For a decade, some security professionals have held out extended validation certificates as an innovation in website authentication because they require the person applying for the credential to undergo legal vetting. That's a step up from less stringent domain validation that requires applicants to merely demonstrate control over the site's Internet name. Now, a researcher has shown how EV certificates can be used to trick people into trusting scam sites, particularly when targets are using Apple's Safari browser.
Researcher Ian Carroll filed the necessary paperwork to incorporate a business called Stripe Inc. He then used the legal entity to apply for an EV certificate to authenticate the Web page https://stripe.ian.sh/. When viewed in the address bar, the page looks eerily similar to https://stripe.com/, the online payments service that also authenticates itself using an EV certificate issued to Stripe Inc.
The demonstration is concerning because many security professionals counsel end users to look for EV certificates when trying to tell if a site such as https://www.paypal.com is an authentic Web property rather than a fly-by-night look-alike page that's out to steal passwords. But as Carroll's page shows, EV certs can also be used to trick end users into thinking a page has connections to a trusted service or business when in fact no such connection exists. The false impression can be especially convincing when end users use Apple's Safari browser because it often strips out the domain name in the address bar, leaving only the name of the legal entity that obtained the EV certificate.
Microsoft today launched a preview version of a new programming language for quantum computing called Q#. The industry giant also launched a quantum simulator that developers can use to test and debug their quantum algorithms.
The language and simulator were announced in September. The then-unnamed language was intended to bring traditional programming concepts—functions, variables, and branches, along with a syntax-highlighted development environment complete with quantum debugger—to quantum computing, a field that has hitherto built algorithms from wiring up logic gates. Microsoft's hope is that this selection of tools, along with the training material and documentation, will open up quantum computing to more than just physicists.
Given that quantum computers are still rare, Microsoft has built an as-yet-unnamed quantum simulator to run those quantum programs. The local version, released as part of the preview, can support programs using up to 32 quantum bits (qubits), using some 32GB of RAM. Microsoft is also offering an Azure version of the simulator, scaling up to 40 qubits.
Google's push to bring Augmented Reality to the masses hit a big milestone today with the launch of the "AR Stickers" app. Google has been doing Augmented Reality for some time now with the hardware-packed Project Tango devices, but AR Stickers is the first app in Google's new AR strategy, which revolves around ARCore. ARCore is a reworked augmented reality framework that can do many of the Tango AR tricks but without all the extra hardware.
AR Stickers is out now in the Play Store for the Pixel 1 and Pixel 2. The app is a new mode in the Google Camera that allows you to drop various 3D characters into the camera feed. ARCore will map out the nearest horizontal plane, like a floor or table, and ground the characters in real life. You can move the camera around, take pictures, and record video.
The Federal Communications Commission is still on track to eliminate net neutrality rules this Thursday, but the commission said today that it has a new plan to protect consumers after the repeal.
The FCC and Federal Trade Commission released a draft memorandum of understanding (MOU) describing how the agencies will work together to make sure ISPs keep their net neutrality promises.
After the repeal, there won't be any rules preventing ISPs from blocking or throttling Internet traffic. ISPs will also be allowed to charge websites and online services for faster and more reliable network access.
NASA has had a big problem since the agency triumphantly landed humans on the Moon nearly half a century ago. Namely, after the Apollo landings delivered a solid US victory in the Cold War, human exploration has no longer aligned with the strategic national interest. In other words, sending humans into space has represented a nice projection of soft power, but it has not been essential to America's domestic and foreign policy aims.
As a result, NASA's share of the federal budget has declined from just shy of five percent at the height of the Apollo program to less than 0.5 percent today. At the same time, NASA's mandate has grown to encompass a broad array of Earth science, planetary science, and other missions that consume more than half of the agency's budget.
