An Android developer by the name of Koushik Dutta is building an alternative Android app store which will house the apps that have been banned from Google’s official Android Market. These will include the custom ROMs (customized versions of the Android OS), classic gaming emulators pulled due to copyright complaints, unofficial tethering apps removed at the behest of mobile operators, Visual Voicemail apps, one-click rooting apps, and more.

The developer, who also goes by the name “Koush” online, suggested the idea earlier this month and received hundreds of positive responses in return. Today, he has posted a progress update, showing an early version of the store being built. (See below).

Dutta is well-known in Android hacking circles as member of the CyanogenMod team and the creator of ClockworkMod, a custom recovery console for Android devices. For the uninitiated, these terms refer to customized versions of Android software which users can install on their devices after rooting their phone, a process which gives them complete administrative control over their handset.

Rooting, similar to its iPhone counterpart jailbreaking, has been popularized among the Android community, and today there are many software applications which less technical users (i.e., those without programming knowledge) can use to root their device. It’s still a risky task, however, so proceed with caution – you could turn your phone into a nice paperweight if you screw up.

After rooting, users are able install replacement firmware like CyanogenMod, created by Steve Kondik, which offers a customized version of the Android OS, free from carriers’ control and customizations. There are now over 1 million active users of CyanogenMod. It’s a sizable community.

These users will have access to the new alternative app store when complete, assuming the project stays on track. The screenshot posted today shows a very basic page for app submissions – nothing that looks like a finished product. But it’s promising.

Although modding has always been a popular activity among the geekier Android crowd, it’s interesting that they’re now facing many of the same restrictions as their iPhone-toting counterparts when it comes to apps. Android may offer a more open app publishing process – there are no review boards or wait times involved – but there are still rules. Certain apps are not allowed, especially if they violate copyright or a mobile operator’s need to generate revenue from value-added services, like tethering.

This should be an interesting project to keep an eye on.

Customers who used the self-checkout lanes at Lucky Supermarkets have been hacked. The grocer, which operates stores in California, says some of their credit card machines have been altered with sniffers to capture credit and debit card numbers. Lucky, owned by parent company Save Mart, is telling customers who used those machines to close their bank and credit card accounts. At least 80 at-risk accounts have been identified and the supermarket chain has gotten calls from more than 500 customers who fear they are victims of fraud.

Card-skimming scams have been reported at gas stations and ATMs and retail chain stores. But this appears to be a first widespread attack at a supermarket checkout lane.

A key question remains how criminals could have attached these devices at multiple Lucky locations without anyone noticing. Lucky says at least 24 Bay area stores have been affected.

According to a report in the San Jose Mercury News, Save Mart’s CFO doesn’t think it’s an inside job, saying “It’s pretty well-understood technology. If a bad guy really wanted to go do this, they could probably go online and educate themselves at Google.”

Lucky first got suspicious on November 11th, when an employee doing maintenance noticed something that didn’t look right. They discovered an extra computer board inside the checkout machine recording customer info. Lucky says it warned customers on November 23rd, but it wasn’t aware of any cases of fraud at the time.

The checkout card readers were made by VeriFone, which confirmed there was a problem. The Lucky spokesman told the Mercury News “it was a very sophisticated device that they’d never seen before.” In addition to making credit card readers, VeriFone has a partnership with Google for NFC-based mobile payments.

Save Mart operates 233 stores in Northern California and Nevada under the names Save Mart, S-Mart Foods, Lucky and FoodMaxx brands. Lucky has posted a list of stores affected and information for consumers on their website.

A hacking group calling themselves “Team Swastika” posted what they claimed was over 10,000 comprised Facebook accounts to Pastebin, a service that serves as an online clipboard. However, according to statements from Facebook PR, these email and password combinations don’t actually represent live Facebook accounts. Instead, it appears that the hackers obtained the accounts using common phishing techniques, where users were tricked into giving away their personal information.

The development was first discovered by Rik Ferguson of Trend Micro, who notes that this hacking group had previously drawn attention to itself by publishing database tables and user credentials from the websites of the Indian Embassy in Nepal and the Government of Bhutan.

He was able to look at the list of supposed Facebook accounts before it was taken down, and found that they came from all over the world, and the majority of the users were not using complex passwords. Many of the passwords were simply a derivation of the user name, a favorite sports team or a short numerical password.

There was no indication as to how this account data was stolen, said Ferguson.

Says Facebook:

This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of email and password combinations that are not associated with any live Facebook accounts.

In reality these emails/passwords are the result of standard phishing activities where people were tricked into giving away their credentials.

Although the accounts may not have been actual Facebook logins, assuming they are indeed legitimate email/password combos, they could represent a comprise of numerous other services. Because users often reuse their same password around the Web, the logins may open up access to other accounts that were not the intended target of the phishing scheme. Good thing they’ve been taken down from Pastebin then.

Update: Ferguson now has new info on the compromised accounts. He says that the two lists the hacking group posted have previously been seen online. One list has been around for the better part of a year, while the second, which may actually be the work of another hacking group, was posted 19 days ago. More details are here.   

Image: Countermeasures

Austrian blogger and developer Florian Rohrweck recently discovered a lot of Google+’s upcoming features just by digging around in the source code for the new social networking service. He was one of the first (but not the only one), to reveal Google+ Games before its launch, for example, as well as still unreleased features like “Shared Circles” and social search, among other things.

