Java Has Yet Another Security Issue!

Java is having a bad – quarter! Another Zero Day security issue for Java!

Another Java Zero-Day Found, Dump That Browser Plugin

“Researchers have uncovered yet another zero-day vulnerability in Java, and attackers are currently exploiting it in the wild.

The security flaw, if triggered, leads to arbitrary memory read-and-write in the Java Virtual Machine, Darien Kindlund and Yichong Lin, two researchers at FireEye, wrote on the FireEye Malware Intelligence Lab blog Thursday. If successful, the attack code downloads a McRAT dropper and information-stealing Trojan onto the victim’s computer. It is a different type of flaw than some of the others we’ve seen recently.

FireEye said several of its customers saw the attack against browsers with Java enabled. The security flaws are in Java v.1.6 Update 41 and the latest Java v1.7 Update 15, which was just released Feb. 19, according to FireEye. The researchers have already disclosed the vulnerability to Oracle (CVE-2013-1493). No other information is currently available from Oracle.

More Zero-Days
FireEye researchers summed up the prevailing sentiment well in the post’s title, ‘YAJ0: Yet Another Java 0-Day.’ While Java has been a popular attack target for a long time, there seems to be an explosion of Java zero-days being exploited in the wild over the past two months. It’s the same cat-and-mouse game we’ve seen with other companies. A zero-day is found, the company patches it, a new zero-day is found. Wash, rinse, and repeat.

Oracle, the company well-known for its reluctance to release patches out-of-schedule, has released several emergency updates in the past year because the bugs have been so serious. The company released a scheduled update Feb. 19, but it is likely this bug will spur yet another emergency patch.

Turn It Off, Or Limit It
Are you tired of the whole merry-go-round and want a way to jump off? Turn off Java in the browser. Disable the plugin. We show you how to disable Java. Are you one of the many, many, people who need Java for work and school purposes and can’t turn off Java in the browser?

Here is what you can do. You disable Java in your default, primary browser. The browser you use the most should not have Java at all. And then you install the browser you don’t use all that often—most people generally have more than one browser installed on their computers, anyway—and enable Java in that. The important thing here, though, is that you don’t, never ever, absolutely never, use that browser to go to any site other than that handful of sites you need to run Java on. You need to use Blackboard? You fire up the Java-browser. You need to look up something that was mentioned during the Blackboard session? Instead of clicking, copy the link, fire-up your default browser, and paste it in.

It adds a lot of extra steps, and I can tell you that it is tremendously annoying. But I feel safer knowing that I am reducing my chances of getting hit with a watering hole attack. Think about all those mobile developers at Facebook, Twitter, Microsoft, and Apple. They visited an iOS developer Web site (probably a site they visited with regularity, considering their jobs) with browsers that had Java enabled, and were compromised.

If you are annoyed enough, you will do the next step, which is pressure the company to stop using Java. ‘There is no longer any reason for Websites to be using Java applets,’ Chester Wisniewski, of Sophos, told me at the RSA Conference this week. You can pressure IT to start switching to a different product. As customers, you can tell the vendor to come up with a non-Java alternative, or when it comes time to renew the subscription or contract, you will cancel and go to a different product. Money talks.

Wisniewski said he didn’t make the decision to recommend turning off Java lightly. He considered the ramifications carefully and came to the conclusion that at the moment, it was the safest thing to do.”

The Raspberry Pi is One Year Old!

And, I still want one!

The Raspberry Pi: One year since launch, one million sold

“The folks who built the Raspberry Pi knew they had a great idea, but they probably didn’t anticipate just how successful it would be. The Raspberry Pi Foundation today is celebrating the computer’s first birthday, a million devices sold, and countless DIY and programming projects completed.

The credit card-sized, ARM-based computer was released on Feb. 29, 2012 and can be purchased for $25 or $35 depending on the model. In a blog post titled ‘Happy birthday to us!’ foundation community manager Liz Upton wrote that today is ‘as near as we can get [to the anniversary date]; we launched on a leap day last year. We’re going to have a really great party in 2016.’

‘We never thought we’d find ourselves in the position we’re in today, with a million Pis sold, a sprawling community, real evidence that kids are picking the Pi up and learning with it, and new friends from all over the world,’ she also wrote.

