Month: December 2016

Enlarge / A website bot as it distributes CVV guesses over multiple sites. (credit: Ali, et al.)

Thieves can guess your secret Visa payment card data in as little as six seconds, according to researchers at Newcastle University in the UK. Bad actors can use browser bots to distribute guesses across hundreds of legitimate online merchants.

The attack starts out with a card's 16-digit number, which can be obtained in a variety of ways. Attackers can buy numbers on black-market websites, often for less than $1 apiece, or use a smartphone equipped with a near-field communication reader to skim them. The numbers can also be inferred by combining your first six digits—which are based on the card brand, issuing bank, and card type—with a verification formula known as the Luhn Algorithm. Once an attacker has a valid 16-digit number, four seconds is all they need to learn the expiration date and the three-digit card-verification value that most sites use to verify the validity of a credit card. Even when sites go a step further by adding the card holder's billing address to the process, the technique can correctly guess the information in about six seconds.

The technique relies on Web bots that spread random guesses across almost 400 e-commerce sites that accept credit card payments. Of those, 26 sites use only two fields to verify cards, while an additional 291 sites use three fields. Because different sites rely on different fields, the bots are able to enter intelligent guesses into the user field of multiple sites until the bots hit on the right ones. Once the correct expiration date is obtained for a given card—typically banks issue cards that are valid for up to 60 months—the bots use a similar process to obtain the CVV number. In other cases, when sites allow the bots to obtain the CVV first—a process that can never require more than 1,000 guesses—the bots then work to obtain the expiration date and, if required, the billing address.

Enlarge / "Let's go shopping!" "No, let's Amazon Go shopping." "Dave, I hate your puns." (credit: Sam Machkovech)

SEATTLE—Amazon's foray into the world of brick-and-mortar grocery shopping has been all but confirmed for nearly a year thanks to leaks such as spotted permit applications. The rumor became reality on Monday with the announcement of Amazon Go, an experiment in grocery shopping that removes the clerks.

This is not just another idle announcement, either: the company's pilot store is now open for business. It's attached to one of Amazon's headquarter buildings in Seattle's South Lake Union neighborhood and is already stocked with food options (and a giant staff of cooks and food preparers). There's just one catch—only full-time "blue badge" Amazon staffers can get in right now.

Never one to take "no" for an answer, I grabbed a camera and walked up to the front door with hopes that my shining blue eyes would make up for my lack of a blue badge. That didn't work out, but I did gather a few more details while receiving death glares from staffers and security personnel.

Microsoft is going to make the Windows 10 PC a more family-focused device, taking on Amazon's Echo and Google Home as it does, according to the latest reports and rumors about forthcoming features.

The story starts with Twitter user Walking Cat poking around preview builds and finding reference to a feature named Home Hub. This appears to take the multi-user features of Windows 10 in a new direction. In addition to individual per-user accounts on shared machines, Home Hub will enable a shared Family Account and Family Desktop. This account will have its own calendar, music, pictures, and other resources that are used by and shared between several different people.

Mary Jo Foley tied that to job postings from November, where Microsoft outlined its desire to build family-oriented sharing features for Windows and its desire to compete with Google, Amazon, Apple, and AT&T

A Charleston, South Carolina judge declared a mistrial Monday in the case of a white South Carolina police officer on trial for the video-taped shooting of Walter Scott, a 50-year-old black man. The video was secretly taken last year by a passerby, and it has been viewed online millions of times. This week after four days of deliberations, the 12-member jury announced it was hopelessly deadlocked.

Michael Slager testifying. (credit: Today/YouTube)

On trial is Michael Slager, a 35-year-old now-fired North Charleston officer. He's accused of killing Scott by shooting the man in the back. Scott was pulled over in April 2015 for a routine traffic stop—a tail-light that was not working. He had a warrant for his arrest and fled the scene, prompting a chase. The officer testified that there was a brief altercation in a park over his Taser, and the cop then shot Scott five times as he fled. Slager has said he acted out of "total fear."

The killing is yet another instance of police shooting a black man in the US. According to various watchdog sources—the Washington Post, The Guardian, and the Killed by Cops database—between 706 and 844 people have been killed by US cops during the first nine months of 2016. Of that total, the North Carolina ACLU notes there were 194 deceased black Americans.

Enlarge / Pioneer Courthouse Square in Portland, Oregon, was the site of an attempted bombing on November 27, 2010. (credit: Craig Mitchelldyer / Getty Images News)

A federal appeals court has rejected an effort to overturn the Portland Christmas tree bomber’s conviction on the grounds that the surveillance to initially identify the suspect did not, in fact, require a warrant. On Monday, the 9th Circuit Court of Appeals also rejected an entrapment argument raised by lawyers for suspect Mohamed Osman Mohamud.

As Ars reported back in January 2016, the case (United States v. Mohamud) involves a Somali-American accused of trying to blow up a 2010 lighting ceremony in Portland. Undercover FBI agents posed as jihadis and presented Mohamud with the means to conduct the operation, which turned out to be wholly bogus. Mohamud was eventually found guilty and sentenced to 30 years in prison.

But after the conviction, the government disclosed that it used surveillance under Section 702 of the FISA Amendments Act to collect and search Mohamud's e-mail. Seeing this, Mohamud’s legal team attempted to re-open the case—but the judge denied their motion. Mohamud's defense raised this issue on appeal, but they have now been rejected by the 9th US Circuit Court of Appeals.

The USS Freedom (LCS-1), designed by Lockheed Martin... or perhaps by a jilted British designer who is pressing IP theft claims against the Navy. (credit: US Navy)

This has not been a good year for the US Navy's newest ships. Four ships from the Navy's two classes of Littoral Combat Ship (LCS)—the high-tech, modular warships that were supposed to be the future of naval warfare in areas close to shore—have suffered major engineering problems, including breaking down at sea. Three of the LCS ships that suffered engineering failures were from the Freedom class, ships built by Lockheed Martin for the LCS program: USS Freedom, USS Fort Worth, and USS Milwaukee. The program has also seen other setbacks, including the USS Montgomery (an Independence-class LCS built by Austal USA) suffering a cracked hull after bumping the wall of a Panama Canal lock.

But the LCS' engineering woes may not be the end of the trouble its shipbuilding programs are facing. As defense writer David Axe reports, David Giles, a British aerospace engineer-turned-marine architect, has filed a lawsuit accusing the Navy of stealing elements of the Freedom's design from work he did to commercialize a wave-piercing, "semi-planing" hull—work Giles patented in the early 1990s.

Giles' design, called the Prelude, was derived from work his firm first pitched to the British Royal Navy. The patents were filed for a design for high-speed container ships, called Fastships. Giles formed a company by the same name to build them. The design patents expired in 2010, but Giles' company—which is now bankrupt—filed suit against the Navy in 2012 after years of seeking compensation.