Now, it seems, Google has had enough of Rohrweck’s snooping. It’s hiring Rohrweck to help secure the code instead.

This story sounds a little familiar, doesn’t it? After all, just last week, Apple hired one of iOS’s top hackers, Nicholas Allegra, also known as “@comex” on Twitter, to work on securing its mobile operating system.

Likewise, Rohrweck will be tasked with securing Google Web apps from leaks, and possibly working as a developer advocate as well. (Even he doesn’t quite know what his duties will include, he says.) The ink isn’t dry on the job contract, Rohrweck notes, so technically he’s about to be hired, not hired yet.

But to be clear, it was the code snooping (and blogging about it, extensively) that got Google’s attention in the first place. Says Rohrweck in an exchange, “yep, it was my leaking and lurking that made them nervous!” Google had previously taken notice of the developer, and gave him a shout-out in Google+’s code by way of an easter egg.

We suppose that getting hired by Google means Rohrweck’s detailed and sneaky (and yep, sometimes NSFW) glances into the future of Google+ will now no longer be published for all to see. That’s too bad for us, but probably a smart by Google.

Apple has just hired yet another member of the iPhone jailbreaking community, Nicholas Allegra, also known as “@comex” on Twitter. Allegra is best known for the JailBreakMe website which made the process of jailbreaking the iPhone as simple as visiting a webpage using mobile Safari.

The 19-year old hacker from Chappaqua, New York, posted the news of his hire on Twitter, stating that he will be starting an internship with Apple week after next.

Allegra was one of the most visible members of the jailbreaking community, regularly finding security vulnerabilities in Apple’s iOS software, which made it possible to hack iPhones, iPod Touches and even iPads. Typically, these holes were exploited through the use of specialized jailbreaking software applications which required the phone or other device to be connected to the computer via a USB cable.

But JailBreakMe was far easier to use – visitors just launched the website from their mobile device. The site featured a familiar-looking “slide to jailbreak” bar at the bottom of the page. One simple gesture, and the device was hacked. It made jailbreaking accessible to anyone, even non-technical users.

Traditionally, Apple discouraged jailbreaking, as it allows for the installation of third-party applications outside the official iTunes App Store. The concern is that once a phone or other device is jailbroken, it’s easier to illegally pirate applications which would otherwise be sold in the App Store, earning revenue for developers and Apple alike.

However, not all jailbreakers are interested in stealing apps – sometimes, like their Android-rooting counterparts, they just want control over their handset. On jailbroken iOS devices, users can make tweaks to the software and install widgets, themes and other unapproved applications by way of third-party “jailbreak” app stores like Cydia, Icy and ThemeIt.

In recent months, Apple has begun to take notice of the now-burgeoning jailbreak community, estimated to include 10% of all iPhones. For example, Apple hired Peter Hajas in June, the creator of a popular jailbreak app known as Mobile Notifier, which bears a striking resemblance to the new notification system in iOS5. The move prompted discussion as to whether Apple was reconsidering its position in regards to jailbreaking – maybe it’s now being thought of as a farm league for discovering new talent?

Jailbreaking is going even more mainstream this year, thanks to its first-ever hacker convention called MyGreatFest. According to event organizers, Allegra was planning on attending the conference, but whether he still will is now unclear.

Says MyGreatFest organizer Craig Fox, “I think it’s a great move for Allegra, but it’s sad for the jailbreaking community to lose such a bright and young hacker.”

Image credit: Forbes, which outed @comex earlier this month

The bounty to get a workable version of the Android operating system installed on the now-discontinued HP TouchPad is up to $2,000+, as of today.

As we previously reported, the goal of this project is to get some version of Android 2.x onto the TouchPad and, most importantly, stable. If successful, this effort will help keep the HP tablet a little more relevant to those unfortunate early adopters who have been left with a mobile operating system whose future is decidedly uncertain.

The project is being led by the modding community called HackNMod, which said it would divvy up the money to developers who achieve certain milestones, such as the first to get a “basic” port up and running, the first to get Wi-Fi working, the first to get audio functional, etc. $450 for the Android port itself comes from HackNMod itself, while the remaining portion will come from sponsors.

Today, the popular developer forum site XDA announced it, too, is getting in on the effort and has teamed up with HackNMod to increase the bounty to over $2,000. Its donation comes from an anonymous XDA member. XDA also has a dedicated forum for the TouchPad and TouchPad development. The forum thread announcing the increased bounty is here.

One group to watch in this effort is RootzWiki, which is working own its own “Touchdroid” project detailed here. Something tells us they’re going to end up with a good bit of that cash prize.

They’re out there. Be afraid. They could be anywhere, everywhere, anyone. They are shadowy, deadly, mysterious, guided by intellects vast and cool and unsympathetic. Security consultants and antivirus firms whisper legends of them to their clients to scare them straight. They are the Voldemort of online security, except that everyone is all too eager to say their name: the Advanced Persistent Threat. Hide your children! You cannot stop them!

…well, actually you probably could, and pretty easily too, but apparently most folks can’t be bothered.