With less buying power for human exploration, NASA has had to scale back its ambitions; and as a result, astronauts have not ventured more than a few hundred miles from Earth since 1972. Twice before, presidents have attempted to break free of low-Earth orbit by proposing a human return to the Moon, with eventual missions to Mars. President George H.W. Bush did so with the Space Exploration Initiative in 1989, on the 20th anniversary of the Apollo 11 Moon landing. And George W. Bush did so in 2004, with the Vision for Space Exploration. Neither of these were bad concepts—indeed, both offered bold, ambitious goals for the space agency—but they died due to a lack of commitment and funding.
A previously undetected hacker group has netted around $10 million in heists on at least 20 companies, in some cases by targeting the transfer networks banks use to transfer money, a Moscow-based security firm said Monday.
Members of the MoneyTaker group, named after a piece of custom malware it uses, started their heist spree no later than May 2016. That's when they penetrated an unnamed US bank, according to researchers with Group-IB in a report titled MoneyTaker: 1.5 Years of Silent Operations. The hackers then used their unauthorized access to control a workstation the bank used to connect to the First Data STAR Network, which more than 5,000 banks use to transact payments involving debit cards.
MoneyTaker members also targeted an interbank network known as AWS CBR, which interfaces with Russia's central bank. The hackers also stole internal documents related to the SWIFT banking system, although there's no evidence they have successfully carried out attacks over it.
Greetings, Arsians! Courtesy of our friends at TechBargains, we have another round of deals to share. Our Dealmaster Calendar tells us that today is Green Monday, the kid brother of the made-up retail holiday family. The idea is to be a miniature Cyber Monday for late gift buyers in December; it's a bit forced, sure, but regardless of its legitimacy, there are still a few discounts worth noting.
So, per usual, we've rounded up what we could. The discounts aren't as plentiful as they were on Black Friday, but there still may be a gadget or two that catches your eye, so have a look at the full list below.
Note: Ars Technica may earn compensation for sales from links on this post through affiliate programs.
Apple confirmed today in statements to several media outlets that it will buy Shazam, pending approval. This news had previously been reported by TechCrunch, which had one source claiming the sale price was around $400 million—far less than Shazam's $1 billion valuation at its last round of funding.
Shazam is arguably best known for its music recognition technology; tap the "Shazam" button in the app for smartphones and it will usually identify whatever song it hears after just a few seconds. Shazam has become so popular that there's even a network TV game show called Beat Shazam hosted by Oscar-winner Jamie Foxx. In it, contestants must guess songs faster than Shazam can.
But Shazam has also invested in second-screen TV viewing features, image recognition, and augmented reality services and products. Shazam's talent and technology could be used in several of Apple's products and initiatives, including Apple Music, Siri, and augmented reality.
In recent testimony before Congress, the director of the FBI has again highlighted what the government sees as the problem of easy-to-use, on-by-default, strong encryption.
In prepared remarks from last Thursday, FBI Director Christopher Wray said that encryption presents a "significant challenge to conducting lawful court-ordered access," again using the longstanding government moniker "Going Dark."
The statement was just one portion of his testimony about the agency's priorities for the coming year.
After an initial glimpse at this summer's San Diego Comic-Con, the first full trailer for Ready Player One premiered this weekend. Author Ernest Cline brought the footage to his hometown theater—Austin, Texas' Alamo Drafthouse—and live-streamed it (with a post-roll Q&A) for fans worldwide on the film's Facebook page.
"If Willy Wonka was a game designer instead of a candy maker and held his golden-ticket contest inside the world's greatest video game, that's kind of the essence of what the story is," Cline said.
For those unfamiliar with Cline's best-seller, Ready Player One is the story of a kid growing up in the near future, dreaming of escape from his life in a massive, dystopian trailer park. Our hero Wade Watts only finds real happiness in The OASIS, a massive multiplayer VR world where he can indulge his love for 1980s pop culture. (See flashes of The Iron Giant, Battletoads, Lara Croft, Chun-Li, Overwatch characters, and many, many more.)
The Federal Communications Commission's net neutrality repeal "is based on a flawed and factually inaccurate understanding of Internet technology," a group of inventors and technologists told members of Congress and the FCC in a letter today.