Numerous people involved in the Pi’s development shared their thoughts. Among them was Gordon Hollingworth, who left a job at Broadcom to become head of software at the Pi foundation. ‘I remember [Raspberry Pi creator] Eben [Upton] telling me about the Foundation’s plan to create the hardware based on BCM2835 (a chip I had a lot of involvement in creating), and him saying that he thought 10K was a good number to start with!’

The Raspberry Pi is so popular that supply was often unable to meet demand over its first year. If you’re looking to buy one, they can be found at Element14, RS, and Allied Electronics.

The Pi has been used as a tool to teach and learn programming, and users have produced all sorts of cool stuff, including arcade cabinets, robots, and wearable computers. If you want to see some of the best projects from the Pi’s first year, check out our feature ’10 Raspberry Pi creations that show how amazing the tiny PC can be.'”

Time Warner Thinks That You Don’t Want Gigabit Internet!

Wrong! I do! In fact, I would pay pretty decent money for it! They are clueless!

Time Warner Cable says there’s no consumer demand for gigabit internet

“Speaking at the Morgan Stanley Technology Conference, Time Warner Cable’s Chief Financial Officer Irene Esteves seemed dismissive of the impact Google Fiber is having on consumers. ‘We’re in the business of delivering what consumers want, and to stay a little ahead of what we think they will want,’ she said when asked about the breakneck internet speeds delivered by Google’s young Kansas City network. ‘We just don’t see the need of delivering that to consumers.’ Esteves seems to think business customers are more likely to need that level of throughput, and notes that Time Warner Cable is already competitive. ‘We’re already delivering 1 gigabit, 10 gigabit-per-second to our business customers, so we certainly have the capability of doing it.’ The executive claims that residential customers have thus far shown little interest in TWC’s top internet tiers. ‘A very small fraction of our customer base’ ultimately choose those options, she said.

That’s not to say the cable operator is totally blind to Google Fiber’s potential. ‘If Google finds the magic pill and finds applications that require that and develops a need for it, well terrific’ she said. ‘We would build our product base in order to deliver that.’ But for now the company’s stance is clear: there’s not enough demand. Clearly the industry giant isn’t as optimistic as Google’s Eric Schmidt, who not long ago classified Fiber as ‘a real business’ rather than a mere experiment. Google Fiber could reinvent the way we use the internet, but until Time Warner Cable sees clear evidence of that happening, the provider is perfectly content with its current offerings.”

IE10 Has Been Released!

IE10 has been released. Here’s hoping it “sucks less” than earlier versions of Internet Explorer.

More info: I downloaded IE10 and installed it. Guess what? It would not play the HTML5/WebM video posted here on the Dr. Bill.TV site. It says, “Invalid source.” I assume that it is because my video files are on Cloud storage (Amazon AWS S3, specifically) rather than local. Guess what, Microsoft? We live in a Cloud Computing based world these days! So, bottom line, guess what? It still sucks. Use Google Chrome. I can watch Dr. Bill.TV video via HTML5/WebM all day with Google Chrome (or Firefox, or Opera.)

Microsoft delivers final version of IE 10 for Windows 7

“Microsoft released to the Web the final (non-test) build of Internet Explorer 10 for Windows 7 on February 26.

As of today, Microsoft is making the final bits available for download from its IE site in 95 languages.

Microsoft plans to begin auto-updating customers with Windows 7 Service Pack 1 and/or Windows Server 2008 R2 and higher with the IE10 ‘in the weeks ahead,’ officials said. This will start with those who are running the IE10 Release Preview. Admins who aren’t ready to have IE10 pushed to their users can block it temporarily with Microsoft’s blocking toolkit.

IE10 is the latest version of IE and the one that is bundled with Windows 8 and Windows RT. Like IE10 for Windows 8 and Windows RT, IE10 for Windows 7 is optimized for touch first. Unlike the Windows 8 and Windows RT versions, IE10 for Windows 7 places the URL bar at the top of the screen, not the bottom. (I’ve never quite understood the bottom of the page thinking with Windows 8/RT. It seems to me like one could still maximize available browsing space even if the URL bar was in the more familiar top-of-the-page position.) And as is true with the Windows 8/Windows RT version, IE10 for Windows 7 has the Do Not Track (DNT) signal turned on by default, preventing users from having their behavior automatically tracked online.