Vanity Fair just wrote breathlessly about “Operation Shady RAT”, which featured “a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer.” Military-industrial standard-bearer Northrop Grumman is “constantly under attack by cyber-gangs.” A few months ago Security firm RSA’s SecurID systems were the victim of “an advanced persistent threat, a slow and consistent attack used by hackers to obtain specific information.” The Pentagon is alive to the APT threat, and says it is beginning to focus more on deterrence than on defence, because “each year, a volume of intellectual property exceeding the size of the Library of Congress is stolen from U.S. government and private-sector networks.” Why, just this week, San Francisco’s government-owned BART system was hacked by—

…waaaaaait a minute.

One can never be sure, particularly in this arena, but it seems that BART’s police database was hacked by … a teenage French girl, who reported: “They had zero security.” Here’s the link she allegedly used to hack them. Don’t worry, it’s no longer active. Take a good look at that URL. Remind you of anything? It should, if you’re an XKCD reader:

Ah, SQL injection, that old canard. But wait, it gets even worse:

BART's been hacked and it looks like they stored user passwords as plain text. Looks like they missed the class on Security 101 #opBART—
Michael Meehan (@michaelmeehan) August 14, 2011

Seriously? Seriously? Plaintext? Who runs security for these jokers, Mr. Bean?

OK, so maybe the BART hack was a script kiddie enabled by morons. But what about “Shady RAT”? So glad you asked. Vanity Fair’s clueless hyperbole makes it sound like no one in the history of the Internet had ever sent an email that linked to a page with a browser exploit before. Earth to their editors: you’re about a decade-and-a-half behind the times. The attacker then used steganography to communicate with the compromised machines. Ooo, steganography, scary and hard to pronounce! Sure, that might have been amazingly sophisticated…ten years ago.

The RSA hack worked in exactly the same way: emails to employees with an enticing-looking attachment, plus a zero-day Flash vulnerability. And the tech media went crazy about the deadly APT attack on a security company. Are you kidding me? That’s an example of an “advanced persistent threat”? Adobe products are legendary for their insecurity. If that’s an APT, so was News Corporation’s kindergarten-tech-level hacking of cell phones.

But don’t just take my word for it: “Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case,” says Symantec security researcher Hon Lau. Or as IT World trenchantly put it, re APT attacks in general: “The striking thing is sophistication of the excuses of victims, not the techniques of crackers … Only 3 percent of attacks were considered too slick for the victims to have been able to stop. That leaves 97 percent of data breach victims trying to find something other than themselves to blame. “

There are genuine, sophisticated, brilliant black-hat hackers out there. Some of them work in groups. Some even work for nation-states and militaries, including, very likely, the people who hacked Google eighteen months ago. But most hacks are made possible because the victims allowed them; and we shouldn’t forget that security companies have every incentive to make the dangers seem as deadly and sophisticated as possible.

Organizations everywhere put up full-spectrum firewalls, draft byzantine and Kafkaesque security policies, send delegates to security conferences to talk very seriously in hushed voices about APTs, and make endless pointless and/or disastrously counterproductive demands in the name of security theatre, such as forcing people to use impossible-to-remember passwords

while storing those incomprehensible passwords in plaintext on databases vulnerable to URL SQL injection, as their employees open poisoned attachments sent by strangers. That’s like being so worried about whether an enemy nation-state has fired a cruise missile at your house that you forget you left your car parked overnight with the door open and the keys in the ignition. In Oakland. Worrying about APTs directed by, say, China is very sexy—if blatantly sinophobic—these days, but maybe organizations shouldn’t start worrying about the enmity of the Middle Kingdom until they’ve first established their ability to handle bored teenage French girls with a bone to pick.

Image credit: “Public Enemy / Minor Threat”, believekevin, Flickr.

Unsurprisingly, the response was one of boilerplate outrage, albeit with a truly classic quote from FBI deputy assistant director Steven Chabinsky: “We want to send a message that chaos on the internet is unacceptable.”

I’m hoping this one will go down in history with chestnuts like “a series of tubes” and “just don’t hold it that way.” Chabinsky continued in his interview with NPR:

…it’s entirely unacceptable to break into websites and commit unlawful acts.

The investigative opportunities that present themselves in this area are transnational. The resolution of these cases will involve international cooperation. The Internet has become so important to so many people that we have to ensure that the World Wide Web does not become the Wild Wild West.

Leaving aside the curious implication that the web was not always wild, his choice of words is interesting. “Transnational” and “international cooperation” imply a global alignment on internet issues that simply doesn’t exist, though I’m sure the well-established channels of international police cooperation function as advertised. Anonymous issued a response of sorts to Chabinsky’s words, in which they are a bit less optimistic.

Tracking and collecting hackers of this type is like herding cats that move at the speed of light. The arms race in the detection/evading detection field is lopsided, and hackers are unquestionably at an enormous advantage. They’re savvy enough to avoid the pitfalls set for them by aging heads of security, and even cooperation at the level of internet providers is unlikely to be too effective. Besides, it’s survival of the fittest: script kiddies running LOIC on their mom’s unencrypted open wifi are going to get picked up while the shrewd hacker who pays for a Swedish VPN and codes his own tools won’t even be on the radar.

The fun part is that all this hacking really isn’t even very sophisticated. I mean, it’s not something you can just pick up and do on a Sunday afternoon, but these people aren’t sneaking into access tunnels and jacking into corporate mainframes. They freely admit it; part of LulzSec’s mission was to show just how poorly protected much “secure” information is. This NATO hack (like many high-profile hacks recently) was accomplished with a little SQL injection, an embarrassing oversight by a security team that, if anything, should be far more circumspect in its work than the average security-conscious organization or company. I wouldn’t go so far to say that those who are so easily hacked deserve it, exactly, but they deserve the dressing down they get later. The Sony hacks, for instance, almost certainly harmed the consumers and as such are deplorable acts — but Sony is more deplorable for its irresponsibility and tone-deaf response.

