Google considers following Mozilla, Microsoft, and dropping SHA-1 certificates early

It’s becoming too cheap to attack such certificates for them to be safe to use.

Last month Microsoft said that it was considering ending support for TLS and SSL certificates that used the SHA-1 hashing algorithm, after Mozilla previously described a plan to do the same. Google is now thinking about joining those two companies and ending Chrome's support for SHA-1 certificates in the middle of next year too.

The underlying problem is that it has become too cost-effective to create forged certificates that use the SHA-1 hashing algorithm. As computers get faster, the cost of creating a fraudulent certificate goes down. Based on 2012 estimates, it was expected that criminals would be able to readily create such certificates by 2018. This declining cost led all three browser vendors to plan to end supporting any SHA-1 certificates issued after January 1, 2016, and all SHA-1 certificates after January 1, 2017.

Newer estimates have brought the cost of certificate fraud down further still. Through the use of cloud services such as Amazon's EC2, the compute power to create bogus SHA-1 certificates both costs less and is more accessible, such that SHA-1 certificates are arguably unsafe already. This led to reconsideration of the 2017 timetable. Mozilla and Microsoft are now contemplating bringing that January 1, 2017 date forward, to July 1, 2016, as long as the impact in the wild is not too serious.


Complaints from ex-Theranos employees spur two federal investigations

Alleged protocol breaches and wild inaccuracies in prick-based blood tests reported.

Theranos, Inc., a beleaguered, multi-billion-dollar startup developing blood testing technology, is now under investigation by two federal agencies, according to a report in the Wall Street Journal.

Complaints from former employees sparked the two investigations, one by the Food and Drug Administration and the other by the Centers for Medicare and Medicaid Services (CMS). According to the WSJ, those complaints laid out concerns about breached research protocols as well as severe accuracy problems with the company’s blood tests.

Theranos gained prominence and drew skepticism earlier this year with claims that it could perform a multitude of medical tests with just a few drops of blood. While previous media reports have also raised questions about the accuracy of the fingerprick-based tests, the new report outlines concerns over the only blood test that has so far received FDA approval, a herpes test.


Oracle settles with FTC over Java’s “deceptive” security patching

Commission faults Oracle’s Java SE update process with making consumers’ computers insecure.

Way to go, Oracle. (credit: Oracle PR)

Oracle received a public slap on the wrist from the Federal Trade Commission over Java SE, the desktop runtime for Java. The FTC announced today that it had reached a settlement with Oracle Corporation over a complaint not about the security of Java itself, but about Oracle's patching process—and how it unintentionally left consumers to believe that the patches themselves were enough.

Java has been a source of perpetual security sorrow due to the number of exploitable flaws that have been discovered in various versions of Java SE. That's partially due to its huge installed base—over 850 million PCs are estimated to have Java SE installed on them, and it isn't always the most recent version. Older versions of Java create a major security risk—even when newer versions have been installed.

And there lies the rub of the FTC's complaint. Since at least 2010, Java SE updates have not done a thorough job of cleaning up the insecure versions—and, the FTC contends, Oracle failed to advise consumers doing the updating that the job was only half done.


Cock.li e-mail server seized by German authorities, admin announces

Vincent Canfield: “I will say that I have the utmost respect for law enforcement.”


In a new video statement posted on Monday, the administrator of novelty e-mail provider cock.li announced that one of the hard drives used to host the service in a Bavarian data center had been seized.

"That means that SSL keys and private keys and full mail content of all 64,500 of my users, as well as hashed passwords, registration time, and the last seven days of logs were all confiscated and now are in the hands of German authorities," Vincent Canfield said.

Cock.li was reportedly used last week to send a bogus bomb threat e-mail from "madbomber@cock.li" to several school districts nationwide, which led to the closure of all schools in the Los Angeles Unified School District. The New York City Department of Education, however, dismissed the e-mail as an obvious hoax.


Ericsson gets huge boost to patent income after settlement with Apple

One bank estimates Ericsson will grab 0.5 percent of iPad and iPhone revenue.

