Researchers last week warned they uncovered Heartbleed, a bug that targets the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.
Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.
Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.
Still, he said, “The level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack.
“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.
Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.
Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.
Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which products are vulnerable and fix them.
“It will take the hackers a couple of weeks or even a month to move from ‘proof of concept’ to being able to exploit devices,” said Shaulov.
Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.
Microsoft terminated Windows XP support on Tuesday when it shipped the final public patches for the nearly-13-year-old operating system. Without patches for vulnerabilities discovered in the future, XP systems will be at risk from cyber criminals who hijack the machines and plant malware on them.
During an IRS budget hearing Monday before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.), wondered why the agency had not wrapped up its Windows XP-to-Windows 7 move.
“Now we find out that you’ve been struggling to come up with $30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014,” Crenshaw said at the hearing. “I know you probably wish you’d already done that.”
According to the IRS, it has approximately 110,000 Windows-powered desktops and notebooks. Of those, 52,000, or about 47%, have been upgraded to Windows 7. The remainder continue to run the aged, now retired, XP.
John Koskinen, the commissioner of the IRS, defended the unfinished migration, saying that his agency had $300 million worth of IT improvements on hold because of budget issues. One of those was the XP-to-7 migration.
“You’re exactly right,” Koskinen said of Crenshaw’s point that everyone had fair warning of XP’s retirement. “It’s been some time where people knew Windows XP was going to disappear.”
But he stressed that the migration had to continue. “Windows XP will no longer be serviced, so we are very concerned if we don’t complete that work we’re going to have an unstable environment in terms of security,” Koskinen said.
According to Crenshaw, the IRS had previously said it would take $30 million out of its enforcement budget to finish the migration.
Part of that $30 million will be payment to Microsoft for what the Redmond, Wash. developer calls “Custom Support,” the label for a program that provides patches for critical vulnerabilities in a retired operating system.
Analysts noted earlier this year that Microsoft had dramatically raised prices for Custom Support, which previously had been capped at $200,000 per customer for the first year. Instead, Microsoft negotiates each contract separately, asking for an average of $200 per PC for the first year of Custom Support.
Using that average — and the number of PCs the IRS admitted were still running XP — the IRS would pay Microsoft $11.6 million for one year of Custom Support.
The remaining $18.4 million would presumably be used to purchase new PCs to replace the oldest ones running XP. If all 58,000 remaining PCs were swapped for newer devices, the IRS would be spending an average of $317 per system.
Facebook released its second government requests report covering the second half of 2013, and it expands its scope from the first one in two ways. First, it includes requests to restrict or remove users’ content from the site, whereas the first report was limited to requests for account information. And second, the report now includes data on Instagram, the photo sharing site owned by Facebook.
Facebook is not breaking out the number of Instagram requests; they’re included in the overall tallies. But Instagram’s inclusion speaks to the popularity of the service, which Facebook acquired in 2012 but didn’t include in its government requests report for the first half of 2013.
The report includes data on government requests to receive data about Instagram accounts and to restrict access to its content.
Facebook receives requests to restrict or remove content based on countries’ laws over what can be shared online. When the request is legally sound, Facebook restricts access to content in the specific country whose government objected to it. If Facebook also determines that the flagged content violates its own standards, it removes the content globally. Separately, Facebook also receives requests for account information and data, many of which relate to criminal cases such as robberies or kidnappings.
Facebook does not hand over data every time it receives a government request — sometimes the requests are overly broad or vague, or do not comply with legal standards, the company says.
In the U.S., Facebook received about 12,600 law enforcement requests in the second half of 2013, up from the range of 11,000-12,000 it tallied in its first report. For the second half of 2013, Facebook said it produced data for about 81 percent of the requests.
Regarding U.S. government requests about national security matters, Facebook reported it may have received none or as many as 999, saying it couldn’t be more specific due to U.S. legal restrictions.
Governments in other countries across the world are also interested in Facebook users’ data. India ranked second behind the U.S. with about 3,600 requests targeting more than 4,700 accounts. Facebook produced data for roughly half of those requests.