It’s like leaving your bike unlocked on the street as a kid and coming back to find it gone. It’s not that you deserved to have your bike stolen, but you clearly don’t value it much if you don’t take even elementary precautions. You may not agree with the thief’s motives (probably mercenary), but they don’t have to be paragons of virtue to be the bearers of an important lesson: yes, this can happen to you.

To come back to Chabinsky’s claim that chaos on the Internet is unacceptable, though. Mr. Chabinsky, I admire your dedication to orderliness, but you may as well try to straighten out a rainbow. Chaos isn’t the problem — chaos is the point. I don’t envy anyone whose stated job is to reverse entropy.

The lawsuit alleges that Sony was both remiss in its security responsibilities and its duty to inform its customers of the problem. I think it’s got legs.

While the statement from Sony wasn’t as straightforward as we’d have liked, it’s not hard to see that this breach was serious from the very beginning and the extent of the information the hacker potentially had access to included passwords, credit card numbers, and everything else that should be near-impossible to access. If there was any chance that a hacker had access to my credit card — even encrypted, as they mention the information was — Sony should have said that at the very first moment they knew.

No doubt the various security, policy, PR, and other teams at Sony have been working frantically to come up with an official statement and damage report. But when very important details of some 77 million people are at stake, it’s probably better to overstate the danger at once to be safe. That way, people can make the evaluation of whether or not they are at risk.

By staying silent, Sony has potentially given the hackers a week-long head start on using, selling, or otherwise abusing the customer data. They knew it was bad from the start — the total shutdown is proof of that. And they should have told us. Were you one of the people affected by this? Keep an eye on this one.

Here’s the full text of the complaint:

JohnsvSony Complaint FINALhttp://www.scribd.com/embeds/54070618/content?start_page=1&view_mode=list

And although Sony’s responses have been somewhat restricted, you can keep track of official developments (like this Q&A) over at the Playstation Blog.

[via CNET]

Since Sony’s PlayStation and music networks went down two days ago, there has been a fair amount of public speculation over the cause of the outage. (Largely due to Sony’s tight-lipped handling of public relations.) Many blamed vengeful gremlins loose in Sony’s server clusters and datacenters, while others immediately pointed the finger at Anonymous, the merry band of hackers that metastasized out of 4chan.

Thankfully, after 24+ hours of communication silence, Sony has updated its blog and ended the speculation. According to the electronics colossus, “an external intrusion” is responsible for the ongoing outages of the PlayStation Network and Qriocity. (It probably sounded like this at Sony headquarters. Or this.)

As to who these nefarious “intruders” are: It seems that Sony does not yet know who is responsible for the breach, or if it does, it is instead smartly spending its time sealing areas of vulnerability and trying to get the network back up and running. And though reports of PlayStation’s outage began heating up early Thursday morning, Sony reports that it in fact self-defensively shut down the Network sometime Wednesday evening.

According to the network’s blog, “An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.”

So, when I said Sony has ended all speculation, I was really only half-correct. Sony is still not naming the party responsible for the breach, so the speculation will likely continue. (Can you hear the blogosphere cheering?) Anonymous has prior beef with Sony and has attacked the company before, so it’s not surprising many blamed them for the service disruption. (You can read more about Anon’s prior grievances with Sony in yesterday’s post.)

However, AnonOps (Anonymous Operations), the group’s mouthpiece and network through which members frequently communicate, has adamantly stated via its news wing that it was not responsible for the outage. Though, it seems that this particular announcement was made prior to Sony delivering the news that the problem was in fact due to hacking. So, Anonymous pointing to Sony’s incompetence as the cause of the outages is off base. Sort of.

More likely, as Anonymous makes mention of in the announcement, the hack was perpetrated by some offshoot of the group, which is either more angry at Sony than the majority, or is more eager to get its precious “lulz”. (While I have to admit that I sometimes find myself sympathetic to some of Anonymous’ philosophical stances, it’s hard not to use words like “fundamentalist” when referring to “factions” within the group, and draw structural comparisons between black hatters and terrorists. There are obviously important distinctions here, and line-blurring, but there it is.) Or, on the other hand, we might soon be learning of an as-yet-unknown hacker entity that is making a run at Anonymous for public notoriety. Gulp.

The PlayStation Network currently has over 70 million users and is Sony’s online medium for its PlayStation 3 and PlayStation Portable consoles. Both the Network, and Sony’s Qriocity music service were targeted. As stated previously, in its most recent blog post, Network spokespeople make no mention of how long the outage will continue, but it’s likely that it may take several more days to sort out. And this is after Sony posted yesterday saying that the outage may last for a “full day or two” — and after Amazon’s web and cloud services suffered from their own major outage.

At this point, the outage has lasted for over 48 hours and has become quite a disaster for Sony. (Or a “kerfuffle”, if you prefer a softer word.) Now, if this were in fact the result of denial-of-service attacks, it’s hard to place the blame entirely on Sony. Few networks can defend against large-scale DDoS attacks, which is, sadly, the point. That being said, the company has known since Wednesday night that there was an intrusion, so I find it odd that it would wait for two days to inform its users — and remove a post from its EU blog early Thursday saying that the outage is a result of “targeted behaviour by an outside party”.

