The folks in Mountain View are starting to make a habit of getting hacked — intentionally, that is. Earlier this year, Google hosted an event at the CanSecWest security conference called Pwnium, a competition that challenged aspiring hackers to poke holes in its Chrome browser. El Goog apparently learned so much from the event that it’s doing it again — hosting Pwnium 2 at the Hack in the Box 10th anniversary conference in Malaysia and offering up to $2 million in rewards. Bugging out the browser by exploiting its own code wins the largest award, a cool $60,000. Enlisting the help of a WebKit or Windows kernel bug makes you eligible for a $50,000 reward, and non-Chrome exploits that rely on a bug in Flash or a driver are worth $40,000. Not confident you can break Chrome? Don’t let that stop you — Google plans to reward incomplete exploits as well, noting that it has plenty to learn from unreliable or incomplete attacks. Check out the Chromium Blog at the source link below for the full details.
This is not your ordinary rewards program, it’s Google’s way of paying it forward… to hackers. After celebrating the one year anniversary of its unique initiative this past November — in which the coding-inclined are compensated for exposing critical flaws across its suite of web services — the folks over at Mountain View have updated the program’s policies with a bigger chunk of cash. Previously, the search giant had set a max payout of $3,133.7 for any discovered vulnerabilities (a bizarre sum, we know), but that cap has now seen an increase up to $20,000 depending on the severity of the reported bug. For a company with billion dollar coffers, the move appears to be none other than a good faith investment in the security research community. But if you lean a bit closer to the paranoiac line, it could also be viewed as a countermeasure to other, higher-paying firms with less than honorable intentions. Whether your rose-colored glasses are on or off, it’s still nice work if you can get paid for it. And who knows? You might even make it to the Security Hall of Fame.
Firefox now includes a 3D View as part of its suite of built-in developer tools.
Helpful for debugging, the 3D view stacks elements as they are nested in the DOM and lets you see elements that are hidden or off the page. You can zoom in and out, rotate and pan the view to see the page from any angle that is helpful to you.
Go to the Developer Menu, select Inspect, and then 3D View to see your pages or any website in 3D.
Google has today announced that it’s putting up a bounty of $1 million for anyone who can hack its Chrome browser and pinpoint vulnerabilities within it.
The competition, called Pwnium, will take place at this year’s CanSecWest security conference on March 7th. Prizes total a million dollars, with individual awards of $60,000, $40,000 and $20,000 for finding vulnerabilities in Chrome.
Pwnium is being organised by Google and is a splinter contest from the well-known Pwn2Own hacking contest. The competition will be run on a first-come, first-served basis, and winners will also be given a tasty new Chromebook.
Google decided to launch its own contest this year because the organisers of Pwn2Own, Tipping Point, say that contestants do not need to reveal the techniques used to breach the browsers’ security. Google explains:
“We will issue multiple rewards per category, up to the $1 million limit, on a first-come, first-served basis. There is no splitting of winnings or “winner takes all.” We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely “0-day,” i.e. not known to us or previously shared with third parties. Contestants’ exploits must be submitted to and judged by Google before being submitted anywhere else.”
During previous Pwn2Own competitions Google’s Chrome browser has withstood the onslaught of hackers and come away unhacked for three years on the trot, unlike other well-known browsers such as Safari, Firefox and Internet Explorer, which have all been hacked each year.
For more information on the competition and prizes jump over to the Google Pwnium Blog post.
New year, new you ROMs. Yep, the Galaxy S II is getting even more attention, with a duo of Ice Cream Sandwich versions landing on that capacious 4.3-inch screen. They consist of an early Android 4.0.1 build made on December 20th and version 4.0.3 crafted just ten days later. The interesting part is that, according to YouMobile, both of these will arrive through Kies, Samsung’s Android connectivity software. The mobile news site also suspects that these are close (but still buggy) approximations of what we’ll see on our as-yet un-tinkered Galaxy S IIs in the very near future. These Kies-capable builds also have a few cosmetic differences to the build leaked earlier, like a distinct lack of Tron hues adorning the notification bar at the top. While we await a release through the official channels, you can check out a swift run-through right after the break.
The great thinkers of the world have long known a secret that we’re now happy to disclose: it’s not necessity that’s the mother of invention, but rather laziness. Fortunately, expending a great deal of effort on a project — simply to perform a task effortlessly — sometimes brings very cool results. A concept app known as ZuneVoice, which controls the Zune software on a PC with only a standard microphone and spoken commands, easily passes muster in this realm. As you can see in the demo video, its creator, keyboardp, is able to play individual songs, issue commands such as “pause” or “next song”, and even display full-screen music videos from YouTube. The developer even crafted an app for his Lumia 800 known as PhoneZune, which serves as a remote control for times when he’s away from the box. Neither application is yet publicly available, though feedback is welcome. Next, we’re told to expect Kinect integration. Perhaps one day, these gems will see the light of day.
