MtGox chief refuses to travel to US

Written by Unknown on Tuesday, 15 April 2014 | 23.43

15 April 2014 Last updated at 11:31

MtGox's founder has refused a US court's demand that he testify this week about the collapse of what was the world's biggest Bitcoin exchange.

Mark Karpeles had been asked to attend a hearing in Washington on Friday.

MtGox reported in February that it may have lost nearly $500m (£300m) worth of the virtual currency and subsequently filed for bankruptcy protection in Japan and the US.

It later said it had "found" about a quarter of the missing sum.

A US judge ordered Mr Karpeles to travel from Japan to appear in front of the US Department of Treasury's Financial Crimes Enforcement Network to answer questions about the affair.

But a court filing by MtGox's lawyers said the France-born chief executive - who has not been charged with any crime - would not comply.

"Mr Karpeles is now in the process of obtaining counsel to represent him with respect to the FinCen subpoena," it said.

"Until such time as counsel is retained and has an opportunity to 'get up to speed' and advise Mr Karpeles, he is not willing to travel to the US."

The lawyers also asked the court to delay Mr Karpeles' deposition until 5 May, but added that they could not guarantee he would attend on that date either.

In the meantime MtGox's site continues to tell out-of-pocket investors that a "method for filing claims will be published on this site as soon as we will be in [a] situation to announce it".

One bitcoin is currently trading for about $500, down from its high of more than $1,100 last year.



Heartbleed may 'slow' web speeds

15 April 2014 Last updated at 14:13

The struggle to fix problems caused by the Heartbleed bug may slow browsing speeds, warns analysis firm Netcraft.

The sheer number of sites refreshing key credentials may trigger delays, reported the Washington Post.

The updates could force browsers to keep downloading and checking long lists of safe sites which would slow attempts to reach those destinations.

The updates will help stop attackers posing as well-known sites using stolen security credentials.

Security check

About 500,000 websites were thought to be vulnerable to the Heartbleed bug which, if exploited, would let attackers slowly steal data from web servers.

Many sites, including Google, Facebook, DropBox and OKCupid, have now patched the version of the security software they ran, called OpenSSL, that was vulnerable to Heartbleed.

However, said Paul Mutton, a security analyst at Netcraft, sites also had to take action to change a separate security measure if they wanted to be sure that visitors' data did not go astray.

This separate measure is known as a security certificate and is a guarantee of a site's identity.

Heartbleed raised questions about the worth of the guarantee security certificates offered, said Mr Mutton. Using the Heartbleed bug attackers could seize secret keys used in conjunction with security certificates as an identity check.

"It would be safest to assume that all of the 500,000 certificates have been compromised," he told the BBC. "Most Certificate Authorities are offering to reissue and revoke for free, so there is no excuse not to take action."

However, he said, the revoking and reissuing of hundreds of thousands of certificates could have a knock-on effect on web browsing speeds.

When a user visits a site, their browsing program typically checks to see if the security certificate for that site has been revoked, said Mr Mutton. Under normal circumstances, this rarely causes a delay as relatively few certificates are revoked every day.

Now, said Mr Mutton, the numbers of revocations were growing, thanks to Heartbleed, with thousands more every day being revoked and reissued.

Robin Alden, chief technology officer at certificate authority Comodo, told PC World that its renewal rates had gone up by a factor between 15 and 30 since news about Heartbleed broke.

It said it was providing tools to customers to help them check if sites were vulnerable to the Heartbleed bug.

"Certificate revocation has always been a bottleneck since SSL was invented," said Prof Mark Manulis, a cryptography expert from the department of computing at the University of Surrey.

If Heartbleed led to large-scale revocations that could cause problems, said Prof Manulis, as not all browsers downloaded lists and there were potentially hundreds of certification authorities to contact.

"Each browser would have to contact each of those authorities and download the lists because those lists are not shared," he said.

Mr Mutton from Netcraft said an added complication was being introduced by firms that issued new certificates but had not revoked the older potentially vulnerable ones.

"This is dangerous," he said. "If the old certificates had been compromised, they could still be spoofed and used for man-in-the-middle attacks even if the affected sites are now using new certificates."

Dr Dan Page, a lecturer in cryptography from the University of Bristol, said updating certificates and issuing new ones can take time.

"It takes time for the revocations to filter through the system," he said.

"Previously there have been breaches but not across everyone," added Dr Page. "That's definitely different here and is much more worrying."
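
Mr Mutton's warning above, that a reissued certificate does not help while the old one stays unrevoked, can be turned into a routine inventory check. The Python audit below is an added example, not part of the original article or of any tool it mentions; the hostnames, serial numbers, key fingerprints and revocation list are constructed sample data, and the single patch date for all hosts is an assumption. The check for a new certificate issued over the old key pair goes beyond what the article discusses.

```python
from dataclasses import dataclass
from datetime import date

# Heartbleed became public on Monday 7 April 2014. Assumption: every host was
# patched that day, so any certificate issued earlier may have a leaked key.
PATCHED_ON = date(2014, 4, 7)


@dataclass(frozen=True)
class Cert:
    host: str
    serial: str       # certificate serial number (constructed)
    key_id: str       # fingerprint of the public key (constructed)
    not_before: date
    not_after: date
    deployed: bool    # True if the host currently serves this certificate


def audit(certs, revoked_serials, today, patched_on=PATCHED_ON):
    """Return {host: [findings]} for a certificate inventory and a revocation list."""
    by_host = {}
    for cert in certs:
        by_host.setdefault(cert.host, []).append(cert)

    report = {}
    for host, group in by_host.items():
        # Certificates that existed while the server was still vulnerable.
        exposed = [c for c in group if c.not_before < patched_on]
        exposed_keys = {c.key_id for c in exposed}
        issues = set()
        for c in group:
            if not c.deployed:
                continue
            if c.not_before < patched_on:
                issues.add("NOT_REISSUED")      # still serving the exposed cert
            elif c.key_id in exposed_keys:
                issues.add("KEY_REUSED")        # new cert, same possibly leaked key
        for c in exposed:
            still_valid = c.not_after >= today
            if not c.deployed and still_valid and c.serial not in revoked_serials:
                # Replaced but never revoked: usable for impersonation until expiry.
                issues.add("OLD_CERT_NOT_REVOKED")
        report[host] = sorted(issues) or ["OK"]
    return report


# Constructed sample inventory (not real certificates).
SAMPLE_TODAY = date(2014, 4, 15)
SAMPLE_REVOKED = {"0A01", "0C01"}
SAMPLE_CERTS = [
    Cert("shop.example", "0A01", "K1", date(2013, 9, 1), date(2015, 9, 1), False),
    Cert("shop.example", "0A02", "K2", date(2014, 4, 10), date(2015, 4, 10), True),
    Cert("mail.example", "0B01", "K3", date(2013, 11, 15), date(2014, 11, 15), False),
    Cert("mail.example", "0B02", "K4", date(2014, 4, 9), date(2015, 4, 9), True),
    Cert("api.example", "0C01", "K5", date(2013, 6, 1), date(2015, 6, 1), False),
    Cert("api.example", "0C02", "K5", date(2014, 4, 10), date(2015, 4, 10), True),
    Cert("legacy.example", "0D01", "K6", date(2013, 1, 20), date(2015, 1, 20), True),
    Cert("blog.example", "0E01", "K7", date(2012, 5, 1), date(2014, 4, 12), False),
    Cert("blog.example", "0E02", "K8", date(2014, 4, 11), date(2015, 4, 11), True),
]


def run_sample():
    """Audit the constructed inventory as of SAMPLE_TODAY."""
    return audit(SAMPLE_CERTS, SAMPLE_REVOKED, SAMPLE_TODAY)


if __name__ == "__main__":
    for host, findings in sorted(run_sample().items()):
        print(f"{host:16} {', '.join(findings)}")
```

Only `mail.example` matches the case Mr Mutton describes: a new certificate is live, but the old one is still valid and absent from the revocation list.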

Code check

Also struggling to cope with its workload is the organisation behind the OpenSSL software in which the Heartbleed bug was found.

In an open letter Steve Marquess, president of the OpenSSL Software Foundation, issued a plea for more donations and funding to recruit more people to help maintain the widely used software.

"While OpenSSL does 'belong to the people' it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support," he wrote in a blogpost.

"The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted," he added.

Annual donations typically amounted to about $2,000 (£1,195), he said, though this had briefly spiked following publicity about Heartbleed.

More money would help the Foundation hire enough staff to cope with all the requests it gets for help and to maintain the core code.

"There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," he said.

"If you're a corporate or government decision-maker in a position to do something about it, give it some thought," he said.



Android devices await Heartbleed fix

14 April 2014 Last updated at 16:24 By Leo Kelion Technology desk editor

Millions of Android devices remain vulnerable to the Heartbleed bug a week after the flaw was made public.

Google announced last week that handsets and tablets running version 4.1.1 of its mobile operating system were at risk.

The search giant has since created a fix, but it has yet to be pushed out to many of the devices that cannot run higher versions of the OS.

It potentially places owners at risk of having sensitive data stolen.

In addition security firms warn that hundreds of apps available across multiple platforms still need to be fixed.

These include Blackberry's popular BBM instant messaging software for iOS and Android.

The Canadian firm has said that it will not issue a fix until Friday, but said there was only an "extremely small" risk of hackers exploiting the bug to steal its customers' data.

In the meantime the program remains available for download from Apple's App Store and Google Play.

Last week internet security firm Cloudflare questioned if Heartbleed was as dangerous as claimed.

The company - which had been one of the select few to be informed of the bug before it was made public - said it had been unable to exploit the flaw to reveal the server certificate private keys that would make sites vulnerable to impersonation.

On Friday it announced a test for others to try, but warned that it believed the task was "likely impossible".

It did not take long for the firm to be proved wrong.

The same day Russian security researcher Fedor Indutny managed to "steal" an SSL key from Cloudflare's servers. He said that it took him less than three hours to do so.

Since then a further three people - including a computer security researcher at the University of Cambridge - have completed the challenge.

"This result reminds us not to underestimate the power of the crowd and emphasises the danger posed by this vulnerability," blogged Cloudflare's software engineering leader Nick Sullivan.

Data theft

News of the vulnerability with recent versions of the OpenSSL cryptographic software library was made public last Monday after researchers from Google and Codenomicon, a Finnish security firm, independently discovered the problem.

OpenSSL is used to digitally scramble data as it passes between a user's device and an online service in order to prevent others eavesdropping on the information.

It is used by many, but not all, sites that show a little padlock and use a web address beginning "https".

The researchers discovered that because of a coding mishap hackers could theoretically access 64 kilobytes of unencrypted data from the working memory of systems using vulnerable versions of OpenSSL.

Although that is a relatively small amount, the attackers can repeat the process to increase their haul.

Furthermore, 64K is enough to steal passwords and server certificate private keys - information that can be used to let malicious services masquerade as genuine ones.

Press reports initially focused on the risk of users visiting vulnerable websites, but attention is now switching to mobile.

At-risk handsets

Google's own statistics suggest that fewer than 10% of Android devices currently run version 4.1.1.

However, since close to one billion people currently use the OS that is still a significant number.

Some of those device owners can protect themselves by upgrading Android to a more recent version.

But several machines are unable to be upgraded higher than 4.1.1.

Customer websites indicate these include Sony's Xperia E handsets, HTC's One S, Huawei's Ascend Y300 and Asus's PadFone 2.

"Privacy and security are important to HTC and we are committed to helping safeguard our customers' devices and data," said the Taiwanese firm.

"We're currently working to implement the security patch issued by Google this week to the small number of older devices that are on Android 4.1.1."

Asus said its device was "expecting an update imminently". Sony and Huawei were unable to comment.

Tab grab

Google has now created a fix to address the problem. However, manufacturers still need to adapt it for their devices and this software will need to be tested by the various operators before they release it.

Users can check which edition of Android they are running by going to the "about phone" or "about tablet" option in their Settings app.

Alternatively several free apps have been released that can scan phones and tablets to say if they are vulnerable.

Lookout - a security firm behind one of the products - explained how hackers might take advantage of a vulnerable handset.

"Someone could build a malicious website or advert designed to steal data from your memory," Thomas Labarthe, the firm's European managing director, told the BBC.

"If you happen to be browsing it and have other tabs open in your browser, it could take data from a banking site - for example.

"No-one could steal a whole document - they can only take 64K of data - but that's still enough to steal your credentials."

'Forgotten about'

Another security firm, Trend Micro, has focused on the issue of vulnerable apps.

These can affect any mobile operating system because the problem is caused by the servers that send data to the apps not having been updated to the latest version of OpenSSL.

Trend Micro said it was currently aware of 6,000 such risky apps, including shopping and bank-related services. That is 1,000 fewer than its figure for Friday - suggesting some server operators are addressing the problem.

But it acknowledged that it was hard for members of the public to know which of the hundreds of thousands on offer were safe to use.

"Some of these are services that were set up and then forgotten about," said senior malware researcher David Sancho.

"There's no way from using an app you can know if it's good or bad.

"So, for the moment, the best thing to do is use the ones from the major vendors that we know have been patched... but for the minor ones that have said nothing, be wary."



City to get ultra-fast broadband

15 April 2014 Last updated at 13:14

A new fibre optic network is to be created in York to provide ultra-fast broadband speeds throughout the city.

The one gigabit (1,000 Mbps) network will be delivered directly to homes and businesses, with the first customers expected to be connected in 2015.

It is being created as a joint venture between Sky, TalkTalk and CityFibre.

The Labour leader of City of York Council, James Alexander, said it meant York would become the "digital infrastructure capital of the UK".

"I'm delighted that York has been chosen as the first city," Mr Alexander said. "Gaining ultra-fast broadband across the city is a huge boost for our economy."

The companies have not yet announced a launch date for the service, and said they planned to roll it out to two more cities "in due course".

About 78% of households and businesses in York currently have access to superfast broadband, according to Ofcom.



US Airways apologises for porn tweet

15 April 2014 Last updated at 11:27

US Airways has apologised after an explicit photo was sent from its official Twitter account in response to a customer complaint.

It said in a statement that it was trying to flag the image as inappropriate but instead mistakenly included it in a message.

The tweet was deleted after approximately an hour but not before it had been retweeted hundreds of times.

The airline said it regretted the error and was reviewing its processes.

The image, which featured a naked woman and a toy plane, had originally been sent to the company's Twitter account by another user, it said.

It was then attached to a tweet that was sent to a US Airways customer who had taken to the social network to express her frustration that her flight was delayed.

Once the mistake had been realised US Airways deleted the offending tweet and issued an apology.

"We apologise for an inappropriate image recently shared as a link in one of our responses. We've removed the tweet and are investigating," it said on its Twitter feed.

The company has more than 420,000 followers on its Twitter account and has not tweeted since.

US Airways is merged with American Airlines, which was also caught up in a Twitter controversy on Monday after a 14-year-old Dutch girl sent a tweet to the airline implying she was part of an al-Qaeda group and planning an attack.

American Airlines responded via Twitter saying that her details would be passed to the FBI for investigation.

Both tweets have now been deleted and the girl's Twitter account has been suspended.

Dutch police said that Twitter had disclosed to them the internet address that the tweet was written from and that they had questioned a 14-year-old girl who had now been released pending further enquiries.

However, other copycat tweets now appear to be being sent to American Airlines from other teenagers' Twitter accounts, according to the Washington Post.



Dutch unveil glow in the dark road

14 April 2014 Last updated at 17:25

Glow in the dark road markings have been unveiled on a 500m stretch of highway in the Netherlands.

The paint contains a "photo-luminising" powder that charges up in the daytime and slowly releases a green glow at night, doing away with the need for streetlights.

Interactive artist Daan Roosegaarde teamed up with Dutch civil engineering firm Heijmans to work on the idea.

The technology is being tested with an official launch due later this month.

It is the first time "glowing lines" technology has been piloted on the road and can be seen on the N329 in Oss, approximately 100km south east of Amsterdam.

Once the paint has absorbed daylight it can glow for up to eight hours in the dark.

Encourage innovation

Speaking to the BBC last year about his plans Mr Roosegaarde said: "The government is shutting down streetlights at night to save money, energy is becoming much more important than we could have imagined 50 years ago. This road is about safety and envisaging a more self-sustainable and more interactive world."

Mr Roosegaarde's projects aim to help people and technology to interact. His past projects have included a dance floor with built-in disco lights powered by dancers' foot movements, and a dress that becomes see-through when the wearer is aroused.

"I was completely amazed that we somehow spend billions on the design and R&D of cars but somehow the roads - which actually determine the way our landscape looks - are completely immune to that process," Mr Roosegaarde said.

Heijmans was already working on projects involving energy-neutral streetlights when Mr Roosegaarde teamed up with the company.

"I thought that was updating an old idea, and I forced them to look at movies of jellyfish. How does a jellyfish give light? It has no solar panel, it has no energy bill.

"And then we went back to the drawing board and came up with these paints which charge up in the daytime and give light at night," he said.

Heijmans says that the glow in the dark technology is also "a sustainable alternative to places where no conventional lighting is present".

Pilot project

Innovation on roads needs to be encouraged, said Professor Pete Thomas, from Loughborough University's Transport Safety Research Centre, but new technologies need to prove themselves.

"We have some high visibility markings already on roads in the UK, plus cats-eye technology etc. So the question is how much better than these is this alternative?

"If we put this technology on all unlit roads that would be a lot of kilometres and it would be a big investment so if safety improvement is the target then we need hard evidence about how this compares to what we already have and to back up any safety claims," he said.

The UK Highways Agency said it was watching the trial in the Netherlands with interest but said that previous studies had shown that "luminescent road paint would be unsuitable for use in this country".

It said it would take several things into account when deciding whether to include luminescent road markings in its design standards. These would include how far in advance road markings could be seen, how skid resistant they were, how visible they were during the day and how they would perform in winter when there are fewer hours of daylight.

Initially the team also had plans to develop weather symbols that appeared on the road once the temperature reached a certain level. A temperature-sensitive paint mixture would be used to create giant snow flake-shaped symbols on the tarmac to warn users that the road may be icy.

The current stretch of glow in the dark road in Oss does not include this temperature sensitive technology.

It is a pilot project at this stage and is expected to expand internationally later this year. Dutch media report that Heijmans is keen to use the paint on other roads but has not yet negotiated any contracts.



Pentagon eyes drone wi-fi hotspots

14 April 2014 Last updated at 15:22

The Pentagon is planning to turn old drones into wi-fi hotspots.

The equipment needed for long-range high-bandwidth wi-fi is often unavailable to troops in the field.

Engineers hope this will be remedied with airborne wi-fi hotspots that can remain close to isolated troops.

The move is similar to Facebook's initiative to bring the world online with blanket wi-fi, but some critics fear the drones will compromise security.

Getting access to a secure, stable and fast internet connection might become easier for remote US troops if the Defense Advanced Research Projects Agency's (Darpa) latest wi-fi hotspot programme successfully launches.

Engineers at Darpa recently completed the first of three test phases, which saw the development of key technologies to be integrated into a complete system.

"We're pleased with the technical achievements we've seen so far in steerable millimetre-wave antennas and millimetre-wave amplifier technology," said Dick Ridgway, Darpa programme manager.

"These successes - and the novel networking approaches needed to maintain these high-capacity links - are key to providing forward deployed units with the same high-capacity connectivity we all enjoy over our 4G cell-phone networks."

The accomplishments of the initial phases include: smaller, steerable antennas; signal boosters; increased power efficiency and a light pod to carry the device on the unmanned aerial vehicle (UAV) itself. The network is said to be potentially capable of a 1 gigabit per-second (Gb/s) capacity, which is as fast as Google Fiber's.

'More war, less security'

Darpa's move is reminiscent of Mark Zuckerberg's recent announcement that he wishes to connect the two-thirds of the world that has no net access, using drones, satellites and lasers - albeit for different reasons.

However, Chris Cole, editor of Drone Wars UK, has criticised Darpa, warning that the drones will ultimately provide less security.

"Again we see drones being used to enable the projection of lethal military force in remote locations.

"Regardless of whether drones are delivering weapons or wi-fi it seems that the growing use of unmanned systems simply means more war and less overall security in the future."



Google buys solar drone maker

14 April 2014 Last updated at 20:03

Internet search giant Google has bought US high-altitude drone maker Titan Aerospace for an undisclosed sum.

Google said the acquisition was intended to help the firm's efforts to expand internet access.

Titan Aerospace, which is building two types of solar-powered drones that can fly for years, says it expects "initial commercial operations" by 2015.

The firm, which has about 20 employees, will continue to be based in Moriarty, New Mexico.

"It's still early days, but atmospheric satellites could help bring internet access to millions of people, and help solve other problems, including disaster relief and environmental damage like deforestation," Google said in a statement.

"It's why we're so excited to welcome Titan Aerospace to the Google family."

Google's purchase follows Facebook's announcement earlier this year that it had bought UK-based drone maker Ascenta for $20m (£12m).

The two firms are competing to be able to use cutting-edge technology, like drones and high-altitude balloons, to deliver internet to more of the world's population.



NSA stories take Pulitzer Prize

14 April 2014 Last updated at 23:23

The Guardian and Washington Post have shared the Pulitzer Prize for public service journalism for a series of stories on US electronic spying.

Their reporting was based on documents leaked by former National Security Agency contractor Edward Snowden.

Among other winners of the top prize in US journalism was the Boston Globe, for breaking news reporting.

Two staff writers of the Reuters news agency were awarded the prize for international reporting.

The Pulitzer Prizes are awarded by the Columbia University journalism school.

'Authoritative and insightful'

In giving the top prize to The Guardian US and the Washington Post, the Pulitzer committee said the Guardian helped "through aggressive reporting to spark a debate about the relationship between the government and the public over issues of security and privacy".

It said the Post's stories were "marked by authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security".

Mr Snowden, in a statement published by The Guardian, called the award "a vindication for everyone who believes that the public has a role in government.

"We owe it to the efforts of the brave reporters and their colleagues who kept working in the face of extraordinary intimidation," added Mr Snowden, who has been charged with espionage in the US and is currently a fugitive in Russia.

Meanwhile, the Boston Globe provided "exhaustive and empathetic coverage of the Boston Marathon bombings and the ensuing manhunt that enveloped the city", the committee wrote of the paper's coverage of the 15 April 2013 attack.

Chris Hamby of the Center for Public Integrity was awarded a Pulitzer for his reporting on how lawyers and doctors conspired to deny benefits to coal miners stricken with black lung disease.

Times wins two

The top prize for US reporting was awarded to The Gazette in Colorado for its examination of mistreatment of wounded combat veterans, while the prize for international reporting went to Reuters for reports of persecution of a Muslim minority group in Burma, also known as Myanmar.

The editorial staff of the Oregonian in Portland won the prize for commentary for pieces explaining pension costs.

Tyler Hicks of the New York Times won for breaking news photography for images captured during a terrorist attack at Westgate Mall in Kenya. Also for the Times, Josh Haner won in the feature photography category for a "moving" essay on a Boston Marathon bomb blast victim who lost most of both legs.

Among other categories, Donna Tartt, author of The Goldfinch, was awarded the Pulitzer for fiction writing, while Don Fagin received the award for general nonfiction for his work, Tom's River: A Story of Science and Salvation.

Members of this year's selection committee included Katherine Boo, a staff writer for The New Yorker, and Eugene Robinson, a columnist for The Washington Post.



Privacy fears over FBI database

15 April 2014 Last updated at 15:33

Campaigners have raised privacy concerns over a facial recognition database being developed by the FBI that could contain 52m images by 2015.

The civil liberties group Electronic Frontier Foundation (EFF) obtained information about the project through a freedom of information request.

It said it was concerned that images of non-criminals would be stored alongside those of criminals.

The FBI say the database will reduce terrorist and criminal activities.

The facial recognition database is part of the bureau's Next Generation Identification (NGI) programme which is a large biometric database being developed to replace the current Integrated Automated Fingerprint Identification System (IAFIS).

The programme, which is being rolled out over a number of years, will offer "state of the art biometric identification services" according to the bureau's website.

As well as facial recognition images, the programme is being developed to include the capture and storage of fingerprints, iris scans and palm prints.

'Increasing risks'

EFF said that the records it had seen showed the facial recognition element of the NGI already contained 16m images by 2013 and had the capability to contain as many as 52m by 2015.

In the current system, the fingerprints of criminals and non-criminals are kept in separate databases. Non-criminals may have their prints stored by the FBI if they have applied for a job that requires fingerprints for a background check.

However, under the new system if a candidate is asked by an employer to submit a photo along with their fingerprints this will now be stored by the FBI, too. The difference is that all photos will be stored on the same database regardless of whether someone has been arrested for a crime.

"This means that even if you have never been arrested for a crime, if your employer requires you to submit a photo as part of your background check, your face image could be searched - and you could be implicated as a criminal suspect, just by virtue of having that image in the non-criminal file," said the EFF.

It says documents from the FBI show that 4.3m photos contained in the database by 2015 will be for non-criminal purposes.

The group also cites research that shows the risk of falsely identifying someone increases as the size of the dataset being examined increases.

"This means that many people will be presented as suspects for crimes they didn't commit."

At a US Senate subcommittee meeting held in 2012 to discuss the privacy implications of facial recognition technology, the official in charge of the NGI programme at the time said the FBI intended to limit the system to criminal information.

It was also stressed that annual audits of local agencies' systems will be carried out to "detect any type of misuse" and that the FBI would back this up with their own audits.

The EFF points out that the Privacy Impact Assessment for the facial recognition element of NGI has not been updated since 2008.

"This is not how our system of justice was designed and should not be a system that Americans tacitly consent to move towards," the EFF said.