All in all, the company’s public relations strategy is, at the least, very confusing. While it’s true that millions of gamers are being inconvenienced and are being forced offline, sure, it’s certainly not the end of the world. But, both for the sake of the company — and its users — a higher frequency of communication and level of transparency has to be achieved. In today’s world, a company can’t allow its official Twitter streams (@Playstation has nearly 800K followers) to go without an update for 24 hours. Especially when 70 million people are affected.

So, for everyone’s sake, I hope the Network can get up and running before this turns into the longest widespread network outage (due to hacking) in recent memory. If it isn’t already.

We will update this post over the weekend as we learn more. Stay tuned.

UPDATE: Sony said in a message posted at around 8pm Saturday that the network remains down due to the fact that company is “re-building our system to further strengthen our network infrastructure”. I imagine rebuilding its entire network is going to take some time, but in the long run, it’s probably best to do this all at once, even if it takes several more days.

UPDATE 2: As of 1pm Monday, the outage continues. Today’s update from the PlayStation blog offers a whole lotta nothin’. There is still no word about when the Network will be back up and running. Could be tomorrow, could be next week. From Sr. Director, Corporate Communications Patrick Seybold, “I know you are waiting for additional information on when PlayStation Network and Qriocity services will be online. Unfortunately, I don’t have an update or timeframe to share at this point in time”.

McAfee, the computer security company, has issued a fresh warning to the world’s corporations and other large organizations. The firm has warned that hackers now have these bodies fully in their sights, and that a combination of the de-centralization of the workplace (thanks to to proliferation of mobile devices and the like) and the move to the cloud means in-house security technicians have their work cut out for them. And since there’s a market out there for stolen corporate secrets, you can bet that the bad guys aren’t going to stop anytime soon.

There’s a few things at play here. The first is probably that, now more than perhaps in the past, says McAfee, there’s very much a market for stolen corporate secrets. A bit of source code here, some revenue projections there, tie it in a bow, and hand it off to someone who could use that information. What did Bernie Ecclestone say, that money and sex makes the world go ‘round? (I don’t know, I’m reading this book and it was mentioned.) Offer enough money and you’ll find someone willing to break into this or that server, no questions asked.

And it’s perhaps easier to get this information. Back in the day, a corporation’s private data might be stored in a server under lock and key, and you’d need physical access to get at it. That’s not so much the case anymore. People work from home, and they sometimes need access to this or that file. That means you have to create some sort of remote-access system, a system that could be compromised all the more easily. (How many of you use one of those RSA keyfobs to log into your job’s server? Think along those lines. Oh, almost forgot: RSA was partially compromised a few days ago. Fun for everyone!)

Then there’s also the fact that seemingly all of us are carrying around mobile devices. How many of you have sensitive information about your clients (or whatever the case may be) on your smartphone or tablet? What if you lose said smartphone or tablet? That could be trouble. Ten, 15 years ago your company’s network security staff didn’t have to worry about you leaving your iPhone at a bar, did they?

There’s also the transition to the cloud to examine. Corporations are readily storing their own information somewhere else! Now you don’t even have the physical access to your own sensitive data—could be problematic.

McAfee says this has become a pointed problem in countries like Brazil and Germany, and that it’s particularly troubling because you might not even know if your data has been stolen. A quick cp here and there and you’re boned.

What to do? First, panic. Second, learn how to use your equipment. At the very least put a password on your mobile device in the hope that the bad guys will see it as not worth the energy to try to crack; plenty of other unsecured devices out there. Third, make sure you know who you’re dealing with. If you’re storing data on a third-party sever make sure you understand what their security polices are, and what they’ll do in case of an attack.

Other than that? Yeah, panic. Just panic, everyone.

That didn’t take long. Yesterday, we reported that hacker @koush had successfully made the Xoom moddable by installing his ClockworkMod Recovery ROM manager. At that point root access was not achieved, but, no less than a day later he made it happen.

There are detailed instructions up on his site if you want to try it out. But, be warned there are still a few limitations to the rooting; i.e. the SD card isn’t working yet.

Now that the Xoom is rooted, we can expect to see a bunch of different mods. Though, it likely means non-Market apps and free Market apps.

[via electronista]

Writing on their blog yesterday, Rafael Rivera, Chris Walsh, and Long Zheng have revealed what they can (outside of the NDA they voluntarily signed) about the 2 days of meetings, and are “genuinely excited” about what lays in store for the platform.

They are now working “with Microsoft towards long-term solutions that support mutual goals of broadening access to the platform while protecting intellectual property and ensuring platform security.”

As a nice bonus, the three of them were given non-production ASUS E600 development devices, on which to weave their magic.

Note that, while a future WP7 update will fix the bug that allowed the ChevronWP7 unlocker tool to work — and thus render it useless — the guys are collaborating with Microsoft to create an “interim solution that will continue to support homebrew developments after the update.”

In short, Microsoft are doing their best to support both the interests of IP holders, and the interests of the homebrew community.

This approach seems to be paying off, too, with multi-platform hacker Geohot going out and buying a Windows Phone 7 handset. Or, at least he would have, had the head of WP7 development, Brandon Wilson, not offered him a free one.