More than 1,900 requests came from the U.K., while the governments of France, Germany and Italy each served Facebook with more than 1,600 data requests.
Besides Facebook, other companies like Yahoo, Google and Microsoft periodically release their own government request reports, as part of an effort to be more transparent to users. The tallies have taken on increased significance following leaks about U.S. government surveillance made by former contractor Edward Snowden.
“Grey Goo is remarkable not for what it has added to the RTS formula, but what it has stripped away,” PC Gamer wrote in its reveal of Grey Goo, a new real-time strategy game from the veterans at Petroglyph. Perhaps the same could be said of Grey Goo’s recently formed publisher Grey Box, which is seeking to strip away the more negative aspects of game publishing. Suits and creatives typically will bump heads because the two sides are looking at the creation of games from wildly different perspectives. But what if they actually had the same goals?
Ted Morris, executive producer at Petroglyph, felt an immediate kinship with the team at Grey Box. “As a small [studio] – small being 50, 60 people – we are always talking to publishers to see what deals we can put together. But with Grey Box, I think that we meshed better on a personal level with them as a company and as a group of people than we have ever meshed with another group,” he enthused to GamesIndustry International during GDC. “And we’ve worked with Sega and LucasArts – all the big guys – and certainly talked to everybody else, too – the EAs and everybody – and these guys – man, we just gelled with these guys so well.”
Morris said that Grey Box’s approach to publishing was noticeably different from the start. While other, larger publishers may immediately come up with marketing plans and sales targets, Grey Box found itself on the same page with Petroglyph: fun comes first.
“Every meeting that we have is always a sit down and then people open up financial books and they start talking about what the sales figures are going to be like, and when we sit down with [Grey Box], it’s like ‘how can we make a great game?’ We don’t even talk about money, we talk about ‘how good can we make this game?’ and ‘how successful will it be?’ You know, let the game drive the sales, don’t let the marketing drive the sales, don’t let the sales department drive the sales. It’s really about, if you make a great game, they will come,” Morris continued. “They spoke to that so often, so frequently that we thought, ‘man, these guys just want to help us focus on what’s really important.’”
One of the defining traits for publisher Grey Box is that they’re all gamers at heart, noted Josh Maida, executive producer for the publisher.
“I’m not going to pre-judge any of those other publishers – I mean, for all I know they love games as much as we do. And we do. We all love games. We all come from different areas. I lost a whole grade point in college to Street Fighter, and… we want to be fiscally mindful. You need to make money, but with the money we make, we want to make more games,” he remarked.
“So I think at the core of that is we’re not trying to take away from the industry. We want it to feed itself and go bigger. Quality over quantity is something that we’re mindful of. We also just want to make a good working relationship for our partners… everybody’s in here for fulfillment. The talent we work with, they could all be working in private industries for twice the amount they do, but they’re here because they love to make games, and so we want to be mindful of that. And when people die, they want to know they did great things and so we want to create those opportunities for people.”
Tony Medrano, creative director for Grey Box, criticized other publishers for being too quick to just follow another company’s successful formula.
“We’re not chasing a trend, we’re chasing something we believe in, we’re chasing something we like, and we’re not trying to shoehorn a formula or monetization model onto things that just don’t work because they’re popular,” he added. “I think from the get-go, it’s been all about how can we make the best game, and then everything else follows from that. I think a difference structurally [with other publishers] would be that we have a very lean and mean team. We’re not trying to build a skyscraper and have redundant folks. Everybody that’s here really cares, has some bags under their eyes from late nights… I think it is just that we look at all our partners as actual partners. We let them influence and make the product better, whether it’s the IP or the game.”
Speaking of monetization models, Maida commented that there’s no “secret agenda to Zyngafy RTS or anything.” Grey Goo is strictly being made for the PC, but the RTS genre easily lends itself to free-to-play. Upon the mere mention of free-to-play, however, you could almost feel the collective blood pressure in the room rising. It’s clearly not the type of experience that Petroglyph and Grey Box are aiming for.