Apple and Swedish telecom Ericsson have ended a year-long patent dispute that spanned US federal courts, the International Trade Commission, and included lawsuits in the United Kingdom, Germany, and the Netherlands.

Exact financial terms weren't disclosed, but Apple will both make a one-time payment to Ericsson and pay ongoing patent royalties. Ericsson said in a press release that its patent-related income will rise between 4 and 5 billion Swedish krona this year, which equates to $470 to $590 million. The Swedish company's stock is up about 4 percent on the news.

"We are pleased with this new agreement with Apple, which clears the way for both companies to continue to focus on bringing new technology to the global market, and opens up for more joint business opportunities in the future," said Kasim Alfalahi, Ericsson's chief IP officer.


Ars Science Q&A: How we pick our stories

Curious as to how we choose which stories to cover? Read this.

In my blog post on my 10th anniversary at Ars, I promised to answer readers' questions. This is one of my attempts to do so.

Quite a few people have asked me to go into more detail on the Ars editorial process—how do science news stories get chosen? So here’s a quick look at how the sausage gets made.

Everything starts the week or weekend before publication (depending on how organized I am). By Friday, Nature and PNAS have both put together lists of some of the stories they’ll be releasing the next week. Nature has its editors select some articles for full PR treatment, providing a several-paragraph summary that’s generally accurate. Others just have their titles listed; the majority aren’t released until the full edition of the journal appears online. PNAS also issues press releases for a few stories, but it also dumps the entire collection of articles. Science usually makes a list similar to Nature’s, and it's available on Sunday night.


CEO Tim Cook denies tax dodging: “Apple pays every tax dollar we owe.”

Why doesn’t Apple bring overseas profits home? Because it would cost 40 percent.

Apple CEO Tim Cook. (credit: Chris Foresman)

In an interview last weekend with 60 Minutes, Apple CEO Tim Cook defended his company’s use of the legal overseas tax maneuvering that effectively keeps tens of billions of dollars in would-be American tax revenue out of the country.

In a short back and forth with host Charlie Rose, Cook gave a very legalistic—though accurate—answer as to why Apple does not repatriate its mounds of cash. Cook said that Apple pays more taxes in the United States than anyone else.

After all, it is the most profitable company in America and the second-most in the entire world.


Strike: Amazon calls itself "a good employer"

For once, Amazon has responded to a mass strike. It is still not negotiating with the strikers, who want a collectively bargained wage, but its head of Europe has offered some self-praise. (Amazon, E-Commerce)


Help decide which charity is better: Child’s Play or the EFF

Add to our $21K haul and maybe win a prize in our 2015 Charity Drive sweepstakes.

Some of this could be yours if you enter our sweepstakes!

Just over two weeks ago, we kicked off the 2015 edition of our annual Charity Drive sweepstakes, where we urge readers to donate to a good cause for a chance to win some of the piles of vendor-provided swag we can't keep. Since then, Ars readers have turned the generosity meter up to 11, packing in a combined total of over $21,000 in donations to Child's Play and the Electronic Frontier Foundation so far ($21,112.60, to be precise).

That's a great start and already within spitting distance of last year's take of just over $25,000. We're aiming our sights higher than that, though... with two weeks to go until the January 4 deadline, I think we can beat our all-time Charity Drive record haul of $28,713.52 set back in 2012 (my first year running the sweepstakes). Let's prove just how deep Ars readers can dig for a good cause.

If that's not enough motivation, keep in mind that each donation helps settle a battle of generosity between two deserving charities. This is the first year that the total money given to both charities in the sweepstakes has been competitive; the EFF was actually bringing in the majority of donation dollars until rather recently, when a few generous Child's Play gifts put it back ahead.


Razer’s Cortex game store for the Forge TV rises from Ouya’s ashes


The Razer Forge TV is an Android TV box designed to bring Android games to your big screen display. It’s one of a few different devices in this category to launch in 2015, and it’s been met with largely poor reviews. Razer is hoping to turn things around with a major software update: this summer the […]
