IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Samsung Touts Video Chops With Two More Big Screen Phones


As expected (and amply leaked), Samsung has today whipped back the curtain on a pair of new flagship smartphones, announcing two new phablets: the Galaxy Note 5 (pictured above) and the Galaxy S6 Edge+ at press events in New York and London.


The focus for Samsung here is bigger handsets that can do more with multimedia content, letting the user make use of additional screen real-estate for video editing or livestreaming, or multitasking with multiple content windows on screen.


The Korean giant doesn’t normally drop flagship smartphones in August but is presumably hoping to hog the limelight by announcing new kit in what is typically a fallow month for tech news — before the hype cycle spins up again come September, when Apple typically unboxes new iPhones. (In the event, Chinese mobile maker Xiaomi stole a march on Samsung’s phablet news by announcing its own pair of newbies earlier today.)


Here’s a quick rundown of the new additions to Samsung’s handset Galaxy, which will be landing in some 7,000 retail stores in the U.S. for preview starting from tomorrow (but on sale globally later this month):


Galaxy Note 5


The Galaxy Note 5 is the sequel to the 5.7-inch display Note 4, which launched back in September 2014. The display remains the same size (and same quad-HD res), but RAM has been beefed up to 4GB.


The design has also been tweaked to be thinner and slimmer, with a narrower bezel and curved back. The rear camera is still 16MP, but there’s now 5MP on the front. Both are f1.9.


The S-Pen stylus has also had an update — with an “all new” design, and, says Samsung, improved writing capabilities (albeit it said that at the last Note update…), including the ability to jot down info even when the screen is off.


Users can also now annotate PDF files using the S-Pen, and capture a whole website from top to bottom using a Scroll Capture feature. And the pen is easier to extract from its kennel inside the Note, thanks to a “one click” extraction mechanism.


Available colorways for the Note 5 are “Black Sapphire” and “White Pearl”. There are 32GB and 64GB variants (but no microSD card slot — a factor that’s going to continue to grate on long-time Samsung fans).


Galaxy S6 Edge+


The Galaxy S6 Edge+ updates one of two new flagships Samsung unboxed back in March at the Mobile World Congress trade show — namely the S6 Edge.

The flagship feature of that handset was a screen with curved edges. Those curves spill over now to the S6 Edge+ but the overall size of the screen has also been increased to phablet size — so it’s been bumped up from 5.1 inches to 5.7 inches. As with the S6 Edge, the curved edges can be used as a shortcut from any screen to access top contacts and apps, by swiping along the edge.


As with the Note 5, RAM has also been increased to 4GB. And the rear camera is 16MP, with a 5MP lens on the front.


Available colorways for the S6 Edge+ are “Black Sapphire” and “Gold Platinum” (below). And there are also 32GB and 64GB variants (but again no microSD card slot).


 

Multimedia focus


Both devices sport improved video stabilization when shooting from the front or rear camera, according to Samsung.  There’s also a new video collage mode that allows users to shoot and edit short videos more easily, adding various frames and effects. And a 4K Video filming feature to record content for 4K TVs.


A full HD Live Broadcast option lets users instantly stream video straight from the phone to any individual, group of contacts, or through YouTube Live — a la live streaming apps like Meerkat and Periscope. While Samsung touts other camera and audio improvements such as a quick launch feature (by double clicking the home button from any screen to jump into the camera), and support for UHQA for richer audio quality.


Both handsets also support Samsung Pay — the company’s forthcoming NFC and magnetic secure transmission mobile payment tech which it’s lining up as an Apple Pay rival.


There’s also embedded wireless charging on both, but wireless charger pads aren’t included — so that’s an additional accessory you’d have to have or buy yourself.


Law Banning Default Encryption Unlikely


Laws rarely, if ever, keep up with technology, but even if they could, the consequences could prove more harmful than the benefits.

That was evident at an April 29 hearing of the House Oversight and Government Reform Subcommittee on Information Technology that addressed the encryption - and security - of mobile devices.



Here's the problem the panel addressed that faces law enforcement: Encryption is the default setting for new Apple iPhone and Google Android mobile devices, meaning that law enforcement cannot gain access to encrypted data on the devices even if they have a search warrant. To gain access, the manufacturers would have to create a so-called "backdoor," and give law enforcement a special key to decrypt data on mobile devices. Without such a key, law enforcement could gain access only with the permission of the devices' owners, an unlikely scenario if the encrypted data contains incriminating evidence.

"We call it 'going dark,' and it means that those charged with protecting the American people aren't always able to access the information necessary to prosecute criminals and prevent terrorism even though we have lawful authority to do so," FBI Executive Assistant Director Amy Hess told lawmakers.

Backdoor Benefits

Hess furnished the subcommittee with examples on how accessing data enabled forensics experts to solve crimes, including kidnaping, false rape accusation and murder.


"Today's encryption methods are increasingly more sophisticated, and pose an even greater challenge to law enforcement," she said. "We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet or a laptop - evidence that may be the difference between an offender being convicted or acquitted - but we cannot access it."


Advocates of giving law enforcement a backdoor key include President Obama and FBI Director James Comey. At the Congressional hearing, Suffolk County (Mass.) District Attorney Daniel Conley voiced strong support: "The Fourth Amendment allows law enforcement access to the places where criminals hide evidence of their crimes, once the legal threshold has been met," Conley testified. "In decades past, these places were car trunks and safety deposit boxes; today they are computers and smartphones."

Questioning Motives of Apple, Google

Conley dismissed Apple's and Google's contention that the default encryption they offer on their devices safeguards consumers' privacy.

"Their nominal commitment to privacy rights would be far more credible if they were forbidding themselves access to their customers' interests, search terms and consumer habits, but as we all know, that's not a step they're willing to take," Conley said. "Instead, they're taking full advantage of their customers' private data for commercial purposes while building an impenetrable barrier around evidence in legitimate, court-authorized criminal investigations."


Hess and Conley make a somewhat sound argument. After all, police, with the proper court order, can break into filing cabinets to retrieve evidence. But the rules of the physical world don't always translate well into the virtual one. And other witnesses at the hearing made more compelling arguments for why creating an electronic backdoor is a very bad idea.


"Unfortunately, harsh technical realities make such an ideal solution [a backdoor] effectively impossible, and attempts to mandate one would do enormous harm to the security and reliability of our nation's infrastructure, the future of our innovation economy and our national security," said cryptographer Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania. "We just can't do what the FBI is asking without weakening our infrastructure."

Undermining U.S. Cybersecurity

Providing a backdoor would undermine America's cybersecurity. "While the FBI would have us believe that law enforcement alone will be privy to our sensitive data, history demonstrates that bad actors will always be ahead of the curve and find an avenue to manipulate those openings," said Jon Potter, president of Application Developers Alliance, a trade group. "As one well-regarded cryptographer said, 'You can't build a backdoor that only the good guys can walk through.'"

Creating a backdoor could potentially cost the American economy billions of dollars in lost business. Kevin Bankston, policy director of the think tank New America's Open Technology Institute, says a backdoor would give foreign users, including corporations and governments that especially rely on the security of technologies, even more incentive to avoid American wares and turn to foreign competitors. "To put it bluntly," he said, "foreign customers will not want to buy or use online services, hardware products, software products or any other information systems that have been explicitly designed to facilitate backdoor access for the FBI or the NSA."

Encryption Mitigates Risks

But the most compelling argument for retaining default encryption that's beyond the reach of law enforcement is that it makes everyone safer, especially on smartphones. "The vast amount of personal information on those devices makes them especially attractive targets for criminals aiming to commit identity theft or other crimes of fraud, or even to commit violent crimes or further acts of theft against the phone's owner," Bankston said.


"By taking this step for their customers and turning on encryption by default," he said, "mobile operating system vendors have completely eliminated the risk of those crimes occurring, significantly discouraged thieves from bothering to steal smartphones in the first place, and ensured that those phones' contents will remain secure even if they are stolen."


It's an argument that can persuade even the most ardent supporters of law enforcement and intelligence agencies. The subcommittee's chairman, freshman Republican William Hurd of Texas, a former undercover CIA agent and cybersecurity strategist, concluded the hearing by opposing offering law enforcement a backdoor. "I hold everyone in law enforcement and the intelligence community to a higher standard," he said. "Upholding civil liberties and civil rights are not burdens. They make all of us safer and stronger."



Samsung takes record 20 million orders for Galaxy S6, S6 Edge


Samsung’s Galaxy S6 and Galaxy S6 Edge set off a blistering pace of orders, already racking up 20 million before its official launch.

That’s according to a report in The Korea Times, which says it’s a record number of early orders for any of the company’s smartphones. The orders break down as 15 million for the Galaxy S6, and 5 million for the S6 Edge.

Note that these are orders placed by retailers and carriers, not pre-orders placed by consumers.

The Galaxy S6 is powered by Samsung’s own octa-core Exynos processor with 3GB of RAM. It also has a 5.1-inch Quad HD Super AMOLED display, a 16-megapixel rear-facing camera, and a 2,550mAh battery pack.

The Galaxy S6 Edge screen bends over on each side, though not as dramatically as the Galaxy Note Edge.

With this release, Samsung is trying to reverse its fortunes, which saw it losing marketshare to Apple and other competitors in the Android space. Samsung is stepping up its build quality, as many other devices like the HTC One and phones from LG have been far more remarkable to look at than the boring plastic build that Samsung used for its devices.

The story behind the story: Samsung gave its Galaxy flagship the most radical overhaul it’s done, going with a metal-and-glass build and eliminating removable batteries and an SD card slot. It left us impressed in our initial hands-on, though we’ll have to give it a more detailed review to see if it’s worth your money.



Apple Exploring iPhone Waterproofing Method


Apple has a patent application in with the USPTO (via AppleInsider) that describes a few different methods for waterproofing electronic devices like the iPhone. The patent describes coating certain internal components like the main circuit board with a hydrophobic coating, presumably not unlike the process used by Liquipel and other similar companies. The process for applying the waterproof layer would only result in a coating ranging between one and ten microns thick, Apple says in the filing, meaning it wouldn’t take up any additional space inside the device shell.

The patent by Apple includes a provision for leaving the EMI shield included in all of its iPhones, iPads, MacBooks able to perform its job while also allowing for the components protected therein to be fully water sealed by the process. Special processes are needed because the coating is applied to the assembled circuit board, meaning the EMI shielding could obscure key internal components from receiving the benefits of the sealing.

To keep the exposed soldered ends of connectors protected against water, the patent also talks about using silicone seals at the point where they connect to boards and the flex cables that often run between the internal circuits of devices.

Apple hasn’t yet shown much interest in waterproofing its smartphones and tablets, though other smartphone makers like Sony have made it a core component of their hardware. Samsung made the Galaxy S5 water-resistant last year, but has gotten rid of that kind of environmental protection with this year’s Galaxy S6, and given the relative performance of both the GS5 and Sony’s devices, it remains unclear how much value consumers actually put in waterproofing in terms of impacting their buying decision.

There’s no doubt that Apple being able to list ‘waterproof’ as one of the marquee features on a future smartphone or tablet would cause a splash, however. This patent was filed in March of last year, so it’s a relatively recent invention, meaning it’s too soon to say that Apple is just locking down the IP without any strong intent to necessarily bring this to future products.



Samsung Wants To Kill Your Charging Cables


Wireless charging technology goes back a long, long way—all the way back to 1891, when Nikola Tesla successfully transferred power wirelessly. More than 100 years later, the tech still remains a non-starter.

Samsung wants to change all that. A post by its top engineer for IT and mobile, Seho Park, suggests that the company’s upcoming Galaxy S6 may offer built-in support for the technology, which would be a first for the company.

Samsung, of course, has dabbled in wireless charging before. Typically, those efforts required accessories like swappable backplates and charge mats. Park writes that his company’s first commercial wireless charging mat launched in the U.S. in 2011 as the Droid Charge. Since then, the tech giant has continued to look for ways to squeeze all that tech into the phone itself.

Shoot Out At The Wireless Corral 

Back in 2009, when Palm still had a horse in the mobile race, its Pre phone line and its wireless Touchstone charging dock grabbed the public's attention. Now Palm is dead in the water—though not done for quite yet—and the state of wireless charging has come to resemble a Mexican standoff. Three major, but incompatible, standards have been jockeying for the top spot.

All three essentially do the same thing: They use electromagnetic fields to charge a battery from a (usually short) distance, allowing you to ditch the charging cable. None have emerged victorious, although consumers have clearly been the losers.

According to Park, Samsung—which belongs to all three organizations—has had enough. It's been working on integrated components that can work with all the wireless-charging standards. Park writes:

We also discovered new ways to merge and combine components in a more efficient way, which allowed our technology to generate more power and take up less space.... We also focused on finding new ways to make the components themselves smaller and thinner. 

If that effort works, one day you might toss a Samsung device on a charging mat and it would just charge, without you giving a moment's thought as to whether your phone works with that particular brand of mat (or transmitter table or charging bowl).

It is, of course, possible that the warring standards might have eventually gotten their act together on their own. Last year, two of them joined forces, agreeing to support each other’s technology. One of those groups also partnered with Starbucks, whose cafés now feature charging tables and bars.


Promising steps. Too bad they still leave out the third, and arguably most popular, wireless-charging standard, known as Qi. (It's a lot like being the biggest ant in the hill.) Currently, Qi technology is available in hundreds of consumer products, and if you hunt for them, you can find charging locations at a few dozen McDonald's joints in Europe.

Instead of waiting for a miracle to occur, Samsung looks ready to take matters into its own hands.

Smartphones Are Just The Start 

The timing of Park’s meditation on wireless charging is no coincidence. He strongly implies the new Galaxy phone will have built-in support, but he stops short of promising that—perhaps to preserve "the wow factor" for Samsung’s Unpacked media event in Barcelona in a couple of weeks.

Portable power and charging has been a vexing matter for the whole mobile industry, with players like Motorola, Apple and Samsung (of course) offering fast-charging technology to take some of the irritation out of juicing up. If the cable finally goes away and charging installations become more publicly available, it could go a long way toward easing the long wait for bigger and better batteries.

Park explains that Samsung has been working on the wire-free charging conundrum for the last five years. Apparently, the company figures the time is ripe now to stuff wireless charging directly into its phones, to drive adoption of the technology—and, of course, its own devices. 

Those efforts could have even greater significance beyond phones.

In addition to IT companies, leading brands from a wide range of industries, such as consumer electronics, semiconductors, mobile services, automotive, furniture, software and others have joined the effort and are working closely together.

Samsung, of course, has its fingers in several of those pies—including smartwatches and fitness bands, home theater equipment and kitchen appliances. With its SmartThings acquisition last year, it has a stake in smart homes and the broader movement dubbed the "Internet of Things." 

The Samsung global conglomerate has its hand in even more than that, from hospital-grade medical equipment to industrial machines, and many of the gadgets that hook into them. Anything not nailed down by a power cable could get a boost from streamlined charging technology.

But Phones Are a Crucial Start For Samsung

Support for the various industries could be Samsung's long game. For now, however, its focus is on phones, where it has been struggling recently.

For mobile consumers to flock to wireless charging, the process needs to be fast and convenient. Given that, there’s one curious tidbit in Park’s post:

Two or three years ago, wireless charging was only twenty to thirty percent as efficient as wired charging. But since then, we have been able to double the charging speed.

It’s tough to tell if Park is referring to Samsung’s work or wireless charging as a whole. If it’s the latter, then Daniel Schreiber, president of Powermat Technologies, might take some exception to this. He told me last November, when his group’s Starbucks initiative launched, that those wireless charging speeds rival cabled connections. I didn’t clock the action when I tried it, but at the time, the charging seemed pretty speedy.

If Park is talking about Samsung’s development, then the tech—slow as it seems to be—still has a ways to go. Because by my math, if the cable-free version is 30% as efficient as traditional charging, and the company can achieve twice that speed, it’s still much slower than physically plugging in. 

So it may be a bit too early for Galaxy customers to completely ditch the cord. Samsung's wire-free tech could be somewhat handy, since it may come built into those Galaxy S6 phones. But it might not be the shot of power needed to really juice up Samsung’s mobile business.



Smartphone thefts drop as kill switch usage grows


Phone theft used to be a growth industry. The snatch-and-run stealing of iPhones even had its own clever moniker: Apple picking. But such thefts might be in decline. Last year, 2.1 million Americans had phones stolen, according to a nationally representative survey conducted by the Consumer Reports National Research Center. (Another 3.1 million smartphones were lost.) In 2013, about 3.1 million phones were stolen, according to our previous survey.

The two Consumer Reports surveys employed slightly different methodology, which could account for some of the drop, but there is other evidence of a decline—and the trend might accelerate now that Android devices seem poised to embrace kill switches, which allow you to deactivate your stolen or lost phone. 

Smartphones have allowed users to remotely wipe their data for years. But in 2013 prosecutors across the country started calling for technologies that disable, or “brick,” stolen phones to deter thieves from stealing them for resale overseas. Minnesota and California both passed laws requiring manufacturers to make progress on installing anti-theft features by July 1, 2015.

Apple is well ahead of the deadline. After the company added a kill switch to its Find My iPhone app in 2013, police departments around the country reported that iPhone thefts dropped. Then, Activation Lock became a default feature last fall with the launch of the iPhone 6 and 6 Plus. Samsung also added a kill switch—called Reactivation Lock—to a few phone models in 2013. But, in general, Android phones haven’t had the technology. To protect their devices, consumers had to download aftermarket security apps.


Many expected Android Lollipop 5.0 to resolve that problem in late 2014, but manufacturers didn’t implement the kill switch, presumably because of performance issues. Now, all eyes are trained on Lollipop 5.1, due to roll out this summer. Given the helter-skelter, one-off approach phone companies take to their mobile operating systems, however, it will be a long time before a kill switch comes to all Android models.

The technology could eventually save U.S. consumers $3.4 billion, according to calculations by William Duckworth, a statistics and data science professor at Creighton University. (His 2014 study included the costs of replacing handsets and a portion of the money consumers spend on phone insurance.)

Kill switches aside, many phone owners do an abysmal job of protecting their mobile devices, the new Consumer Reports survey found. Among survey respondents, only 46 percent set a screen lock using a four-digit PIN or a stronger method such as a lengthy password or fingerprint. Just 33 percent backed up their data, including photos and contacts, to a computer or online service. Built-in security technology can only get a consumer so far—to reap the benefits, you actually have to use it.


The Apple Store will give you credit for old Android phones


If you’re ready to defect to the iPhone from Android or BlackBerry, the Apple Store will welcome you with open arms—and some store credit.

Apple retail stores are expanding their trade-in programs beyond the iPhone and iPad to include “select” smartphones from other manufacturers. Word of the new program first appeared on individual store websites, as spotted by 9to5Mac.

Apple has been offering credit for old iPhones and iPads at its retail stores since 2013. The company also accepts old Apple products and Windows PCs through its Reuse and Recycle website. This is the first time Apple will be offering store credit for Android and BlackBerry phones.

It’s unclear how much you’ll get for these devices compared to other tech buyback services such as Gazelle, NextWorth, and EcoATM. Apple hasn’t posted any trade-in details for its U.S. stores, and Engadget reports that employees at some locations aren’t even aware that the program has begun. We’ve reached out to Apple for clarification.

Why this matters: It’s extremely convenient to be able to dump your old phone while getting a discount on a new one, which might explain why all four major U.S. carriers now have their own trade-in programs. Apple is just making sure that its own stores have the same option—especially for users who can’t wait to switch platforms.



Wireless Charging May Not Be Doomed To Irrelevance


Wireless charging is a decent idea that’s been held back for years by double and sometimes triple or quadruple vision: Instead of picking one standard that works well enough, the industry has fragmented itself among competing, incompatible implementations that may each flop and leave buyers stuck with useless hardware.

Yes, you’ve seen this format-war movie before… on Beta, Laserdisc, and HD-DVD.

But this year’s Mobile World Congress provided a little more room for optimism than before.

First off, Samsung’s debut of the Galaxy S6 and S6 Edge—each of which supports both Qi and Powermat wireless charging, the two most widely deployed versions—means devices capable of wireless charging will soon occupy millions of pockets and purses.

Qi, pronounced “chee,” has been around for a while. A handout from the Wireless Power Consortium, the trade group behind the specification, cites 79 phones that are compatible. But none of these 79 phones has been a flagship model you could expect to find sold by all four major U.S. wireless carriers, or bought by millions of shoppers. Note that while the S6 and S6 Edge will be able to draw current from both Qi and Powermat chargers, Samsung told me its own wireless-charging accessory will be a Qi surface.

It’s also getting slightly easier to find Qi charging surfaces. Last October, Marriott began putting Qi hardware in the lobbies of some of its hotels, and at MWC Ikea announced that it would soon sell furniture with Qi chargers built in.

A new smartphone app by the Qi developer Aircharge aims to show off all the places that its wireless charging surfaces are available; in Manhattan, it only found three publicly accessible Qi locations, all Marriott properties. So much for progress in the Big Apple.

And as the S6’s ambidextrous wireless charging capability illustrates, there are two sides to this story. Powermat’s longstanding technology is being folded into a developing rival to Qi called Rezence, a name that alludes to its use of magnetic resonance instead of Qi’s inductive charging.



Apple, Android Prep 'Freak' Fix


Numerous Apple and Android devices, as well as websites, are vulnerable to a serious flaw, which an attacker could exploit to subvert secure Web connections. The flaw exists in SSL and TLS and results from the ability to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

The researchers who discovered the vulnerability have dubbed it "Freak," for "Factoring RSA-EXPORT Keys," and warn that it can be used to crack a cipher key and then impersonate legitimate sites - such as the public-facing National Security Agency website - to vulnerable clients. In some cases it could also be used to hijack third-party tools, such as the Facebook "like" button functionality, and inject JavaScript into vulnerable clients and steal passwords.


"In case you're not familiar with SSL and its successor TLS, what you should know is that they're the most important security protocols on the Internet," Johns Hopkins University cryptographer Matthew D. Green says in a blog post. "In a world full of untrusted networks, SSL and TLS are what makes modern communication possible."

Security researchers warn that the flaw exists in versions of OpenSSL prior to 1.0.1k, and affects all Android devices that ship with the standard browser, although they say Google Chrome is immune. The flaw also exists in Apple TLS/SSL clients, which are used by both Mac OS X clients and iOS mobile devices. The vulnerability has been designated as CVE-2015-0204.

Researchers say it's not clear how many users, devices or websites are vulnerable to the Freak flaw, or if it has yet been exploited in the wild. But 6 percent - or 64,192 - of the world's 1 million most popular websites (as ranked by Amazon.com Web traffic monitoring subsidiary Alexa) are currently vulnerable to the flaw, according to the Tracking the Freak Attack site, which is run by researchers at the University of Michigan, and can be used to check if clients are vulnerable to Freak attacks.

Researchers from French computer science lab INRIA, Spanish computer lab IMDEA and Microsoft Research have been credited with discovering the flaw and detailing how it can be exploited. "You are vulnerable if you use a Web browser that uses a buggy TLS library to connect, over an insecure network, to an HTTPS server that offers export ciphersuites," they say. "If you use Chrome or Firefox to connect to a site that only offers strong ciphers, you are probably not affected."

In recent weeks, the researchers - together with Green - have been alerting affected organizations and governments. Websites such as Whitehouse.gov, FBI.gov, and connect.facebook.net - which implements the Facebook "like" functionality - were vulnerable to related attacks, but have now been fixed, Green says. But he notes that numerous sites, including the public-facing NSA.gov website, remain vulnerable.

Apple, Google Prep Patches

Apple tells Information Security Media Group that it is prepping a patch, which it plans to release next week. OpenSSL released a related patch in January, and content delivery networks - such as Akamai - say they've either put fixes in place or will do so soon.

While Google didn't immediately respond to a related request for comment, a spokeswoman tells Reuters that the company has already prepped an Android patch and distributed it via the Android Open Source Project to its business partners. She notes that it's now up to those businesses - which include such equipment manufacturers as Samsung, HTC, Sony, Asus and Acer - to prep and distribute patches to their customers. But while some OEMs have a good track record at prepping and releasing patches in a timely manner, others delay, or never release patches.

Businesses and users should install related patches as quickly as possible, says information security consultant and SANS Institute instructor Mark Hofman in a blog post. "To prevent your site from being used in this attack you'll need to patch OpenSSL - yes, again. This issue will remain until systems have been patched and updated, not just servers, but also client software," he says. "Client software should be updated soon - hopefully - but there will no doubt be devices that will be vulnerable to this attack for years to come - looking at you Android."

Crypto Wars 1.0 Legacy

Experts say that the Freak flaw is a legacy of the days when the U.S. government restricted the export of strong encryption. "The SSL protocol itself was deliberately designed to be broken," Green says, because when SSL was first invented at Netscape, the U.S. government regulated the export of strong crypto. Businesses were required to use the relatively weak maximum key length of 512 bits if they wanted to ship their products outside the country.

While those export restrictions were eventually lifted, and many developers began using strong crypto by default, the export-grade ciphers still linger - for example in previous versions of OpenSSL - and can be used to launch man-in-the-middle attacks that force clients to downgrade to the weak crypto, which attackers can crack. "The researchers have identified a method of forcing the exchange between a client and server to use these weak ciphers, even if the cipher suite is not 'officially' supported," Hofman says.
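A server-side check for the condition the researchers describe, an HTTPS server that offers export ciphersuites, as an added example (not code from the article or from the researchers). It parses the first TLS record a server returned during a test handshake and reports whether the server selected one of the three RSA_EXPORT suites; the function names and sample replies are constructed for illustration, and the suite IDs are the IANA-assigned values.

```python
import struct

# IANA cipher suite IDs that use the 512-bit RSA_EXPORT key exchange.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def classify_reply(record: bytes) -> str:
    """Classify the first TLS record of a server's reply to a test ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 0x15:  # alert record: the server refused the offered suites
        return "refused"
    if ctype != 0x16 or length < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello layout: version(2) random(32) sid_len(1) sid cipher_suite(2) ...
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]  # skip the variable-length session id
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    suite = int.from_bytes(hello[off:off + 2], "big")
    name = RSA_EXPORT_SUITES.get(suite)
    return f"offers-export:{name}" if name else f"selected:0x{suite:04X}"

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Build a constructed TLS 1.0 ServerHello record (hypothetical test helper)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + suite.to_bytes(2, "big") + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake

# Constructed sample replies, not captured from any real server.
WEAK_REPLY = build_server_hello(0x0003, session_id=bytes(32))
STRONG_REPLY = build_server_hello(0x002F)      # TLS_RSA_WITH_AES_128_CBC_SHA
ALERT_REPLY = bytes.fromhex("15030100020228")  # fatal alert, handshake_failure

if __name__ == "__main__":
    for reply in (WEAK_REPLY, STRONG_REPLY, ALERT_REPLY):
        print(classify_reply(reply))
```

The result is only conclusive when the test ClientHello offered nothing but RSA_EXPORT suites: a server that also supports stronger suites will normally select one of those when it is offered.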

Hacking NSA.gov

The researchers who discovered the Freak flaw have published a proof-of-concept exploit on the SmackTLS website, demonstrating a tool they developed, together with a "factoring as a service" capability they built and hosted on a cluster of Amazon Elastic Compute Cloud - EC2 - servers. The exploit was first used against the NSA.gov website. "Since the NSA was the organization that demanded export-grade crypto, it's only fitting that they should be the first site affected by this vulnerability," Green says. Cracking the key for the NSA.gov website - which, it should be noted, is hosted by Akamai - took 7.5 hours, and cost $104 in EC2 power, he adds. Were the researchers to refine their tools, both the required time and cost to execute such attacks would likely decrease.

The researchers have reportedly been quietly sounding related alerts about the Freak flaw in recent weeks to vulnerable governments and businesses, hoping to keep it quiet so that patches could be rolled out in a widespread manner before news of the flaw went fully public. But The Washington Post reports that Akamai published a blog post on March 2, written by its principal engineer, Rich Salz, which brought attention to the problem sooner than the researchers had hoped.

Still, the Freak flaw has existed for well over a decade, and follows the 2014 discovery of such new "old" bugs as Heartbleed, POODLE and Shellshock, which existed for years before being found.

Moral: Encryption Backdoors

In the post-Snowden era, many technology giants have moved to use strong encryption wherever possible, in part to assuage customers' concerns that the NSA could easily tap their communications. Apple and Google also began releasing mobile devices that use - or could be set to use - strong crypto by default. And many U.S. and U.K. government officials have reacted with alarm to these moves. Often citing terrorism and child-abuse concerns, many have demanded that the technology firms weaken their crypto by building in backdoors that government agencies could access.

But Green says the Freak flaw demonstrates how any attempt to meddle with strong crypto can put the user of every mobile device, Internet browser or website at risk. "To be blunt about it, the moral is pretty simple: Encryption backdoors will always turn around and bite you ..." he says. "They are never worth it."