For Petroglyph’s Morris, in particular, free-to-play hit a nerve. “I’m going to jump in here, sorry. I’m really annoyed!” he began. “There’s been such a gold rush for free-to-play right now that is driving publishers – I mean, there needs to be a good balance. There’s a great place for free-to-play – I play lots of free-to-play games – but it is driving developers like us to focus on money instead of making great game content. I’m not going to name any examples, but I’ve been disappointed with some of the free-to-play offerings because it’s not so much about making a great experience for the player anymore. It’s about ‘how can we squeeze them just a little bit more?’ or annoy them to the point where they just feel like they have to pay.”
Medrano added, “I get frustrated when I play free-to-play games, and if I purchase something, I feel dirty. I feel like ‘oh, I got cheated, I fell for the trap.’ Or even more modern games where they baby you through the whole thing. There’s no more of that, like, ‘this is tough, so that means if I get good at this, there’s reward – there’s something there.’”
Ultimately, while Petroglyph and Grey Box came together thanks to a shared love of the RTS genre, they feel there’s a real opportunity to bring back hardcore, intelligent games.
Andrew Zoboki, lead game designer at Petroglyph, chimed in, “It’s almost as if the industry has forgotten about the intelligent gamer. They feel like that everyone’s going to be shoehorned in there, and I would say even from a design perspective that a lot of design formulas for a lot of things, whether they be free-to-play or what the mainstream is going to, next-gen and such, that all those titles are kind of a little more cookie-cutter than they probably should be. They’ve tried to shoehorn gamers into a formula and say, ‘this is what a gamer is,’ rather than understanding that gamers are a very wide and diverse bunch of individuals, everyone from the sports jock to the highly intellectual, and they all have [different] tastes… there’s different games that will appeal to different demographics… if you make the games that players want to play, they will come.”
And that really is at the heart of it. Morris lamented how business creeps into the games creation equation far too often. “They’re trying to balance the game with Excel spreadsheets instead of sitting down and actually playing it and having focus tests and bringing people in and actually trying to iterate on the fun,” he remarked about other publishers.
For Grey Box at the moment, the focus is on making Grey Goo the best it can be, but the company does have plans for more IP. It’s all under wraps currently, however.
“We do have a roadmap, but it’s not based off of the calendar year. We do have another game in the works right now and we might announce that at E3. And we have a road map for this IP, as well,” Maida said. “Obviously we want to get it in the hands of players and fans to see what they respond to, but we’ve got capital investment in the IP with hopes to not only extend this lineage of RTS’s but possibly grow out that franchise and other genres as well.”
Grey Box plans to release Grey Goo later this year.
BlackBerry Ltd would think about abandoning its handset business if it remains unprofitable, its chief executive officer said on Wednesday, as the technology company looks to expand its corporate reach with investments, acquisitions and partnerships.
“If I cannot make money on handsets, I will not be in the handset business,” John Chen said in an interview, adding that the time frame for such a decision was short. He would not be more specific, but said it should be possible to make money off shipments of as few as 10 million a year.
At its peak, BlackBerry shipped 52.3 million devices in fiscal 2011, while it recorded revenue on less than 2 million last quarter.
Chen, who took the helm of the struggling company in November, said BlackBerry was also looking to invest in or team up with other companies in regulated industries such as healthcare, and financial and legal services, all of which require highly secure communications.
The chief executive said small acquisitions to strengthen BlackBerry’s network security offerings were also possible.
“We are building an engineering team on the service side that is focused on security. We are building an engineering team on the device side that is focused on security. We will do some partnerships and we will probably, potentially do an M&A on security.”
He said security had become more important to businesses and government since the revelations about U.S. surveillance made by former National Security Agency contractor Edward Snowden.
In a wide-ranging interview in New York, Chen acknowledged past management mistakes and said he had a long-term strategy to complement the short-term goals of staying afloat and stemming customer defections.
“You have to live short term. Maybe the prior management had the luxury to bet the world would come to it. I don’t have the luxury at all. I’m losing money and burning cash.”
In March, the embattled smartphone maker reported a quarterly net loss of $423 million and a 64 percent drop in its revenues, underscoring the magnitude of the challenge Chen faces in turning around the company.
