Month: July 2016

(credit: Ddxc)

A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren't visible to attackers who may be monitoring an end user's network traffic. Now, researchers have devised an attack that breaks this protection.

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodisovery—in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week's Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

"People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization)," Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. "We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks."

As the first-ever Android phone from BlackBerry, the BlackBerry Priv was an interesting experiment. BlackBerry tried to go super-premium with a $700 phone, but the design, build quality, and specs couldn't back up the price tag. Now, BlackBerry is back with its second Android smartphone, the BlackBerry DTEK50. Rather than worry about the design and build quality itself, BlackBerry has taken the TCL Alcatel Idol 4 and given it a new back plate. The result is a $299 "BlackBerry" that features Alcatel's hardware and Blackberry's software.

The specs are nearly identical to an Alcatel Idol 4. The DTEK50 has a 5.2-inch, 1080p display (424 PPI), an eight-core 1.5GHz Snapdragon 617 (four 1.5 GHz Cortex-A53s and four 1.2 GHz Cortex-A53), 3GB of RAM, 16GB of storage with an SD card, and a 2,610 mAh battery. The rear camera has a 13MP sensor with a dual-LED flash, while the front sports an 8MP sensor. The USB port makes the device seem a tad dated: it still has a MicroUSB port instead of the newer, reversible USB Type C port. The one spec difference we see between the Alcatel Idol 4 and the DTEK50 is that the Idol 4 is clocked a little higher: 1.7GHz versus 1.5GHz.

The device has no keyboard—it's just your regular cheap slab phone with dual front-facing speakers. The rear has a new back piece with the all-important BlackBerry logo and almost looks like it's made out of rubber. The Idol 4 did ship with an extra side hardware button, which BlackBerry has turned into its trademark programmable "convenience" key. Other than that, the "Blackberryness" is going to come in the software and security side. Blackberry is promising a secure boot process with a hardware root of trust and "rapid" security patching.

It’s drizzling as I roll into the south-west London suburb of Surbiton, and every so often the automatic wipers on the Mini John Cooper Works I'm driving spring into life to sweep drops of water from the screen. It’s early, and the town is barely awake yet. But even as the pavements start to fill with Suburbiton commuters bustling between newsagents, big-chain coffee shops, and railway station, one part of the town remains empty and ignored. Yet that’s the place I’ve come here to see.

The new generation Mini JCW is named after the man whose vision and no-nonsense organisation created the Cooper racing cars that changed the face of Formula 1 motor racing in the 1950s, and the Mini Coopers that livened up 1960s circuit racing and rallying. So I’ve come to Surbiton—where the Cooper Car Company was based—to find the building that was the original works. From there I’ll head off in search of the greatest of the JCW’s distant ancestors.

First, to find the place where it all started. The Mini’s infotainment controller is on the console between the front seats, where the big rotary control is easy to reach and operate. Navigating the main mode buttons nearby is less easy; until you memorise the position of each one, you have to look down to choose between media, radio, phone, and nav. All set, the Mini navigates me precisely through the thick Surbiton traffic to the junction of Hollyfield Road and Ewell Road where the Cooper works stands. And it’s a bit of a disappointment.

It seems Ars readers are not ready to welcome our new IoT overlords. (credit: peyri)

AT&T has agreed to lead an "industry strike force" to limit robocalls, just a couple of months after its CEO claimed there's just about nothing it can do to block unwanted calls.

AT&T CEO Randall Stephenson said in May that his company doesn't have "permission" or "the appropriate authority" to block robocalls, even though the Federal Communications Commission clearly stated last year that carriers have the "green light" to offer robocall-blocking services to cell phone users. FCC Chairman Tom Wheeler last week urged carriers to "offer call-blocking services to their customers now—at no cost to [consumers]," and AT&T has dropped its previous reluctance in response.

In a post titled "Answering the call on robocalling," AT&T Senior VP Bob Quinn yesterday said that Stephenson will chair the new "Robocalling Strike Force, the mission of which will be to accelerate the development and adoption of new tools and solutions to abate the proliferation of robocalls and to make recommendations to the FCC on the role government can play in this battle."