posted 3 days ago on ars technica
Sony Pictures Entertainment's (SPE) computer hygiene in the years leading up to last month's hack was breathtakingly sloppy, with the movie studio's CEO regularly being reminded of e-mail, banking, and travel passwords in plaintext e-mails, according to an Associated Press report published Thursday. Headlined "Sony emails show a studio ripe for hacking," the article is based on a review of more than 32,000 stolen corporate e-mails released on the Internet by people connected to last month's hack of SPE. The e-mails show CEO Michael Lynton repeatedly receiving plaintext passwords in unencrypted e-mails for his and his family's e-mail, banking, travel, and shopping accounts. The unencrypted e-mails were frequently sent by executive assistant David Diamond. Other e-mails included images of passports, driver licenses, and banking statements. While the catastrophic hack that hit SPE is generating intense scrutiny of the company's security practices, it's widely believed that many if not most corporations and smaller businesses are no better at securing their data. Executives assume that e-mails they send can't be read by anyone other than the intended recipient. Employees have little awareness of how easy it is for the computers and smartphones they use to be compromised and for those hacks to then spread to corporate networks. The AP quoted security expert Kevin Mitnick as saying, "It's pretty ordinary for CEOs and executive assistants to share confidential information by e-mail. They feel their e-mail is secure and they have nothing to worry about."

posted 3 days ago on ars technica
A legal advocacy group has sued the San Diego Police Department (SDPD) and the City of San Diego in an attempt to force the release of public records relating to stingrays, also known as cell-site simulators. Stingrays are often used covertly by local and federal law enforcement to locate target cellphones and their respective owners. However, stingrays also sweep up cell data of innocent people nearby who have no idea that such collection is taking place. Stingrays can be used to intercept voice calls and text messages as well. Earlier this week, a local judge in Arizona ruled that a local reporter could not receive similar stingray documents from the Tucson Police Department because disclosure "would give criminals a road map for how to defeat the device, which is used not only by Tucson but other local and national police agencies."

posted 4 days ago on ars technica
According to multiple reports, unnamed government officials have said that the cyber-attack on Sony Pictures was linked to the North Korean government. The Wall Street Journal reports that investigators suspect the attack was carried out by Unit 121 of North Korea’s General Bureau of Reconnaissance, the country’s most elite hacking unit. But if the elite cyber-warriors of the Democratic People’s Republic of Korea were behind the malware that erased data from hard drives at Sony Pictures Entertainment, they must have been in a real hurry to ship it. Analysis by researchers at Cisco of a malware sample whose MD5 hash matches that of the “Destover” malware used in the attack on Sony Pictures revealed code that was full of bugs and anything but sophisticated. It was the software equivalent of a crude pipe bomb.

posted 4 days ago on ars technica
There seems to be nothing the broadband industry fears more than Title II of the Communications Act. Title II gives the Federal Communications Commission power to regulate telecommunications providers as utilities or "common carriers." Like landline phone providers, common carriers must offer service to the public on reasonable terms. To regulate Internet service providers (ISPs) as utilities, the FCC must reclassify broadband as a telecommunications service. It's a move that consumer advocacy groups and even President Obama have pushed the FCC to take. Under Obama's proposal, the reclassification would only be used to impose net neutrality rules that prevent ISPs from blocking or throttling applications and websites or from charging applications and websites for prioritized access to consumers. The FCC would be expected to avoid imposing more stringent utility rules in a legal process known as "forbearance."

posted 4 days ago on ars technica
On Wednesday Councilman Dan Garodnick introduced a bill to the New York City council seeking to ban all use of drones except those operated by police officers who obtain warrants. A second, parallel bill introduced by councilman Paul Vallone would place more stringent restrictions on drone use but stop short of banning drones for hobbyists and companies altogether. Both bills have been passed to the city's committee on public safety. An all-out ban on drones within the metropolis would be a quite wide-reaching step, especially as the Federal Aviation Administration (FAA) seems poised to adopt more permissive rules, with respect to commercial interests in particular. Earlier this year, the FAA formally granted six Hollywood companies exemptions to drone ban rules. A couple of months later, the FAA granted similar exemptions for construction site monitoring and oil rig flare stack inspections. Despite the FAA's tentative steps towards drone regulation, pilots of planes and helicopters have reported increased sightings of drones in their airspace, and several near-collisions. Twelve incidents of dangerous encounters between drones and planes in the New York and Newark areas have been reported in recent months. In addition, in 2011, a man was fined $10,000 by the FAA for flying a remote-controlled plane recklessly through New York City. However, the National Transportation Safety Board later overturned that fine.

posted 4 days ago on ars technica
Speaking off the record, senior intelligence officials have told the New York Times, CNN, and other news agencies that North Korea was "centrally involved" in the hack of Sony Pictures Entertainment (SPE). This news comes as SPE cancelled the planned December 25th release of The Interview, a comedy about a plot to assassinate North Korean dictator Kim Jong-un. The film was withdrawn in response to threats to carry out attacks on those cinemas showing the film. This threat, transforming the hacks from an embarrassment to Sony to a potential risk to life and limb, sets the SPE hack apart from past attacks on corporate computer systems, according to officials speaking to NYT.

posted 4 days ago on ars technica
Music has the Hard Rock Cafe. Film has Planet Hollywood. It's high time the game industry had its own cheesy, tourist-trappy theme restaurant to part visiting rubes from their money. Apparently, Namco agrees with that sentiment, given the company's plans to open Level 257, "a brand new restaurant and entertainment destination inspired by Pac-Man" in a former Sears warehouse at the Woodfield Mall in the Chicago suburb of Schaumburg, Illinois next month. According to the official Level 257 tumblr page, the 40,000 square foot, 180-seat restaurant will also integrate a larger entertainment complex, featuring "16 boutique retro-styled bowling lanes with smart technology, table tennis, pinball machines and our Lost & Found games parlor with original arcades alongside exciting new titles, plus custom-built game tables and free-to-play board games provide a unique entertainment experience." Fans of Pac-Man will also be able to shop at a "first-of-its-kind" Pac-Man retail shop and browse a "gallery space" devoted to the little yellow dot. "Level 257 seeks to explore Pac-Man’s impact upon our society and pop culture, reminding us all of the importance of play in our lives, while facilitating our desire to relive those times when beating the next level was the most important thing in our world," the site says. "All while indulging that which we love now—great food and drink with our friends and family."

posted 4 days ago on ars technica
Microsoft will cease showing EU-based Windows users a selection screen offering a choice of different browsers to install, known as the browser ballot. In December 2009, and after lengthy negotiations, the European Commission and Microsoft finally agreed on the form and nature of the Windows browser ballot. The ballot was offered to all Windows users in the EU, giving them a choice of a dozen or so different browsers to install on their PCs, in response to complaints that Microsoft's bundling of Internet Explorer with Windows harmed competition in the browser market. The software company and industry regulator agreed that the ballot would be offered for five years. According to a Knowledge Base article that Microsoft published today, that five-year obligation has now ended and new Windows users will no longer be shown the screen.

posted 4 days ago on ars technica
While the Sony hack hogs media headlines and stolen credit card details are sold nearly everywhere, counterfeit documents and how-to-hack tutorials are some of the fastest growing sellers on online underground marketplaces, according to an annual study of prices published by Dell SecureWorks on Monday. A scan of a Social Security card along with a name and address costs about $250, for example, with supporting documents—such as a credit card statement or utility bill—costing another $100. A fake driver’s license lists for between $100 and $150. In total, a would-be identity thief could get all the information they needed to access health services, obtain government assistance, or apply for financial credit for under $500. Overall, illicit sites are now selling more types of identity documents than last year, when the researchers—Joe Stewart and David Shear of Dell SecureWorks—conducted their first study. The increase is, in part, because proof of identity is required by more organizations and financial institutions, Shear said.

posted 4 days ago on ars technica
Today, the health commissioner of the state of New York, Howard Zucker, announced that he has completed a study into the health impacts of hydraulic fracturing for the recovery of natural gas. Although there are few demonstrated health risks, Zucker noted that there are a great many uncertainties about the process, and these make it impossible to design intelligent regulations that minimize potential risks. As a result, the state will ban the practice indefinitely. Zucker's review describes a large number of possible problems that could affect the health of residents of the state. These include air pollution, both from the equipment and the chemicals used in the fracking, as well as leakage from the wells themselves. Concerns regarding water focus on the chemicals in the fracking fluid, which can spread underground or contaminate surface waters through spills or incomplete processing. Finally, fracking has clearly resulted in elevated earthquake risks in some areas, although the quakes remained small. Right now, most of these risks are hypothetical; Zucker's report cites a large number of long-term, fracking-focused health studies that are in progress but aren't expected to yield results for several years. The studies that have been completed "raise substantial questions about whether the risks of HVHF [High Volume Hydraulic Fracturing] activities are sufficiently understood so that they can be adequately managed." In other words, although it might be possible to regulate fracking in a way that limits health risks, we don't know enough about the health risks themselves to design regulations.

posted 4 days ago on ars technica
Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday that the breach also gave attackers administrative access to all files stored in its centralized zone data system, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use that system as part of the ongoing rollout of hundreds of new generic top-level domains (gTLDs). Attackers also gained unauthorized access to the content management systems of several ICANN blogs. "We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members."

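The detail that the phishing messages were "crafted to appear to come from our own domain" is exactly the case that SPF, DKIM and DMARC alignment checks on inbound mail exist to catch: a message whose visible From: claims the organisation's domain but carries no authentication result aligned with that domain should never reach a staff inbox unflagged. The Python below is an added example written for this page, not ICANN's code or tooling. It parses the Authentication-Results header an inbound gateway stamps (RFC 8601) and flags messages that claim the organisation's own domain without an aligned pass. The domain example.org, the gateway name, the header layout and the three sample messages are all constructed for the demonstration.

```python
"""Flag inbound mail that claims our own domain in From: but carries no
aligned SPF/DKIM/DMARC pass. Added example; assumes an inbound gateway
stamps Authentication-Results (RFC 8601) and that ORG_DOMAIN is ours."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # assumption: the domain being protected

# One "method=result [property=identifier]" clause, e.g. "dkim=pass header.d=example.org"
CLAUSE_RE = re.compile(
    r"\b(?P<method>spf|dkim|dmarc)=(?P<result>[a-z]+)"
    r"(?:[^;]*?\b(?:header\.d|header\.from|smtp\.mailfrom)=(?P<ident>[^\s;]+))?",
    re.I,
)


def parse_auth_results(value):
    """Map each method to (result, identifier domain) from an Authentication-Results header."""
    out = {}
    for m in CLAUSE_RE.finditer(value or ""):
        ident = (m.group("ident") or "").lower().rpartition("@")[2]
        out[m.group("method").lower()] = (m.group("result").lower(), ident)
    return out


def from_domain(msg):
    """Domain of the RFC 5322 From: address, i.e. what the recipient sees."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_spoofed_internal(raw_message):
    """True when From: claims ORG_DOMAIN and no authentication result aligned
    with that domain passed. Strict alignment only; subdomains are not accepted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if from_domain(msg) != ORG_DOMAIN:
        return False  # not impersonating us; other rules apply to external senders
    results = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if results.get("dmarc", ("", ""))[0] == "pass":
        return False  # the gateway already verified alignment
    dkim_result, dkim_domain = results.get("dkim", ("none", ""))
    if dkim_result == "pass" and dkim_domain == ORG_DOMAIN:
        return False
    spf_result, spf_domain = results.get("spf", ("none", ""))
    if spf_result == "pass" and spf_domain == ORG_DOMAIN:
        return False
    return True


def triage(messages):
    """Return the subjects of messages that should be quarantined for review."""
    flagged = []
    for raw in messages:
        if is_spoofed_internal(raw):
            flagged.append(str(email.message_from_string(raw, policy=policy.default)["Subject"]))
    return flagged


# Constructed sample messages; none of these is real ICANN mail.
LEGIT = """From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Scheduled maintenance
Authentication-Results: mx.example.org; dkim=pass header.d=example.org; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org

The mail gateway will be patched tonight.
"""

SPOOF = """From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Urgent: verify your mailbox
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.attacker.example; dkim=none; dmarc=fail header.from=example.org

Your mailbox is over quota; sign in here to keep it.
"""

EXTERNAL = """From: Vendor <billing@vendor.example>
To: staff@example.org
Subject: Invoice 4471
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example

Invoice attached.
"""

if __name__ == "__main__":
    print(triage([LEGIT, SPOOF, EXTERNAL]))  # ['Urgent: verify your mailbox']
```

The check is a gateway-side safety net, not a substitute for publishing a DMARC record with an enforcing policy for the domain, which is what makes other receivers reject the same forgeries; it also deliberately ignores display-name tricks ("IT Helpdesk <it@attacker.example>"), which need a separate rule because they do not claim the domain at all.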
posted 4 days ago on ars technica
As part of a surprise move to normalize relations between the United States and Cuba, the White House announced that it would be "initiating new efforts" to help the island nation access the Internet. In a statement published Wednesday, the Obama administration said that Cuba has a tiny Internet penetration rate—just five percent of the population is online. As such, most digital files are exchanged offline via USB sticks sold on the black market. The White House also noted:

posted 4 days ago on ars technica
Purch, Inc. announced on Wednesday that it had purchased AnandTech.com, ending the site's 17-year run as an independent publication. Purch also owns a number of other long-running technology sites, including LaptopMag (founded as Laptop Magazine in 1991), Tom's Hardware (founded 1996), and a handful of other offshoot tech publications. Purch says the acquisition will help it "dominate the tech expert and enthusiast market." Anand Shimpi, founder and original editor-in-chief of the site, left his post for Apple in late August. Shimpi says he is "happy to see [AnandTech] end up with a partner committed to taking good care of the brand and its readers." Current Editor-In-Chief Ryan Smith says the site has "grown by leaps and bounds over the past several years" but that it was "nearing what's possible as an independent company." Smith goes on to say that Purch values AnandTech's exhaustive hardware testing and reviews, and that Purch would enable the site to grow "without compromising the quality that made us who we are today." Under Smith, AnandTech has continued to run reviews of individual PC components and, less frequently, complete consumer products like laptops, phones, and operating systems. While the site misses Shimpi's voice and expertise (and that of former mobile editor Brian Klug, who also left for Apple this year), its coverage and testing procedures continue to be deep and thorough, and they will hopefully remain that way post-acquisition.

posted 4 days ago on ars technica
Though some pockets of the US have a competitive market for ultra-fast broadband, a new government report shows that Internet service of at least 100Mbps is limited, and where it exists there is usually just one provider that offers it. Fifty-nine percent of the US population can buy service of at least 100Mbps download speed, according to the Department of Commerce report released yesterday. But only eight percent can choose from at least two 100Mbps providers, and just one percent can choose from three. Further, “only 3 percent of the population had 1Gbps or greater available; none had two or more ISPs at that speed,” the report said. It’s not exactly “none”—data in the appendix shows a fraction of one percent of Americans can choose from multiple gigabit providers. This is beginning to change. For example, AT&T and Google are now offering gigabit service in Austin, Texas. The Commerce report is a bit outdated, using data from December 2013.

posted 4 days ago on ars technica
On Earth, the majority of the methane that finds its way into the atmosphere is produced by microbes. Once in the atmosphere, the gas is broken down by a number of processes, so its continued presence there is a testimony to Earth's activity, both biological and geological. Mars' atmosphere breaks down methane as well, yet low levels of methane are nonetheless present there. Although this methane could come from sources that don't involve biological or geological activity, some Earth-based observations had suggested that Mars had localized sources that create plumes of methane in its atmosphere. Those are tougher to explain, but the observations have been difficult to replicate. Now, the Curiosity rover has settled the issue, observing spikes in the atmosphere's methane concentration that seem to indicate a sporadic, local source.

posted 4 days ago on ars technica
On Wednesday, a Netflix PR director spoke definitively on the subject of offline video watching, declaring that the option was "never going to happen" for users of the Netflix streaming app. In an interview with TechRadar, Netflix Director of Corporate Communications and Technology Cliff Edwards responded to the question, which was posed comparing Netflix to British services such as BBC's iPlayer and Channel 4's 4oD that offer such offline viewing. TechRadar also quoted Edwards as saying the option was a "short term fix for a bigger problem," which they characterized as "WiFi access and quality." It's a cold response just in time for the holiday travel season—one in which we'd all prefer to silence an in-flight child by bombarding his or her little eyes with a Netflix-ready tablet. Based on Gogo's no-streaming policy and general lack of bandwidth, we don't see either WiFi access or quality getting that much better in the skies any time soon, and Edwards' statement doesn't offer much relief for vacationers in rural, no-Internet parts of the world, either.

posted 4 days ago on ars technica
The nation's fourth-largest cinema chain has decided not to screen Sony Pictures Entertainment film The Interview, following a terrorist threat Tuesday from hackers who said moviegoers could face doom while watching the comedy. Carmike Cinemas, with 278 theaters across 41 states in the US, was the first chain to pull the film slated for a Christmas release. The hackers who attacked Sony Pictures posted a message to Pastebin and other sites, warning:

posted 4 days ago on ars technica
Back in 2011, video games as a medium won a couple of major victories against government censorship. In the US, a landmark Supreme Court case gave games the full First Amendment protection, invalidating a litany of state-based attempts to limit the sale of certain games to minors. In Australia, meanwhile, squabbling states finally came to an agreement that year on the introduction of an R18+ rating, eventually allowing the sale of violent and sexually explicit games that were previously "refused classification" and therefore banned from sale in the country. Though these specters of government censorship are gone, retailers and platform holders still often impose their own restrictions on what kind of content they're willing to sell, in some cases making the games at issue less commercially viable and more difficult to obtain. These content-based distribution issues have been in the news a lot of late. A few weeks ago, Target Australia and Kmart Australia started things off by removing Grand Theft Auto V from store shelves, following a popular online petition against the game's depiction of violence against sex workers.

posted 4 days ago on ars technica
If you thought the BlackBerry Passport was a strange experiment, get a load of this: BlackBerry has begun selling the BlackBerry Classic, a phone that takes the retro stylings of the BlackBerry Q10 to the next level by reintroducing hardware navigation buttons and a trackpad. You might think BlackBerry would be more interested in winning back the users who have left its platform in droves for the greener pastures of iOS and Android, but the company's launch presentation focused overwhelmingly on comparisons to the BlackBerry Bold. The Classic is positioned as a product that will move people away from that old, BlackBerry 7 device to something running BlackBerry 10, but that's not exactly a big target market. BlackBerry did mention competing phones during its presentation, but usually in ways that didn't make any sense. For example, a complaint we had about the Q10 was that its physical keyboard ate up space that could otherwise be used for a bigger screen. To this, BlackBerry would point out that an iPhone 6 with the software keyboard pulled up will leave about the same amount of usable screen space for apps and media. This might make sense for productivity stuff, but it ignores all of the times you dismiss the software keyboard so you can actually do other things.

posted 4 days ago on ars technica
The Federal Communications Commission is reportedly on the verge of fining Sprint $105 million for cramming charges that brought complaints from tens of thousands of customers. The $105 million fine would match one levied on AT&T, which was accused of the same illegal practice. The US government has also sued T-Mobile over cramming charges. The FCC has not confirmed the action against Sprint, but it was reported Monday in the National Journal and yesterday in The Wall Street Journal. "According to the enforcement action, which hasn't been finalized, Sprint billed customers for third-party services it knew they hadn't asked for and didn't want," National Journal wrote.

posted 4 days ago on ars technica
People have grown so dependent on websites to shop, travel, and socialize that we often forget how easy it is to slow or completely shut down the underlying server. A case in point is a new lightweight script that causes many websites to falter. Dubbed FlashFlood, the looped JavaScript bombards a website with requests in a way that bypasses the caching layers sites rely on to stay up under load. It can be run from computers with modest bandwidth and hardware resources. Researchers from security firm WhiteHat Security said attackers could lure unwitting participants into taking part in denial-of-service attacks, through cross-site scripting (XSS) attacks, or by tricking large numbers of people into visiting an innocuous-looking link. In a blog post published Tuesday, they wrote:

It works by sending tons of HTTP requests using different parameter value pairs each time, to bypass caching servers like Varnish. Ultimately it’s not a good idea to ever use this kind of code as an adversary because it would be flooding from their own IP address. So instead this is much more likely to be used by an adversary who tricks a large swath of people into executing the code. And as Matt points out in the video, it’s probably going to end up in XSS code at some point.

FlashFlood is particularly potent against heavy database-driven sites if they rely on caching to protect themselves. Many sites running on Drupal are a good example. The researchers estimate it would take anywhere from four to 40 machines to take down an average Apache system. "I've run into the problem before where people seem to not understand how this works, or even that it's possible to do this, despite multiple attempts at trying to explain it multiple times," WhiteHat Security researcher Robert Hansen wrote.

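The quoted mechanism, a fresh parameter pair on every request so that each one misses the cache and hits the database, is the detail a defender should act on, and the durable fix belongs in the cache key rather than in any client-side blocking: if the cache keys only on the parameters the application actually reads, `/?x=1` and `/?y=2` collapse to the same cached object and the loop stops amplifying. The Python below is an added example written for this page, not WhiteHat's tool and not Varnish configuration. It shows a whitelist-based cache-key normaliser, then a detector run over constructed access-log lines that flags clients whose requests are almost all distinct URLs yet normalise to the same one or two cache keys, which is the signature of the single-source variant the post describes. The paths, the parameter whitelist, the thresholds and the log traffic are assumptions made for the demonstration.

```python
"""Cache-key normalisation and a cache-buster detector. Added example;
KNOWN_PARAMS, the log format and the sample traffic are assumptions."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: per path, the only query parameters that change the response.
# Anything else is dropped from the cache key, so random pairs cannot force a miss.
KNOWN_PARAMS = {
    "/": set(),
    "/search": {"q", "page"},
    "/node": {"id"},
}


def cache_key(url):
    """Canonical cache key: path plus whitelisted parameters, sorted by name."""
    parts = urlsplit(url)
    allowed = KNOWN_PARAMS.get(parts.path, set())
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k in allowed)
    return parts.path + ("?" + urlencode(kept) if kept else "")


# Combined log format, e.g. 203.0.113.7 - - [16/Dec/2014:10:00:00 -0600] "GET /?a=1 HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def flag_cache_busters(lines, min_requests=20, min_unique_ratio=0.9, max_keys=2):
    """Return {ip: request_count} for clients whose requests are nearly all distinct
    URLs (guaranteed cache misses) yet normalise to at most max_keys cache keys."""
    per_ip = defaultdict(lambda: {"n": 0, "raw": set(), "keys": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; count these separately in production
        stats = per_ip[m["ip"]]
        stats["n"] += 1
        stats["raw"].add(m["url"])
        stats["keys"].add(cache_key(m["url"]))
    return {
        ip: s["n"]
        for ip, s in per_ip.items()
        if s["n"] >= min_requests
        and len(s["raw"]) / s["n"] >= min_unique_ratio
        and len(s["keys"]) <= max_keys
    }


def sample_log():
    """Constructed traffic: one client looping with a new parameter pair each time,
    one client browsing normally. Deterministic so the result is reproducible."""
    lines = []
    for i in range(30):  # the loop a FlashFlood-style script would produce
        lines.append(f'203.0.113.7 - - [16/Dec/2014:10:00:{i % 60:02d} -0600] '
                     f'"GET /?p{i}={i * 7919 % 10007} HTTP/1.1" 200 5120')
    for path in ("/", "/node?id=42", "/search?q=varnish&page=1", "/node?id=42", "/"):
        lines.append(f'198.51.100.4 - - [16/Dec/2014:10:00:30 -0600] "GET {path} HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    print(cache_key("/search?utm_source=x&page=2&q=varnish"))  # /search?page=2&q=varnish
    print(flag_cache_busters(sample_log()))  # {'203.0.113.7': 30}
```

The per-IP detector only catches the "flooding from their own IP address" case the post dismisses as unlikely; once the loop is delivered through XSS to a large number of browsers, each source sends too little to cross a threshold, which is why the normalised cache key, applied in the caching layer before the request reaches the application, is the part worth deploying. Varnish can apply the same whitelist by rewriting req.url before hashing, and any such whitelist must be kept in sync with the parameters the application actually honours, or legitimate variants will be served the wrong cached page.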
posted 5 days ago on ars technica
On Tuesday Apple announced that ten new banks have agreed to work with Apple Pay to offer credit card support. With those additions, plus the recent additions of SunTrust, Barclaycard, and USAA banks, Apple Pay now accepts credit cards that represent about 90 percent of US credit card transaction volume, according to the New York Times. That number bodes well for Apple and its nascent mobile payment platform that launched in October of this year. The service lets users buy goods at NFC-enabled terminals in brick-and-mortar stores, as well as pay with a single tap in the iTunes store and in other compatible apps. The challenge for the adoption of mobile payments platforms like Apple Pay and Google Wallet, which debuted three years prior to Apple Pay’s announcement but failed to gain popular traction, is that the platform developers must build an entire ecosystem—from making sure banks will support the platform and let their users upload cards to it, to making sure that NFC-enabled terminals are in enough retailer checkout counters to make it worthwhile for customers to remember to pull out their phones to pay rather than their credit cards. Apple Pay gained a lot from the groundwork that Google Wallet laid when it pushed mobile payments years ago, and Google gained a lot from the work that MasterCard did with PayPass. Still, even the most bullish analysts currently predict that by the end of 2015, only 25 percent of retail terminals in the US will be NFC-enabled.

posted 5 days ago on ars technica
Bloomberg reported on Tuesday that Apple has ceased all online sales in Russia as the country has been unable to keep its currency from fluctuating dramatically. In the last month, Apple had already increased the price of its iPhone 6 in that country by 25 percent due to currency uncertainties. “Our online store in Russia is currently unavailable while we review pricing,” Alan Hely, a spokesman for the Cupertino, California-based company, told Bloomberg. “We apologize to customers for any inconvenience.” It is uncertain when Apple will reinstate its operations in Russia. Bloomberg noted that the ruble sank 19 percent today, "with a surprise interest-rate increase failing to stem a run on the currency.” At one point during the day, the ruble fell to 80 to the dollar.

posted 5 days ago on ars technica
At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core. That song, "All the Things," features the chorus: Drink all the booze, hack all the things!

The hacker didn't have long to drink all the booze and hack all the things, fortunately; by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further.

Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are not stored in the clear: they are hashed (not encrypted) using 2,048 iterations of the MD5 algorithm and salted with a random series of characters.

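Salted, iterated MD5 cannot be reversed, but MD5 is a fast hash and 2,048 rounds of it cost an attacker with the stolen table very little per guess, so anyone who reused their Ars password elsewhere should treat it as exposed. The Python below is an added example written for this page, not Ars's code. It reconstructs an iterated salted-MD5 scheme of the shape described (the exact chaining Ars used is not stated, so that construction is an assumption), places a PBKDF2-HMAC-SHA256 scheme beside it, and shows the verify-then-rehash pattern that moves users to the stronger hash transparently at their next login, which is the practical way to retire a weak scheme after an incident like this one. The iteration count of 600,000 follows current OWASP guidance for PBKDF2-HMAC-SHA256; the record format with `$`-separated fields is this example's own.

```python
"""Legacy iterated-MD5 password hash beside PBKDF2-HMAC-SHA256, with
verify-and-rehash on login. Added example; the legacy construction is an
assumed reconstruction of the scheme described, not Ars's actual code."""
import hashlib
import hmac
import os
import time

LEGACY_ITERATIONS = 2048        # as described for the Ars user database
PBKDF2_ITERATIONS = 600_000     # OWASP recommendation for PBKDF2-HMAC-SHA256


def legacy_md5_hash(password, salt):
    """Assumed construction: MD5(salt || password), then MD5 re-applied 2,047 more times."""
    digest = hashlib.md5(salt + password.encode()).digest()
    for _ in range(LEGACY_ITERATIONS - 1):
        digest = hashlib.md5(digest).digest()
    return f"md5x{LEGACY_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Modern replacement: PBKDF2-HMAC-SHA256 with a 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute under whichever scheme the stored record names; compare in constant time."""
    scheme, *fields = stored.split("$")
    if scheme == f"md5x{LEGACY_ITERATIONS}" and len(fields) == 2:
        candidate = legacy_md5_hash(password, bytes.fromhex(fields[0]))
    elif scheme == "pbkdf2_sha256" and len(fields) == 3:
        candidate = pbkdf2_hash(password, bytes.fromhex(fields[1]), int(fields[0]))
    else:
        return False  # unknown or malformed record
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored):
    """True unless the record already uses the current scheme and iteration count."""
    return not stored.startswith(f"pbkdf2_sha256${PBKDF2_ITERATIONS}$")


def login(password, stored):
    """Return (ok, replacement_record). On success with a legacy record the caller
    stores the replacement, so the whole user base migrates as people log in."""
    if not verify(password, stored):
        return False, None
    return True, (pbkdf2_hash(password) if needs_rehash(stored) else None)


def relative_cost(password="correct horse battery staple"):
    """How many times slower one PBKDF2 guess is than one legacy guess on this machine."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    legacy_md5_hash(password, salt)
    t1 = time.perf_counter()
    pbkdf2_hash(password, salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    record = legacy_md5_hash("hunter2", os.urandom(8))        # what the stolen table held
    ok, upgraded = login("hunter2", record)                    # first login after the incident
    print(ok, upgraded.split("$")[0], needs_rehash(upgraded))  # True pbkdf2_sha256 False
    print(round(relative_cost()))                              # hundreds to thousands, machine-dependent
```

Rehash-on-login only helps users who come back; records that are never upgraded stay at legacy strength, so the migration should be paired with forcing a reset for accounts that have not logged in after some cutoff, and a memory-hard function such as Argon2id or scrypt is preferable to PBKDF2 where the library is available.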
posted 5 days ago on ars technica
"A shadowy organization with ties to the Koch Brothers" spearheaded an anti-net neutrality form letter writing campaign that tipped the scales against net neutrality proponents, according to an analysis released today by the Sunlight Foundation. The first round of comments collected by the Federal Communications Commission were overwhelmingly in support of net neutrality rules. But a second round of "reply comments" that ended September 10 went the other way, with 60 percent opposing net neutrality, according to the Sunlight Foundation. The group describes itself as a nonpartisan nonprofit that seeks to expand access to government records. The foundation used natural language processing techniques to analyze 1.6 million reply comments. Read 7 remaining paragraphs | Comments

Read More...