[via Redmond Pie]

Darn shame that none of us thought to attend the Chaos Communication Congress in Berlin. Why cover fun stuff, right? Thankfully PSGroove made it out there, and came away with video of a video game console security discussion. The Wii has been “broken” (hackable, in other words) pretty much since Day One; the Xbox 360 has been hackable for a few years now (JTAGing is the way to go these days); and the PS3′s security is dead as disco. This, despite all of Sony’s huffing and puffing, particularly with regard to its stance toward Linux. In other words, Sony’s security can now be considered an “epic fail.” Note to self: do not get on the Linux’s community’s bad side.

The gist of the talk, which is broken into several 15 minute chunks, is that the PS3 can now be hacked with a dongle-less solution, making all of those paid dongle solutions a complete waste of money. The hack wasn’t invented to placate silly kids who want to download the latest PS3 game, but for folks who want to be able to run homebrew code (read: Linux) on the hardware they own.

All of this would seem to invalidate Sony’s original decision to remove the Other OS option for the PS3, fearing that it would leave the system susceptible to hacking.

And now it’s been hacked. Good job.

KrebsOnSecurity has a fascinating look at ATM skimmers. After approaching a Russian skimmer “salesperson,” Brian Krebs asked about the latest and greatest in skimmer technology. His recommendation? A GSM-based SMS transfer system that blows out the contents of your card’s magnetic stripe whenever you swipe it. Because it’s inexpensive to build and install, you can even leave it if the feds find out because all the data is safe on your home servers. Get a pre-paid SIM card to grab the SMSes and you’re set! Instant Christmas miracle.

Here’s his GSM-based skimmer sales pitch:

So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.
And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer – you lose equipment, and tracks, and money.

That’s not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.

Another benefit of the GSM system? You reduce employee theft.

“Consider this scenario: You have employed people who will install the equipment. For you it is important that they do not steal tracks. In the case of skimmer equipment that does not transfer dumps, the worker has full control over receiving of tracks.

Call me paranoid, but I physically pull and push the skimmers on all ATMS I use. It’s not worth the risk.

via BoingBoing

China Telecom, alleged to have hijacked all that Internet traffic back in April, has denied any wrongdoing. Meanwhile, the Chinese government has not commented on the matter. Hmm…

All of this stems from a report in the recent US-China Economic and Security review that said China Telecom had routed Internet traffic away from its intended destination. The report doesn’t say whether or not the re-routing was done intentionally or not, so who knows.

From here we can go in one of at least two different directions. We can take the popular approach and say demonize China for this or that, without any real proof of whether or not the hijacking was intentional (CYBER WAR~!), or we can say, well, how about we give China the benefit of the doubt? I simply don’t understand what China would gain by so very noticeably fiddling with Internet traffic. It just seems like a waste of time with no real upside.

Reminds me of that Penny-Arcade strip…

This is probably a case of where the idea is sound but humans will no doubt muck everything up. Thirty-three states here in the good ol’ U.S. will allow military and overseas citizens to vote via the Internet beginning with the mid-term election in November. This is being done in part to ensure that overseas voters’ votes, you know, count. I don’t know how many of y’all have ever lived overseas, but it’s probably easier to find Jay Leno funny than it is to obtain a ballot, then have it count. It’s 2010 and we still don’t have simple things like voting figured out. Amazing.

In steps the Internet to the rescue, right? The idea is to have these voters (including military personnel) vote via the Internet in some capacity. Now, whether or not that means you’ll be able to e-mail some overseas county clerk, as it were, with the subject MY VOTE and the body I VOTE FOR CANDIDATE A, HE’S COOL AND STUFF is completely unknown. There’s been a bunch of trial programs to figure our exactly how the votes would be cast. Do you set up a VPN for votes to pass through? Maybe a special Web site with super fancy authentication? No idea.

The problem with this, of course, is that the Internet is wildly insecure. Any teen with a copy of ettercap could, if he wanted, snoop an entire cafe’s Internet traffic while sipping a latte. Don’t think SSL will protect you, because it won’t! I’ve seen it effortlessly defeated so many times that I’m hesitant to even check my throwaway Gmail account on a public connection (airport Wi-Fi, at the café, heck, even at the TechCrunch office in New York). Unless I can see the pipe coming from the street into my modem, then to my router, I have zero control over who or what could possibly “hack” my connection.

When you’re dealing with something as important as voting, you can guarantee that there will be people looking to cause trouble—it’s just human nature (which is partially why I want “I, Robot” to actually happen).

Internet voting: a solution to a very real problem that unfortunately will never work as well as you’d like. Maybe it would work if people weren’t jerks…

These questions are natural, because a few years ago they wouldn’t even be possible. What reason would you have for breaking open an first-generation iPod, or hacking an original Playstation? The question of “unauthorized software” on System 9 and Windows XP was plainly moot. But as the capabilities of the PC, console, and phone have expanded, so have their magisteria. And as their power grew, so did their chains. These chains were so light before that we didn’t notice them, but now that they are not only visible but are beginning to truly encumber our devices, we must consider whether we are right to throw them off. The answer, to me at least, seems obvious: no company or person has the right to tell you that you may not do what you like with your own property.

It really is as simple as that. But let me restate it so no one thinks I was just being deliberately dramatic or provocative. As long as what you are doing is restricted to the privacy of your home or person, no company, no individual, no designer or engineer, no manager, no CEO, can tell you what you may or may not do with a device which you have purchased legally. How could it be otherwise? It’s yours.