The letter's 21 signers include Internet Protocol co-inventor Vint Cerf; World Wide Web inventor Tim Berners-Lee; Apple co-founder Steve Wozniak; public-key cryptography inventors Whitfield Diffie and Martin Hellman; RSA public-key encryption algorithm co-inventor Ronald Rivest; Paul Vixie, who designed several widely used Domain Name System (DNS) protocol extensions and applications; and security expert and professor Susan Landau, who has fought against government attempts to make phone encryption less secure. The letter was also signed by former chief technologists at both the FCC and Federal Trade Commission, David Farber and Steven Bellovin, respectively.
FCC's "flawed" understanding of Internet
The letter calls for a delay of this Thursday's FCC vote to deregulate broadband service and eliminate net neutrality rules. It says:
Lock an infinite number of monkeys in a room with an infinite number of typewriters for an infinite amount of time, and I’m not sure they’d ever come up with Xenoblade Chronicles 2. The action-JRPG so greatly lacks a cohesive style—mechanically and artistically—that its very absence becomes its cohesive style. It’s a mishmash of ideas from MMOs, anime, gacha games, science fiction, fantasy, management sims, satire, melodrama, and probably a load of other stuff I haven’t even seen.
But just like the classic adage about simians writing Shakespeare, given enough time, it kind of works.
It does not give that impression at first. Xenoblade Chronicles 2 leads with some of the most generic setup and characters I’ve seen since the PlayStation 2 era, when everyone and their uncle put out six 80-hour RPGs a month. You start as Rex: a determined young man on his own. He meets a magical girl who is wanted by an empire, among others, and goes off on an adventure where he slowly accrues party members of various stripes. Some of those party members get amnesia, of course, because what JRPG is complete without an amnesiac subplot?
If that all sounds like the plot of every JRPG in the past 20 years to you, you’re not alone. That familiarity, plus the game’s well-documented and tacky ogling of its female lead, had me ready to roll my eyes right off the screen for the first couple hours or so. The poor start is especially egregious given the incredibly evocative intro to the original Xenoblade Chronicles—which was set on a world made from the interlocked corpses of two continent-sized colossi.
Flaws in software often offer a potential path for attackers to install malicious software, but you wouldn't necessarily expect a hardware vendor to include potentially malicious software built right into its device drivers. But that's exactly what a security researcher found while poking around the internals of a driver for a touchpad commonly used on HP notebook computers—a keystroke logger that could be turned on with a simple change to its configuration in the Windows registry.
The logger, which could potentially be leveraged by an attacker or malware to harvest login credentials and other data, was discovered by security researcher Michael Myng (also known as ZwClose) lurking within driver software for Synaptics touchpads, which are used by hundreds of HP and Compaq business and consumer notebook computer models, as well as many other Windows notebook computers from other manufacturers. Myng disclosed the discovery on his blog on December 7 after the problem was reported to HP.
The keylogger was apparently included for debugging during development and is disabled by default. However, a user or software with administrative privileges could activate the keylogger by making a registry change—potentially remotely using Windows Management Instrumentation (WMI) or PowerShell scripts. Once turned on, it captures keystrokes and generates a trace log file.
We've re-launched our Ars Technica merch store just in time for the holidays, and the response has been great—"Nuke it from orbit" mugs and Ars hyperspace logo T-shirts are flying off the virtual shelves.
If you're pondering an order and want to make sure it arrives by Christmas, order today to avoid disappointment. Between the time needed to print the shirts and the time needed to ship them, December 11 is the final day to place most orders for Christmas delivery. Here are the shipping options that will still get your merch to you by December 25:
USPS Priority Mail: Dec 11
The Federal Communications Commission has again refused to help New York's attorney general investigate impersonation and other fraud in public comments on the FCC's net neutrality repeal.
For the past six months, New York State Attorney General Eric Schneiderman has been "investigating who perpetrated a massive scheme to corrupt the FCC's notice and comment process" by filing fraudulent comments under real people's names. But FCC Chairman Ajit Pai's office has "refused multiple requests for crucial evidence in its sole possession," Schneiderman wrote in an open letter to Pai last month.