Microsoft is touting IE10’s support for Web standards. Officials said IE10 on all platforms adds support for more than 30 new Web standards beyond what IE9 supported, including support for new HTML5, CSS3, DOM, Web Performance, and Web Application specifications. Company officials also are saying IE10 on Windows 7 loads ‘real world’ sites 20 percent faster, based on tests in Microsoft’s labs. (I’ve never found IE to be noticeably fast in loading pages on my PCs/tablets, but your mileage may vary.)

Microsoft introduced its first test build of IE10 for Windows 7 in April 2011, the same time as it delivered its first test build of IE10 for Windows 8. The company went over a year between the time it delivered developer-focused IE10 for Windows 7 test builds and the updated public preview of the browser for Windows 7 in November 2012.

According to Net Market Share data, IE currently has about 55 percent of the desktop browser market share worldwide.

Today’s IE10 release does not work on either Windows Vista or Windows XP.”

A Tiny Computer for your HD TV

MK802 IIIS Android 4.1 mini PC (with Bluetooth, 2 USB host ports) is a tiny, Android-based computer that plugs into your HDMI port on your HD TV. A computer for your living room! And, FYI, it is under $65.00 right now on Amazon. Just sayin’!

Rikomagic introduces MK802 IIIs, now with Bluetooth, more

“Rikomagic is giving the recently released MK802 III mini PC a slight spec bump. The new MK802 IIIs is still a tiny computer with a USB port on one end, an HDMI adapter on the other, and a Rockchip RK3066 dual core processor in the middle.

But the new model adds two new features: Bluetooth support, an ESD circuit for better stability, and support for software apps that let you actually turn off the little computer without unplugging it.

Those might not sound like big changes… but while dozens of these Android mini PCs have come out of China in recent months, most have lacked an off switch. The only way to turn them off is typically to pull the plug when you’re done using them.

While the MK802 IIIs doesn’t have an off ‘switch’ per se, at least it will support software that lets you power down an Android computer.

The stick has a 1.6 GHz RK3066 ARM Cortex-A9 processor, quad-core graphics, 1GB of RAM, and 4GB to 8GB of storage and a microSD card slot. It supports 802.11b/g/n WiFi and runs Google Android 4.1 Jelly Bean.

Independent developers have also been making progress porting Ubuntu Linux to run on devices with RK3066 chips. But unless you’re a developer, I’d only recommend picking up a product like this if you’re cool with Android, because it could be a while before we see a stable release of Ubuntu or other desktop Linux software.

We might only be a few days away from seeing the first working version of Ubuntu for the MK802 III, but I wouldn’t expect it to run as well as Android for a little while.

In other words, like most other ‘mini PCs’ we’ve seen recently, the MK802 IIIs is basically an inexpensive device designed to let you run Android apps on your TV using a USB or wireless mouse, keyboard, or remote control.”

The New Version of Chrome Stops Silent Add-Ons

The most secure browser ever is now even more secure! Now you have to approve any add-ins in Chrome. An extra step. And, a good thing!

Google fixes 22 flaws in Chrome, slams silent add-ons

“Computerworld – Google yesterday released Chrome 25, patching 22 vulnerabilities and debuting a new security feature that blocks silent installations of add-ons.

The latter is Chrome 25’s most noticeable change to users. It automatically disables third-party add-ons that are installed on the sly by other software. Add-ons — Google calls them ‘extensions’ — that were previously installed by third-party software will also be barred from running.

Users can approve a silent-installed extension by clicking a button in the dialog box that appears when Chrome blocks the add-on.

Google’s move follows a similar one made by Mozilla more than a year ago, when it, too, crippled silently-installed add-ons. In November 2011, Mozilla debuted Firefox 8, which automatically blocked browser add-ons installed by other software.

