HTC Exec Leaks Trade Secrets
September 12, 2013 by admin
Filed under Around The Net
Three HTC Corp design executives were arrested on suspicion of illegally sharing trade secrets, sending the Taiwanese smartphone maker’s shares tumbling as its troubles deepened amid a wave of senior staff departures and disappointing sales.
Taipei prosecutors confirmed that HTC vice president of product design Thomas Chien, research and development director Wu Chien-Hung and senior manager of design and innovation Justin Huang were arrested on Friday.
Chien and Chien-Hung remain in custody, while Huang was released on bail, prosecutors’ office spokesman Mou Hsin Huang said.
The executives were also accused of making false commission fee claims totaling around T$10 million ($334,200). No further details about the allegations were immediately available.
The arrests came in response to a complaint filed by HTC last month accusing the executives of leaking trade secrets.
HTC declined to comment except to say the investigation had no impact on its operations. Chien and Chien-Hung could not be reached and Huang was not immediately available to comment.
Media reports citing the police said the executives were planning to use stolen new interface technology to set up a new mobile design company aiming at Chinese vendors.
Rocked by internal feuding and executive exits, and positioned at the high end of a smartphone market that is close to saturation, HTC has seen its market share slump to below 5 percent from around a quarter five years ago.
Developers Hack Dropbox
Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.
“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.
Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.
“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”
The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.
The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And, once someone has decompiled its source code, how “it is possible to study how Dropbox works in detail.”
“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.
The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products as well, they said.
The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”
Is The Tesla Hackable?
It’s the curse of the connected car: once it’s linked to the Internet, it’s, well, on the Internet. In the case of the Tesla Model S, this means that mischievous hackers could, in theory, control some functions of the vehicle and even snoop without the owner’s knowledge.
Tesla offers Android and iPhone apps for Model S owners, which can be used to check the vehicle’s battery, track its location and status, and tweak several other settings, like climate control and the sunroof. It can also be used to unlock the doors on the Model S.
Dell senior engineer George Reese says the REST API used by Tesla to provide access for Android and iPhone apps has several fairly serious security flaws, which could offer a way in for unscrupulous hackers.
According to an article written by Reese for O’Reilly, Tesla appears to have broken from accepted best practice when designing the API for the Model S.
“It’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs–Twitter uses it), this scenario is one that screams for its use,” he wrote.
However, Reese notes, this is merely a potential attack vector, not one that could be immediately exploited. That said, a compromised website, particularly one designed to provide “value-added services” via the API to Tesla drivers, could prove highly damaging.
“I can … honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese wrote.
Automotive hacking has been posited by experts for some time, and several presentations at this year’s Defcon detailed fairly comprehensive methods of compromising some models.
U.S. Cloud Vendors Hurt By NSA
Edward Snowden’s public unveiling of the National Security Agency’s Prism surveillance program could cause U.S. providers of cloud-based services to lose 10% to 20% of the foreign market — a slice of business valued at up to $35 billion.
A new report from the Information Technology & Innovation Foundation (ITIF) concludes that European cloud computing companies, in particular, might successfully exploit users’ fears about the secret data collection program to challenge U.S. leadership in the hosted services business.
Daniel Castro, author of the report, acknowledges that the conclusions are based, so far, on thin data, but nonetheless argues that the risks to U.S. cloud vendors are real.
Indeed, a month prior, the Cloud Security Alliance reported that in a survey of 207 officials of non-U.S. companies, 10% of the respondents said that they had canceled contracts with U.S. service providers after Snowden’s leak of NSA Prism documents earlier this year.
“If U.S. companies lose market share in the short term, it will have long-term implications on their competitive advantage in this new industry,” said Castro in the ITIF report. “Rival countries have noted this opportunity and will try to exploit it.”
To counter such efforts, the U.S. must challenge overstated claims about the program by foreign companies and governments, said Jason Weinstein, a partner in the Washington office of law firm Steptoe & Johnson and a former federal prosecutor and deputy assistant attorney general specializing in computer crime.