Chen said BlackBerry remained on track to be cash-flow positive by the end of the current fiscal year, which runs to the end of February 2015, and to return to profit some time in the fiscal year after that.
Chen said his long-term plans for BlackBerry included competing in the burgeoning business of connecting all manner of devices, from kitchen appliances to automotive consoles to smartphones.
Chen said he was not sure how long it would take for the “machine-to-machine” or “M2M” world to become a mainstream business, but he said he was sure that was coming.
“We are not only interested in managing BlackBerry devices. We are interested in managing all devices that you would like to speak to each other,” he said. “To achieve our dream of being a major player in M2M requires more partnerships with others,” including telecom companies eager to participate.
A surge in cybercrime is forcing security vendors to release security updates every 40 minutes, according to security firm Symantec.
Senior manager for Symantec Security Response, Orla Cox, reported the development during a briefing attended by The INQUIRER.
“We’re seeing more sophisticated attacks than ever before and people want security,” she said. “Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They are rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified.”
Cox said Symantec began rolling out the rapid updates to help mitigate the growing number of malware variants and active cyber campaigns targeting its customers.
“It’s been about shaving off minutes for the last couple of years. If you came to us a few years ago it was one [update] and before that it would have taken hours. The rapid updates are for people that need a rapid response, like those suffering an infection.”
She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013. But despite helping customers, Cox said the company’s rapid update cycle has increased the risk of pushing out an update with a false positive signature.
“The biggest quality issue we face is the danger of false positive definitions. There’s a risk of detecting something clean as malicious, that’s the big no no in our industry, so it’s as much about building definitions libraries about legit files as malicious,” she said.
False positives are updates from security providers that list legitimate files as malware and block them from running. In the past the faulty updates have caused damage to many companies. In 2013, Malwarebytes crippled thousands of its customers’ machines when it issued a false positive update.
Cox said the influx of new threats has also forced Symantec to expand its analysis procedures in recent years. “We’ve had to evolve how we work, it’s not just about providing protection and moving on any more. Threats and the landscape have changed and to address this we’ve begun doing intelligence work,” she said.
“We do bespoke research on occasion, with both customers and law enforcement. These situations are ones where we have the skills they don’t – that’s the benefit of us being here every day, reverse-engineering malware.
“Doing this over the years we’ve had to develop a number of systems and now we’re trying to understand the individual attacks in the context of who did them and why.”
Symantec is one of many technology firms to begin adopting an intelligence-based approach to cyber defence. Facebook unveiled a new automated ThreatData security service designed to detect and catalogue new malware families earlier in March.
Dubbed Heartbleed, the bug was discovered in a software library used in servers, operating systems and email and instant messaging systems, and allows anyone to read the memory of systems using vulnerable versions of OpenSSL software.
OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols by which email, instant messaging, and some VPNs are kept secure.
The vulnerability is called Heartbleed because it’s in the OpenSSL implementation of the TLS/DTLS heartbeat extension described in RFC6520, and when it is exploited it can lead to leaks of memory contents from the server to the client and from the client to the server.
The researchers from defense security firm Codenomicon said that attackers could take advantage of the bug to eavesdrop on communications, steal data directly from server or client systems, and impersonate users and servers.
“This compromises the secret keys used to identify service providers and to encrypt the traffic, the names and passwords of the users and the actual content,” the researchers wrote on a website dedicated to the bug.
“Without using any privileged information or credentials, we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
Because such attacks are not traceable, it’s not clear how widespread the bug is or was, but it is thought that at least two-thirds of websites could be affected, as the most notable software using OpenSSL are the open source webservers Apache and nginx.
The researchers pointed out that the combined market share of those two webservers was over 66 percent of the active websites on the internet, according to Netcraft’s Web Server Survey released this month.
“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet,” the researchers added.
“Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.”
Although an updated version of OpenSSL has been released to patch this security vulnerability, it might take time before some operating system developers and software distributions deploy it.
“Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys,” the researchers said. “Even doing all this will still leave any traffic intercepted by the attacker in the past vulnerable to decryption.”
A U.S. court has ruled that the Federal Trade Commission can proceed with a lawsuit against hotel group Wyndham Worldwide Corp for allegedly failing to properly secure consumers’ personal information.