If you’ll rewind your mind in time to earlier this week, you might remember a clever proxy server from @plamoni that enabled Siri’s control of a thermostat through spoken commands. Now, the same bit of engineering has been exploited to enable voice control of third-party applications. In this example, FastPdfKit Reader is manipulated by various commands with SiriProxy acting in the middle. A plugin is used to add new commands to the ones recognized by Siri, and finally, the proxy then sends the final commands to the app. Those hoping to get hacking will find a complete list of instructions from the source link below. For everyone else, you’ll find the true magic after the break.
Apple’s iPhone 4 may not have the fancy dual core CPU of its successor, but thanks to the efforts of developer Steven Troughton-Smith and the folks at 9to5 Mac, it may soon have Siri. The port of the sultry voice assistant was accomplished by using the 4S Siri and Springboard files, and some serious elbow grease, no doubt. As you can see in the video below, it’s far from perfect, but it can recognize spoken commands without issue. Currently, the hack is missing an iPhone 4 GPU driver that keeps things running buttery smooth on the elder phone, and Cupertino won’t authenticate Siri’s commands coming from it either. So, it isn’t quite ready for primetime, but it should only be a matter of time before all you iPhone 4 owners can tell Siri what to do, too.
If you’ve got an HTC Shift sitting around that’s collecting dust and not doing much else, it could find a new lease on life with the revelation of its (very unofficial) support for Windows 8. Like they did for Mac OS X previously, the folks at xda-developers have shoehorned Microsoft’s latest Developer Preview OS onto the dejected UMPC, and so long as you’ve got a bit of spare time, the right equipment and are good at following instructions, you can too. All the basic driver support appears to be in order, including support for video acceleration, the touchscreen and WiFi. Granted, you should keep in mind you’ll be installing pre-release software on unsupported hardware, but isn’t that half the fun? There’s a video after the break (heads-up: it’s in French), and if you’re looking to get started right away, you’ll find a full list of instructions in the source below.
Sure, OS X Lion borrowed many of its design cues from Apple’s iOS platform, but now users of jailbroken iPhone and iPod Touch devices may bring much of the desktop Mac’s functionality onto their handset with Lion Ultimatum. In essence, this beta project is a theme for Dreamboard (which is required software), but it’s rather far-reaching, with a functional file manager and Finder menus, a scrollable dock and draggable windows, along with Stacks, Launchpad, Mission Control and Dashboard. There’s also a customizable lock screen that provides access to the dialer, email and messages. Even the keyboard can be modified to resemble the design of MacBook Pro or the traditional Apple Keyboard, thanks to integration with ColorKeyboard. If you’re thirsty for more, hop the break for an extended video preview, or just follow the source for the full install instructions.
Who needs sleep, right? Rather than putting in the tried-and-true “eight hours” that your mum still insists that you get, you’re going to be doing something a bit more adventurous this evening. Something involving a “jailbreak” of your recently updated iPod touch, iPhone or iPad. Just hours after Apple pushed out iOS 5 beta 3 to its developers, the folks at iPhone Dev-Team have confirmed that a Sn0wbreeze update will support jailbreaking on that very build. Sadly, it’s still tethered for the time being, and the iPad 2 remains unsupported, but those with nerves of steel (and gobs of vacation days) can hit the source links to get started. Furthermore, we’re just starting to see what kind of wacky tricks beta 3 has up its sleeve — things like custom alerts for text messages and what appears to be a shattering of the app grid on the iPad. For more on that, hop on past the break; for more on the jailbreak, we’d encourage you to talk amongst yourselves in comments below.
Let’s bid a bitter welcome to Sega, the latest entrant to the newly founded club of hacked online communities. Sega Pass, the company’s web portal, suffered a breach of its defenses on Thursday, which has now been identified to have affected a whopping 1.29 million users. Usernames, real names, birth dates, passwords, email addresses, pretty much everything has been snatched up by the malicious data thieves, with the important exception of credit / debit card numbers. We’d still advise anyone affected to keep a watchful eye on his or her banking transactions — immediately after changing that compromised password, of course. In the meantime, Sega’s keeping the Pass service offline while it rectifies the vulnerability; it’ll be able to call on an unexpected ally in its search for the perpetrators in the form of LulzSec, a hacker group that boasted proudly about infiltrating Sony’s network, but which has much more benevolent intentions with respect to Sega. What a topsy-turvy world we live in!
