SMARTPHONES ON WHEELS
The Connected Car
The way cars are made, bought and driven is changing with mobile communications. This paves the way to a driverless future.
IN A generation from now, your journey home may go a bit like this. As you leave your office, an empty car rolls up. Perhaps you summoned it, or maybe this is a regular pickup. On the way home you listen to your favourite music, watch a television show or catch up with the news. You barely notice as the car slows down or speeds up to avoid other vehicles, except for when it pulls aside to let an ambulance through. Some of the other cars have drivers using a steering wheel, but many of them, like yours, have no wheel at all.
Despite that hold-up your journey is much faster, even though there are more cars on the road than in 2014. When you arrive home, the car heads off to its next client, or to park somewhere and wait for a call. You don’t know or care. After all, it’s not your vehicle: you summon a car only when you need one.
Tantalising glimpses of this future are common today, most notably in Google’s bubble-shaped prototype of an autonomous car. The internet giant has been running Toyotas and other models adapted for driverless travel up and down Highway 101 in Silicon Valley for a couple of years now, using on-board sensors to keep the vehicles on the straight and narrow.
Other experiments use a different approach to ensure safe journeys. Some 3,000 drivers in Ann Arbor, Michigan, have had wireless internet connections fitted to their cars. These are used to feed information to and from other vehicles and the transport infrastructure. The system will, for instance, warn a driver about to overtake a car if there is a chance of a collision with an oncoming vehicle, or change a traffic light to green if safe to do so.
The number of vehicles involved in the project, run by the University of Michigan and largely funded by America’s Department of Transportation, could triple over the next few years.
What is happening in Michigan is part of a much broader trend: the rise of the “connected” car. This is the coming together of communications technologies, information systems and safety devices to provide vehicles with an increasing level of sophistication and automation. It is a process that will change not just how cars are used but also the relationship between a car and its driver. This, in turn, will affect the way vehicles are made and sold. Eventually, it is the connected car that may deliver a driverless future.
The kit that enables this is starting to appear in new vehicles. Some of the most advanced driver aids can be specified in certain Mercedes-Benz models. These cars are already capable of doing a fair bit of autonomous driving. For instance, the German company’s new “Intelligent Drive” package has a feature which, in congested traffic moving at less than 60kph (37mph), allows the driver to let the car steer, brake and accelerate by itself. The system uses a combination of ultrasonic and radar sensors along with cameras that monitor all around the vehicle. Because Mercedes drivers like to be comfortable, it will even automatically adjust the suspension before the car hits a pothole in the road.
Many features in modern cars are becoming accessible to smartphones that connect to the vehicle. A smartphone app allows the driver of an electric BMW i3, for example, to check the battery capacity of his vehicle while it is being topped up at a recharging station.
Audi, part of the Volkswagen group, is working on a system which would allow a driver to get out of the car and use his smartphone to instruct the vehicle to park itself.
Connected cars are a marriage of two types of mobile technology: the mechanical sort, which revolutionised transport in the 20th century, and the electronic variety, which has transformed telecoms in the 21st. A recent report by analysts at Citigroup, a bank, used data from IHS, a research firm, to divide the ways that mobile telecoms are influencing motoring into three useful groups.
The car app
The first bunch is made up of services and applications delivered via mobile networks to a car—either to systems that are part of the vehicle or to devices, such as smartphones or tablets, carried by the driver or passengers and connected to the car wirelessly or with a cable. The most obvious examples are “infotainment” systems, which stream music, video, satellite navigation and traffic information. The second consists of services based on data supplied from the car, such as advance warning that a part needs to be replaced. And the third category brings together multiple vehicles, communicating with each other and with smart infrastructure, from roadside sensors to traffic signals and remote data centres, to make traffic flow more smoothly and safely.
Broadly speaking, services in the first group are the most widespread already. “The cards in infotainment have been dealt,” says Andreas Mai of Cisco, a network-equipment giant. People already have their favourite services, like iTunes, Spotify or TripAdvisor, on their smartphones. Surveys, though, suggest that car buyers place a higher value on services that make travelling safer, save them time or money, or alert them to problems with their vehicle. These services lie mainly though not wholly in the second and third groups.
But widespread availability may take several years.
The number of cars with some sort of networking ability today is small, perhaps only 8% of the global total, according to McKinsey, a consulting firm. But by 2020 around a quarter of all cars, mainly the more expensive sort, will be online. The build-up will be relatively slow because many old cars stay on the road for a decade or so. But for new cars things are changing rapidly. BMW has been embedding SIM cards for mobile connectivity in all its new cars since April. By 2020, around 90% of all manufacturers’ new models are likely to have them, according to Machina Research, another consulting firm. The market then starts to look particularly juicy. A recent report by GSMA, the mobile operators’ trade body, says revenues from the sale of in-vehicle services, hardware and the provision of connectivity itself will treble over five years to reach $39 billion by 2018. Machina reckons it could rise to a staggering $422 billion by 2022, most of it coming from connected services to and from vehicles.
Car buyers are expected to be keen on connected services once they get to know about them and see them in action. This much is clear from the limited offerings already available. The ability for the car itself to call the emergency services automatically in the event of an accident is reckoned by many drivers to be a valuable feature of GM’s OnStar, a connected safety and navigation system which in effect enables a vehicle to function as a phone. A separate app also allows OnStar users to lock and unlock the car’s doors remotely, start the engine and find the vehicle on a map if the driver forgets where he parked it. GM aims to have the service available in nearly all its cars worldwide by 2015.
But regulators are also forcing the pace.
The European Union wants a system that automatically calls for help in the event of a crash to be fitted to all new vehicles by 2015. Russia has similar plans and Brazilian cars will need to be fitted with trackers as a way to reduce theft. Encouraged by the Ann Arbor test, in February America’s National Highway Traffic Safety Administration said it would begin working on a regulation to require vehicle-to-vehicle (V2V) communication to be fitted in all new cars.
On the digital dashboard
Different applications require different technologies. A search for a parking space would probably go over public mobile networks from an app, whether on the driver’s smartphone or one running on a digital dashboard. For safety features, such as preventing a car from pulling out in front of another, V2V communication is essential, says Kurt Sievers of NXP, a semiconductor company. Public networks will be too slow for this and may lack the capacity. His company is making systems with dual antennae to cope with reception difficulties, because radio waves from moving vehicles tend to bounce off buildings and other surfaces. Authentication of signals matters too, to prevent cars taking unnecessary avoiding action.
With increased connectivity between cars, driver aids will become much more sophisticated. A connected car would, for instance, receive not just information about a hazard detected by its own sensors, but also alerts from a vehicle farther along the road or around a blind corner.
Connectivity can also help provide more real-time information about traffic hold-ups, beyond that already provided by satellite-navigation devices. The addition of vehicle-to-infrastructure communication (V2I) takes things further still.
Whereas the connected cars in Ann Arbor can change the timing of traffic lights, a combination of V2V, V2I and automated driving could do away with traffic lights completely. Cars could be co-ordinated so that they avoid one another at road crossings. Not having to stop at road crossings would reduce congestion.
The sensors in vehicles that check things like tyre and oil pressures, as well as brakes and engine performance, will also have a role. Pavan Mathew of Telefónica, a mobile-network operator, points out that many drivers dread the moment when a dashboard warning light flicks on. Remote monitoring and messaging can swiftly send a note to the driver about the extent of the problem.
Vehicles’ diagnostic systems could also pick up faults before they are manifested as black smoke pouring from an exhaust pipe or a horrible grinding noise from the engine. Cars could then be brought in for repair before trivial problems develop into big ones. Following the lead of Tesla, a Californian maker of electric cars, more faults might one day be fixed remotely over the internet by a software upgrade.
Indeed, checking on cars remotely has plenty of other possibilities that may reduce (or worsen) stress levels. Online services will allow, for instance, closer monitoring of the driving behaviour of teenagers beyond the basic warnings of aggressive braking or exceeding speed limits that the “black boxes” supplied by some insurance companies presently provide. And not just younger drivers. Insurers are likely to offer any driver a lower premium if technological monitoring of his driving habits shows he is being careful.
Exactly who will deliver all these new motoring services is far from clear. It is by no means certain that it will be traditional carmakers, even though they are all busily developing, making and marketing increasingly connected vehicles.
In the past consumers have expected the new technologies that appear in cars quickly to become standard features for which they pay little if anything extra. Electric windows, anti-lock brakes and power steering are now almost universal.
The connected car, however, has created powerful new competitors in the motor industry’s traditional supply chain. And some of those new competitors are keen to win themselves a big slice of the action. These are mobile-telecoms operators, makers of networking gear, developers of V2V and V2I technologies, producers of consumer hardware and systems, software firms and creators of mobile apps.
Cars will become bundles of different technologies, not only of devices but also of consumer brands, all vying for the driver’s attention in a sometimes uneasy alliance with carmakers. Apple and Google are locked in competition for control of the digital dashboard. In response to CarPlay, a vehicle-infotainment system developed by Apple, Google in June launched a rival called Android Auto.
Mobile-phone operators see the connected car as yet another device to be hooked up to their networks. In America, AT&T is letting drivers of GM cars add their vehicles to their data plans, alongside their smartphones and tablets, for $10 a month. In future, which mobile network you use may affect your choice of car. In a recent poll Nielsen, a market-research firm, found that half of Americans who owned cars made since 2009 would be less likely to buy a new car if it had a different data plan from their smartphone.
Invisible competitors
Not everyone trying to get in on the act will be visible to the driver. All the data going to and from cars and infrastructure will have to be transmitted and processed. That adds to demand for chips, network equipment and data centres.
Cisco, for example, envisages a lot of processing taking place not in the “cloud” of central data centres but more speedily and conveniently within a “fog” of intelligent networks.
Carmakers know they will have to share the benefits of the connected car. Some seem gloomy about their prospects of getting any of them at all. Fiat Chrysler’s boss, Sergio Marchionne, is worried that it will cost his company money to “provide a venue to host other people’s parties”. Some carmakers see more of an opportunity to profit as they could benefit beyond their share of the monthly charges for connectivity. Using the data to tweak the design and performance of their vehicles by identifying components that are more likely to cause problems will both help them to improve the cars they produce and cut warranty costs. Good connectivity should help to reinforce brand loyalty too.
The relationship between carmakers and their customers is at arm’s length at present, operating through a dealership system that is reminiscent of that between handset-makers and operators. After selling a car through a franchised dealer, further interaction with car buyers is limited to a dealership visit every couple of years for a service (or sooner if there is a problem). Connectivity will bring the customer and carmaker closer together. Ship and forget will be supplanted by ship and update, which is what makers of computers and mobile devices do already. So far car companies seem unclear about what this will mean for how they do business.
Getting closer to their customers should at least make the carmakers more responsive. The data can help manufacturers and dealers target customers more efficiently. As well as sending details of offers, dealers might better fit a particular car to a driver through an analysis of individual driving habits.
They could suggest extra features that would suit some motorists, from hybrid technology to modest add-ons. Some carmakers are already miles along this road. Elon Musk, Tesla’s boss, laughs at the suggestion that his customers would accept anything less than a high degree of connectivity and interaction when he sells them an electric car.
The data could help customers know more about cars too. Motorists will have the ability to find out the actual miles per gallon a car will do in the real world rather than trust the claims made by car companies, which use a box of tricks to make their vehicles unrealistically frugal during tests.
Carmakers, usually conservative and slow-moving, are getting ready. Aside from the engine, body and interior, cars already contain lots of electrical architecture. Most of the big firms have set up connected-car groups to work alongside their electrical engineers to ensure that the hardware and software required for connectivity fit. Detroit’s car guys are deferring to techies, poached from the software industry, who are adept at dealing with app-makers and the like. Carmakers are looking closely at Tesla, which describes itself as a “software company that builds cars”, for inspiration.
Connectivity will eventually change the way cars are integrated into transport systems. Car sharing, either through car clubs run by the big rental firms or peer-to-peer services, will be far easier when communication between vehicles and potential passengers is seamless and any car can be accessed and operated securely by any smartphone. Making journeys using several forms of transport, including a car, will be smoother if it is easier to find car-sharing locations or parking spaces close to connecting points for trains or buses.
And with increasing automation and connectivity there will be less need to have to own or drive these vehicles yourself. Today’s experimental autonomous cars stuffed full of on-board sensors are only part of the solution. The development of systems that let cars talk to cars, and to the world beyond, will be just as important on the road to a driverless future.
Apple’s iOS 8, the latest version of the operating system for iPhone, iPad, and iPod, is now available. It’s pretty darn slick, and it’s what everyone who orders a new iPhone 6 will get when those devices start arriving on Friday. But the upgrade is also available for existing Apple devices. Should you upgrade right now?
If your answer is an instinctive, “Heck, yeah; I’m in!” then read our guide and get going.
If you’re the more cautious type, take heed of these warnings:
Warning 1: It takes a lot of space (temporarily).
While the operating system itself is about a 1-gigabyte download (which is pretty big), your device needs even more breathing room to perform the update. Reports vary, but on an iPad 3, for example, you need at least 5.8 GB of free space. The update will not happen if you have less than that. On an iPad mini with Retina Display, one warning said 6.9 GB.
That may mean you’ll have to delete a lot of music, videos, or apps before you can update. If you have a 16 GB device, the winnowing process might make you cry. Hint: Look at your video files first.
You don’t have to sacrifice all that room for good; it’s just a playground for the installer during the surgery. Once the upgrade is complete, iOS 8 will let you use that space you freed up for your apps and files again.
One moment while I unload some videos.
Warning 2: It’s slow to update (for now).
On iOS 8’s birthday — today — there are millions of people trying to get the update simultaneously. That’s a lot of data coming out of Apple’s servers, and you won’t get the full-speed transfer you might see if you wait until the lines die down. Give the update some time.
That’s not good. Eventually I was forced to give up on this (see next screenshot) and got the file in about 40 minutes through my desktop computer.
If you really can’t wait, you’ll have better luck if you can do the update via iTunes on your Mac or PC, with your device connected to the computer. As of Wednesday, it looks like a 30- to 50-minute download for the update file that way. Downloading the update file over WiFi to your iPhone or iPad generally takes longer. This morning, at the office where I work, the update app was projecting between five and seven hours to download. And then, after two hours, it gave up.
It didn’t even say why.
Warning 3: Allow time for the installation.
While you’re downloading the iOS 8 installer, you can keep using your phone or tablet. But after the download, the actual installation can take 30 minutes or more (it took me an hour) — during which time you can’t use your device. Don’t start the upgrade if you’ll need your gadget during that time.
Warning 4: It might slow down your older device.
iOS 8 works best on the latest Apple devices, which have much faster components than older ones. Apple says iOS 8 officially works on phone models as old as the iPhone 4s, and iPads as old as the iPad 2. But, in truth, you won’t get the same snappy responsiveness on those older devices, especially with processor-intensive services like Siri.
Warning 5: Don’t accept the upgrade to iCloud Drive (yet).
Apple is changing its online storage product. The older iCloud is being phased out, and the newer iCloud Drive is where Apple will now store all your files. It’s a Dropbox-like “online disk,” and it looks like an improvement from iCloud. You’ll be able to put files on it and access them from any Apple phone, tablet, or computer.
Just one thing, though: It requires the latest operating system on every device: iOS 8 on mobiles and OS X Yosemite on computers. And Yosemite isn’t out yet. So if you allow your device to upgrade from iCloud to iCloud Drive, your Mac won’t be able to see files saved from iOS, and your iOS device won’t be able to see the older iCloud files from your computer.
So when given the option to “Upgrade to iCloud Drive,” decline. Once your Mac has the new operating system, go into Settings on your phone or iPad and turn iCloud Drive on at that point.
Warning 6: Save your iPhoto projects first.
Apple is also discontinuing the iPhoto app on iOS devices; its replacement is an expanded version of the Photos app that’s always come on iPhones and iPads.
If you use only the built-in Photos app, no problem; everything keeps working. But the Photos app doesn’t recognize the photo books and other projects created by the iPhoto app for iOS; you’ll lose that once you upgrade to iOS 8, since iPhoto doesn’t work at all on the new OS.
Apple explains here how to make the shift, what you’ll be able to keep, and what you’ll lose.
Heartbleed is bad, but you can mitigate its damage, albeit via different approaches for users, admins, and developers.
Let's face it: Heartbleed is a bloody mess. Worse, it's a different kind of mess for everyone who has to clean up after it. Administrators, end-users, and software developers will all be confronted with aspects of Heartbleed that each can only deal with alone.
Here's what each of them needs to do to mitigate the threats that matter most to them individually.
Users
In some ways users have it hardest since the only measures they can take are entirely reactive. They can't patch the actual sites they use (unless they've actually built them), but users can still do a great deal on their own.
1. Check sites you visit for the vulnerability. When news of Heartbleed first broke, the only way to find if a given site was vulnerable was to check against one of a number of manually maintained lists of vulnerable sites or to use a third-party website that tested for the vulnerability. Fortunately, you don't have to do that by hand anymore as both Firefox and Chrome now have add-ons that can manually check the status of a visited site.
2. Rotate passwords, but only after a site has been patched. This is the tricky part. On the whole, it's a good idea to rotate passwords after any security breach, but only after the breach itself has been closed. Otherwise, it's like changing locks on a door that's never closed anyway. To that end, rotate passwords on affected sites, but only after you're certain Heartbleed is no longer an issue there.
If you're not already using a password manager, this is as good an excuse as any to get set up with one. And if you're using sites that support two-factor authentication of some kind but haven't bothered with it, this is also a good excuse to make use of it.
Users of the LastPass password management service get two -- possibly three -- benefits for the price of one. The service not only manages passwords and syncs them across devices, but even lets you know if services are Heartbleed-vulnerable and whether or not it's a good idea to update the password yet (whether or not the site has patched and it's OK to rotate passwords).
3. Enable certificate revocation checks in your browser. Certificate revocation determines if the SSL/TLS certificates used by your browser have been revoked, which many sites are in the process of doing to avoid reliance on keys that might have been compromised courtesy of Heartbleed.
In Google Chrome, this is in Settings: Advanced Settings, under "Check for server certificate revocation." With Firefox, this is enabled by default, so you don't need to do anything. The CloudFlare blog has further notes about the behavior of each browser when dealing with certificate revocation.
Administrators
1. Patch affected systems. Before you say "duh," the trick is to find out which systems are affected. There may be more of these than you think, since OpenSSL may be employed in ways that aren't exclusively external, client-facing applications. Those are clearly the most important ones, but don't assume the inventory of affected systems ends there. Some Cisco products, for instance, may be vulnerable; ditto for Juniper Networks.
Another, even trickier, example: Microsoft's implementations of TLS in Windows Server systems do not appear to be affected by Heartbleed, but that doesn't mean all software running on Windows boxes is unaffected. Some of that software may implement OpenSSL in its own way and need to be updated separately from anything else.
2. Reissue and revoke certificates. Don't flinch. Reissuing and revoking certificate keys is dirty work, but it needs to be done, and even (especially!) big outfits like Akamai have started that difficult job since compromised certificates have to be revoked within 24 hours. Make sure the new certificates are properly credentialed and follow proper guidelines; don't end up like PayPal, which had some of its new certificates issued in the wrong name ("PayPal, Inc.\0a").
Developers
1. Audit your code for the use of OpenSSL. Do an audit on all your own projects to determine where or if you are using OpenSSL, then patch or update appropriately. The bigger the project, the more likely it is to contain some dependency on OpenSSL.
2. Get the changes out there. Make sure any products you've updated can get into the hands of users all the faster. For example, Android 4.1.1 is affected (but not earlier versions of Android), and while Google is distributing patches to its hardware partners, who knows how long it'll take before those patches actually hit affected devices. Don't be like that if you can help it.
3. Consider alternatives to OpenSSL if it's feasible. OpenSSL is not the only game in town; other libraries exist. This isn't to say they're drop-in replacements or won't manifest problems of their own, but now might be the time to think about where they could be of use.
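One way to start the audit in developer step 1, and to find the separately bundled copies mentioned under "Patch affected systems" (an added example, not code from the original article): the script walks a project tree and lists header includes, linker flags, package dependencies, bundled library files and the version banner that OpenSSL builds embed, which also turns up statically linked copies. The function names, the sample tree and the placeholder banner are constructed for illustration; compare any reported version against the vendor advisory.

```python
import os
import re
import tempfile

# Text-level references to OpenSSL in source, build files and manifests.
TEXT_PATTERNS = {
    "header include": re.compile(r'#\s*include\s*[<"]openssl/[\w./]+[>"]'),
    "linker flag": re.compile(r"(?<![\w-])-l(?:ssl|crypto)\b"),
    "package dependency": re.compile(
        r"\b(?:pyopenssl|openssl-sys|libssl-dev|openssl-devel)\b", re.I),
}
# File names of bundled OpenSSL libraries (Unix libs and the 1.0.x Windows DLLs).
BUNDLED_LIB = re.compile(
    r"^(?:lib(?:ssl|crypto)\.(?:so|a|dylib)(?:\.[\w.]+)?"
    r"|(?:libeay32|ssleay32)\.dll)$", re.I)
# Version banner compiled into OpenSSL, e.g. b"OpenSSL <version> <day> <Mon> <year>".
BANNER = re.compile(
    rb"OpenSSL \d+\.\d+\.\d+[a-z]*(?:-\w+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")

# Constructed placeholder banner for the sample tree; not a real release.
SAMPLE_BANNER = b"OpenSSL 0.0.0x 01 Jan 2000"


def audit_tree(root):
    """Return sorted (relative_path, kind, detail) findings for one tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()  # fine for a demo; stream large files in practice
            if BUNDLED_LIB.match(name):
                findings.append((rel, "bundled library", name))
            # The banner survives static linking, so check every file's bytes.
            for banner in sorted(set(BANNER.findall(data))):
                findings.append(
                    (rel, "embedded version banner", banner.decode("ascii")))
            if b"\x00" in data:
                continue  # binary file: skip the line-oriented checks
            text = data.decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, pattern in TEXT_PATTERNS.items():
                    if pattern.search(line):
                        findings.append(
                            (rel, kind, f"line {lineno}: {line.strip()}"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a small constructed project into root for the demonstration."""
    files = {
        "src/net.c": b"#include <openssl/ssl.h>\nint main(void) { return 0; }\n",
        "Makefile": b"LDLIBS = -lssl -lcrypto\n",
        "requirements.txt": b"requests\npyOpenSSL\n",
        "docs/notes.txt": b"Nothing TLS-related in this file.\n",
        # A DLL shipped next to a Windows application.
        "vendor/win32/libeay32.dll": b"MZ\x00\x00" + SAMPLE_BANNER + b"\x00",
        # A statically linked binary whose name gives nothing away.
        "bin/agent": b"\x7fELF\x00" + SAMPLE_BANNER + b"\x00",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def run_demo():
    """Audit the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, kind, detail in run_demo():
        print(f"{rel}: {kind}: {detail}")
```

Point `audit_tree()` at a real checkout or install directory to build the inventory; it only reports where OpenSSL appears and makes no judgement about which versions need patching.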
Mobile phones may be treated like playthings these days. However, these flashy gadgets can prove dangerous if not handled with care. Several instances have been reported about the phones blasting off suddenly, the latest victim of which was a 14-year-old child of daily wage workers from Seoni. The blast was so bad that the boy narrowly escaped death and ended up with severe disfigurement to his jaw, nose, mouth and face. TOI tells you the do's and don'ts of handling mobile phones.
What are the things to be kept in mind while buying mobile phones?
Buy a branded phone as far as possible. Ensure that the phone has a proper IMEI number, which is a code that identifies each phone. Check that the number on the phone corresponds to that on the box and receipts.
How and why do mobile phone blasts happen?
The most common reasons for a cell phone to explode are using it while the phone is being charged and 'call bombing'. Charging puts pressure on the motherboard of the phone; using it during charging increases this pressure manifold. This causes the cheap electronic components in some mobiles to explode. Call bombing refers to calls or missed calls received from international numbers. If one receives or calls these numbers back and the call exceeds a certain amount of time, the phone will blast. There is also malware, or a bug, found in some Android-based smartphones that can cause an explosion by exerting extra pressure on the motherboard during charging.
What care should be taken to ensure not much pressure is put on the phone?
Avoid using the phone while the battery is being charged. If you wish to receive a call during this time, disconnect the phone from charger before connecting the call. Ensure it is not over-charged by removing the electric supply when the battery is fully charged. If your battery seems to have swollen, replace it immediately.
Why is it dangerous to buy cheap phones?
Most cheap models, like those of Chinese make, use hardware and components that are not branded and often substandard. The quality of vital accessories such as the battery and earphones is compromised, which can have disastrous outcomes. Such components cannot be used continuously for as long as their high-quality substitutes. Their shelf life is also shorter.
Is it more harmful to surf internet or download anything on mobile phones?
Yes, because anti-virus software for mobile phones is not as effective. That is why one should avoid downloading anything from a third-party vendor, i.e. directly from the internet browser. Instead, use the built-in store or market application provided by the operating system. Malware, which is software that creates a bug in the operating system of the phone, often gets downloaded with third-party tools. The sites that you visit using the phone must start with https (which means they are encrypted or safe sites).
Avoid using public or unsecured Wi-Fi connections. A hacker could access the mobile device through a port that is not secured. Make sure the Bluetooth connectivity is not switched on in public places as it can be used to send malicious files which corrupt the operating system.
Are there certain precautions that must be practiced while using a mobile phone?
While communicating using your cell phone, try to keep the cell phone away from the body as this would reduce the strength of the electromagnetic field of the radiation. Whenever possible, use the speaker-phone mode or a wireless Bluetooth headset. For long conversations, use a landline phone.
Avoid carrying your cell phone on your body at all times. When in pocket, make sure that key pad is positioned toward your body so that the transmitted electromagnetic fields move away from you rather than through you. Do not keep it near your body at night such as under pillow or a bedside table, particularly if pregnant. You can also put it on 'flight' or 'offline' mode, which stops electromagnetic emissions. Avoid using your cell phone when signal is weak or when moving at high speed, such as in car or train.
How to deal with a wet phone?
After removing the phone from water, dismantle it by removing battery, SIM and memory cards and switch it off (only SIM card in case of an iPhone). Dry each component thoroughly (but gently) with a towel until the phone is dry to the touch. Then put all components in a bowl of uncooked rice in a way that all components are totally covered. If you have any silica packets (the ones that come with products like new shoes), put them into the bowl too. Leave it there for 12-24 hours.
Never use a hair dryer to try to dry the phone quicker. Drying it with a heated hair dryer can cause important parts to melt, while forcing water further into the phone. Drying it with a cold hair dryer will just force water deeper into the phone.
Why shouldn't you hold your mobile in your mouth?
Using mobile phones too close to your mouth regularly or holding cell phone in your mouth frequently could lead to malignant salivary gland cancer and tumors in mouth. Regular cell phone users who speak with the phone held too close to the mouth face the problems of sleep disturbance, migraine and headache.
When the internet of things misbehaves!
“THE internet of things” is one of the buzziest bits of jargon around in consumer electronics. The idea is to put computers in all kinds of products—televisions, washing machines, thermostats, refrigerators—that have not, traditionally, been computerised, and then connect those products to the internet.
If you are in marketing, this is a great idea. Being able to browse the internet from your television, switch on your washing machine from the office or have your fridge e-mail you to say that you are running out of orange juice is a good way to sell more televisions, washing machines and fridges. If you are a computer-security researcher, though, it is a little worrying. For, as owners of desktop computers are all too aware, the internet is a two-way street. Once a device is online, people other than its owners may be able to connect to it and persuade it to do their bidding.
On January 16th a computer-security company called Proofpoint said it had seen exactly that happening. It reported the existence of a group of compromised computers which was at least partly comprised of smart devices, including home routers, burglar alarms, webcams and a refrigerator. The devices were being used to send spam and “phishing” e-mails, which contain malware that tries to steal useful information such as passwords.
The network is not particularly big, as these things go. It contains around 100,000 devices and has sent about 750,000 e-mails. But it is a proof of concept, and may be a harbinger of worse to come—for the computers in smart devices make tempting targets for writers of malware. Security is often lax, or non-existent. Many of the computers identified by Proofpoint seem to have been hacked by trying the factory-set usernames and passwords that buyers are supposed to change. (Most never bother.) The computers in smart devices are based on a small selection of cheap off-the-shelf hardware and usually run standard software.
This means that compromising one is likely to compromise many others at the same time. And smart devices lack many of the protections available to desktop computers, which can run antivirus programs and which receive regular security updates from software-makers.

Ross Anderson, a computer-security researcher at Cambridge University, has been worrying about the risks of smart devices for years. Spam e-mails are bad enough, but worse is possible. Smart devices are full-fledged computers. That means there is no reason why they could not do everything a compromised desktop can be persuaded to do—host child pornography, say, or hold websites hostage by flooding them with useless data. And it is possible to dream up even more serious security threats. “What happens if someone writes some malware that takes over air conditioners, and then turns them on and off remotely?” says Dr Anderson. “You could bring down a power grid if you wanted to.”
That may sound paranoid, but in computer security today’s paranoia is often tomorrow’s reality. For now, says Dr Anderson, the economics of the smart-device business mean that few sellers are taking security seriously. Proper security costs money, after all, and makes it harder to get products promptly to market. He would like legislation compelling sellers to ensure that any device which can be connected to the internet is secure. That would place liability for hacks squarely on the sellers’ shoulders. For now, he has had no luck. But Proofpoint’s discovery seems unlikely to be a one-off.

Good people, let's have your opinion(s).
JUST READ THIS INTERESTING ARTICLE, AND DECIDED I SHOULD SHARE IT WITH ALL MY FRIENDS IN HERE.

Article originally posted on the Infoworld website.

Recently, I was asked by an instructor at a technical college if I would mind responding to some of his students' questions. I happily agreed. Ultimately, this resulted in a lively back-and-forth session, so I decided to share the exchange with you. Enjoy!

Question 1: Microsoft just announced a huge list of security patches for "Patch Tuesday." Why doesn't it just focus on a single product and fix all of the security holes in one shot?
Finding bugs in products doesn't work that way. Every product that Microsoft codes goes under dozens of manual and automated tool reviews. That scrutiny is vital because Microsoft is the biggest target, and as a result Microsoft products actually have fewer vulnerabilities than those of its nearest competitors. But even with the right tools and processes, you can't catch everything.

New techniques are found, mistakes are made, and until you have perfect humans, you'll never have perfect code and you'll never have perfect bug detecting.

Here's a good example. Years ago someone discovered they could buffer-overflow the HTML color attribute field located on Web pages as it was rendered in a popular browser. No browser vendor at the time ever thought the color attribute field could be abused. The vendor's security reviewers didn't know to look for it and neither did any of the private or third-party tools, despite the fact that every field should be boundary-tested. Now all vendors check for it. Everything looks easier in hindsight -- improving software is an evolving process.

Question 2: In one of your blog posts, you mentioned something like: "The NSA could be hiding small snooping programs in, let's just say, a picture of a cute kitten or a fun Android game." So how can the average Joe ever know that what they download is the real picture or app with no hidden malware in it?
The short answer is you can't -- not even close. The only thing you can do is decide to trust the entity that created the device or code, especially if it is digitally signed. Because as long as their digital-code signing cert wasn't compromised or the machine the code was signed on wasn't compromised, at least you can say that the code the developer signed was what they signed when they signed it. But the truth is you really don't know.

It's all a matter of faith and trust. Certainly some vendors deserve more trust than others. Personally, I believe we need to "fix" the Internet and make hacking and snooping, even by the NSA, easier to prosecute and easier to detect. It disturbs me greatly that what the NSA does is completely legal ... and most countries don't even have the laws that we do. I wish everyone's privacy laws were stronger. In the United States, we need to modify our Constitution to guarantee more personal privacy. I thought the amendment against unreasonable search and seizure did that, but it's not even close to being enough these days.

Question 3: I liked your article "Crazy IT security tricks that actually work." Someone dismissed your points of "security through obscurity." If these things work, then why would the IT Industry be so quick to discount them?

People repeat dogma as fact, when all you're really talking about are cute little sayings that were a stretch from the beginning. Obscurity is one part of security. It shouldn't be relied upon as the only defense, but it certainly plays a big part. If it didn't, every army would tell the other army what all their capabilities were, where all the weapons and troops were, and make everything "transparent."

The best thing I can say to anyone trying to learn is not to accept everything you hear at face value. Respect what other, more learned people say, but don't accept anything as gospel unless you do it or see it yourself.
Stay skeptical.

Question 4: If Stuxnet was the most complex piece of malware ever created, then couldn't the "sons of Stuxnet" wreak havoc across all of the Internet and not just at the Iranian nuclear facility?
This is a huge, huge fear of a lot of people. However, I expect that one day a much less complex piece of malware will "crash" the Internet. Sophisticated malware is needed only for sophisticated scenarios. Crashing the Internet or stealing from banks is easily accomplished with conventional malware. Hackers are likely stealing tens of millions of dollars every day, if not hundreds of millions. They are allowed to get away with it, and the public accepts it as a cost of doing business because they stay below a certain threshold. One day one of them will make a mistake, steal too much, and the world will freak out and finally fix the Internet.

Question 5: It has been widely reported that the NSA put backdoors into a bunch of different programs. How do we know these backdoors have been closed?
Most of them probably haven't been closed. Until we get their complete list of software exploits, which is highly unlikely, we'll never be able to do it. And it's not just the NSA you have to worry about, but every sophisticated government and hacker group. Software is full of exploitable holes that only certain people have knowledge of.

Question 6: We're being taught to hack. What is to stop us from being evil with the knowledge we've been given?
Hacking is actually fairly easy. It's like a cookbook recipe: Once you know how to hack, it's mostly a repeatable process. Most hackers simply mimic what someone else did. They seldom think of anything new. You want to impress me? Do something new. Most hackers are followers.

The smartest hackers are the good guys. It's easy to hack; it's much harder to defend. It's easy to tear down a barn with a saw and a sledgehammer; it's much harder to build the barn. It's even more impressive to build a barn that can resist the saw and the sledgehammer.

You shouldn't hack illegally for the same reason you shouldn't assault someone. It's morally wrong. I've had the skills to hack illegally for over two decades. I get paid to hack legally all the time. Over the past nine years it's never taken me more than an hour to break in (except one time, when it took me three hours). This includes banks, hospitals, government agencies, and Fortune 500 companies. It's not that hard to hack. And guess what? I make a very good living -- far better than I could ever have imagined. I am living the dream.

Legal hacking allowed me to accomplish this, and I don't have to worry about the feds arresting me. If you go the illegal route, it's going to catch up with you eventually. It always does. You can make more money and sleep well at night by hacking legally. You'll have a better career and a better life doing the right thing.

Question 7: I read that no matter how long or complex your password is, that it can be broken by a pass-the-hash attack. True?
In a sense. PtH (pass-the-hash) attacks require that the attacker obtain local administrator status on the box they are stealing hashes from (or obtain domain administrator on a domain controller). If you have that sort of access, then what can't you do?

That said, if attackers steal the ultimate authentication secret -- for example a password, a password hash, a Kerberos token, a ticket, and so on -- they have the ultimate authentication they need to do almost anything. Length of password, hash, digital certificate key, and so on will not protect you.

PtH attacks are a valid concern, but if they went away completely (Windows Server 2012R2 has plenty of PtH defenses built in), it would not stop attackers in the slightest ... because they already own the box. They can just do keylogging, Trojan the machine, or modify the operating system. We should be more concerned about how attackers get that elevated access in the first place, not focused on what they do with it once they have that access. ... Because sky is the limit and there is no defense.

Question 8: Is the NSA leaker a hero or a traitor?
He's a bit of both. Ultimately, he broke his NDA and many laws. He has put other people's lives at risk. He should be punished for that. The only rationale to do what he has done is if what you are revealing is illegal or unconstitutional. So far nothing he has revealed is either of those things. Nothing he has revealed is a surprise to those of us who follow the NSA.

Just read any James Bamford book. He was writing about the NSA's capabilities 25 years ago. The only new things that he revealed, to those of us who follow the NSA, is names of programs and perhaps some individual exploits.

That said, he is to be applauded for bringing the excesses of what the NSA is legally allowed to do to the public masses. I'm hoping that everyone being upset with the NSA will lead to laws being changed, so the NSA cannot legally collect everything they are already collecting. It upsets me, and others, that it took a single employee breaking the law to make the rest of the world up in arms about something we've known for years if not decades.

Question 9: We discussed the FBI takedown of the Silk Road in class and I was wondering: If the NSA has all of the access to our personal lives, why did it take the FBI three years to take them down?
Law enforcement is always slow, especially when it crosses multiple jurisdictions. It takes time to start legal projects, collect evidence, obtain warrants, and proceed. But I suspect that most of the time was spent just getting on the FBI's already busy radar. The FBI, like your own company, has a budget and a project plan each year. I bet Silk Road wasn't on the radar until enough people started complaining. Plus, many times the investigation goes on far longer than what's needed to collect evidence, as perpetrators go after bigger targets and commit more crimes, resulting in easier-to-prove court cases and longer jail sentences.

Also, the NSA and the FBI don't always share information. The NSA, for the most part, doesn't care about drug trafficking, money laundering, theft, and a lot of the other things the FBI cares about. As bad as our laws are, the NSA can't simply share what it has with other legal entities.

Question 10: I want to work in information security, first as an administrator then ultimately as a consultant. What is the best certification to pursue?
I have about 50 certifications, and I learned something new from each one of them. Each cert made me a more knowledgeable technician, and each gave me something that made me more employable. But if you're talking about which ones count the most, that's a slightly different answer: It's the certification most relevant to your potential employer or its customers.

Fortunately or unfortunately, experience counts more. Because of that, you want to pick certs that give you both credentials and real hands-on experience. I like the CompTIA stuff. It teaches a lot. But their certs are basically thought of as "base" certifications. When you earn one of those, you know the basics. Still, great to know, and you will learn something.

Personally, I'm not a huge fan of the CISSP (because it's a lousy test), but it's probably the one cert that most employers and clients like to see. I think it's because bosses and clients often have it and think it was hard, so they like to know other people they are hiring had the same hard time with it.

I'm a huge fan of anything SANS does or offers. I think the SANS courses, books, instructors, and certs teach you more hands-on experience than any of the other relative certs. When I see someone with a SANS cert, I immediately trust them. It's the security geek's CISSP. I also like the CEH and other certified auditor exams. Each has its benefits. Each teaches you something.

Question 11: What kind of tools should I run to make sure my PC is clean (or as clean as possible)?

I never recommend a particular product. They are all fairly accurate, and they all fail miserably on a daily basis. Don't believe any of the "accuracy tests" you read. It's not that the tests are inaccurate, it's that they often set specific parameters that (accidentally or otherwise) benefit particular products.

I've been in the AV field since 1987. Accuracy goes up and down on every product over time.
Just pick one that is reasonably accurate and one that doesn't kill your system's performance. You should run AV, but remember that 99 percent of all successful exploits are caused by unpatched software.

Question 12: How can I detect if my computer has been turned into a bot to help perpetrate a DDoS attack?

It can be hard, especially if your computer has been hit with a rootkit. AV is supposed to detect that sort of stuff, but it often misses it. I love to do two things to look for bot programs myself. First, I use the free utility Autoruns. It will show you everything that is running when your PC starts. It will be a hundred things. Research anything you don't recognize. When in doubt, uncheck the program and reboot. If it breaks something, run Autoruns again and recheck.

Second, download TCPView from Sysinternals. Close every program you think could possibly be communicating with the Internet. Then run TCPView. Research any programs or processes that are communicating with the Internet. Most of the time you'll see one or more things connecting to the Internet that you didn't know about. This is normal. Usually they are just legitimate programs connecting back to the vendor doing something the vendor programmed them to do. Research the destination connection points. If you can't figure out what the program is connecting to and whether it is legitimate, consider using Autoruns to disable it.

But the truth is that malware programs can be very difficult to discover and remove. When in doubt, back up all your data, reformat (or reset), and reinstall everything again. This is the only way to truly know that you are starting with a clean state.

Question 13: I use a MacBook Pro. I know it is built on Darwin Unix, but is it truly more virus-resistant than Windows 7 or 8?

Yes and no. No, in that OS X has far more vulnerabilities than Windows -- and I don't mean a little. Windows gets about 120 to 200 bugs a year.
OS X gets two to three times as many, if not more.

With that said, because OS X runs on only 5 to 10 percent of the world's computers, it still isn't a very big target. Bad guys target popular things because they are more likely to get something of value. Running OS X will probably incur less risk compared to a Windows computer -- probably significantly less risk.

Note that computer viruses aren't nearly as common as worms, Trojans, and other sorts of malware. Use the term "malware" or "malicious program" instead of "virus." Virus indicates only one type of malware.
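
The TCPView step from Question 12 (find which processes hold connections to the Internet) can also be scripted. This is an added example, not part of the original article: it parses text in the layout printed by Windows `netstat -ano`, keeps established TCP connections to non-local addresses and groups them by owning PID. The sample text, its addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges that stay on the machine or the LAN (loopback, RFC 1918, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample in the layout of `netstat -ano` output on Windows.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    127.0.0.1:5354         127.0.0.1:49670        ESTABLISHED     2200
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4312
  TCP    192.168.1.20:49713     203.0.113.10:443       ESTABLISHED     4312
  TCP    192.168.1.20:49720     198.51.100.7:8080      ESTABLISHED     5120
  TCP    192.168.1.20:49731     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49740     203.0.113.99:80        TIME_WAIT       0
  TCP    [fe80::1c2%12]:49750   [fe80::1%12]:445       ESTABLISHED     4
  TCP    [2001:db8::20]:49760   [2001:db8:ffff::5]:443 ESTABLISHED     4312
  UDP    0.0.0.0:5353           *:*                                    1800
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6%zone]:port' into (ip_address, port)."""
    host, port = endpoint.rsplit(":", 1)
    host = host.strip("[]").split("%")[0]  # drop brackets and zone id
    return ipaddress.ip_address(host), int(port)

def is_internet(addr):
    """True when the address is neither unspecified nor in a local range."""
    return not (addr.is_unspecified or any(addr in net for net in LOCAL_NETS))

def internet_talkers(netstat_text):
    """Map PID -> sorted remote endpoints of established Internet connections."""
    talkers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields: proto, local, remote, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        addr, port = split_endpoint(fields[2])
        if is_internet(addr):
            host = f"[{addr}]" if addr.version == 6 else str(addr)
            talkers[int(fields[4])].add(f"{host}:{port}")
    return {pid: sorted(remotes) for pid, remotes in talkers.items()}

if __name__ == "__main__":
    for pid, remotes in sorted(internet_talkers(SAMPLE).items()):
        print(f"PID {pid}: {', '.join(remotes)}")
```

Each PID it reports is a candidate for the "research the destination" step; listening sockets, loopback traffic and LAN file sharing are filtered out so the list stays short.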