Although silent add-ons have historically been more of a problem for Firefox than for Chrome, Google has been limiting add-ons since July 2012, when Chrome 21 began blocking add-ons hosted on a third-party website. Since then, only add-ons obtained from the Chrome Web Store, Google’s official distribution mart, have been allowed.

Website designers can, however, trigger an add-on install from their URL using what Google dubbed ‘inline installation.’ The actual add-on, however, is still hosted on the Chrome Web Store.

Silent add-on installation has been possible only on Windows; OS X and Linux do not offer slippery websites a way to sneak an add-on into a browser.

The new version also adds the Web Speech API (application programming interface) that lets website and Web app developers add speech recognition features in their creations. Web Speech API is based on JavaScript, one of the Internet’s foundational scripting languages.

Google has created a dictation demonstration of the Web Speech API that users can try out with Chrome 25.

Chrome 25 also patched 22 vulnerabilities, two fewer than January’s Chrome 24. Google labeled nine of the flaws as ‘high,’ the company’s second-most-serious threat rating, eight as ‘medium,’ and five as ‘low.’

Five of the vulnerabilities were reported to Google by three outside researchers, who received $3,500 for their work. So far this year, Google has paid out $10,500 from its bug bounty program.”

Is a New Xbox Coming in April?

Maybe! Will it be awesome enough for you to upgrade? Maybe!

Microsoft likely to reveal Xbox 360 successor at April event

From The Verge: “Sony may have gotten the jump on Microsoft in announcing its next-generation console, but odds are the public will be introduced to the Xbox 360’s successor well ahead of this year’s E3. Computer and Video Games is today reporting that the folks in Redmond are planning to hold a press event sometime in the month of April, two months ahead of the annual industry games show. The Verge is able to corroborate this timeframe, as we’ve heard similar rumblings from reliable sources.

Adding further fuel to the idea of a standalone reveal, users at NeoGAF have discovered a domain, XboxEvent.com, that’s been registered by Eventcore. The agency has handled preparation work for some of Microsoft’s previous preparations, so it’s a good sign that planning is already underway. Let’s just hope that whenever Microsoft chooses to unveil its long-awaited third console, it will be so kind as to show us what the hardware actually looks like.”

Imagine a Computer That Never Crashes!

A computer that never crashes and just runs and runs! It’s called “Linux!” No, wait, it is something else… but, just sayin’! This article from New Scientist explains it!

The computer that never crashes

“A revolutionary new computer based on the apparent chaos of nature can reprogram itself if it finds a fault. Out of chaos, comes order. A computer that mimics the apparent randomness found in nature can instantly recover from crashes by repairing corrupted data.

Dubbed a ‘systemic’ computer, the self-repairing machine now operating at University College London (UCL) could keep mission-critical systems working. For instance, it could allow drones to reprogram themselves to cope with combat damage, or help create more realistic models of the human brain.

Everyday computers are ill suited to modelling natural processes such as how neurons work or how bees swarm. This is because they plod along sequentially, executing one instruction at a time. ‘Nature isn’t like that,’ says UCL computer scientist Peter Bentley. ‘Its processes are distributed, decentralised and probabilistic. And they are fault tolerant, able to heal themselves. A computer should be able to do that.’

Today’s computers work steadily through a list of instructions: one is fetched from the memory and executed, then the result of the computation is stashed in memory. That is then repeated – all under the control of a sequential timer called a program counter. While the method is great for number-crunching, it doesn’t lend itself to simultaneous operations. ‘Even when it feels like your computer is running all your software at the same time, it is just pretending to do that, flicking its attention very quickly between each program,’ Bentley says.

He and UCL’s Christos Sakellariou have created a computer in which data is married up with instructions on what to do with it. For example, it links the temperature outside with what to do if it’s too hot. It then divides the results up into pools of digital entities called ‘systems’.

Each system has a memory containing context-sensitive data that means it can only interact with other, similar systems. Rather than using a program counter, the systems are executed at times chosen by a pseudorandom number generator, designed to mimic nature’s randomness. The systems carry out their instructions simultaneously, with no one system taking precedence over the others, says Bentley. ‘The pool of systems interact in parallel, and randomly, and the result of a computation simply emerges from those interactions,’ he says.