In other words, you may use your iPhone, PS3, Wii, iPad, TiVo, PC, and any other device you can think of as anything from home server to killer robot control core. Interestingly, it is for some reason far more controversial to oppose Apple’s wishes than, say, Microsoft’s or Sony’s, even when the nature of the opposition is identical (custom software running on a device, for instance). For that reason I’ll be using Apple as my primary example.

Now, this isn’t a license to do whatever you want, to whomever you want, at all times. There are several things that limit your freedom, and it is your responsibility to be aware of them: You may have signed a legally binding contract; the effects of your use may extend beyond what you can reasonably expect to be called your own home or person; there are laws governing certain kinds of use. Essentially, know that your device does not exist in a connective vacuum, and you do not live in a social or legal vacuum.

Let us say that you bought a hammer. The hammer is clearly designed for hitting nails, and it is sold at a hardware store, next to nails. Are you really restricted to using it for hitting nails? Do you need to buy a special license to photograph it, or use it to tenderize meat? Of course not. But if you stand outside hitting a bell with it all day, your neighbors may rightfully complain. And you can’t go around beating people with it, because that’s assault. I really don’t see why a more complicated device, more versatile, sure, but still a piece of hardware bought at a store, should be subject to fundamentally more stringent restrictions. Your use of the tool or device that you bought is limited only by law and your discretion. Acme Hammer company doesn’t get a say in what you do — and for that reason, they are not liable if you do decide to start hammering people.

That said, you may have signed (perhaps without noticing it) a legally binding contract. If you did so, read it. EULAs are meant to be not read, of course, because they are legal language presented to an end user, and the degree to which they are binding is probably going to be a topic for debate for years. Better to be safe: if you can’t read it, research it online and see what the gist is, or call support and ask. If you find that you have a reasonable chance of actually breaking a law and having that illegal act pursued by the company, reflect on that.

But also reflect on the fact that nobody thinks twice about crossing a street at 3AM when there are no cars, because jaywalking laws have no authority when the conditions they are meant to govern are not present. Can we say the same thing of license agreements? We can leave aside the complex philosophical debate that goes along with Law, Justice, and so on — we’re talking about simple cases here. Are you the kind of person who will wait at a “Don’t Walk” sign on an empty street? Then you probably live in Seattle (I see you people). Also, you’re probably not the jailbreaking type and you’re likely infuriated by what I’ve written so far. At any rate, the most extreme consequence for modding is usually a broken warranty and discontinued support. Oh no!

To illustrate this, here’s the relevant portion of the iPad license agreement:

You may not and you agree not to, or to enable others to, copy (except as expressly permitted by this License), decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of the iPad Software or any services provided by the iPad Software, or any part thereof…

…This License is effective until terminated. Your rights under this License will terminate automatically or otherwise cease to be effective without notice from Apple if you fail to comply with any term(s) of this License. Upon the termination of this License, you shall cease all use of the iPad Software

Some will say that because of these you do not “own” the device you bought. But few will say what they mean, viz. that there is in fact no way for you to buy just the Apple hardware — you are actually prohibited from doing so, and are told told to please return the device for a full refund if you do not agree to the EULA for the software. Fortunately, such a flippantly restrictive license is as easy to ignore as it is to create. Make no mistake — such an act is surely “a violation of the rights of Apple.” A violation they will never know about, because there is no way they could ever know. They have as much effective jurisdiction over your home and person as they do over the dark side of the moon. Act accordingly. Many EULAs (Sony’s, for example) establish similar unlimited control, which one may (and often will, without knowing) also ignore with impunity as long as the license-granter or other users are not materially affected in any way. It is telling that the punishment for violating the license is effectively voluntary.

Although I just recommended a casual disregard for certain laws, you must remember that there are laws you ought to respect. Texting and driving comes to mind. That’s not “doing what you want with your device.” That’s putting the people and things around you in immediate danger. Likewise, it seems obvious that modders should refrain from behavior that strays beyond the bounds of their device or home. Have you broken your Xbox 360 to pieces, installed custom software, and are currently using it as a home media server? Great! Have you modded your PS3 so that it pulls extra packets in online games and causes everyone’s pings to rise? Not so great! Use discretion, and don’t be surprised if, when your practices affect more than just you and yours, you get taken to task for it.

Furthermore, don’t begrudge the companies their efforts to lock you out. It’s to their benefit, of course, to limit the use of their device to things they know work and which make them money. Apple’s a great example of this. Jobs has created a brilliant ecosystem of Apple-based services and devices which work best when working with each other. And by “work best,” I mean “work best for Apple.” If they also work best for you that way, great! You’re happy, Apple’s happy. But don’t tell me that I need to be the same way. And just because Apple works doggedly against people using their hardware for non-Apple-approved purposes doesn’t mean that it’s actually wrong or illegal to do so. Amusingly, many seem to think this is actually the case, for example the Apple store manager who called the cops when a customer showed him a jailbroken iPhone. It’d be funnier if this wasn’t such a popular delusion.

Finally, if you decide to hack or mod your device, you are essentially cutting ties with the company that makes and supports it. If that’s a problem for you, don’t do it. And if you do it, don’t complain. Your complaints will be ignored, as they should be. I hacked my PS2, and when it broke (I had resorted to using a SweeTart to keep one component at the right angle) I didn’t try to return it to Sony. I had made my bed, and I lay right down in it. You’ll have to do the same, even if you brick a brand new iPad while trying to flash its BIOS and install a second OS.

