's Zen architecture will be either good or bad, but it nullifies the earlier predictions, when Jim Keller left AMD, at least until further notice.
We don't know who approached who, or when.
Another point of note: Tesla Motors currently uses NVIDIA Tegra SoCs in their cars, who are (obviously) competitors of Jim Keller's former employer, AMD. It sounds like Jim Keller is moving into a somewhat different role than he had at AMD and Apple, but it could be interesting if Tesla starts taking chip design in-house, to customize the chip to their specific needs, and take away responsibilities from NVIDIA.
The first time he was at AMD, he was the lead architect of the Athlon 64 processor, and he co-authored x86-64. When he worked at Apple, he helped design the Apple A4 and A5 processors, which were the first two that Apple created in-house; the first three iPhone processors were Samsung SoCs.
Subject: General Tech | January 29, 2016 - 02:32 PM | Jeremy Hellstrom
Tagged: security, isp, wifi
ISPs have stumbled onto a new money-making venture: renting out your wireless internet connection to third parties so that those companies can provide public WiFi to their customers. Sources told The Inquirer that some ISPs already do this without informing their customers and that it will likely be a common industry practice by 2017. Theoretically you are allowed to opt out, but since your ISP may not have told their users they are doing this, how would the average customer know to request this be turned off?
This raises several concerns, especially here in North America thanks to our pathetic internet services. Most users have a data cap and the ISPs have little reason to spend resources to properly monitor who is using the bandwidth, their customers or random passersby. As well, the speeds of most customers are low enough that they may see degradation of their service if numerous passersby connect to their WiFi. Putting the monetary concerns to the side, there are also serious security concerns. Once a user has access to your WiFi router they are most of the way into your network, and services such as UPnP and unprotected ports leave you vulnerable to attack.
Change the password your provider put on the router and consider reaching out to them to find out if you have been unwillingly sharing your bandwidth already, or if you might be doing so in the near future.
"Companies are going to be selling a lot more public Wi-Fi plans over the next few years and it's going to be home Wi-Fi users who'll be the backbone of the network, according to analysts from Juniper Research."
Here is some more Tech News from around the web:
- Seek Thermal Turns Your Android Phone/Tablet Into A Thermal Imaging Camera @ Phoronix
- Attackers Use Microsoft Office To Push BlackEnergy Malware @ Slashdot
- TP-LINK’s WiFi Defaults to Worst Unique Passwords Ever @ Hack a Day
- Microsoft Office pulled into SCADA security shenanigans @ The Inquirer
- OnePlus ends rationing. You can now buy its phones just like that! @ The Register
- 2016 Samsung Galaxy A Series Exudes S6 Elegance @ TechARP
- Wiko Mobile Introduces 3 New Smartphones @ TechARP