Start up: Apple’s hacker flaw, Downing St’s FOI oddity, machines that parse art, and more


“You mean all we need to do to defeat him is adopt HTML5? Why didn’t you say?” Photo by Tom Simpson on Flickr.

A selection of 8 links for you. Uninflammable. I’m charlesarthur on Twitter. Observations and links welcome.

Encryption “would not have helped” at OPM, says DHS official » Ars Technica

Sean Gallagher:

pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, [US Office of Personnel Management Katherine Archuleta] said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network…

…nearly every question of substance about the breach—which systems were affected, how many individuals’ data was exposed, what type of data was accessed, and the potential security implications of that data—was deferred by Archuleta on the grounds that the information was classified. What wasn’t classified was OPM’s horrible track record on security, which dates back at least to the George W. Bush administration—if not further.


Serious OS X and iOS flaws let hackers steal keychain, 1Password contents » Ars Technica

Dan Goodin:

The malicious proof-of-concept apps were approved by the Apple Store, which requires all qualifying submissions to treat every other app as untrusted. Despite the supposed vetting by Apple engineers, the researchers’ apps were able to bypass sandboxing protections that are supposed to prevent one app from accessing the credentials, contacts, and other resources belonging to another app. Like Linux, Android, Windows, and most other mainstream OSes, OS X and iOS strictly limit app access for the purpose of protecting them against malware. The success of the researchers’ cross-app resource access—or XARA—attacks, raises troubling doubts about those assurances on the widely used Apple platforms.

“The consequences are dire,” they wrote in a research paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS. “For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome.”…

…It’s not the first time researchers have found flaws in application sandboxes. The attack exploiting WebSocket weaknesses, for instance, can also succeed in Windows under certain conditions, the researchers said. Interestingly, they said application sandboxing in Google’s Android OS was much better at withstanding XARA threats.

For the time being, the researchers told Ars, there isn’t much end users can do except wait for Apple to fix the vulnerabilities.

Bad (though not deluge-of-malware bad; instead it’s sneaky-Trojan bad). Apple was told about this in October 2014. The best hope is that this is fixed in OS X 10.11 and iOS 9, but there’s no clear indication of how hard it is to fix.


Freedom of information turns into Mission Impossible for Downing St emails » FT.com

Jim Pickard and Kiran Stacey:

Emails sent from computers in Downing Street are automatically deleted within three months under a system that makes it harder for the public to obtain answers to “freedom of information” requests, former staff have disclosed.

The system, instigated a decade ago but not widely known about, means that messages are only held beyond that period if an individual saves them. It is widely blamed by government advisers for what one former employee called a sometimes “dysfunctional” operation at the heart of Whitehall.

The email system was introduced under the Labour government in late 2004, just weeks before January 2005 when the Freedom of Information Act belatedly came into force.

“The timing of this very strongly indicates that it was not a coincidence,” said Maurice Frankel, director of the UK Campaign for Freedom of Information.

Gee, ya think?


China and Russia almost definitely have the Snowden docs » WIRED

Bruce Schneier (who is a veritable security expert; if he says it, it’s true):

The vulnerability is not Snowden; it’s everyone who has access to the files.

First, the journalists working with the documents. I’ve handled some of the Snowden documents myself, and even though I’m a paranoid cryptographer, I know how difficult it is to maintain perfect security. It’s been open season on the computers of the journalists Snowden shared documents with since this story broke in July 2013. And while they have been taking extraordinary pains to secure those computers, it’s almost certainly not enough to keep out the world’s intelligence services…

…In general, it’s far easier to attack a network than it is to defend the same network. This isn’t a statement about willpower or budget; it’s how computer and network security work today. A former NSA deputy director recently said that if we were to score cyber the way we score soccer, the tally would be 462–456 twenty minutes into the game.

Even airgapped, never-connected computers can be attacked (don’t ask me how). The Guardian took extraordinary pains with its London copy: two people needed to enter passwords, at least two people needed to be present when documents were read, the computers used had never been online and had no connection.

But a simpler thought is this: if Snowden was one of 10,000 or so NSA staff with access to that data (and more in the UK), what are the chances that absolutely none of those has somehow been coerced or willingly turned over data to foreign powers? Pretty much zero.


Flash will soon be obsolete: it’s time for agencies to adapt » Advertising Age

David Evans on the fact that major browsers on desktop are hurrying to dump Flash:

If this sounds like a big problem to you, you’re absolutely right. If the major browsers were to disable Flash immediately, we could be looking at a scenario where roughly 84% of banners across the internet would not be viewable on desktop browsers. Rather than clicking on a visually dynamic, animated ad created to capture attention with movement and video, users would instead see a static banner in place of the intended ad, and most advertising creatives don’t pay much attention to the creation of static backups.

For advertisers, this could mean shelling out first-class money for economy-class impressions.

Though it might be painful to admit for an industry that has relied on Flash for over a decade, the right choice is to start creating desktop ads in the HTML5 language used to create ads for mobile.

This is a bit obvious to anyone who’s been paying attention for the past three years (minimum), but perhaps advertising has been looking somewhere else.


Market Monitor Q1 2015: LATAM smartphones grow 25% annually » Counterpoint Technology

Tina Lu:

LATAM is third, behind North America and Europe in the global ranking of smartphone shipment penetration.

• Except for Peru, the majority of the key LATAM markets are seeing significantly higher smartphone demand, with shipment penetration of total handsets between 77% and 99%.

• Overall feature phone demand has been declining, and so has been the overall scale and profitability of manufacturing and selling them. As a result, in countries like Argentina, due to government protectionist measures and import restrictions, vendors are manufacturing and selling only the more profitable smartphones. This has led to smartphone shipment penetration of sales to reach 99%; the highest in the region.

Here’s the shipment figure: [chart: Latam smartphone shipments Q1 2015]

If you do the maths, on a 25% yoy growth both Samsung’s and LG’s shipments actually fell; Apple’s more than doubled. Alcatel and “Others” both grew faster than the market.


Apple’s Siri, Spotlight extend Google-like search inside iOS 9 apps, without tracking users » Apple Insider

Daniel Eran Dilger:

Because Apple is indexing in-app content for its search results, it can more easily suppress “Search Engine Optimization” malicious content or link spamming, as relevancy is tied to user engagement. If few users find a search result worthwhile, it can fade from relevance.

Many of the new search-related features Apple debuted for iOS 9 and OS X El Capitan bear a strong resemblance to some of predictive search features first introduced by Google starting back in 2012 as part of Android 4.1, branded as “Google Now.”

Since then, Google has introduced “app indexing,” a related feature designed to make the company’s web-style search more relevant to mobile users by delivering results that can open within local apps. For example, a recipe might open within a cookbook app, rather than just presenting the same information on a web page or dumping users into the app to find the recipe on their own.

The most profound difference between the two companies’ approach to in-app search is that Apple does not monetize its search with ads, and therefore has no need to capture and store users’ data and behaviors for future profiling, tied to a persistent user and device identifier that individuals can’t easily remove.

Apple is perhaps two years behind Google on this – but most people are using a version of Android that is at least two years old (87% are using 4.4, KitKat, from November 2013, or earlier). Which means that by November or so, Apple will roughly have parity on this feature.


Machine vision algorithm chooses the most creative paintings in history » MIT Technology Review

The job of distinguishing the most creative from the others falls to art historians. And it is no easy task. It requires, at the very least, an encyclopedic knowledge of the history of art. The historian must then spot novel features and be able to recognize similar features in future paintings to determine their influence.

Those are tricky tasks for a human and until recently, it would have been unimaginable that a computer could take them on. But today that changes thanks to the work of Ahmed Elgammal and Babak Saleh at Rutgers University in New Jersey, who say they have a machine that can do just this.

[image: machine vision view of art]

They’ve put it to work on a database of some 62,000 pictures of fine art paintings to determine those that are the most creative in history. The results provide a new way to explore the history of art and the role that creativity has played in it.

Can’t be long before someone puts a human art historian up against the machine to see who spots the fake. (By the way, there was no byline I could find on the story. Maybe a robot wrote it.)


Start up: Lenovo, Superfish and its implications; identifying Jackson Pollocks, tech v fashion, and more


Currently unfashionable inside Lenovo “consumer laptops”. Photo by sinosplice on Flickr.

A selection of 8 links for you. Makes a lovely salad when added to salad. I’m charlesarthur on Twitter. Observations and links welcome.

How Lenovo’s Superfish ‘malware’ works and what you can do to kill it » Forbes

Thomas Fox-Brewster:

Lenovo might have made one of the biggest mistakes in its history. By pre-installing software called ‘Superfish’ to get ads on screens it’s peeved the entire privacy community, which has been aghast this morning on Twitter. There are serious security concerns about Lenovo’s move too as attackers could take Superfish and use it to ensnare some unwitting web users.

Here’s what you need to know about Superfish and what you can do to stop it chucking irksome ads on your browser and leaving you open to hackers.

This is probably the most comprehensive piece on the problems around this, though Lenovo suggests it has only installed it since September 2014. On Thursday night it issued instructions on how to remove it. And here’s a site you can use to check whether it’s affecting you. Read on for more of the implications.


AVAST 2015 Release Candidate 1 (10.0.2202) » Avast forums

Avast is a well-known antivirus program:

Features already introduced in previous AVAST 2015 betas:

• GrimeFighter Free
GrimeFighter will offer free cleaning of junk files and tuning of system settings. These tasks are performed by our Zilch and Torque minions. Other minion functions remain as paid-for features.

• HTTPS scanning
Now, we are able to detect and decrypt TLS/SSL protected traffic in our Web-content filtering component. We are using our own generated certificates that are added into the Root Certificate store in Windows and also into major browsers. This feature will protect you against viruses coming through HTTPS traffic as well as adding compatibility for SPDY+HTTPS/HTTP 2.0 traffic. You can tune/disable this feature in the settings section.

That “HTTPS scanning” is exactly the thing people are worried about with the Lenovo-installed Superfish. Avast uses it because a lot of malware uses https: to connect to command-and-control servers. Superfish used it because connections to Google are https: and it wanted to insert its own adverts into the Google results stream.

Somehow, the Avast reason seems much preferable. (Link via Jon Honeyball.)
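Both Superfish and Avast’s HTTPS scanning work by planting a locally generated root certificate in the Windows certificate stores, so a quick check for that kind of root is the first thing a worried owner can do. The PowerShell below is an added example written for this post, not code from the page, Lenovo, Avast or the check-site linked above; the name patterns it matches against are assumptions for illustration.

```powershell
# Added example: enumerate the Windows root certificate stores and flag entries
# that look like a local TLS interceptor. The patterns are assumptions, not
# values taken from the page.
$suspectNames = @('Superfish', 'Komodia', 'avast')

$findings = foreach ($storePath in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem -Path $storePath) {
        $subject = $cert.Subject
        $nameHit = @($suspectNames | Where-Object { $subject -match $_ }).Count -gt 0

        # Any root whose private key is present on this machine can sign a
        # certificate for any site; a genuine public CA root never carries one here.
        $keyHere = $cert.HasPrivateKey

        [PSCustomObject]@{
            Store         = $storePath
            Subject       = $subject
            Thumbprint    = $cert.Thumbprint
            NotBefore     = $cert.NotBefore
            HasPrivateKey = $keyHere
            Suspect       = ($nameHit -or $keyHere)
        }
    }
}

# The per-user store is a common home for "scanning" proxies that install
# without administrator rights, so both stores are reported.
$findings | Where-Object Suspect | Format-Table -AutoSize
Write-Host ("{0} root certificates inspected, {1} flagged" -f @($findings).Count, @($findings | Where-Object Suspect).Count)
```

Firefox keeps its own trust store, which this script does not read; the Avast text above says its certificate is pushed into browsers too, so check there separately.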


Extracting the SuperFish certificate » Errata Security

Robert Graham:

I extracted the certificate from the SuperFish adware and cracked the password (“komodia”) that encrypted it. I discuss how down below. The consequence is that I can intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot. Note: this is probably trafficking in illegal access devices under the proposed revisions to the CFAA, so get it now before they change the law.

I used simple reversing to find the certificate. As reported by others, the program is packed and self-encrypted (like typical adware/malware). The proper way to reverse engineer this is to run the software in a debugger (or IDA Pro), setting a break point right after it decrypts itself. The goal is to set the right break point before it actually infects your machine – reversers have been known to infect themselves this way.

This is one of the concerning things about Lenovo’s actions: vulnerabilities like this.


Lenovo CTO: we’re working to wipe Superfish app off PCs » WSJ Digits blog

Shira Ovide:

Lenovo is working quickly to wipe all traces of an app it had pre-installed on some consumer laptops, responding to security researchers’ warnings that the app could give attackers a way to steal people’s encrypted Web data or online passwords.

In an interview Thursday, Lenovo’s chief technology officer, Peter Hortensius, acknowledged that “we didn’t do enough” due diligence before installing Superfish, but that the company doesn’t believe laptop owners were harmed by the app. He said the company realized it needs to do more to respond to consumers’ concerns.

Lenovo, the world’s biggest seller of PCs, is working to write software that will delete any data from the Superfish software off laptops on which it had been installed. Hortensius also said the company should have done more due diligence on the security of the Superfish shopping-search app, which was installed from September to December on Lenovo consumer laptops.

Choice quote from Hortensius: “we agree that this was not something that we want to have on the system”. So how did it get there?


Report: 2014 was a bad year for lyrics sites in Google » Search Engine Land

Barry Schwartz:

Only one lyrics site saw an increase in visibility from Google’s search results, that is azlyrics.com with a 24% lift.

We saw at the end of December 2013, Rap Genius was penalized for link schemes but then saw themselves back in the search results ten days later. Maybe that manual action had Google’s engineers take a deeper look at the lyrics niche.

One thing, you’d probably see a deeper impact on these lyrics sites in 2015. Google in late December 2014 began showing full lyrics in the search results, which can directly impact the traffic and visibility of these lyrics sites in the Google search results.


How Twitter CEO Dick Costolo keeps his focus » Inc.com

Jeff Bercovici:

A typical week for Costolo involves 12 to 15 standing meetings, so he has a few rules for efficiency’s sake. First, no cancelling. Freeing up that time may be tempting, but it’s how small problems become big ones. “I’m the connective tissue between all these groups,” he says. “It’s important for me to have context for the issues and challenges everyone’s dealing with.”

Second, no sidebars, ever. Nothing irks Costolo more than someone approaching him in private and saying, “I didn’t want to bring this up in front of everyone, but…” That rewards politics over process, he says: “Everyone on my team knows that that’s not a valid way to start a conversation with me.”

Finally, no PowerPoint. Meetings are for communicating, not wasting time on pretty slides. Instead, Costolo asks managers to type briefings. “If that sounds straight out of the Jeff Bezos playbook, it’s because it is,” he says. “I totally agree with that.”

These seem really good ideas. And there are more; the article isn’t so much about what happens, but how Costolo functions.


What the tech world doesn’t understand about fashion » Racked

Leslie Price:

at the biggest fashion houses in Europe, there is a general disdain for the connected future that the tech world fetishizes.

“We don’t like [e-commerce]. I don’t care,” Miuccia Prada said in 2013. “We think that, for luxury, it’s not right. Personally, I’m not interested.” As Bloomberg details, this is the case for many luxury brands. Some fashion OGs, like Valentino, don’t even use computers. Anna Wintour famously carries a flip phone. “The problem with technology is it’s a bit cold. It’s a bit sharp,” said Carine Roitfeld, CR Fashion Book EIC and former French Vogue chief.

This aversion actually makes perfect sense. Fashion is, by its very nature, exclusive. It’s about creating an identity, a brand, that is so cool that people will spend thousands and thousands of dollars to acquire a tiny piece of it. If you make that identity widely available, you risk diluting it. This delicate balance is something that the oldest fashion stalwarts have spent a hundred or more years perfecting.

Terrific piece which neatly illustrates (with examples) the gulf between tech and fashion: quite a lot of it is in the language that attaches to things.


A computer can tell real Jackson Pollocks from fakes » Smithsonian

Laura Clark:

according to many connoisseurs, critics and fakers don’t give the painter enough credit. There are indeed complexities to Pollock’s drip art that show it to be the genuine article. And now there’s a computer program helping to make a science out of the deciphering.

The software uses “computational methods to characterize the low-level numerical differences between original Pollock drip paintings and drip paintings done by others attempting to mimic this signature style,” says Inderscience Publishers. You give it a scan of the possible Pollock, and the program goes to work extracting 4024 numerical image descriptors that the human eye would have trouble deciphering as accurately.

I guess we have to add “art authenticator” to the list of white-collar jobs that computers will wipe out in time.