The US government is serious about online security, just ask any one of its cyber commandos. Adding to its arsenal for battling the big bad hackers, Reuters reports that DARPA is working on a National Cyber Range, which would act as a standalone internet simulation engine where digital warriors can be trained and experimental ideas tested out. Lockheed Martin and Johns Hopkins University are competing to provide the final system, with one of them expected to soon get the go-ahead for a one-year trial, which, if all goes well, will be followed by DARPA unleashing its techies upon the virtual firing range in earnest next year. The cost of the project is said to run somewhere near $130 million, which might have sounded a bit expensive before the recent spate of successful hacking attacks on high-profile private companies, but now seems like a rational expenditure to ensure the nuclear missile codes and the people crazy enough to use them are kept at a safe distance from one another. DARPA has a pair of other cleverly titled cybersecurity schemes up its sleeve, called CRASH and CINDER, but you’ll have to hit the source link to learn more about them.
Well, it looks like Microsoft is taking those warnings about WebGL pretty seriously. The company has decided not to support the web-based 3D standard because it wouldn’t be able to pass security muster. Highest on the list of concerns is that WebGL opens up a direct line from the internet to a system’s GPU. To make matters worse, holes and bugs may crop up that are platform or video card specific, turning attempts to plug holes in its defense into a game of whack-a-mole — with many players of varying reliability. Lastly, Microsoft, like security firm Context, has found current solutions for protecting against DoS attacks rather unsatisfying. Lack of support in Internet Explorer won’t necessarily kill WebGL and, as it matures, Microsoft may change its tune — but it’s still a pretty big blow for all of us hoping the next edition of Crysis would be browser-based.
This must be the season of the hacking witch as we’ve now seen yet another company’s online security walls breached. Independent UK games developer Codemasters, responsible for titles like Dirt 3 and Overlord, has reported that its website was hacked on the third of June, exposing the names, addresses (both physical and email), birthdays, phone numbers, Xbox gamer tags, biographies, and passwords of its registered users. Payment information wasn’t compromised, but when you consider that almost everything else was, that feels like hollow consolation. For its part, Codemasters says it took the website offline as soon as the breach was detected and a subsequent investigation has revealed the number of affected users to be in the tens of thousands.
Microsoft’s new wireless keyboard-and-mouse duo aims to thwart keystroke spies with full AES 128-bit encryption on over-the-air data — an improvement on older wireless models that have proven to be easy pickings for hacker-types. You can pick up the Wireless Desktop 2000 now for $40, but that won’t buy you protection from more common threats like Shandong phishmongers, nor will it make up for security loopholes in your other peripherals. Speaking of which, are you still using that seemingly innocent USB coffee-cup warmer?
Since the dawn of Kinect hacking, we’ve seen cameras strung together (or rotated) to create 3D, video game-like environments, while others have tweaked it for headtracking. Others, still, have used it for teleconferencing (albeit, the flat, two-dimensional variety). Now, a team of researchers has gone and thrown it all together to achieve 3D video chats, and if we do say so, the result is greater than the sum of its parts. The group, based out of UNC-Chapel Hill, uses 3D mapping (and at least four Kinects) to render the video, and then employs headtracking on the receiving end so that people tuning in will actually see the live video in 3D, even without wearing 3D glasses. The result: a tableau that follows you as you move your head and spin around restlessly in your desk chair waiting for the meeting to end. That’s mighty impressive, but we can’t help but wonder: do you really want to see your colleagues in such lifelike detail? Have a gander at the video and decide for yourself.
Oh, Sony — not again. We’ve just received numerous tips that Lulz Security has broken into SonyPictures.com, where it claims to have stolen the personal information of over 1,000,000 users — all stored (disgracefully) in plain text format. Lulz claims the heist was performed with a simple SQL injection — just like we saw the last time around. A portion of the group’s exploit is posted online in a RAR file, which contains over 50,000 email / password combos of unfortunate users. We’ve downloaded this file (at our own risk, mind you) and can verify these sensitive bits are now in the wild, though it remains unclear if what’s published matches reality. In addition to user information, the group has blurted out over 20,000 Sony music coupons, and the admin database (including email addresses and passwords) for BMG Belgium employees. Fresh off the heels of the PlayStation Network restoration, we’re guessing the fine folks in Sony’s IT department are now surviving solely on adrenaline shots.