The reasoning and explanation above can basically be boiled down to a few basic laws. It seems to me that as long as you stay within these bounds, you should be free from prosecution and criticism.

Do no harm

Hacking your device should not affect anybody else’s user experience. If you break any laws, you should be the only potential victim.

Be informed

The risks you take are your own, and you should thoroughly research anything you’re thinking of doing. Don’t pretend cracking open your 360 or jailbreaking your iPhone is a trivial act.

Accept the consequences

You’re giving up your warranty and all the benefits that come with it. You may also be committing a crime.

But if you’re okay with all that…

Do what thou wilt

No one can tell you what to do with your property in the privacy of your home or on your person.

We’re on the frontier, here, which is why this debate is happening. It’s just a bit weird that people who were alarmed by Amazon sucking content off of Kindles are okay with Apple, Sony, and others dictating what you can do with a device you bought. It was only natural that they would try to extend their power to your living room once that was possible, but you can still shut the door in their face. Note that this discussion is not about content or piracy, although there are parallels. This is about the right to use a device as you will. Some of the same arguments apply, and just as information wants to be free, hardware is always at its best unfettered as well. But while there is legitimate dispute about the rights surrounding digital media, I don’t see any real objections to the hacks and modifications possible for your hardware and devices.

A popular objection is that one doesn’t have to buy the devices that happen to be wrapped up in restrictive systems or deliberately limited. Vote with your wallet, right? Sure, and even when you jailbreak or mod, you are doing just that. You bought the device most suited to your needs. With the iPad it’s the nicest tablet hardware out there and it has a big user base, which will prompt lots of interesting projects to develop — not all approved by Apple. And while the Apple-imposed limitations on the iPhone were less visible because of the highly-limited competition it leapfrogged, the iPad wears its chains on its sleeve with its lack of extra storage, single proprietary interface, and so on. The numbers of the curious and the dissatisfied will swell as the chains begin to weigh on them.

There are greater principles at stake here as well, but I think the simple utility of hacking our devices and the total lack of consequences for anyone involved are the only arguments necessary at this stage. I’ll leave the questions of property, privacy, and other rights to discussion by abler minds.

Lastly, I would like to humbly thank Apple, Sony, Microsoft, and all the others, for creating wonderful devices which I plan to enjoy to the fullest extent. But I humbly ask them, and everyone else, not to tell me what I can and can’t do with it once my purchase is complete. You should do the same.

Pretty much spot-on, this. There’s an op-ed in The Wall Street Journal that argues that Americans should badger Congress and the president, asking them to hold off on doling out stimulus dollars to electronic medical record systems that don’t have appropriate privacy safeguards in place. As it stands, electronic medial records aren’t exactly sealed—insurance companies can peek at them, as can pharmaceutical companies. So, let’s instead focus on creating an electronic medical record system that’s as foolproof as possible. Slight issue: when is your data, medical or otherwise, ever truly secure?

Before I get into this, let the record show that I’m pretty much in full agreement with the op-ed, which was written by a psychiatrist. Thirty-five years on the job gives her a pretty strong leg to stand on.

The main argument is that today’s electronic medial records, as set by the Health Information Portability and Accountability Act, are as porous as something porous. High-minded, yes. Not every Joe can see what medicine you’re taking, but in some cases your employer can, or your insurance company can.

“What? Johnson’s on Prozac? Keep an eye on him, Mack.”

“Will do, boss.”

Granted, that’s a Doomsday scenario, but it’s certainly something that can happen given the nature of electronic medical records.

So that’s that part of the equation, that electronic medial records as we have them today aren’t fully respectful of the privacy that every patient expects.

Here’s the thing, and again I say that I agree with the op-ed: your data is never safe, anywhere. Electronic medical records falling in the hands of, well, anyone other than you and your doctor, is simply par for the course.

How many times do we hear of big box merchants losing credit card records? How many times do we hear stories of dumb kids putting comprising photos of themselves on Facebook, then their schools or employers find out? For that matter, how many Facebook accounts have been hacked in recent months? (Ever get a Facebook message from a “friend” saying that he’s stranded in London and needs $2,000 as soon as possible?) How many e-mail and bank accounts are phished every day, creating a complete nightmare for the victim?

It’s sorta the nature of electronic data as a thing, that makes it easier for it to fall into the wrong hands.

It’s pretty much impossible for The Man to get a hold of your medical records when they’re physically in a safe at your doctor’s office. Unless the insurance company, or your icky boss, Metal Gear Solids his way into the office, you can pretty much assume that no one untoward is going to see said records. That’s not the case when these records are a mere few keystrokes away from anyone on the planet.

Of course, the benefits of electronic medical records are manifest: your primary care physician can zip them on over to the specialist you’re going to see later today in no time at all. Storage costs go way down: how much does it cost to store reams of paper versus a couple of files on a hard drive?

I should probbly mention that I haven’t been to a doctor in years, so they might be using robots and dark matter to look at patients these days for all I know.

So yeah, it’s tricky. Electronic medical records, by their very nature, as far more easily accessible than paper-based ones. We need to ensure that the proper safeguards are in place before embracing them full steam ahead, while keeping in mind all of the advantages of an electronic system.