Huzzah! Throw up the flags! Send off the fireworks! Summon the townspeople! Apple has lost! The people have won! Huzzah!
I’m referring, of course, to Monday’s ruling by The Library of Congress, which explicitly carves out a legal exception for those looking to jailbreak their iPhones. No longer will industrious little hackers (or those who downloaded a one-button jailbreak app off the Interwebs) be subject to Digital Millennium Copyright Act smack-downs over their choice of Cydia instead of the App Store.
In short, so long as you’re jailbreaking your iPhone to make it work with a third-party application that, itself, isn’t kosher on a vanilla iPhone, you’re in the clear. I’m not quite sure what you would do with a jailbroken phone otherwise -- perhaps smash it with a hammer to test its durability or something -- but there you have it.
Now, we’ve won, right? The choice of how and why you use your iPhone has finally been wrested out of the turtleneck-laden hands of Apple CEO Steve Jobs. The people are in control now, and we all have carte blanche to do with our handheld devices as we please! Yay!
Stop whatever it is you're doing and visit your router manufacturer's website. Once there, drill down to the firmware section and bookmark that page, and then get in the habit of checking it regularly. The reason? Millions of routers are about to become extinct (sort of).
At this year's Black Hat security conference in Las Vegas, one of the items on the agenda is "How to Hack Millions of Routers," an alarming keynote in which Craig Heffner, a researcher with security firm Seismic, plans to release a software tool he says is capable of cracking half of all routers in existence.
This isn't a new technique, but an altered version of "DNS rebinding," something that has been talked about for more than a decade.
"There have been plenty of patches over the years, but this still hasn't really been fixed," Heffner says.
In short, the hack exploits part of the Domain Name System (DNS) so that when an unsuspecting visitor surfs to a compromised site, their browser ends up hijacked, giving the attacker access to their router settings. Browser makers have already patched earlier versions of this attack, but according to Heffner, it's all for naught.
"The way that [those patches] are circumvented is actually fairly well known," Heffner explains. "It just hasn't been put together like this before."
More info here, including a small sample of routers Heffner has demonstrated this attack on.
A Palm Pre modder who goes by the name "unixpsycho" is living up to his nick with a new bit of firmware that comes with the following disclaimer in big, bold, red lettering:
"DO NOT INSTALL THIS IF YOU LIKE YOUR PHONE!!! YOU HAVE BEEN WARNED!!!"
If that sounds over the top, consider that his latest firmware -- SR71 Blackbird -- pushes the Palm Pre's OMAP 3430 processor to 1.2GHz. That's twice the 600MHz at which this little chip ships stock.
For those willing to throw caution to the wind, there are some safety measures that keep this from being a total smartphone suicide mission. Temp monitoring comes built in, and whenever the chip jumps past 55C, the firmware ramps things down to 500MHz, "or at least it should."
For the most part, first impressions of Motorola's recently launched Droid X have been largely positive, but it's the eFuse chip contained inside that's getting all the attention. As was reported all over the place last week, modders who muck with the device's bootloader will set off the chip and end up with a bricked smartphone for their trouble, but that's all a bunch of hogwash, says Motorola, who set out to clear the air.
"Motorola's primary focus is the security of our end users and protection of their data, while also meeting carrier, partner, and legal requirements," Motorola wrote in an email to Engadget. The Droid X and a majority of Android consumer devices on the market today have a secured bootloader. In reference specifically to eFuse, the technology is not loaded with the purpose of preventing a consumer device from functioning, but rather ensuring for the user that the device only runs on updated and tested versions of software. If a device attempts to boot with unapproved software, it will go into recovery mode, and can reboot once approved software is reinstalled."
In other words, altering the phone's firmware won't result in a dead device like many had feared, but it does sound as though the Droid X will be harder to hack than other smartphones. Does that mean it will be impossible? We highly doubt it, given the modding community's never-die attitude, especially now that we know the Droid X isn't in any danger of dying either.
Motorola's Droid X has been stirring up quite the stink on the Internet lately, with several websites pointing out how the device's eFuse chip could potentially spell the end of third-party mods.
Here's how it works. The eFuse chip is tasked with verifying the handset's firmware (ROM), the kernel, and the bootloader version. If it detects that something is awry -- like a third-party ROM -- the eFuse chip "ignites," so to speak, bricking the phone. The only way to undo the damage is to ship the device off to Motorola and hope that they'll be sympathetic to your plight. Perhaps you fell down a long flight of steps and through a series of bumps and bangs, you inadvertently downloaded a third-party ROM and installed it.