Wyndham had argued that the commission did not have jurisdiction to sue over what it saw as lax security leading to data breaches. It had asked for the lawsuit to be dismissed.
Judge Esther Salas, of the U.S. District Court for the District of New Jersey, disagreed and ruled that the FTC should be allowed to proceed with its case.
Wyndham said in a statement that it planned to continue its fight.
“We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” the company said. “We intend to defend our position vigorously.”
The FTC has accused Wyndham of failing to provide adequate security for its computer system, leading to three data breaches between April 2008 and January 2010. It says the breaches led to fraud worth $10.6 million.
FTC Chairwoman Edith Ramirez said she was “pleased that the court has recognized the FTC’s authority to hold companies accountable for safeguarding consumer data.
“We look forward to trying this case on the merits,” she said.
Wyndham operates several hotel brands, including the value-oriented Days Inn and Super 8. It is one of many organizations to acknowledge in recent years that it had been hacked by people seeking either financial gain or intellectual property.
Bloomberg reported that IBM supplies server equipment to the Pentagon and that national security concerns have been raised.
The inter-agency Committee on Foreign Investment in the US (CFIUS) is set to investigate whether Chinese technology company Lenovo is a safe buyer for a company that builds products to process so much potentially sensitive data.
Application for the $2.3bn purchase, which was announced on 23 January, has been made to the CFIUS; however, investigations might take up to 75 days.
Concerns might be alleviated by the decision to keep the IBM server business as a separate subsidiary for five years, with a possible extension. In the past, this was not the case as IBM’s personal computer division was rebranded by Lenovo soon after its acquisition in 2005.
US officials will also have to consider the future safety of US utilities, weapons systems and other critical infrastructure to ensure that there is no potential risk of malware or hijacking.
This is not the first time that CFIUS has intervened in Chinese acquisitions in the computing sector, with Huawei and ZTE both having been subjected to mutterings about “deep concerns” when they began accelerated trading in the US in 2012.
The IBM deal is just one part of Lenovo’s recent spending spree after it bought Motorola from Google at a cost of $3bn to gain a stronger foothold in western markets.
Microsoft has hardened its stance regarding classifying programs as adware and gave developers three months to conform with the new principles or risk having their programs blocked by the company’s security products.
The most important change in Microsoft’s policy is that adware programs will be blocked by default starting July 1. In the past such programs were allowed to run until users chose one of the recommended actions offered by the company’s security software.
Interestingly, Microsoft’s crackdown on adware comes as it introduces tools to make it easier for developers to incorporate advertising into Windows 8.1 and Windows Phone apps.
The company has re-evaluated its criteria for classifying applications as adware based on the principle that users should be able to choose and control what happens on their computers, according to Michael Johnson, a member of the Microsoft Malware Protection Center.
First of all, only programs that display ads promoting goods and services inside other programs — for example, browsers — will be evaluated as possible unwanted adware applications, Johnson said in a blog post. “If the program shows advertisements within its own borders it will not be assessed any further.”
In order to avoid being flagged as adware and blocked, programs whose revenue model includes advertising must only display ads or groups of ads that have an obvious close button. The ads must also clearly indicate the name of the program that generated them.
Recommended methods for closing the ad include an “X” or the word “close” in a corner; the program name can be specified through phrases like “Ads by …”, “… ads”, “Powered by …”, “This ad served by …”, or “This ad is from …”.
“Using abbreviations or company logos alone are not considered clear enough,” Johnson said. “Also, only using ‘Ads not by this site’ does not meet our criteria, because the user does not know which program created the ad.”
In addition to following these ad display guidelines, programs need to provide a standard uninstall method in the Windows control panel or the browser add-on management interface, if the program operates as a browser extension or toolbar. The corresponding uninstall entries must contain the same program names as displayed in the generated ads.
“We are very excited by all of these changes,” Johnson said. “We believe that it will make it easy for software developers to utilize advertising while at the same time empowering users to control their experience.”
Adware programs typically affect the Web browsing experience and have been a nuisance for years, primarily because their developers make it intentionally hard to completely remove all of their components or undo the changes made by these applications.