FCC General Counsel Thomas Johnson responded to Schneiderman on Pai's behalf Thursday and once again refused to provide the requested evidence.
The cost to complete a Bitcoin transaction has skyrocketed in recent days. A week ago, it cost around $6 on average to get a transaction accepted by the Bitcoin network. The average fee soared to $26 on Friday and was still almost $20 on Sunday.
The reason is simple: until recently, the Bitcoin network had a hard-coded 1 megabyte limit on the size of blocks on the blockchain, Bitcoin's shared transaction ledger. With a typical transaction size of around 500 bytes, the average block had fewer than 2,000 transactions. And with a block being generated once every 10 minutes, that works out to around 3.3 transactions per second.
A September upgrade called segregated witness allowed the cryptographic signatures associated with each transaction to be stored separately from the rest of the transaction. Under this scheme, the signatures no longer counted against the 1 megabyte blocksize limit, which should have roughly doubled the network's capacity. But only a small minority of transactions have taken advantage of this option so far, so the network's average throughput has stayed below 2,500 transactions per block—around four transactions per second.
The biggest Google Home is finally on its way to stores. The $399 Google Home Max was announced at Google's October 4th hardware event alongside the Google Home Mini, Pixel 2, and tons of other hardware. The Max doubles down on the Home's music capabilities, offering a more powerful sound system in a form factor about the size of a bookshelf speaker.
With pretty much zero fanfare, the Google Home Max has started popping up at stores. Online listings are live at Best Buy and Verizon, with both showing a ship day of "today." The Google Store doesn't seem quite ready yet and still shows a "join waitlist" button instead of an actual "buy" link. Don't bother checking Amazon, which refuses to sell Google products like the Google Home and Chromecast, in part because they don't support Amazon Prime Video.
SpaceX will attempt to launch its 17th mission of 2017 on Tuesday, a cargo supply flight to the International Space Station. Liftoff is scheduled for 11:46am ET, and weather conditions are expected to be near perfect, with a 90 percent chance of go conditions.
This flight is notable for several reasons. Already this year SpaceX has re-flown one of its Falcon 9 rockets and reused a Dragon spacecraft for a station supply mission. This mission will combine both, marking the first time SpaceX has used a "flight proven" booster for a NASA launch and combined it with a used Dragon spacecraft. This booster first flew in July (also on an ISS cargo mission), and the spacecraft first flew to the station in 2015.
The launch attempt also marks a return to an old launch pad for the California-based company. When a Falcon 9 and its satellite payload blew up in September 2016, the explosion did significant damage to Space Launch Complex 40 in Cape Canaveral, Florida. The launch pad has been out of service since then.
It’s the holidays, which means it’s once again time to rack your brain in search of the right gifts for the right people. If someone on your list is into tech, though, we’ve got your back.
For this year's edition of the Ars Technica holiday gift guide, we're breaking down our recommendations into themes. The following crop of recommendations is centered on video games—from accessories to JRPGs, here are a few things we'd buy for the friend who can't pull themselves away from their console or gaming rig.
During a major annual tournament for the fighting game Street Fighter V, the series' creators at Capcom announced the biggest anthology ever for the series—if not for Capcom as a game maker. On Sunday, the developers interrupted their Capcom Cup event to unveil the Street Fighter 30th Anniversary Collection, which will combine a giant set of games, a bunch of features, and an ambitious every-system-simultaneous launch in May 2018 for $39.99.
The primary selling point of this set is that it will finally combine every mainline, sprite-based Street Fighter game in one anthology. Capcom counts that as 12 games. The timeline starts with Street Fighter (no number—this is the 1987 original with only Ken and Ryu selectable), and it continues with every version of Street Fighter II, Street Fighter Alpha, and Street Fighter III. (Sorry, Pocket Fighter and Street Fighter: The Movie game fans.)