“There are a lot of reasons to be concerned about just how significant those consequences will be,” Weinstein said. “The effort by European governments and European cloud providers to cloud the truth about data protection in the U.S. was going on well before anyone knew who Edward Snowden was. It just picked up new momentum once the Prism disclosures came out.”
Weinstein contends that European countries have fewer data protection rules than the U.S.
For example, he said that in the U.K. and France, a wiretap to get content can be issued by a government official without court authority, but that can’t happen in the U.S.
“U.S. providers have done nothing other than comply with their legal obligations,” he said. But because of Snowden’s leaks, “they are facing potentially significant economic consequences.”
Gartner analyst Ed Anderson said his firm has yet to see any revenue impact on cloud providers since the Prism disclosures, but added, “I don’t think Prism does U.S. providers any favors, that’s for sure.”
Nonetheless, Anderson added, “I think the reality is [the controversy] is likely to die down over time, and we expect adoption to probably continue on the path that it has been on.”
One reason why U.S. providers may not suffer is because “the alternatives aren’t great if you are a European company looking for a cloud service,” he said.
Apple To Acquire Embark
September 3, 2013 by admin
Filed under Consumer Electronics
Apple is reportedly purchasing mapping app developer Embark, in a move that could lend more real-time navigation features for public transit to Apple’s own Maps app.
The acquisition, which was first reported by tech journalist Jessica Lessin, follows other recent mapping purchases by Apple: HopStop, another maker of apps for public transit directions; Locationary, which provides data about local businesses; and WifiSLAM, an indoor location and mapping company.
Apple did not directly confirm its acquisition of Embark, but in an emailed statement said, “Apple buys smaller technology companies from time to time, and we generally do not discuss our purpose or plans.”
Apple declined to comment further on the deal.
Apple has faced some serious challenges over the past year in providing a consistently solid mapping product with its Maps app. Last September Apple CEO Tim Cook was forced to publicly apologize for a series of issues plaguing the company’s Maps app in Apple’s iOS 6 operating system.
Embark is a company based in the San Francisco Bay Area that makes a mobile mapping app designed to help people navigate mass transit systems. The company’s app provides “tailored trips” specific to the user’s region, along with notifications for late-running trains and other advisories and closures.
Embark’s technology, if it does find its way into a future Apple product, could enhance Apple’s mapping products and make the company a stronger competitor to rivals like Google. Google’s Maps app already offers real-time public transit navigation features, as do some smaller players like iTransitBuddy.
Embark’s app is available for free on the iPhone for 10 transit systems including Boston’s MBTA, Chicago’s L, the New York City Subway and San Francisco’s BART and Caltrain systems, with more on the way, according to Embark’s website.
It is not clear whether Embark’s app will be shut down as part of the acquisition. The app was still available in Apple’s App Store at the time of this article’s posting.
Embark’s team could not be immediately reached to comment on the deal.
FTC Warns Google And FB
August 30, 2013 by admin
Filed under Around The Net
The Federal Trade Commission (FTC) has promised that it will come down hard on companies that do not meet requirements for handling personal data.
FTC Chairwoman Edith Ramirez gave a keynote speech at the Technology Policy Institute at the Aspen Forum. She said that the FTC has a responsibility to protect consumers and prevent them from falling victim to unfair commercial practices.
“In the FTC’s actions against Google, Facebook, Myspace and others, we alleged that each of these companies deceived consumers by breaching commitments to keep their data confidential. That isn’t okay, and it is the FTC’s responsibility to make sure that companies live up to their commitments,” she said.
“All told, the FTC has brought over 40 data security cases under our unfairness and deception authority, many against very large data companies, including Lexisnexis, Choicepoint and Twitter, for failing to provide reasonable security safeguards.”
Ramirez spoke about the importance of consumer privacy, saying that there is too much “shrouding” of what happens in that area. She said that under her leadership the FTC will not be afraid of suing companies when it sees fit.
“A recurring theme I have emphasized – and one that runs through the agency’s privacy work – is the need to move commercial data practices into the sunlight. For too long, the way personal information is collected and used has been at best an enigma enshrouded in considerable smog. We need to clear the air,” she said.
