IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

New Android 'Certifi-gate' Bug Found


Following the news of the discovery of the Stagefright flaw - characterized by many security researchers as the worst vulnerability ever to be found on devices that run Google's Android operating system - details of yet another major flaw were unveiled August 6 at the Black Hat conference in Las Vegas.


But Google and some original equipment manufacturers have finally promised that they will soon begin releasing monthly platform and security updates for some Android devices, to better safeguard users against such vulnerabilities.


Security vendor Check Point Software Technologies says the new flaw, which it has dubbed "Certifi-gate," is due to components present in the Android operating system that are digitally signed, but vulnerable to attack, and that these flaws could be "very easily exploited" to gain full, unrestricted access to vulnerable devices. As the result of a successful attack, accordingly, attackers could infect the devices with malware, exfiltrate data, remotely activate and monitor microphones or built-in cameras, and track the device's location.


"Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugs on a device," Check Point says in a blog post. "[These apps] allow remote personnel to offer customers personalized technical support for their devices by replicating a device's screen and by simulating screen clicks at a remote console."


Check Point says the vulnerabilities are present in hundreds of millions of Android devices, including smartphones and tablets manufactured by HTC, LG, Samsung and ZTE. It says the flaw affects a number of versions of the Android OS, including the latest Android "Lollipop" versions 5.0 and 5.1. The security firm says it has notified Google and all affected manufacturers, and that some related updates are starting to be released. Check Point also launched a free tool - the Check Point Certifi-gate Scanner - that will scan an Android device for the presence of the flaw.


Google did not respond to a request for comment about the flaw or related patches. But Check Point says that the vulnerable Android components' certificates cannot be remotely revoked by OEMs, and that they will have to issue a new, patched version of Android for each device they still support. But while some vendors patch quickly, others have been slow to release fixes - if at all.

Coming Soon: Stagefright Fixes

Google has long maintained Android as an open source project, and stated that it is up to manufacturers and carriers to decide how or if they will patch their own devices. The only exception to that approach has been the Nexus range of devices, which Google manufactures, and which run a stock version of Android.


But the severity of the Stagefright flaw - and many equipment manufacturers' and carriers' slow or nonexistent patching practices - has triggered serious existential questions about the future of the Android operating system, including whether enterprises should now begin treating unpatched Android devices as a security threat and blocking them.


Appearing to respond to such criticism, Google this week reported that many manufacturers - including Samsung, HTC, LG, Sony, Android One and Google's own Motorola - will begin releasing Stagefright patches later this week. In an Aug. 5 blog post Adrian Ludwig, lead engineer for Android Security, and Venkat Rapaka, director of Nexus product management, reported that patches were already starting to be released for all devices from Nexus 4 to 10, as well as Nexus Player. "This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues," they said. "At the same time, the fixes will be released to the public via the Android Open Source Project."

The same day, speaking at Black Hat, Ludwig also promised that OEMs will soon begin releasing related fixes. "My guess is that this is the single largest software update the world has ever seen," Ludwig said. "Hundreds of millions of devices are going to be updated in the next few days. It's incredible."

Some Monthly Android Patches Promised

But the need for Google to rally manufacturers for a one-off fix for such a serious flaw also highlights how existing approaches too often fail to put fixes for critical bugs on users' devices, at least in a timely manner. Finally, responding to years of criticism from security experts over the paucity of patches for Android devices, Samsung and LG have promised to implement monthly patch updates for their Android devices, as has Google with its Nexus line.


"Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store," Ludwig and Rapaka say in their blog post.


The move echoes a similar monthly patch-release strategy introduced by Microsoft for Windows, beginning in October 2003, to combat the rise in serious vulnerabilities found in its operating system.

Samsung and LG have also promised to release monthly patches, although they have not stated how long they will support devices after they have been released. "With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," says Dong Jin Koh, who leads the mobile research and development group at Samsung Electronics, which makes the popular Galaxy series of smartphones and tablets, amongst other devices that run Android. "Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected."


Likewise, an LG spokeswoman says in a statement that "LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately" and that "we believe these important steps will demonstrate to LG customers that security is our highest priority." What is not clear, however, is how quickly carriers might then distribute those fixes to their subscribers.


Microsoft Doubles Down On Office For Android Tablets


Call it the robot bear hug. Microsoft announced today that its Android hardware manufacturer (OEM) program that sees Office apps pre-installed on new hardware has been expanded to 20 new companies. According to the software company, there are now 31 “partners” in the program.


The play is simple: Microsoft wants its apps and services to win on every platform, and to do so, it wants space on every device’s home screen. If you don’t control the platform that is quickly becoming the most important platform ever, you have to play. But if one of your key competitors owns the platform in question, you might need new friends. Say, the firms that actually distribute the platform via their tablet hardware. Voilà, access.

Here’s the official statement:

These 31 partners will offer Android tablets pre-installed with Word, Excel, PowerPoint, OneNote, OneDrive and Skype in the near future. They will be available on a new LG tablet, and Sony will include them on their Xperia Z4 tablet in the next 90 days.

The new partnerships will continue the early success of the company’s push to bring Office to iOS and Android. Microsoft is pushing Office onto every major platform, ensuring that one of the key cash sources has the largest potential market to sell into.

Microsoft is, of course, planning similar work for its own Windows 10 platform, an operating system that is still the crux of its corporate soul. Office and Windows remain as Microsoft as apple pie, even as Azure, Skype for Business, Office 365 and other service offerings take on larger roles at the company.


The new deals are global in scale, targeting Asian, Latin American and European markets. That implies that Microsoft will pick up new users across the globe.


Google bursts into the wireless industry


Google wants to be your wireless carrier.

The search giant on Wednesday announced its long-anticipated wireless service in the United States, called Project Fi.

Google hopes to stand out by changing the way it charges customers. Typically, smartphone owners pay wireless carriers like AT&T and Verizon a bulk rate for a certain amount of data. Google says it will let customers pay for only what data they use on their phones, from doing things like making calls, listening to music and using apps, potentially saving them significant amounts of money.

For now, the program is invite-only and will only be available on Google's Nexus 6 smartphone.

"It's important that wireless connectivity and communication keep pace and be fast everywhere, easy to use, and accessible to everyone," Nick Fox, vice president of communications products at Google, said in a statement.

Google's new wireless service represents a shift in its efforts to remake the wireless industry. Those efforts began in 2005, when the company purchased the nascent Android mobile phone software and began giving it away to handset makers like Samsung, LG and Lenovo. Competitors, like Microsoft, typically charged for their software. The plan worked: Today, Android powers more than 80 percent of the world's smartphones, and commands significant influence in the wireless industry.

The next step for the search giant is to expand into how the cellular and wireless connections themselves are delivered to you.

Google said it would offer one plan at one price. For $20 a month, you get voice, text, Wi-Fi tethering and international coverage in more than 120 countries. Then it's $10 per gigabyte per month. But if you don't use all of the data you bought, Google refunds you for what you didn't use. Their service won't require an annual contract.

Google isn't just offering a different way to charge customers. It will also offer a new technology to allow users to switch between cellular and Wi-Fi signals while on a call. The nascent technology will help Google to keep costs down, and help customers avoid relying on cellular networks that are often overburdened by wireless traffic. The program will also store your phone number on Google's servers, so you'll be able to use your number to talk and text from a phone, tablet or laptop.

Google isn't building its own wireless network to do this. Instead, the Internet giant has made a deal with US carriers Sprint and T-Mobile to use their networks.

"We are proud to enable Google's entry into the wireless industry as a service provider," Sprint said in a statement.

Still, for wireless companies, Google's entrance to the market could be worrisome. Google, with its financial resources and influence, has the power to shake up the entire industry.

When Google product chief Sundar Pichai confirmed the wireless service in February, he sought to reassure the carriers. He said Google's wireless service was meant to be a small scale experiment. Google's rationale is said to be trying to innovate new practices and pricing models, and trying to get the wireless industry at large to follow suit.

"I think it will be a small market initially, but I have to believe [the carriers are] going to be watching it closely," said Tim Bajarin, president of tech research firm Creative Strategies.

Google is the highest-profile company to do this, but it's not the only company that will offer this kind of service. Republic Wireless, a small North Carolina-based wireless company, will offer a similar service this summer.

Google has been dipping into the Internet access business in other ways too. The company began taking on the home-and-business Internet service providers in 2010 with a project it calls Google Fiber. The service offered Internet connections to people's homes in cities like Kansas City and Austin for much less than larger rivals Comcast, AT&T and Verizon charge.

Google is also hoping to bring its service efforts to developing countries. The company has been building a way to beam Internet connectivity to rural populations via high-flying balloons with a project called Loon. Google is also experimenting with satellites for the same purpose.



Google has delayed its Android encryption plans because they're crippling people's phones


Google is delaying plans to encrypt all new Android phones by default, Ars Technica reports, because the technical demands of encryption are crippling people's devices.

Encryption slowed down some phones by 50% or more, speed tests show. 

In September 2014, Google — along with Apple — said that it planned to encrypt all new devices sold with its mobile OS by default. This means that unless a customer opted out, it would be impossible for anyone to gain access to their device without the passcode, including law enforcement (or Google itself).

This hardened stance on encryption from tech companies came after repeated revelations about the NSA, GCHQ and other government spy agencies snooping on ordinary citizens' data.

Default encryption has infuriated authorities. One US cop said that the iPhone would become "the phone of choice for the paedophile" because law enforcement wouldn't be able to access its contents. UK Prime Minister David Cameron has floated the idea of banning strong encryption altogether — though the proposal has been slammed by critics as technically unworkable.

Apple rolled out default-on encryption in iOS 8 back in September. Google's Android Lollipop system was first released in November — but because the phone manufacturers, rather than Google itself, are responsible for pushing out the update, it can take months for a new version of the OS to reach the majority of consumers.

But as Ars Technica reports, Lollipop smartphones are now finally coming to the market, and many do not have default-on encryption. So what's the reason? The devices couldn't actually handle it.

Speed tests show that even Google's flagship phone, the Google Nexus 6, suffers serious slowdown when encryption is turned on. A "random write" test measuring writing data to memory showed that the Nexus 6 performed more than twice as fast with encryption switched off — 2.85MB per second as compared with 1.41 per second with it on. The difference was even more striking in a "sequential read" test to measure memory reading speeds. An unencrypted device achieved 131.65MB/s; the encrypted version managed just 25.36MB/s. That's a third of even the Nexus 5, the previous model, which came in at 76.29MB/s.

As such, Google is now rowing back on its encryption stance. Its guidelines now say that full-disk encryption is "very strongly recommended" on devices, rather than the necessary requirement promised. Users can still encrypt their devices (even if it slows them down), but it won't happen by default.

Google says it still intends to force it in "future versions of Android".



Google backtracks on Android 5.0 default encryption


When the Nexus 6 handset arrived late last year, it came with full data encryption enabled out of the box. Google also pushed its hardware partners to do the same at first, but now appears to have quietly changed the requirement with a strong recommendation to enable encryption by default, reports Ars Technica.

The same site noted performance issues with Google’s Nexus 6 in November, particularly with regards to read and write disk speeds, which it attributed to the encryption. How much of an impact did the tests show? In some cases, the new Google Nexus 6 was slower than the Nexus 5 it was designed to replace, even though the handset had much improved internal components.

Google did say in September of 2014 that the then-called Android L software — later to become Android 5.0 Lollipop — would have encryption enabled by default out of the box. New devices with Android 5.0, however, don’t have the security feature enabled: The new $149 Moto E with LTE is a perfect example. So what’s changed?

According to Ars, Google’s Android Compatibility Definition document is what’s changed; specifically, the section on disk encryption, with Google emphasizing what it recommends:

If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data partition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.

Essentially, Google has gone back to having encryption as an option for new Android 5.0 devices, not a requirement: They must support it but it isn’t necessary to enable it by default. However, the last sentence in the guidelines indicates that hardware partners should be ready for this to change back in a future version of Android.

From a security standpoint, this is a bit of a disappointment. If encryption impacts performance, however, Google has little choice here.

The concern I have is that most mainstream Android users won’t know that they should enable encryption on their device or simply don’t know how. My hope is that if Google reduced the requirements due to performance, it finds a way to address the root cause of the issue and then get device encryption back as a default option.



Android Wear update improves Google Fit syncing, squashes bugs


Android Wear is getting a bump up to version 5.0.2, with some fixes for Google Fit syncing and other all-around housekeeping.

Android Police reports a build number of LWX49K is hitting the LG G Watch and Smartwatch 3, with LWX49L for the Moto 360.

The Moto 360 release notes don’t give us too many more details, indicating an update to Google Play services and a “variety of system optimizations and security updates to improve performance and stability.”

One clue is found in the Android Wear help forums, where Google employee Soji Ojugbele posted Wednesday that an update to Android Wear and Google Play Services would fix the issues with Fit. 

Presumably this update will roll out to other Android Wear watches; it’s just going to be a matter of waiting for it to arrive. If we spot any other feature improvements we’ll be sure to let you know.

The impact on you: If you have an Android Wear watch, this may fix some of the inconsistencies with Google Fit, which turns your wearable into a step counter and fitness tracker. Google Fit isn’t nearly as popular as the fitness platforms developed by Nike, Fitbit, or Jawbone, but it’s a useful enough feature that Google can’t just let any bugs go unsquashed.




Apple Watch Gets Another Competitor in the Android-Based LG Watch Urbane


LG Electronics today announced a new device in the line of Android Wear smartwatch products, called the LG Watch Urbane. Planned for a full unveiling at Mobile World Congress next month, the watch is said to combine the traditional aspects of a luxury timepiece with the "high-tech flare" of a modern smartwatch.

The LG Watch Urbane follows in the footsteps of LG's previous foray into the world of smartwatches with the LG G Watch R, launched last October. LG says while the G Watch R was designed with a more active lifestyle in mind, the Watch Urbane has taken a more formal, classic route that will suit both men and women. Despite the formal look, the Watch Urbane is powered by a smartwatch-style touch-based interface that is compatible with any smartphone running Android 4.3 or above.

“The LG Watch Urbane’s classic design and smart features make it the perfect smartwatch to complement our G Watch and G Watch R, which were designed as more casual and active devices,” said Juno Cho, president and CEO of LG Electronics Mobile Communications Company. “LG Watch Urbane is an important part of our strategy to develop wearable devices that are worn and viewed as everyday accessories, not electronic gadgets.”

The LG Watch Urbane includes the same 1.3-inch full circle P-OLED display as the LG G Watch R - which was the first smartwatch to include such a display - but features a narrower bezel this time around, offering it that more formal, sleeker look touted by LG. The watch comes in gold and silver options with a natural leather strap that can be replaced by any 22mm wide band, according to the company.

Not many specific details were given on the device's smartwatch capabilities, but LG confirmed the LG Watch Urbane will be able to measure a user's heart rate for fitness purposes thanks to a photoplethysmography (PPG) sensor built into the device. Other key factors, like pricing and whether the new Android-based smartwatch will hit around the Spring launch of the Apple Watch, were not yet disclosed by LG.

Key Specifications:

- Chipset: 1.2GHz Qualcomm® Snapdragon™ 400
- Operating System: Android Wear™
- Display: 1.3-inch P-OLED Display (320 x 320, 245ppi)
- Size: 45.5 x 52.2 x 10.9mm
- Memory: 4GB eMMC/ 512MB LPDDR2
- Battery: 410mAh
- Sensors: 9-Axis (Gyro / Accelerometer / Compass) / Barometer / PPG (Heart Rate Sensor)
- Colors: Gold / Silver
- Other: Dust and Water Resistant (IP67)

LG's newest foray into the increasingly crowded world of smartwatches is the latest in a long line of companies announcing new iterations of older products, or new products altogether, preparing to do battle with Apple's April launch of the Apple Watch.



Slow Android Wear sales underline the challenges Google's smartwatches face


The Android smart watch’s time may not yet have come: Despite heavy promotion of Android Wear, Google’s hardware partners, including LG Electronics, Motorola Mobility and Samsung Electronics, only shipped 720,000 of the devices last year.

With the arrival of products such as Motorola’s hotly anticipated Moto 360, the smartwatch market was expected to take off. But the data from market research company Canalys shows that consumers are still far from convinced that they need to buy one.

“Android Wear will need to improve significantly in the future, and we believe it will do so,” said Daniel Matte, analyst at Canalys.

Those improvements have to happen across the board, including a better user interface and improved battery life, according to Francisco Jeronimo, research director for European mobile devices at IDC.

“I use a lot of mobile devices, and found the Android Wear interface difficult to learn. And when I finally had learned how to use it, I really didn’t like the experience,” he said.

Battery life is also a concern, and one that can’t be easily solved. The arrival of customized chipsets will help but that can’t change the size of smartwatches, which means you can only use a small battery.

“It will take several years before battery life improves,” Jeronimo said.

Some vendors are also tripping up themselves and users with their design choices. For example, users of Samsung’s smartwatches need a cradle to fill an empty battery, instead of plugging a charger directly into the device. That just adds an extra level of complexity for users, according to Jeronimo.

However, the biggest obstacle isn’t these technical constraints, but that Google, vendors and application developers haven’t come up with a reason why consumers should invest in an Android Wear smartwatch, Jeronimo said.

With these shortcomings Android Wear hasn’t been able to dominate the smartwatch market in the way Google’s platform has taken over smartphones.

Rival Pebble shipped a total of 1 million units from its 2013 launch through to the end of 2014. Continual software updates, more apps in its app store and price cuts in the fall helped maintain strong sales in the second half of the year, according to Canalys.

But all eyes are now on Apple and its Watch, which is scheduled to go on sale in April. Jeronimo goes so far as to say the future of smartwatches now rests on Apple’s shoulders.

“If Apple can’t get it right it may kill the category, because if Apple can’t succeed which company can,” he said.

Apple’s CEO Tim Cook seems convinced the Watch can deliver, saying this week that users will find enough features to not be able to live without one. Just as the company changed the markets for MP3 players, smartphones and tablets, Apple’s Watch will change the smartwatch market.



Samsung reportedly to unveil two versions of Galaxy S6 - CNET


Samsung may try to challenge the competition with not one but two new variations of its upcoming Galaxy S6 smartphone.

The company, whose current marquee phone is the Galaxy S5, will reportedly roll out one model with a metal design, a change from the usual plastic, Business Insider said Monday, citing "sources familiar with the company's plans." The sources didn't say whether the new Galaxy S6 would offer a full unibody metal chassis or simply adopt metal accents. But an alleged metal frame for the S6, leaked a few weeks ago, revealed a unibody design, Business Insider said.

Samsung has traditionally used plastic for the frame of its smartphones, unlike rival Apple, which uses metal for its iPhones. But plastic has sometimes been criticized as looking and feeling cheap, so Samsung has moved toward metal with such phones as its Galaxy Alpha.

The second S6 model purportedly in the works would feature a curved edge, just like Samsung's Galaxy Note Edge. The Note Edge uses the curved border to display icons and widgets to supplement the content you see on the main screen.

Whether or not these rumors are true, Samsung may feel the need to try something different with its Galaxy S6 in order to battle back against its rivals. The company has seen its operating profits and market share drop in the wake of greater competition. During the third quarter of 2014, Samsung sold 73.2 million smartphones across the world, earning it 24.4 percent market share, research firm Gartner said last month. During the same quarter in 2013, the company sold 80.4 million smartphones and snagged a 32.1 percent market share.

Though still tops in the smartphone market, Samsung has been facing more competition on the higher end from Apple, which last September launched its bigger-screened iPhone 6 and iPhone 6 Plus. On top of that, Samsung is being hit on the lower end by makers of less pricey mobile phones such as Xiaomi and Huawei, notably in key emerging markets such as China. As such, Samsung's challenge will be to show that the Galaxy S6 is still worth its premium price and features in an increasingly competitive global market.

Likely to be unveiled at Mobile World Congress in February, the Galaxy S6 would be outfitted with Android 5.0 Lollipop. No other details were revealed by Business Insider's sources. But previous rumors claim the S6 could sport a 5.5-inch Quad HD display with a resolution of 1,440x2,560 pixels along with a 20-megapixel rear camera. Samsung has also reportedly conjured up a code name for the S6 known as Project Zero, which suggests the company will rethink the phone's design from scratch.

Samsung may have more in the works for MWC. The company will also reportedly unveil a new smartwatch with a round screen, similar in design to Motorola's Moto 360, Business Insider added.



Kodak is launching a line of Android smartphones in 2015


Kodak has announced that it’s licensing its name to a range of mobile devices that make it easier to print and share images. The company’s first smartphone will be unveiled at CES in January followed by a "4G handset, a tablet, and a connected camera" arriving in the second half of 2015. The actual hardware will be built by Bullitt Group, an English company that makes a range of ultra-rugged smartphones for construction company Caterpillar and claims to create products "using the unadulterated DNA of the brands we work with."

There's no talk of megapixels - this is all about branding

"Kodak is one of the world's most recognizable brands. It is trusted by consumers as a marque of quality and innovation," said Bullitt Mobile CEO Oliver Schulte in a press release. "We've taken that heritage and used it to inspire a range of beautifully designed devices that will let users take great pictures and edit, share, store and print them in an instant." As Schulte suggests, the emphasis is very much on software solutions rather than quality hardware. Neither Kodak nor Bullitt mention any details about megapixels, sensor size, or the like, and instead both seem intent on selling the devices for their ease of use — even including remote management software that will let "family members and friends … provide help and support."

Licensing its brand is a strategy in keeping with the radical restructure that helped Kodak exit bankruptcy last September. The company spun off or shut down its various consumer divisions (including its digital photography team) and is instead concentrating on commercial printing. It won’t be the only struggling firm trying to jump on the mobile bandwagon either: back in September, Panasonic unveiled the experimental Lumix CM1 smartphone, equipped with a large sensor and Leica lens. Kodak can get people interested with its name alone, but it'll have to contribute more than just branding to actually win customers' respect.



Microsoft's Cortana Is Coming to Android and iPhone


Starting in June, you’ll be able to download Cortana as an app on your Galaxy or iPhone even if you’d rather die than use Windows. The rumors are true: Microsoft is giving the non-Windows crowd a taste of its powerful voice assistant, bringing Cortana to Android and iOS.

People love Cortana so much, some developers have already created a ported version for Android called “Portaña.” This switch to multi-platform availability will make Cortana seem more like a standalone product than a Windows feature. And Cortana has been getting increasingly sophisticated, so this could be a real threat to Siri and Google Now.

There is a catch, though: The Android and iOS versions of Cortana will be limited. You won’t be able to say “Hey, Cortana” to activate the voice assistant hands-free, and you won’t be able to open apps or toggle settings, since there won’t be the same level of integration.


Law Banning Default Encryption Unlikely


Laws rarely, if ever, keep up with technology, but even if they could, the consequences could prove more harmful than the benefits.

That was evident at an April 29 hearing of the House Oversight and Government Reform Subcommittee on Information Technology that addressed the encryption - and security - of mobile devices.

Here's the problem the panel addressed that faces law enforcement: Encryption is the default setting for new Apple iPhone and Google Android mobile devices, meaning that law enforcement cannot gain access to encrypted data on the devices even if they have a search warrant. To gain access, the manufacturers would have to create a so-called "backdoor," and give law enforcement a special key to decrypt data on mobile devices. Without such a key, law enforcement could gain access only with the permission of the devices' owners, an unlikely scenario if the encrypted data contains incriminating evidence.

"We call it 'going dark,' and it means that those charged with protecting the American people aren't always able to access the information necessary to prosecute criminals and prevent terrorism even though we have lawful authority to do so," FBI Executive Assistant Director Amy Hess told lawmakers.

Backdoor Benefits

Hess furnished the subcommittee with examples of how accessing data enabled forensics experts to solve crimes, including kidnapping, false rape accusation and murder.


"Today's encryption methods are increasingly more sophisticated, and pose an even greater challenge to law enforcement," she said. "We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet or a laptop - evidence that may be the difference between an offender being convicted or acquitted - but we cannot access it."


Advocates of giving law enforcement a backdoor key include President Obama and FBI Director James Comey. At the Congressional hearing, Suffolk County (Mass.) District Attorney Daniel Conley voiced strong support: "The Fourth Amendment allows law enforcement access to the places where criminals hide evidence of their crimes, once the legal threshold has been met," Conley testified. "In decades past, these places were car trunks and safety deposit boxes; today they are computers and smartphones."

Questioning Motives of Apple, Google

Conley dismissed Apple's and Google's contention that the default encryption they offer on their devices safeguards consumers' privacy.

"Their nominal commitment to privacy rights would be far more credible if they were forbidding themselves access to their customers' interests, search terms and consumer habits, but as we all know, that's not a step they're willing to take," Conley said. "Instead, they're taking full advantage of their customers' private data for commercial purposes while building an impenetrable barrier around evidence in legitimate, court-authorized criminal investigations."


Hess and Conley make a somewhat sound argument. After all, police, with the proper court order, can break into filing cabinets to retrieve evidence. But the rules of the physical world don't always translate well into the virtual one. And other witnesses at the hearing made more compelling arguments for why creating an electronic backdoor is a very bad idea.


"Unfortunately, harsh technical realities make such an ideal solution [a backdoor] effectively impossible, and attempts to mandate one would do enormous harm to the security and reliability of our nation's infrastructure, the future of our innovation economy and our national security," said cryptographer Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania. "We just can't do what the FBI is asking without weakening our infrastructure."

Undermining U.S. Cybersecurity

Providing a backdoor would undermine America's cybersecurity. "While the FBI would have us believe that law enforcement alone will be privy to our sensitive data, history demonstrates that bad actors will always be ahead of the curve and find an avenue to manipulate those openings," said Jon Potter, president of Application Developers Alliance, a trade group. "As one well-regarded cryptographer said, 'You can't build a backdoor that only the good guys can walk through.'"

Creating a backdoor could potentially cost the American economy billions of dollars in lost business. Kevin Bankston, policy director of the think tank New America's Open Technology Institute, says a backdoor would give foreign users, including corporations and governments that especially rely on the security of technologies, even more incentive to avoid American wares and turn to foreign competitors. "To put it bluntly," he said, "foreign customers will not want to buy or use online services, hardware products, software products or any other information systems that have been explicitly designed to facilitate backdoor access for the FBI or the NSA."

Encryption Mitigates Risks

But the most compelling argument for retaining default encryption that's beyond the reach of law enforcement is that it makes everyone safer, especially on smartphones. "The vast amount of personal information on those devices makes them especially attractive targets for criminals aiming to commit identity theft or other crimes of fraud, or even to commit violent crimes or further acts of theft against the phone's owner," Bankston said.


"By taking this step for their customers and turning on encryption by default," he said, "mobile operating system vendors have completely eliminated the risk of those crimes occurring, significantly discouraged thieves from bothering to steal smartphones in the first place, and ensured that those phones' contents will remain secure even if they are stolen."


It's an argument that can persuade even the most ardent supporters of law enforcement and intelligence agencies. The subcommittee's chairman, freshman Republican William Hurd of Texas, a former undercover CIA agent and cybersecurity strategist, concluded the hearing by opposing offering law enforcement a backdoor. "I hold everyone in law enforcement and the intelligence community to a higher standard," he said. "Upholding civil liberties and civil rights are not burdens. They make all of us safer and stronger."


Jan Vajda's curator insight, May 2, 2015 6:53 PM

Add your insight ...


Apple, Android Prep 'Freak' Fix


Numerous Apple and Android devices, as well as websites, are vulnerable to a serious flaw, which an attacker could exploit to subvert secure Web connections. The flaw exists in SSL and TLS and results from the ability to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

The researchers who discovered the vulnerability have dubbed it "Freak," for "Factoring RSA-EXPORT Keys," and warn that it can be used to crack a cipher key and then impersonate legitimate sites - such as the public-facing National Security Agency website - to vulnerable clients. In some cases it could also be used to hijack third-party tools, such as the Facebook "like" button functionality, and inject JavaScript into vulnerable clients and steal passwords.


"In case you're not familiar with SSL and its successor TLS, what you should know is that they're the most important security protocols on the Internet," Johns Hopkins University cryptographer Matthew D. Green says in a blog post. "In a world full of untrusted networks, SSL and TLS are what makes modern communication possible."

Security researchers warn that the flaw exists in versions of OpenSSL prior to 1.0.1k, and affects all Android devices that ship with the standard browser, although they say Google Chrome is immune. The flaw also exists in Apple TLS/SSL clients, which are used by both Mac OS X clients and iOS mobile devices. The vulnerability has been designated as CVE-2015-0204.

Researchers say it's not clear how many users, devices or websites are vulnerable to the Freak flaw, or if it has yet been exploited in the wild. But 6 percent - or 64,192 - of the world's 1 million most popular websites (as ranked by Amazon.com Web traffic monitoring subsidiary Alexa) are currently vulnerable to the flaw, according to the Tracking the Freak Attack site, which is run by researchers at the University of Michigan, and can be used to check if clients are vulnerable to Freak attacks.

Researchers from French computer science lab INRIA, Spanish computer lab IMDEA and Microsoft Research have been credited with discovering the flaw and detailing how it can be exploited. "You are vulnerable if you use a Web browser that uses a buggy TLS library to connect, over an insecure network, to an HTTPS server that offers export ciphersuites," they say. "If you use Chrome or Firefox to connect to a site that only offers strong ciphers, you are probably not affected."

In recent weeks, the researchers - together with Green - have been alerting affected organizations and governments. Websites such as Whitehouse.gov, FBI.gov, and connect.facebook.net - which implements the Facebook "like" functionality - were vulnerable to related attacks, but have now been fixed, Green says. But he notes that numerous sites, including the public-facing NSA.gov website, remain vulnerable.

Apple, Google Prep Patches

Apple tells Information Security Media Group that it is prepping a patch, which it plans to release next week. OpenSSL released a related patch in January, and content delivery networks - such as Akamai - say they've either put fixes in place or will do so soon.

While Google didn't immediately respond to a related request for comment, a spokeswoman tells Reuters that the company has already prepped an Android patch and distributed it via the Android Open Source Project to its business partners. She notes that it's now up to those businesses - which include such equipment manufacturers as Samsung, HTC, Sony, Asus and Acer - to prep and distribute patches to their customers. But while some OEMs have a good track record at prepping and releasing patches in a timely manner, others delay, or never release patches.

Businesses and users should install related patches as quickly as possible, says information security consultant and SANS Institute instructor Mark Hofman in a blog post. "To prevent your site from being used in this attack you'll need to patch OpenSSL - yes, again. This issue will remain until systems have been patched and updated, not just servers, but also client software," he says. "Client software should be updated soon - hopefully - but there will no doubt be devices that will be vulnerable to this attack for years to come - looking at you Android."

Crypto Wars 1.0 Legacy

Experts say that the Freak flaw is a legacy of the days when the U.S. government restricted the export of strong encryption. "The SSL protocol itself was deliberately designed to be broken," Green says, because when SSL was first invented at Netscape, the U.S. government regulated the export of strong crypto. Businesses were required to use the relatively weak maximum key length of 512 bits if they wanted to ship their products outside the country.

While those export restrictions were eventually lifted, and many developers began using strong crypto by default, the export-grade ciphers still linger - for example in previous versions of OpenSSL - and can be used to launch man-in-the-middle attacks that force clients to downgrade to the weak crypto, which attackers can crack. "The researchers have identified a method of forcing the exchange between a client and server to use these weak ciphers, even if the cipher suite is not 'officially' supported," Hofman says.
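The downgrade described above can be caught on the client side by checking the handshake for consistency. The following is an added example, not code from the researchers or from OpenSSL: it models the checks a patched client applies, going one step beyond the article by including the ServerKeyExchange message (sent with a temporary RSA key for export suites, never for plain RSA suites, per the published description of CVE-2015-0204). The class and function names and the sample transcripts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# RSA export-grade suites, by IANA TLS cipher suite code point.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# A few non-export RSA key-exchange suites, enough for the sample data.
RSA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
EXPORT_RSA_MAX_BITS = 512  # the export-era key length limit cited in the article


@dataclass
class Handshake:
    """What one client saw during a handshake (hypothetical record type)."""
    client_offered: List[int]      # suites in the ClientHello the client sent
    server_selected: int           # suite in the ServerHello the client received
    temp_rsa_bits: Optional[int]   # RSA modulus size in ServerKeyExchange, None if absent


def parse_suite_list(raw: bytes) -> List[int]:
    """Decode the cipher_suites field of a hello message: 2 bytes per suite."""
    if len(raw) % 2:
        raise ValueError("cipher suite list must have an even length")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]


def export_suites_enabled(enabled: List[int]) -> List[str]:
    """Server-side audit: names of export-grade suites left in a configuration."""
    return [RSA_EXPORT_SUITES[s] for s in enabled if s in RSA_EXPORT_SUITES]


def client_checks(hs: Handshake) -> List[str]:
    """Return the reasons a client should abort; an empty list means proceed."""
    findings = []
    # The server may only pick a suite the client actually offered.
    if hs.server_selected not in hs.client_offered:
        findings.append("SELECTED_NOT_OFFERED")
    # Export-grade suites should never be negotiated today.
    if hs.server_selected in RSA_EXPORT_SUITES:
        findings.append("EXPORT_SUITE_NEGOTIATED")
    # The FREAK condition: a plain RSA suite was negotiated, yet a temporary
    # RSA key arrived anyway. A vulnerable client silently used that key.
    if hs.server_selected in RSA_SUITES and hs.temp_rsa_bits is not None:
        findings.append("UNEXPECTED_TEMP_RSA_KEY")
    # Any temporary key at or below the export limit is factorable.
    if hs.temp_rsa_bits is not None and hs.temp_rsa_bits <= EXPORT_RSA_MAX_BITS:
        findings.append("WEAK_TEMP_RSA_KEY")
    return findings


# Constructed sample transcripts (not captured traffic).
NORMAL = Handshake(parse_suite_list(bytes.fromhex("002f0035")), 0x002F, None)
# Client offered only strong suites, yet received a 512-bit temporary key.
DOWNGRADED = Handshake([0x002F, 0x0035], 0x002F, 512)
# Legacy client that still offers an export suite, and the server picks it.
LEGACY = Handshake([0x0003, 0x002F], 0x0003, 512)
# Server answers with an export suite the client never offered.
ROGUE = Handshake([0x002F], 0x0003, None)

if __name__ == "__main__":
    for name, hs in [("normal", NORMAL), ("downgraded", DOWNGRADED),
                     ("legacy", LEGACY), ("rogue", ROGUE)]:
        print(f"{name:10s} -> {client_checks(hs) or 'ok'}")
    print("server config audit:", export_suites_enabled([0x0003, 0x002F, 0x0008]))
```
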

Hacking NSA.gov

The researchers who discovered the Freak flaw have published a proof-of-concept exploit on the SmackTLS website, demonstrating a tool they developed, together with a "factoring as a service" capability they built and hosted on a cluster of Amazon Elastic Compute Cloud - EC2 - servers. The exploit was first used against the NSA.gov website. "Since the NSA was the organization that demanded export-grade crypto, it's only fitting that they should be the first site affected by this vulnerability," Green says. Cracking the key for the NSA.gov website - which, it should be noted, is hosted by Akamai - took 7.5 hours, and cost $104 in EC2 power, he adds. Were the researchers to refine their tools, both the required time and cost to execute such attacks would likely decrease.

The researchers have reportedly been quietly sounding related alerts about the Freak flaw in recent weeks to vulnerable governments and businesses, hoping to keep it quiet so that patches could be rolled out in a widespread manner before news of the flaw went fully public. But The Washington Post reports that Akamai published a blog post on March 2, written by its principal engineer, Rich Salz, which brought attention to the problem sooner than the researchers had hoped.

Still, the Freak flaw has existed for well over a decade, and follows the 2014 discovery of such new "old" bugs as Heartbleed, POODLE and Shellshock, which existed for years before being found.

Moral: Encryption Backdoors

In the post-Snowden era, many technology giants have moved to use strong encryption wherever possible, in part to assuage customers' concerns that the NSA could easily tap their communications. Apple and Google also began releasing mobile devices that use - or could be set to use - strong crypto by default. And many U.S. and U.K. government officials have reacted with alarm to these moves. Often citing terrorism and child-abuse concerns, many have demanded that the technology firms weaken their crypto by building in backdoors that government agencies could access.

But Green says the Freak flaw demonstrates how any attempt to meddle with strong crypto can put the user of every mobile device, Internet browser or website at risk. "To be blunt about it, the moral is pretty simple: Encryption backdoors will always turn around and bite you ..." he says. "They are never worth it."



Google Reportedly Preparing Android Wear for iPhone and iPad


Google is reportedly preparing to release an Android Wear app on the App Store for iPhone and iPad, according to French technology website 01net.

The report claims Android Wear with extended iOS support could be announced at Google's I/O developer conference in late May, although Google may push the agenda depending on sales of the Apple Watch.

Google may be interested in capitalizing on iPhone and iPad users that are not planning to purchase an Apple Watch when the wrist-worn device is released in April, the report adds. Last month, an unofficial video of an iPhone paired with Android Wear for notifications amassed over 300,000 views on YouTube.

Android Wear smartwatches such as the LG G Watch, Moto 360 and Samsung Gear Live are currently limited to pairing with smartphones running Android 4.3 or later, such as the Samsung Galaxy S5, HTC One M8 and LG G3. Pairing an Android smartphone and smartwatch requires the official Android Wear app on the Google Play Store.

While 01net is one of the largest technology publications in France, its exclusive report has not yet been corroborated by other sources and its veracity cannot be confirmed. But given that Google is generally more open about cross-platform compatibility, and has an existing portfolio of apps on the App Store, there is a possibility that Android Wear for iOS could one day be a reality.


Eduardo Vaz's curator insight, March 25, 2015 3:15 PM

#Google wants #AndroidWear to work with #Apple products even though #AppleWatch only works with #iOS. #ygk


New Android Trojan fakes device shut down, spies on users


A new Android Trojan that tricks users into believing they have shut their device down while it continues working, and is able to silently make calls, send messages, take photos and perform many other tasks, has been discovered and analyzed by AVG researchers.

They dubbed it PowerOffHijack, and AVG's security solutions detect it under that name.

PowerOffHijack has been discovered in China, where it has already infected over 10,000 devices. It is apparently being propagated via third-party online app stores, but the researchers haven't mentioned what apps it masquerades as.

The Trojan is capable of infecting Android versions below v5.0 (Lollipop).

How does it work?

"After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on," the researchers explained.

That's because the malware, after having previously obtained root access, is capable of injecting into the system_server process to hook the mWindowManagerFuncs object, which ultimately prevents the mWindowManagerFuncs.shutdown function from doing its job: first shutting down the radio service and then invoking the power manager service to turn the power off.

After keeping the power button pressed long enough to initiate the shut down procedure, the victims are presented with a fake pop-up that asks for confirmation of the process, and see a fake shut down animation. The malware and the phone will continue working, but the screen will be black.



Apple is now an existential threat to Android


For the first time ever, sales of Google's Android mobile devices have gone into decline — an astonishing defeat for a product that is given away free to manufacturers. And in the US, iPhone alone now outsells all Android devices, for the first time in three years.

Google ought to be terrified at this news. Apple's iOS operating system for iPhone and iPad is trampling all over the Android world right now. This isn't just an incremental shift in market share.

This is, if left unchecked, an existential turning point for Android and its developers and manufacturers. After all, if you can't win a battle against a product that costs about $700/£550 with a product that's equally good but free, then you're screwed. 

"Defeat" for Android is relative, of course. Apple sold 75 million phones in Q4 worldwide, whereas Android sold 206 million. So Android is still King Kong to Apple's Fay Wray. But Android has never seen a quarter of sales declines. Usually, market share shifts between Apple and Android, but Android always sells more phones. Now Android is selling fewer phones. And iPhone sales continue to spiral upward.

It has never been more depressing to be an Android fan than right now.

It wasn't supposed to be like this.

In the official playbook, the iPhone is the phone of the rich, that handful of Western countries where $700 isn't a month's wages. Android is for everyone else — the poor, the working class, the ordinary people. For years, 80% of phones sold have been Android phones. While it might "feel" like everyone in London, New York and San Francisco has an iPhone, the reality is that outside those wealth bubbles it's an Android planet. In country after country, Apple could only muster market share in the single digits.

Android's noble mission

Android's mission is a noble one, too. Google didn't just launch a new phone product. It launched a free mobile computing platform that would let everyone have access to the internet at almost any price-point. Google introduced the Android One in India and other countries for just $100. Xiaomi launched a bestselling Android phone brand in China that looked and felt as cool as an iPhone but for a fraction of the price. While Apple rejoiced at selling 75 million expensive phones, Google wanted Android to get into the hands of the next 5 billion people. Developing countries are buying phones at a rate of 100 million units a quarter, and not because of Apple. That's Android's doing.

iPhone was for the 1%.

But Android was The People's Phone.

The People, however, appear to have had other ideas.

It's not simply the case that one product is better than the other. Android is arguably superior for users — you can do more with it in more flexible ways. Android had NFC payments years before Apple Pay showed up. And Android has a back button! iOS is great but it's also boring — there is only one way to use it. And Apple is about to ship an update to iOS that is focused on "stability" and "optimisation." In plain English, iOS is currently full of bugs and Apple wants to fix them. Remember when Apple shipped that iOS 8 update that prevented phones from making phone calls? That's how "superior" iOS is to Android. 

All that turned out to be irrelevant, however. In Q4 2014, Apple didn't just sell a lot of iPhone 6 units. That was expected: Apple always sells a lot of its newly launched phones in Q4, right after launch. Rather, Apple went a step further and actually stole market share from Android that — according to the playbook — Google should never have ceded.  

What's going on?

One thing that might be changing is the set of assumptions around the role of price competition. The received wisdom is that when consumers are faced with two relatively equal products, but one is priced much lower than the other, then the cheaper product will solidify healthy market share. That iPhones are the most expensive phones on the market suggests that the poor will plump for Android.

But the ABI numbers (above), if they're accurate, suggest we're seeing a situation where even consumers on modest incomes are saving up and buying iPhones. There are very few products where poor people feel compelled to do that — cars and weddings are two of them. Apple is making inroads much further down the economic ladder than it used to, perhaps.

And then there are the manufacturers. Samsung is essentially imploding. For years it sold big-screen phones and took advantage because Apple only sold small screens. They were great phones, but those days are over. Now, Samsung phones — filled with self-promotional Samsung bloatware — don't look so good by comparison to iPhone 6.

Xiaomi has "forked" Android and is making its own great models — but they're only available in some Asian countries. Competing Android system developers like Cyanogen and Amazon are working to end Google's stewardship of the system.

Android is in disarray

Don't believe that strategic decisions about mobile platforms are important? Consider that it only took a couple of years for iPhone and Android to wipe BlackBerry off the map.

Android is in disarray, in other words. It has never faced so many threats from without and within. If Google makes the incorrect strategic decision about the direction of Android over the next five years, then it will be in serious trouble.

One hesitates to write Android's obituary, of course. Google really is intent on bringing the next billion people online (and Facebook is helping the company do it). For those people, people who are on a dollar a day or more but who need to be online, the iPhone may well be out of reach. Earth may once again become the Android Planet, and iOS may revert to its default status as the Rolls Royce of computer operating systems, used by people who think that having two cars, two televisions, and two showers a day is completely typical human behaviour.

But Apple has proved one major fact that Google must now accept: The reach of iPhone will be far greater than previously thought, and simply being the cheap/adequate alternative may not be good enough.



Microsoft may be on the cusp of a major move to invade Android


Microsoft may put its apps on what's likely to be the most popular Android phone of the year, the Galaxy S6, according to a new report from Sam Mobile.

The blog claims to have received information about Samsung's plans for the software that will be on the Galaxy S6.

The company will supposedly remove all of its own apps and offer them as downloadable options instead, but Microsoft's apps are said to come pre-loaded on the phone. This would include apps such as Microsoft Office Mobile, OneNote, OneDrive, and Skype. 

In general, it sounds like Samsung is making major improvements to its software. The Galaxy S6 is expected to come with software that's very similar to the stock version of Android, just like Google's Nexus 6.

If true, this would be a big move on Microsoft's part too. Ever since CEO Satya Nadella took over about one year ago, he's emphasized the fact that Microsoft will be expanding outside its own platforms.

The company has released several apps for iOS and Android over the past few months, including its Outlook Mail app for iPhone and Office for iPad, both of which have received generally positive reviews so far. Microsoft is also reportedly getting ready to invest $70 million in Cyanogen, a startup that builds its own version of Android and eventually wants to take Android away from Google.

Putting its own apps and services on a phone that's bound to be popular like the Galaxy S6 would obviously benefit Microsoft, but it's a puzzling move on Samsung's part. We expect to know more on March 1 when Samsung officially introduces its new phone.


GuerillaStockTrading.com's curator insight, February 13, 2015 9:09 PM

Microsoft making big moves. I don't think it's puzzling what Samsung is doing. They want a phone that targets business professionals and that integrates with Microsoft Office and cloud.


930 Million Android Devices at Risk?


Information security experts are calling on Google to rethink its patch priorities after it confirmed that it will no longer update a critical component that runs on Android 4.3 "Jelly Bean" and older devices. As a result, 61 percent of all Android smart phones and tablets - or about 930 million devices - will be running a version of Android that contains known vulnerabilities that an attacker could remotely exploit to seize control of the device or steal the data it stores, according to data security firm Rapid7.


At issue are the versions of WebView, which is used by Android to render Web pages, that are present in pre-Android 4.4 devices. Rapid7 researchers say that after finding and reporting a newly discovered vulnerability in older versions of WebView to Google's security@android.com team, Google responded that it was not going to issue a related patch.

Google says that if it receives a patch for older versions of WebView from a third party, it will distribute it to anyone who develops Android distributions. But Google says it no longer plans to create and distribute its own patches for such flaws. "If the affected version [of WebView] is before 4.4 [KitKat], we generally do not develop the patches ourselves but do notify partners of the issue," Google's e-mail to Rapid7 says. "If patches are provided with the report [from a third party] or put into AOSP [Android Open Source Project] we are happy to provide them to partners as well."

But Rapid7, citing data published by market researchers Gartner and Strategy Analytics, says Google's policy will leave the estimated 930 million mobile devices that run pre-KitKat versions of Google's open source Android operating system at risk, because they will be stuck running outdated - and vulnerable - versions of WebView. Device manufacturers could, theoretically, issue related patches themselves, but to date they have not done so.

A Google spokeswoman declined to comment on Rapid7's report.

Numerous hardware and software developers stop issuing updates for their products after they have been on the market for a specified period of time. But today, only 37 percent of in-use Android devices run version 4.4 of the operating system - introduced in November 2013 - and just 1.5 percent run the most recent version 5 - code-named Lollipop - according to market research firm Net Market Share.

In other words, 61 percent of still-in-use Android devices won't be receiving WebView updates from Google, and thus could be at risk from "mass-market exploits" designed to seize control of millions of devices at once, says Tod Beardsley, who's the technical lead for the Metasploit open source penetration testing framework, which is maintained by Rapid7.

"This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy," Beardsley says in a blog post. "Unfortunately, this is great news for criminals," because it gives them potential new ways to penetrate devices, implant malware, steal data or intercept communications.

Beardsley says that in the past year, two researchers have discovered nearly a dozen exploits in WebView - most of which affect versions of the component that run on Android 4.3 "Jelly Bean" and earlier devices - and that Metasploit currently ships with 11 exploits for known WebView flaws.

Newer WebView Auto-Updates

WebView is a widely used Android component. Indeed, Google's developer guide encourages Android developers to use WebView "to deliver a Web application - or just a Web page - as a part of a client application." Google's developer documentation further outlines a number of scenarios in which it might be employed, ranging from retrieving an end-user agreement or user guide from inside an app, to accessing any type of information that requires an Internet connection, such as retrieving e-mails.

When Google introduced Android 4.4 KitKat, it debuted a new, stand-alone WebView component, based on its Chromium open source project, that was decoupled from the Android operating system. "The new WebView includes an updated version of the V8 JavaScript engine and support for modern Web standards that were missing in the old WebView," Google's developer documentation states.

From a security standpoint, the big-impact change was the ability - now found in all modern browsers - for WebView to be automatically updated by Google. In other words, thanks to Google uncoupling WebView from the innards of the Android operating system, WebView updates can be piped directly to all users of Android 4.4 and newer, just as Google does with any other app that's available via the Play Store and Google Play services, news site Android Police reports.

Here is why that change is good: Many Android devices run a version of the operating system that's customized by whichever OEM produces the device. As a result, every time Google releases an Android operating system update, the OEM has to test the update, then create a customized version for its devices. Thanks to the newer version of WebView, however, Google can now directly update that component on all Android 4.4 and newer devices, without the OEM having to build the patch into their version of Android and then distribute it to their users.

Android Is Open Source

But the question of whether it's right for Google to cease updating older versions of WebView, an important component that still runs on nearly 1 billion Android devices, remains. Rapid7's Beardsley notes that Android is technically an open source project, and that OEMs could, in theory, obtain patches for newly discovered flaws in older versions of WebView from third parties. But he says that to date, the OEMs that do patch Android have relied on updates issued directly from Google. "The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business," he says. "After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?"

Some OEMs have a relatively good track record at keeping customers' Android devices updated with the latest security fixes. But others rarely - if ever - release security patches for devices.

With Google ceasing to update a core component of Android that runs on pre-4.4 versions, the risks to users will only increase, Beardsley warns. "Please reconsider, Google," he says. "As a software developer, I know that supporting old versions of my software is a huge hassle. I empathize with their decision to cut legacy software loose. However, a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives."



Google reveals Windows flaw mere days before Patch Tuesday fix, irking Microsoft


Google just spilled the beans on a Windows 8.1 vulnerability that could give an attacker elevated privileges and Microsoft is not happy about it.

Currently, Google’s policy is to publish any vulnerabilities it finds 90 days after notifying the software vendor of the issue. Google publicized this latest flaw on Google Code on Sunday before Microsoft had a chance to release a fix. A similar Windows bug was publicized in late December.

What’s got Microsoft so miffed is that Google released the information just two days before the Windows maker planned to release a fix during the company’s usual “patch Tuesday” on January 13, 2015. What’s more, Microsoft claims it was in touch with Google and that the search giant was well aware of Microsoft’s timeline.

“The decision [to publish the bug] feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” Microsoft said in a recent blog post.

Why this matters: How and when companies and researchers decide to release software bugs can have serious implications if businesses, home users, or large organizations are left without a patch. Nevertheless, putting vulnerability fixes on some kind of timeline is also important since larger organizations sometimes delay fixing problems if not faced with a firm deadline, thereby leaving users exposed. But security researchers and companies with affected software need to work together on publishing the flaw and a fix in a timely manner so that end users are not left vulnerable.

Turned tables

Although Microsoft isn’t happy about Google’s decision, at least one security researcher says Microsoft’s complaints are too little, too late.

Ten years ago, “Microsoft dictated the ‘industry standard’ of how security problems were reported,” Rob Graham, CEO of security consultancy Errata Security, recently said on his company’s blog.

According to Graham, Microsoft would sometimes delay fixing bugs for years and rely on its industry muscle to keep researchers and critics quiet. Now, however, Google is the company setting the “industry standard” for reporting, Graham says. “It’s just whining...They [Microsoft] resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.”

Microsoft certainly has its hands full when it comes to bug fixes, and the company does move more slowly than other companies. But Google couldn’t delay publication for two days when Microsoft had already promised a fix?

Putting companies on a deadline for timely, responsible patching is a great policy to have. Keeping to that deadline even when a promised fix is mere days away, however, doesn’t help users. It just makes Google look like it’s trying to stick it to Microsoft.




Apple and IBM reveal 10 iOS apps that aim to change the way you work


The way banks, airlines, wireless carriers, and even governments do business could soon change if Apple and IBM have anything to say about it. The two companies now have 10 apps designed to streamline business operations behind the scenes, which may lead to better service for the rest of us.

The new apps are the first wave in a lineup that’s expected to include up to 100 iOS apps for business. IBM is firmly entrenched in enterprise, while Apple’s presence in the halls of giant corporations has been largely unofficial, in the form of employees using their personal iPhones to send company emails. So the two companies partnered up in July to bring their complementary strengths to businesses on iOS.

One app called Incident Aware will give police a real-time look at maps and video from crime scenes, as well as information about victims and suspects, and better backup request capabilities.

Another, Sales Assist, is designed to help retail employees offer better service to shoppers by giving them access to customer profiles with past purchase history for improved recommendations. The app also helps staffers manage inventory.

Apple and IBM produced a pair of apps for airlines: Plan Flight for pilots offers a look at flight schedules, flight plans, and crew manifests and the ability to report in-flight problems to crew on the ground. The other, Passenger+, gives flight crews information about passengers so they can tailor special offers to them.

Citi, Sprint, Air Canada, and Banorte are the first four IBM clients using the apps at launch. Apple is offering AppleCare for Enterprise, a 24-hour customer service line, while IBM takes care of on-site issues.

The two companies will continue to release apps throughout 2015.

Why this matters: This isn’t the first time Apple has ventured into enterprise, or the first time the company has worked with IBM (remember the PowerPC?). The partnership is still in early days, but with IBM’s expertise in enterprise needs like data analytics and Apple’s deft design touch, IBM MobileFirst for iOS could become the enterprise suite of tools to beat—and make everyone’s lives a lot easier.