Western Digital became the first company to debut a 6TB drive; that drive was also its first helium-filled model — something the company sees as crucial for the future of high-capacity drives.
Western Digital released its hermetically sealed Ultrastar He6 drive in November, touting not only its capacity, but its power savings and reliability.
Seagate said it doesn’t yet need to use the lighter gas, which reduces friction and heat.
“We didn’t have to use helium to get to this capacity, and it’s 25% faster than their helium drive,” said Barbara Craig, a marketing manager with Seagate. “You can rest assured, when we need it [helium] we’ll use it.”
The enterprise drive also has what Craig described as a “humidity sensor” that will allow it to continue functioning in humid environments.
Seagate’s Enterprise Capacity 3.5 HDD v4 is aimed at cloud-based data centers, where near-line storage is king.
The new drive also comes in 2TB, 4TB and 5TB capacities and with either 12Gbps SAS or 6Gbps SATA connectivity.
As with its past enterprise drives, Seagate’s new drive is self-encrypting with the company’s Instant Secure Erase, which overwrites data multiple times for easy drive disposal or repurposing. The drive is also FIPS SED certified.
Seagate’s “Super Parity” error correction firmware with RAID rebuild functionality is located on the drive’s SAS controller, which improves data rebuild times after a drive error. Craig said a drive’s data can be rebuilt “in hours instead of days.”
Craig said the new enterprise drive can sustain 550TB in data writes annually — 10 times the 55TB workloads that Seagate’s best desktop drives can handle.
“This is the fastest-growing segment in the enterprise space,” Craig said. “People today are still trying to use desktop drives for near-line storage applications.”
While Seagate did not release pricing, as it sells most of its enterprise-class drives to storage array makers, Craig did say the drive will be the same price per gigabyte as the previous 4TB capacity model.
Polish researchers have released technical details and attack code for 30 security issues affecting Oracle’s Java Cloud Service. Some of the flaws make it possible for attackers to read or modify users’ sensitive data or to execute malicious code.
Security Explorations said it would normally withhold public airings until after any vulnerability has been fixed. But apparently Oracle representatives failed to resolve some of the more crucial issues, including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text user passwords stored in some systems.
Oracle apparently has admitted to the researchers that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centres in the future.
Adam Gowdiak, CEO of Security Explorations, said Oracle unveiled the Java Cloud Service in 2011 and held it up as a way to better compete against Salesforce.com.
The paper’s goal is to keep evolving with changing technology, and accepting bitcoin payments is one way it is trying to stay digitally focused, Editor-in-Chief Jim Kirk said in a release.
The Sun-Times has a “digital-first” strategy that led it to experiment with a bitcoin paywall for a one-day period in February.
It had partnered with San Francisco-based micropayments startup Bitwall so readers could donate bitcoin or tweets on Twitter to benefit an organization called the Taproot Foundation, which pairs professionals with nonprofit groups for pro bono work.
“We were encouraged by our paywall experiment in February,” Kirk said in an interview over Twitter. “We believe there is an opportunity here to expand our readership with Bitcoin.”
The Chicago Sun-Times claims 6 million unique monthly online readers. It was the eighth-largest U.S. newspaper by total average circulation in March 2013, according to the Alliance for Audited Media, an advertising and content provider industry group.
For its print and digital subscriptions, the newspaper is working with Coinbase, a bitcoin wallet service also based in San Francisco. In a blog post, Coinbase said that content providers such as the Sun-Times are one of the early leaders in getting merchants to adopt the cryptocurrency.
In January, Bitcoin-related news sites reported that Dutch newspaper NRC Handelsblad was planning to accept bitcoin as a payment method for individual articles. A Reddit poster, claiming to be a webmaster for the paper, said the new payment method was being implemented step by step.
Although Bitcoin has been overshadowed by allegations of fraud and hacker attacks such as in the collapse of Japan-based bitcoin exchange Mt. Gox, content providers and bloggers are turning to the digital currency in part because it’s a cheaper means of moving payments around, with transaction fees which can be lower than 1 percent.