It doesn’t sound like it should work, but it does. Bentley will tell a conference on evolvable systems in Singapore in April that it works much faster than expected.

Crucially, the systemic computer contains multiple copies of its instructions distributed across its many systems, so if one system becomes corrupted the computer can access another clean copy to repair its own code. And unlike conventional operating systems that crash when they can’t access a bit of memory, the systemic computer carries on regardless because each individual system carries its own memory.

The pair are now working on teaching the computer to rewrite its own code in response to changes in its environment, through machine learning.

‘It’s interesting work,’ says Steve Furber at the University of Manchester, UK, who is developing a billion-neuron, brain-like computer called Spinnaker (see ‘Build yourself a brain’). Indeed, he could even help out the UCL team. ‘Spinnaker would be a good programmable platform for modelling much larger-scale systemic computing systems,’ he says.”

Microsoft Forces Customers to Move to Skype

The Evil Empire speaks… it is done!

Microsoft is forcing Messenger users over to Skype starting April 8th

“Microsoft is planning to force existing Windows Live Messenger users to upgrade to Skype from April 8th. In an effort to phase out its Messenger service, Windows Live Messenger clients will be restricted from signing into the service gradually starting in early April. Microsoft will be migrating users depending on their language, starting with English first and ending with Portuguese no sooner than April 30th.

Contrary to Microsoft’s confusing email to some Windows Live Messenger users, and other reports, Windows Live Messenger will not cease functioning on March 15th for everyone. Microsoft has been testing its migration plans with a test cell, so a very small number will move over on March 15th, but 99 percent of users will start shifting across from April 8th onwards. “The upgrade process itself has been going really well, we’ve had millions of customers move over,” says Skype’s Parri Munsell.

Existing Windows Live Messenger users will be greeted with an upgrade notification from April 8th onwards that will prevent them from signing into the service. Microsoft is pre-caching the Skype installer to existing machines to allow users to simply accept the notification and switch over to Skype, while the installer removes Windows Live Messenger.

Munsell says Microsoft is upgrading other apps that access the Messenger service on a case-by-case basis, including mobile apps. ‘On products like Xbox, we’ll make announcements at a later date when we have dates to actually announce to customers.’ The software maker has also notified third parties about its plans to retire the entire Messenger service. ‘They do have end of life dates that we’ve given them privately,’ says Munsell. The dates vary by third-party, but official documentation suggests that existing clients using the XMPP protocol will end in October, while MSP clients will cease functioning in March 2014.

We reached out to several popular third-party Messenger apps, but developers seem to be confused over Microsoft’s retirement. Trillian’s Scott Werndorfer says ‘we’re not sure how the shutdown will occur or what additional steps Microsoft has planned.’ Adium, a popular client for Mac, says communications have been ‘pretty fuzzy’ and that it hasn’t heard anything directly regarding an official date. Microsoft says only official licensees of Messenger will get specific end dates.

Microsoft’s own Windows 8 and Windows Phone clients will continue to function, and the company says April 8th is strictly focused on phasing out the Windows Live Messenger desktop client. The switch over to Skype does present a few issues for Windows 8 and Windows Phone users though. Windows 8 uses a Messenger Windows Store client that triggers notifications for Messenger messages. If you install a Skype client then you’ll run into an issue with dual notifications. Munsell admits this is a possibility, but that “the customer just needs to configure those clients so that they’re doing pop-up notifications on the one that they want to reply on.”

It’s not an ideal situation, and if you have linked Facebook contacts to your Skype account then you could end up with three contact entries for the same person: Messenger, Skype, and Facebook. The company doesn’t have any immediate plans to link these in the client, so it raises questions over an upgrade that also removes functionality for Windows Live Messenger users. Skype does not currently support mail notifications, Messenger status updates, and the ability to add additional Messenger contacts. Microsoft is helping users transition with a set of online tutorials.

Still, Microsoft is pushing ahead and this marks the first major change to the Skype and Microsoft relationship since the $8.5 billion acquisition. If this first sign of integration helps move Microsoft towards Skype in every product to compete against services like WhatsApp, iMessage, Google Talk, and others then it will benefit all who rely on Microsoft’s ecosystem of software and services in the long run.”