Sounds pretty gruesome, right? But let's back up a moment. It's now coming to light that the eFuse chip isn't anything new, and in fact it's included on all of TI's OMAP3 processors. Why is that relevant? Well, the gloom and doom scenario being played out in the press hasn't been an issue for past devices with the eFuse mechanism, like the original Droid and Milestone, and it would be odd if Motorola suddenly switched directions with the Droid X.
Let's not forget that the ability to mod is a huge draw for the Android platform, and something like this wouldn't be good for either Motorola or Google.
Would you be okay with Motorola locking down its hardware and bricking modded devices, or does something like this cross the line? Does all the hoopla surrounding eFuse influence your decision on whether or not to get a Droid X?
NZXT Product Manager and Co-Founder Johnny Hou this morning sent out a letter that wasn't quite as seething as the one the Cleveland Cavaliers' majority owner posted online after LeBron James skipped town, but almost as defiant. With the subject line "NZXT Still Kicking Ass and Thriving," Hou wrote:
To our friends and loyal customers in the PC enthusiast community,
Yesterday at 7:30 PM PST the NZXT website was infiltrated illegally. While having access to the site, hackers made several malicious changes including sending out an erroneous newsletter to our database claiming that NZXT is going out of business. They also changed product warranties, deleted product and home page banners, etc.
Well, I’m happy to report that NZXT is NOT going out of business and to the contrary we are more excited than ever to be a part of this tremendous industry. We are poised to launch several highly anticipated products over the next two months including the Phantom full tower case we unveiled at Computex. We feel this will provide enthusiasts with one of the most fresh and unique case designs in quite some time.
I’d like to take this opportunity to offer my sincere gratitude to the community for your ongoing support of NZXT. We design our products based on what you need to build a stellar PC and welcome your feedback as to how we can help your computing experience be as enjoyable as possible. Please don’t hesitate to contact me if you have any questions, concerns, or suggestions.
Best regards, Johnny Hou
The source of the attack is unknown, and so is the intent, which may have simply been to stir up a bit of trouble or to pick a bone with NZXT. Either way, NZXT fans who may have read gloom and doom scenarios prior to today can breathe a sigh of relief.
A young Argentinian hacker, known only by his sobriquet Ch Russo, claims to have successfully slipped past The Pirate Bay's defenses, gaining access to the torrent site's administrative control panel. An SQL injection vulnerability discovered by Ch Russo and a couple of his chums exposed the site's user database, which is said to contain account information belonging to around 4 million users. However, the hacker denies altering or deleting information.
The trio also resisted the temptation of selling the data to the companies assisting the entertainment industry in its fight against piracy. “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told security blog KrebsOnSecurity in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”
Hackers made a mockery of Twitter's security on a couple of occasions last year – first in January and then in April. The first breach affected 45 accounts, including that of President Barack Obama, and exposed the micro-blogging site's wafer-thin security. The two incidents were enough to draw the Federal Trade Commission's attention, which launched an investigation into the site's security practices.
Twitter has convinced the FTC to call an early end to the probe, allowing it to escape without a penalty. One of the terms of the settlement requires that the micro-blogging site establish a security program and have it reviewed by a neutral party once every year for the next ten years.
The hacker responsible for the first breach was assisted by the fact that the site allowed rapid-fire log-in attempts, making it a sitting duck for a dictionary attack. He used this gaping hole in Twitter's security to hack an employee's account with administrative privileges and a lame password.
In what's being described as AT&T's worst security breach in recent history, the wireless company went and left sensitive information on 114,067 owners of the iPad 3G exposed on the Web. The subscriber data was obtained by a group calling itself Goatse Security, who then published the personal email addresses of the victims, including military officials, CEOs, prominent politicians, and celebrities.
AT&T, which has confirmed the breach, insists that only email addresses were lifted, and that more sensitive data like credit cards and home addresses were not compromised.
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS," AT&T said in a statement. "The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses. The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."
While this one falls on AT&T's shoulders, the breach doesn't look good for Apple, either. This latest incident comes just weeks after an Apple employee left an iPhone prototype in a bar.
Jesse William McGraw, a former security guard who worked the night shift at a Dallas hospital, has pleaded guilty to two counts of transmitting malicious code, the U.S. Department of Justice said in a statement.
It was only a matter of time before the bumbling 25-year-old hacker was caught. In a YouTube video he posted, McGraw, who goes by the alias "Ghost Exodus," shows himself pretending to break into the hospital where he proceeds to install botnet code on a nurse's computer station. While all this is going on, the theme to "Mission Impossible" plays in the background.
So why do it? Apparently McGraw was a member of a hacking group known as the Electronik Tribulation Army, and he installed the botnet code to help take down the website of a rival hacker group, the DoJ said.
McGraw broke into more than 14 computers and now faces up to 10 years in prison on each of the two counts. Sentencing is scheduled for September 16, 2010.