Ramirez compared the work of the FTC to the work carried out by lifeguards, saying that it too has to be vigilant.
“Lifeguards have to be mindful not just of the people swimming, surfing, and playing in the sand. They also have to be alert to approaching storms, tidal patterns, and shifts in the ocean’s current. With consumer privacy, the FTC is doing just that – we are alert to the risks but confident that those risks can be managed,” she added.
“The FTC recognizes that the effective use of big data has the potential to unleash a new wave of productivity and growth. Like the lifeguard at the beach, though, the FTC will remain vigilant to ensure that while innovation pushes forward, consumer privacy is not engulfed by that wave.”
It’s all just lip service, of course. Companies might be nominally bound by US privacy laws in online commerce, and that might be overseen by the FTC, but the US National Security Agency (NSA) collects all internet traffic anyway, and makes data available to other US government agencies and even some private companies.
Hackers Dupe Apple
August 28, 2013 by admin
Filed under Uncategorized
Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s test regime. A group of researchers presenting at Usenix were able to spread malicious chunks of code through an apparently innocuous app for activation later.
According to their paper, the Georgia Tech team wanted to create code that could be rearranged after it had passed the App Store’s tests. The code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.
They created an app that operated as a Georgia Tech “news” feed but had malicious code distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. After the app passes the App Review and lands on the end user device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.
The instructions for reassembly of the app arrive through a phone-home after the app is installed.
The app will run inside the iOS sandbox, but can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
Chinese Hackers Go After Dissidents
August 26, 2013 by admin
Filed under Around The Net
The “Comment Crew,” a group of China-based hackers whose outing earlier this year in major media outlets caused a conflict with the U.S., has resumed its attacks against dissidents.
FireEye, a security vendor that specializes in trying to stop sophisticated attacks, has noticed attackers using a fresh set of tools and evasion techniques against some of its newer clients, which it can’t name. But Rob Rachwald, director of market research for FireEye, said in an interview Monday that those clients include an organization in Taiwan and others involved in dissident activity.
The Comment Crew was known for many years by security analysts, but its attacks on The New York Times, described in an extensive report in February from vendor Mandiant, thrust it into an uncomfortable spotlight, causing tense relations between the U.S. and China.
Rachwald said it is difficult to determine if the organizations being targeted now were targeted by the Comment Crew previously, but FireEye said last month that the group didn’t appear to be hitting organizations they had compromised before.
Organizations opposing Chinese government policies have frequently been targeted by hackers in what are believed to be politically motivated surveillance operations.
The Comment Crew lay low for about four months following the report, but emerging clues indicate they haven’t gone away and in fact have undertaken a major re-engineering effort to continue spying. The media attention “didn’t stop them, but it clearly did something to dramatically alter their operations,” Rachwald said in an interview.
“If you look at it from a chronological perspective, this malware hasn’t been touched for about 18 months or so,” he said. “Suddenly, they took it off the market and started overhauling it fairly dramatically.”
FireEye researchers Ned Moran and Nart Villeneuve described the new techniques on Monday on FireEye’s blog.
Two malware samples, called Aumlib and Ixeshe, had been used by the Comment Crew but not updated since 2011. Both malware programs have now been altered to change the appearance of their network traffic, Rachwald said.
Many vendors use intrusion detection systems to spot how malware sends data back to an attacker, which helps determine if a network has been compromised. Altering the method and format for how the data is sent can trick those systems into thinking everything is fine.
In another improvement, encryption is now employed to mask certain components of the programs’ networking communication, Rachwald said. The malware programs themselves, which are designed to steal data and log keystrokes, are basically the same.
Mandiant’s report traced the hacking activity to a specific Chinese military unit called “61398.” The company alleged that it waged a seven-year hacking spree that compromised 141 organizations.
Rachwald said it is strongly believed the Comment Crew is behind the new attacks given its previous use of Aumlib and Ixeshe. But the group has also re-engineered its attack infrastructure so much over the last few months that it is difficult to say for sure.
Will The Tegra Processor Pay Off?