The personal data gathering abilities of Google, Facebook and other technology giants have sparked growing unease among Americans, with a majority worried that Internet companies are encroaching too much upon their lives, a new poll showed.
Google and Facebook generally topped lists of Americans’ concerns about the ability to track physical locations and monitor spending habits and personal communications, according to a poll conducted by Reuters/Ipsos from March 11 to March 26.
The survey highlights a growing ambivalence towards Internet companies whose popular online services, such as social networking, e-commerce and search, have blossomed into some of the world’s largest businesses.
Now, as the boundaries between Web products and real world services begin to blur, many of the top Internet companies are racing to put their stamp on everything from home appliances to drones and automobiles.
With billions of dollars in cash, high stock prices, and an appetite for more user data, Google, Facebook, Amazon and others are acquiring a diverse set of companies and launching ambitious technology projects.
But their grand ambitions are inciting concern, according to the poll of nearly 5,000 Americans. Of 4,781 respondents, 51 percent replied “yes” when asked if those three companies, plus Apple, Microsoft and Twitter, were pushing too far and expanding into too many areas of people’s lives.
This poll measures accuracy using a credibility interval and is accurate to plus or minus 1.6 percentage points.
“It’s very accurate to say that many people have love-hate relationships with some of their technology providers,” said Nuala O’Connor, the President of the Center for Democracy and Technology, an Internet public policy group which has received funding from companies including Google, Amazon and Microsoft.
“As technology moves forward, as new technologies are in use and in people’s lives, they should question ‘Is this a fair deal between me and the device?’”
Fears about the expanding abilities of tech companies crystallized when Google acknowledged in 2010 that its fleet of StreetView cars, which criss-cross the globe taking panoramic photos for Google’s online mapping service, had inadvertently collected emails and other personal information transmitted over unencrypted home wireless networks.
Yet many Americans remain ignorant of the extent to which Internet companies are trying to extend their reach.
Google is one of the most aggressively ambitious, investing in the connected home through its $3.2 billion acquisition of smart thermostat maker Nest. Google is also investing in self-driving cars, augmented-reality glasses, robots and drones.
Almost a third of Americans say they know nothing about plans by Google and its rivals to get into real-world products such as phones, cars and appliances. Still, roughly two thirds of respondents are already worried about what Internet companies will do with the personal information they collect, or how securely they store the data.
Traffic moving between Yahoo data centers is fully encrypted as of March 31, the company announced on its Tumblr blog. Last October, documents provided by former U.S. National Security Agency contractor Edward Snowden said the NSA had penetrated the main communications links that connect Yahoo and Google’s data centers.
Though it comes after those revelations, the encryption of the data links is in keeping with a previous promise by CEO Marissa Mayer to encrypt all information between its data centers by the end of March.
Yahoo said that it had also turned on encryption for a range of other services. For one, encryption of mail between its servers and other mail providers that support the SMTPTLS standard was enabled in the last month, the company said. Yahoo only just turned on encryption by default between users and its email service in January.
Yahoo said its homepage and all search queries that run on it and most other Yahoo properties now also have HTTPS encryption enabled by default.
But if users want an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance or Good Morning America on Yahoo, they must manually type “https” into the site’s URL on their browsers, Yahoo said.
Yahoo has faced pressure to encrypt more of its services for years. In 2012, the Electronic Frontier Foundation and other privacy activists called on CEO Marissa Mayer to enable HTTPS encryption for the company’s communications services. Yahoo began offering HTTPS encryption for mail in 2012, but on an opt-in basis.
Since then other companies like Google and Facebook have introduced more forms of encryption.
Last month, another leak of documents said that GCHQ, Britain’s surveillance agency, had captured webcam images from more than 1.8 million users of Yahoo’s Messenger product.
Yahoo said Wednesday that a new, encrypted version of Messenger would be rolled out in the coming months.
It said it was also working to bring more enhanced forms of encryption like Perfect Forward Secrecy, which is already supported for global properties like the homepage, to all of its sites.
Alex Stamos, chief information security officer at Yahoo, said the company had been working over the last several months to provide a more secure experience for its users. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem,” he said.