Saturday 3 August 2013

Wi-Fi routers: More security risks than ever

The research team that discovered significant security holes in more than a dozen home Wi-Fi routers adds more devices to that list at Defcon 21.
LAS VEGAS -- More major brand-name Wi-Fi router vulnerabilities continue to be discovered, and continue to go unpatched, a security researcher has revealed at Defcon 21.
Jake Holcomb, a security researcher at the Baltimore, Md.-based firm Independent Security Evaluators and the lead researcher into Wi-Fi router vulnerabilities, said that the problem is worse than when ISE released its original findings in April.
The latest study continues to show that the small office and home office Wi-Fi routers are "very vulnerable to attack," Holcomb said. "They're not a means to protect your network and your digital assets," he cautioned.
Holcomb is a relatively young researcher, in his mid-20s, who turned his lifelong interest in computer security into a professional career only in the past year. Previously, he was doing network security for a school district in Ohio.
The new report details 56 new Common Vulnerabilities and Exposures, or CVEs, that Holcomb and the other ISE researchers have found in popular routers. These include the Asus RT-AC66U, D-Link DIR-865L, and TrendNet TEW-812DRU, for which Holcomb plans on demonstrating vulnerabilities at Defcon on Saturday and Sunday.
Requests for comment from the affected vendors were not immediately returned. CNET will update this story when we hear from them.
You might not think that the router security holes could affect you, or would be easy to exploit, but Holcomb explained that because the vulnerabilities appear to affect most routers, and are hard to fix, these could put nearly every person who connects to a vulnerable router at risk.
The scenario he explained from the noisy hallways of the Rio Convention Center here was a common one. Small-business and home Wi-Fi router administration often employs weak passwords, or static passwords that are the same across multiple stores, like a Starbucks.
The Asus RT-AC66U, one of the routers that has been discovered to have vulnerabilities.
All an attacker has to do is go to his favorite Seattle-based coffee joint, buy a venti latte and a low-fat pumpkin ginger muffin, and get the establishment's Wi-Fi password. Then, equipped with access to the Wi-Fi network, all that attacker would have to do is use one of the exploits that ISE has uncovered. The router would be compromised, including all the Web traffic flowing through it.
Holcomb compared the problem of fixing routers to traditional PCs. "In most cases, automatic updates are enabled for Windows and Mac," he said. But, he added, "even if a router manufacturer were to implement a similar feature, most people don't log into their routers."
Basically, because people have been trained to think of the router as a set-it-and-forget-it device, and one without security flaws, it's nearly impossible to get them to update router firmware.
The TrendNet TEW-812DRU, another of the routers that has been discovered to have vulnerabilities.
The fix won't be an easy one, at least not logistically. "I think the solution is for routers to automatically update, and give users the ability to opt out of it," Holcomb said. But given the reluctance of some major router manufacturers to address the problems, these exploits could exist unpatched in the wild for years to come.
Holcomb said that while TP-Link fixed all the vulnerabilities that ISE reported to it, D-Link has never responded. And Linksys, he said, chose not to repair many of the vulnerabilities reported to it.
In the case of the Linksys EA-6500, someone can place their own code in the router's configuration file and overwrite it. "It's an attack that relies heavily on social engineering," said Holcomb, "but it's an example of the vendors not resolving a vulnerability. Why [not], I don't know."
Under the guidelines of responsible disclosure, Holcomb says that ISE notified all router manufacturers of the vulnerabilities discovered before going public with them, giving them a chance to fix them.
The D-Link DIR-865L, also discovered to have vulnerabilities.
Holcomb will be demonstrating how to take control of three different routers using a different vulnerability in each.
For the aforementioned Asus router, he plans to demonstrate a buffer overflow exploit; for the D-Link he plans to use Web-based and symlink directory traversal exploits; and he will attack the TrendNet router using a cross-site scripting forgery and command injection exploit.
"All three give us a root shell," he said, meaning access to the router's lowest levels of code.
Holcomb will be speaking at Defcon's Wall of Sheep Speaker Workshop on Saturday from 3 to 4 p.m. PT, and at the conference's Wireless Village on Sunday.

Friday 2 August 2013

Could the future of Glass and wearables be hidden in Moto X?

Motorola's latest phone has always-on voice connectivity, much like Google Glass. Maybe it's a hint at where Google's connected future is really heading.
Motorola's long-anticipated Moto X phone was unveiled yesterday amid much anticipation: would Google's ownership craft a new direction for Motorola? Would the phone be able to stand out from the crowd? And would it be sold with a Moto watch?
The watch rumor, born out of Motorola's previous history in smartwatches and, perhaps, the recent mania in watch tech, didn't come true. But the Moto X might have more interesting wearable ideas up its sleeve.
The Moto X features an "always listening" voice-command technology that taps into Google Now and works completely hands-free. "OK, Google Now," Motorola executives demonstrated, making phone calls and looking up appointments. It sounds a lot like Siri, but it sounds even more like my earlier experiences with Google Glass.
Google Glass, something most people can't even get their hands on, is a very smart camera, but it's also an embodiment of an always-on Google connection. So is the Moto X.
What if Glass is a technology vehicle more than a product? Could the Moto X -- coming out in a month -- be the beginning of that always-on Google product before Glass? And could it even represent where Glass might be morphing toward? Add a few extra wearable peripherals, and suddenly the idea doesn't seem so far-fetched.
OK, phone: Do everything
At Google I/O, voice-controlled Google services much like what the Moto X delivers were demonstrated on Chrome browsers. But it was Glass that started the "OK, Google" style of speak-to-your-device connectivity and made it interesting.
One of the chief features of the Moto X is its always-on voice connectivity, enabling you to speak requests much like Siri or Google Now currently allow, but without pressing any buttons at all. If you choose to, the Moto X simply listens, with finely tuned microphones that can hear you across a room. It'll even listen through a pocket.
If you're thinking of it in a car, or in a room, it sounds like an always-connected speakerphone. But I'm more interested in the idea of the Moto X in your pocket as you walk around.
It's not the first Motorola phone to adopt this idea: the Droid Maxx, Mini, and Ultra have similar touch-free voice features, too. But, the Moto X might be the phone most people associate the technology with. Could always-on listening be the start of a trend? Maybe, if the right kinds of headsets and software are made to deliver smart information back at you.
Audio augmented reality, versus a screen on your face?
Forget barking on a speakerphone and imagine a headset. Maybe it has good noise-canceling technology. Now you're speaking to your phone, much like you'd do with Siri, but with no button to activate.
That could be the start of a nightmare for some people, but the more interesting part of the equation could be if that always-on connectivity also delivered audio cues to your ear, delivering location-specific details in the same way a head-up display would without distracting your eyes. Location-aware apps and services could trigger information such as traffic alerts, sports scores, or flight arrival time changes, all spoken.
Maybe your phone could tell you a prescription was ready, or remind you when you're in a store that the shoes you like are on sale. Or maybe it says your friend's in the bar you're at, and tells you to look for him.
I imagine it as an auditory augmented reality, the equivalent of those little earbuds worn by agents in "The Matrix."
What if a wearable camera like the Looxcie could be controlled by an always-on voice connection?
Future peripherals?
Motorola is keen to emphasize the Moto X as a hands-free device. Motorola's executives also explained that the Moto X will work with a "trusted Bluetooth device" to be part of that always-listening experience.
A headset would make the most sense, considering Motorola's background. Executives at the Moto X event acknowledged that connection, and did nothing to dissuade my thinking. Right now, that voice recognition service is best imagined with a headset.
But could there be more in store? A watch, like the one that was rumored alongside the Moto X, or maybe even a wearable camera headset? If you connected a camera and were able to voice-control recording, how different would it really be from Glass?
Wearables without the screen
You'd lack that distinctive, floating display of Google Glass in the scenarios I'm imagining, but that seems OK by me. A lot of wearable tech is about far more-discreet systems of notification: watches, little activity sensors, or earpieces.
As I said earlier this week, all of wearable tech must find a way to make itself more useful than a phone, arguably the most critical piece of semi-wearable tech you're likely to own. The Moto X's mission to stay in your pocket and remain unseen could be the future trend of all phones: being invisible, wireless hubs, linking to accessories that help it do our bidding completely unseen.
Maybe the Moto X is just one more small step in that direction.

DOJ proposes ways to halt Apple e-book price-fixing

Apple would need to pay for an external monitor, sever deals with publishers, and let Amazon and Barnes & Noble link their iOS e-book apps to their respective online stores, among other proposed measures.
Following a court ruling last month that Apple conspired to fix prices of digital books, the Department of Justice on Friday proposed measures "intended to halt Apple's anticompetitive conduct, restore lost competition, and prevent a recurrence of the illegal activities."
The measures are still subject to court approval and may not be adopted in full.
Among the measures, Apple would need to let other e-book retailers like Amazon and Barnes & Noble provide links to their respective e-bookstores from their iOS apps, "allowing consumers who purchase and read e-books on their iPads and iPhones easily to compare Apple's prices with those of its competitors."
In addition, Apple would need to end its agreements with the five major publishers linked to the conspiracy -- Hachette, HarperCollins, Holtzbrinck (also known as Macmillan), Penguin, and Simon & Schuster. (Disclosure: Simon & Schuster is owned by CBS, which is the parent company of IEn.)
Apple would be prevented from "entering into contracts that would, in any way, fix the price that any of its competitors charge for content." The company would also need to refrain for five years from "accepting limitations on its own ability to price-compete with respect to e-books."
Likewise, Apple could not funnel information among the conspiring publishers and couldn't retaliate against them for refusing to set prices.
The department also asked for an external monitor, paid for by Apple, to oversee Apple's internal antitrust compliance policies.
The proposed remedies are in line with what the Department of Justice has said it would ask for. The court will hold a hearing on proposed remedies on August 9.
Last month in a quick decision, a federal judge ruled that Apple had conspired to fix e-books prices, handing the U.S. government a major win.
IEN-News will update this story as we learn more.

Tuesday 30 July 2013


Facebook skyrockets back to within cents of IPO price

After a tumultuous year, the social network's blossoming mobile business has finally made believers out of skeptics.
Fourteen months after listing on the Nasdaq, Facebook has finally circled back to within striking distance of its initial offering price of $38 a share.
Facebook opened Tuesday at $35.65 a share, already up more than 34 percent since it reported stellar second-quarter earnings last week. The social network's shares continued to climb higher on the back of news that Facebook has added another revenue stream that will help it capitalize on its ballooning mobile audience.
The social network reached $37.61 a share by market close on Tuesday, up more than 6 percent for the day and marking the first time Facebook has traded at close to the same value as its IPO price since its market debut on May 18, 2012.
Facebook's return to glory has taken more than a year, but the past week has proved the most consequential. The company's stock finally popped last week when Facebook announced that it earned 19 cents per share on $1.81 billion in revenue during the second quarter. Facebook's earnings report astounded investors and analysts alike as it revealed that the social network had managed to make 41 percent of its advertising revenue from its year-old mobile business.
Now, Facebook is being further uplifted by the promise of additional revenue from the 819 million monthly active users of its mobile applications. The social network revealed that, as expected, it would act as a mobile games publisher for small and medium-size application developers wanting to reach larger audiences. The new Mobile Games Publishing program means that Facebook will take a cut of revenue from mobile game makers who turn to the social network for distribution.
Facebook's remarkable gains are especially good news for CEO Mark Zuckerberg, who holds 425 million vested shares and has 60 million additional options. In September, the Facebook chief promised not to sell his shares for at least 12 months as a way to instill investor confidence in the company's then-slumping stock. At the time, Facebook's shares had reached a low of $17.73. Now with Facebook near $38 a share again, Zuckerberg's decision seems especially prudent as his holdings are worth more than double what they were 11 months ago.

Monday 29 July 2013


Low-cost iPhone named in China Labor Watch report

A report citing worker abuse at Apple supplier Pegatron mentions rumored iPhone with plastic cover.
Proof of Apple's much-rumored, low-cost iPhone might have been revealed inadvertently in a new report.
Released today by watchdog group China Labor Watch, the report accuses Apple supplier Pegatron of several worker abuses, including safety violations, poor living conditions, and excessive overtime.
Page 11 of the 62-page report describes Pegatron as assembling cell phones and tablets for Apple. "Its assembled products include iPhone 4, iPhone 4s, iPhone 5, and low-priced plastic iPhones," the report said.
The long, difficult day in the life of one factory worker is detailed further in the report. Page 28 describes that worker's task with the plastic iPhone:
Today's work is to paste protective film on the iPhone's plastic back cover to prevent it from being scratched on assembly lines. This iPhone model with a plastic cover will soon be released on the market by Apple. The task is pretty easy, and I was able to work independently after a five-minute instruction from a veteran employee. It took around a minute to paste protective film on one rear cover. The new cell phone has not yet been put into mass production, so quantity is not as important.
The report's purpose apparently was to find out how a low-cost iPhone can be produced.
The executive summary specifically states: "Apple is preparing to release a cheap iPhone. Just how does a prosperous company like Apple produce a discounted version of its phones?" Another question asks: "So what is the competitive advantage that Pegatron has utilized to win Apple's order of the cheap iPhone?"
The report blames some of the violations on the rush to create a cheaper iPhone:
At this moment, in Shanghai, China, workers in Apple's supplier factory Pegatron are monotonously working long overtime hours to turn out a scaled-back, less expensive version of the iPhone. Six days a week, the workers making these phones have to work almost 11-hour shifts, 20 minutes of which is unpaid, and the remainder of which is paid at a rate of $1.50 an hour ($268 per month) before overtime. This is less than half the average local monthly income of $764 and far below the basic living wage necessary to live in Shanghai, one of the costliest cities in China. So these workers rely on long overtime hours. If a worker does not finish three months at Pegatron, the dispatch company that got the worker hired will deduct a large portion of his wages.
The report goes on to highlight the labor violations claimed by China Labor Watch, which sent investigators to three Pegatron factories to conduct almost 200 interviews with workers from March to July.
China Labor Watch said it found at least 86 labor rights violations, including 36 legal violations and 50 ethical violations, across 15 categories: dispatch labor abuse, hiring discrimination, women's rights violations, underage labor, contract violations, insufficient worker training, excessive working hours, insufficient wages, poor working conditions, poor living conditions, difficulty in taking leave, labor health and safety concerns, ineffective grievance channels, abuse by management, and environmental pollution.
In response to the report, Apple sent a statement to The Wall Street Journal in which it said it has been in contact with China Labor Watch to investigate the allegations. Pegatron CEO Jason Cheng said: "We will investigate [the allegations] fully and take immediate actions to correct any violations to Chinese labor laws and our own code of conduct."

First look at the BMW i3 electric car


For the amount of fanfare and effort BMW gave to its i3 electric car, I would have expected something at least nearly competitive with the Tesla Model S. But BMW's vision for a clean, futuristic urban vehicle doesn't reach far beyond what has already been put on the market by Nissan, Mitsubishi, Ford, and Honda, at least when it comes to raw performance numbers.

With an electric vehicle, performance primarily means range. BMW estimates the i3 will go 80 to 100 miles between charges, putting it in the same class as the majority of electric cars launched in the last few years. From BMW's perspective, that range fits perfectly within the parameters it set out. As an urban vehicle, the i3 is meant to handle daily driving around a city. Especially in Europe, that range is more than adequate for the majority of people to make a daily commute and run errands.
That sort of range is a tougher sell in the U.S., even if most people don't actually drive further on a daily basis.
When it comes to style, the i3 may not fit the brand perception BMW has built up in the U.S. The i3 comes out as a premium small electric car, a five door hatchback. Small and premium remain uncomfortable partners in the minds of U.S. car buyers, although vehicles such as the Lexus CT200h have begun to bridge that rift.
The i3's hatchback style offers excellent utility, with the ability to carry four passengers and cargo. Adding to the utility of the i3 is the fact that BMW designed it from the ground up to be an electric car. As such, there are no intrusions into the cabin for legacy components such as a transmission. The cabin floor is flatter than in most gasoline cars, while BMW takes a minimalist approach to the dashboard. The result is equivalent cabin space to BMW's 3-series, despite the shorter overall length of the i3.
Similar to the i3 concept vehicle BMW displayed at the 2011 Frankfurt auto show, the production version uses carriage style doors, meaning the rear doors are rear-hinged. However, the production version uses a longer front door, so the rears are half-doors, similar to the Mazda RX-8 or Honda Element.
As a premium vehicle, the i3 shows off nicer interior materials than you would expect from the typical economy hatchback in the market. And BMW gives the i3's cabin a futuristic twist. Rather than an instrument cluster embedded into the dashboard in front of the driver, BMW carves out some of the extra dashboard space and sets up an LCD for all instrumentation display, kind of like a flatscreen TV standing atop a modern entertainment center.
Likewise, stereo, phone, and navigation controls appear on another LCD panel sitting on the center of the dashboard. However, BMW keeps its standard iDrive controller mounted on a console between the front seats as an interface for the cabin tech features. In fact, current BMW owners with iDrive will find it easy to adapt to this version in the i3.
Adding to the idea that the i3 is a car of the future is its carbon fiber reinforced plastic body. BMW took great pains and a lot of investment to develop this high tech material for mass production. This body construction promises a lighter car, without sacrificing strength and safety, and is unique among the competition.
Despite the lightweight materials, though, the i3 doesn't get any better range than its electric competition, at least on paper. It makes you wonder why BMW went to all the trouble.
The electric drivetrain itself hasn't evolved much, at least when it comes to power and efficiency, from the one BMW released in its ActiveE vehicle. The ActiveE, based on the 1-series, is an electric vehicle that BMW offers for limited leasing, and is being used to gather performance data for electric drive technology.
The i3 gets a 22 kilowatt-hour lithium-ion battery pack. Like the ActiveE, its electric motor drives the rear wheels and produces 170 horsepower and 184 pound-feet of torque. That gets the i3 from zero to 62 mph in 7.2 seconds, a reasonable acceleration rate for most traffic situations, but not ground-breaking. Top speed is electronically limited to 93 mph.
Similar to the Tesla Model S, BMW activates braking regeneration when the driver merely lifts from the accelerator, slowing the car without applying the brakes. It makes for a different driving strategy than with a gasoline-powered car, one where most of the driving is done with the accelerator pedal, and very little with the brake pedal.
BMW says the i3 can be fitted with a range extender internal combustion engine, which would bring total range up to 186 miles. BMW has not specified which markets might offer the range extended version.
Battery recharge will take about 5 hours from a 240 volt source, or 30 minutes for an 80% charge from a DC fast charging station.
Selling points
With pricing at $41,000, the BMW i3 comes in slightly higher than its electric competition. Federal and state incentives can bring the total price down by almost $10,000. Although its technical specifications don't make it look much more attractive than other options, upscale buyers may be more attracted to the brand.
Test drives will be another factor. If the i3 holds up BMW's Ultimate Driving Machine mantra, it could win converts through a premium ride experience.

Sunday 28 July 2013

Twitter to simplify the reporting of abusive tweets, after outcry over rape threats

Following outrage in the U.K. over tweets containing threats of rape, the company says a feature designed to make it easier to report abusive tweets when using Twitter on the iPhone will be coming to other platforms.
After an outcry in Britain over rape threats on Twitter, the company said a feature designed to make it easier to report abusive tweets when using Twitter on the iPhone would be coming to other platforms. And the recipient of the threats expressed approval but added that the service needs "to step up and take responsibility for what is tweeted on their site."
Earlier Saturday, an executive with Twitter UK said the service was testing ways to make abuse reporting simpler. Twitter UK General Manager Tony Wang sent a series of tweets saying that the service takes online abuse seriously and directing users to the company's report form. He also said, "we're testing ways to simplify reporting, e.g. within a Tweet by using the 'Report Tweet' button in our iPhone app and on mobile Web."
A Twitter representative subsequently told IEN that "the ability to report individual tweets for abuse is currently available on Twitter for iPhone, and we plan to bring this functionality to other platforms, including Android and the Web."
The tweets and the rep's statement appear to be a response to an outcry over rape threats received by Caroline Criado-Perez, a freelance journalist, feminist campaigner, and co-founder of a group that pushes for more women experts in the media.
As Britain's Observer newspaper reported earlier, Criado-Perez was subjected to a number of abusive tweets after she and others successfully campaigned to have novelist Jane Austen honored on England's ten-pound banknote (Austen will replace naturalist Charles Darwin in 2017).
The abusive tweets led to an online petition calling on Twitter to simplify the reporting of abuse:
"We need Twitter to recognize that its current reporting system is below required standards," reads the petition, which as of this writing had logged 10,000 signatures. "It currently requires users to search for details on how to report someone for abuse; a feature that should be available on each user's page."
In an e-mail Saturday, Criado-Perez told Ien she was pleased by Twitter executive Wang's tweets.
"I'm glad that they're looking into simplifying the report process," she wrote. "This is absolutely paramount. When you're under a sustained attack like I have been for the past 48 hours or so, you simply can't be expected to fill out forms, find the link for each tweet, and explain what is wrong with it. It needs to be a one-click automated process. Under the current system it would take me about a week to report the abuse."
The Observer article also mentioned the notion of making Twitter "responsible for any criminal threats posted on it," to which Criado-Perez responded, in her e-mail to IEN:
"I don't think it's realistic to make twitter criminally liable for the threats, but I do think they need to step up and take responsibility for what is tweeted on their site -- from which, let's not forget, they are making millions -- and take firm steps to eliminate it."
For Twitter's part, the statement from the company representative said, "we have rules which people agree to abide by when they sign up to Twitter. We will suspend accounts that once reported to us, are found to be in breach of our rules."
Criado-Perez also told us she thought law enforcement needed to go farther.
"In general, I think the police need to start taking this seriously," she wrote. "If we want freedom of speech, that means for women too -- and at the moment too many of them are being silenced just so a small proportion of abusive men can issue whatever rape threats they deem fit."
MPs weigh in
The flurry of abusive tweets also prompted tweets from two members of Parliament. Steve Rotheram, the Labor party's MP for Liverpool Walton, sent a pair of tweets saying the abuse wasn't "banter" and was instead potentially illegal. And Stella Creasy, Labor MP for Walthamstow, called on Twitter users to #takebacktwitter.
Creasy also penned an opinion piece on the situation for the Observer. The essay says this recent issue goes beyond the policies or response of any particular tech platform, and it suggests the Internet can be used as a tool for change -- pointing to an online project designed to expose sexism and get people talking about it. And, the piece says, this is everyone's problem.
We don't just need a strong response from those who profit from our custom as users of platforms such as Twitter or are there to enforce public order. Projects such as everydaysexism show how these platforms can help change this culture. Men react with surprise to the extent of passive-aggressive sexism exposed. Women express relief it's not just them who feel threatened. That both [men and women] have stood up for Caroline show this isn't a "women's" issue. It's a human rights issue.

Saturday 27 July 2013

How the new Nexus 7 and iPad Mini compare

Google's latest Nexus 7 is here. How do its features line up against the iPad Mini's? Let's break it down.

Last year's Nexus 7 kicked off the small-tablet movement and predated the iPad Mini, with an aggressive price and comfortable design, but a set of features that were slightly bare-bones (no rear camera). The iPad Mini offered a deeper feature set, but the new Nexus 7 has taken the lead -- at least, on paper -- once again.
Screen
The new Nexus 7 has a 1,920x1,080-pixel 16:9 7-inch display, whereas the iPad Mini has a larger 4:3, 7.9-inch display at only 1,024x768 pixels. The iPad Mini's screen was bigger and better than the original Nexus 7, but the new Nexus 7 has the clear edge here -- although color quality, brightness, and viewing angles have yet to be determined.
Processor/RAM
The 2013 Nexus 7 has a 1.5GHz Qualcomm Snapdragon S4 processor and Adreno 320 graphics, plus 2GB of RAM. Eric Franklin points out that these graphics match the Samsung Galaxy S4's, but the processing power isn't as impressive as an Nvidia Tegra 4 might be. In terms of gaming graphics, the Nexus 7 could have a big edge, thanks to being OpenGL ES 3.0 capable, which adds a lot of extra graphics effects to games.
The iPad Mini's processor is an A5, with performance similar to that of the fourth-gen iPod Touch and iPad 2. In short: it's a capable but older processor. And, it has only 512MB of RAM.
Storage size/price
In small tablets, price is everything. On nearly every level, the Nexus 7 offers a better deal than the iPad Mini, and its storage configurations are less of a markup.
The 16GB Wi-Fi Nexus 7 costs $229, versus $329 for a 16GB iPad Mini. The 32GB Nexus 7 is only $269 -- $40 more -- but the 32GB iPad Mini costs $429, a $100 upgrade.
The Nexus 7 also has an LTE-ready 32GB model for $349, and it's unlocked to work across Verizon, Sprint, and AT&T. Apple's LTE iPad Minis are carrier-specific. A 16GB LTE Mini costs $459, and the 32GB version costs a whopping $559. The Mini also comes in 64GB configurations.
Design/color
The Nexus 7 comes in just black. The iPad Mini comes in black as well as white/aluminum.
Cameras
The new Nexus 7 has a 1.2-megapixel front camera and 5-megapixel rear camera. The iPad Mini does, too. We'll see which one takes better photos and video.
Wireless connectivity
Both the Nexus 7 and iPad Mini support Bluetooth 4.0 for low-power connected wireless devices and 802.11n Wi-Fi, but the new Nexus 7 also supports NFC for near-field communication uses, like Google Wallet.
Operating system and apps
The iPad Mini currently runs iOS 6 but will get iOS 7 capability this fall, and it runs the exact same apps and features as the larger Retina iPad, minus the Retina Display. The Nexus 7 comes ready with Android 4.3 Jelly Bean, a new version of Android with a few additional tweaks like multi-user settings, which also enables Bluetooth Smart, the low-energy Bluetooth element.
The iPad Mini already has Bluetooth 4.0, and iOS 7 is said to enable better support for Bluetooth accessories like game controllers and health monitors.
Apple has more tablet-optimized apps on the whole than Google, as well as a larger selection of games, but Google is making strides in gaming on Google Play.
Ports, extras
The Nexus 7 has an HDMI output along with Micro-USB, and even has wireless charging. The iPad Mini has a Lightning connector for syncing and charging, and supports HDMI output, USB camera input, and SD card camera card importing -- with the purchase of accessories.
Conclusion (for now)
The new Nexus 7 not only offers a better screen, processor, and bells and whistles, but it remains less expensive across the board than the October 2012 iPad Mini.
The iPad Mini has a physically larger screen and the same wireless/camera capability, but it's clear that, right now, the Nexus 7 has a lot going for it. Of course, Apple's next iPads -- and perhaps a new iPad Mini -- may only be a couple of months away.

Friday 26 July 2013

Feds tell Web firms to turn over user account passwords

Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"
Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?"
--Jennifer Granick, Stanford University
A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."
Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.
A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: "If we receive a request from law enforcement for a user's password, we deny such requests on the grounds that they would allow overly broad access to our users' private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law."
Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.
Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands.
The FBI declined to comment.
Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. "The authority of the government is essentially limitless" under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.
Large Internet companies have resisted the government's requests by arguing that "you don't have the right to operate the account as a person," according to a person familiar with the issue. "I don't know what happens when the government goes to smaller providers and demands user passwords," the person said.
An attorney who represents Internet companies said he has not fielded government password requests, but "we've certainly had reset requests -- if you have the device in your possession, then a password reset is the easier way."
Source code to a C implementation of bcrypt, a popular algorithm used for password hashing.
(Credit: Photo by Declan McCullagh)
Cracking the codes
Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user's original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.
Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase "National Security Agency" into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output.
But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.
The best practice among Silicon Valley companies is to adopt far slower hash algorithms -- designed to take a large fraction of a second to scramble a password -- that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.
One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.
But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.
As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. "I'd say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper," said Percival, who founded a company called Tarsnap Backup, which offers "online backups for the truly paranoid." Percival added that a government agency would likely use ASICs -- application-specific integrated circuits -- for password cracking because it's "the most cost-efficient -- at large scale -- approach."
While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the "cost of a hardware brute-force attack" against a hashed password as much as 4,000 times greater than bcrypt.
Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.
With the computers available today, "bcrypt won't pipeline very well in hardware," Mazières said, so it would "still be very expensive to do widespread cracking."
Even if "the NSA is asking for access to hashed bcrypt passwords," Mazières said, "that doesn't necessarily mean they are cracking them." Easier approaches, he said, include an order to extract them from the server or network when the user logs in -- which has been done before -- or installing a keylogger at the client.
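The points made in this section (what a salt does, why a deliberately slow algorithm such as scrypt is preferred over MD5 for stored passwords, and how alphabet and length drive search cost) can be seen in a short sketch. This is an added example, not code from the article or from any company it names; the scrypt cost parameters, the 26- and 95-character alphabets, and the sample password are assumptions, and the guess rate is the 348 billion per second fast-hash figure quoted above.

```python
import hashlib
import hmac
import os

# Cost parameters are assumed values for this example, not taken from the article.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)
GPU_RIG_RATE = 348e9  # fast-hash guesses per second, the figure quoted in the article


def fast_unsalted(password: str) -> str:
    """Unsalted MD5: equal passwords always produce equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) from scrypt; a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = GPU_RIG_RATE) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(alphabet_size, length) / rate


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("MD5, two users:", fast_unsalted(pw) == fast_unsalted(pw))  # identical hashes
    (s1, d1), (s2, d2) = hash_password(pw), hash_password(pw)
    print("scrypt, two users differ:", d1 != d2, "| verifies:", verify_password(pw, s1, d1))
    for label, size, length in [("8 letters", 26, 8), ("8 printable", 95, 8), ("10 printable", 95, 10)]:
        print(f"{label:>12}: {keyspace(size, length):.2e} candidates, "
              f"{seconds_to_exhaust(size, length):.3g} s at the fast-hash rate")
```

The timing column applies only to fast hashes such as MD5; a slow algorithm divides the achievable guess rate by many orders of magnitude, which is the property the article attributes to bcrypt and scrypt.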
Sen. Ron Wyden, who warned this week that "the authority of the government is essentially limitless" under the Patriot Act's business records provision.
(Credit: Getty Images)
Questions of law
Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.
"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."
Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government -- for the government to crack passwords and use them unsupervised." If the password will be used to log in to the account, she said, that's "prospective surveillance," which would require a wiretap order or Foreign Intelligence Surveillance Act order.
If the government can subsequently determine the password, "there's a concern that the provider is enabling unauthorized access to the user's account if they do that," Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.
The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.
The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."
In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.
Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.
"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.
Last updated at 8:00 p.m. PT with comment from Yahoo, which responded after this article was published.
Disclosure: McCullagh is married to a Google employee not involved with this issue.

Thursday 25 July 2013

Online Matric Result 2013


Punjab BISE’s Matric Result 2013
• BISE Lahore Board
• BISE Gujranwala Board
• BISE Multan Board
• BISE Faisalabad Board
• BISE Sargodha Board
• BISE Rawalpindi Board
• BISE Bahawalpur Board
• BISE DG Khan Board
• BISE Sahiwal Board
Matric annual exams are usually held every year in March throughout Punjab. A total of nine school boards operate in Punjab, and each one is responsible for organizing examinations in a fair, impartial and objective manner. All these boards organize and announce the matric result on the same day. The 2013 Matric results will be released at the end of July or in August. The tables provide the basis for further studies and ensure that all students can get marks according to their efforts.
Similarly, all school boards of Khyber Pakhtunkhwa SSC announce the result in March and August, respectively. The date of announcement of result may be different, but the month will remain the same. A total of eight educational boards are operating in KPK. Each year, thousands of students receiving income and appear through these cards.
In Sindh, a total of five educational boards are working to carry out annual and supplementary examinations Matric. The boards are designed to provide educational services to the student. Like other education boards of Pakistan also organize these plates and declare the result of tuition according to your schedule.
Forums in Baluchistan and AJK Board also conducted tests at different times matrix and declare the result according to its schedule. All tips Pakistan are working to organize test crystal in each district and after the declaration of the result tables for all award degrees and medals among the toppers.
Top educational website files ilmkidunya Pakistan on 9 and 10 Class Result of all educational boards in Pakistan shortly after the respective meeting advertised. The site always offers more ilmkidunya outcome and other announcements. The result of the registration of all boards will be updated in the relevant pages of the plate. So stay in touch with us for more information.