Last year Nvidia’s Tegra gamble seemed to be paying off nicely, but the insanely competitive SoC market moves fast and all it takes for things to go badly wrong is one botched generation. The Tegra 4 was late to the party and Nvidia eventually ended up with a big and relatively powerful chip that nobody wanted.
In its latest earnings call Nvidia made it clear that revenues from Tegra are expected to decline $200 to $300 million this year from about $750 million last year. Even this seems like a relatively optimistic forecast. Tegra 3 ended up in quite a few high-volume products, such as the Nexus 7, HTC One X, LG Optimus X4 and a bunch of other phones and tablets. On paper, Tegra 4 will end up with a similar number of design wins, maybe even more, but nearly all of them are low-volume products.
At the moment there are only a handful of Tegra 4 products out there. These include HP’s Slatebook 10, Toshiba eXcite Pro and eXcite Write tablets and Nvidia’s own Shield console. Nvidia’s 7-inch Tegra Tab is also on the way, along with the Surface RT 2. Some Chinese vendors like ZTE are also expected to roll out a Tegra 4 phone here and there, but the chip won’t end up in any big brand phones.
Nvidia does not release any Tegra unit shipment info, so we can only guess how many Tegra 3 and Tegra 4 chips are out there, but it doesn’t take much to realise Tegra 4 is a flop. Shipments of the original Nexus 7, powered by the Tegra 3, are estimated just north of six million units. Surface RT shipments were abysmal. Earlier this year analysts put the figure at just 900,000 units after a full quarter of sales. Microsoft eventually took a massive write-down on its Surface RT stock. LG and HTC didn’t reveal any shipment figures for the Optimus 4X and HTC One X, either. HTC shipped about 40 million phones last year, while LG managed about 27 million. We can’t even begin to estimate how many of them were flagship products powered by Tegra, but the number was clearly in the millions.
This time around Nvidia can’t count on strong smartphone sales, let alone the Nexus 7 and Surface RT. Even if it scores high-end tablet design wins, the truth is that high-end Android tablets just aren’t selling well. Nvidia needed high-volume design wins and Android tablets just won’t do the trick. Qualcomm is in the new Nexus 7 and the HTC One. Back in May analysts reported that HTC One sales hit the 5 million mark in the first two months of sales, although shipments have slowed down since then. Millions of Snapdragons found a home in the HTC One and millions more will end up in the new Nexus 7.
Nvidia’s talk of a $200 to $300 million hit this year doesn’t exactly paint the full picture. Tegra 3 shipments in the first two quarters of 2013 were modest, but relatively good. However, nothing took its place and the true extent of the Tegra 4 flop will only become visible in the first quarter of 2014 and beyond. The big hope is that the Tegra 4i and Tegra 5 will start to come online by then, so the numbers for the full year won’t be as terrible, but it is abundantly clear that Nvidia cannot afford another Tegra 4.
As for Nvidia’s Tegra Tab and Shield, they might do well. Nvidia knows a thing or two about hardware, but even if they prove successful, they just won’t be enough, at least not in this cycle.
Is Apple Doomed?
August 22, 2013 by admin
Filed under Consumer Electronics
The necromancy department of Apple has been summoning the spirit of Steve Jobs in the hope of turning around its current dismal growth figures. For a while now, even amongst Apple fanboys, there has been a belief that Jobs’ Mob has gone down the tubes since Jobs croaked.
It is a myth of course; Jobs’ specialty was not innovation but marketing working ideas as if they were his own. But either way, Apple is trying to convince everyone that the new iPhone was personally designed by its former CEO. Even after being dead for a while now, and having had no influence over the disasters the company has since suffered, Jobs apparently was on board for the iPhone 5S.
According to Apple’s government liaison Michael Foulkes, Jobs oversaw the design of two models of iPhone to go on sale after his death. We suspect that it will take full resurrection before anyone takes this particular spin seriously. If Jobs could really see into the future and predict where his toys would be three years after he died, we would have thought he would also have seen that it was a stupid idea not to accept conventional medical treatment for his cancer until it was too late.