Archive for the ‘Apps’ Category
Monday, May 14th, 2012
Nearly a third of IT managers have reported a security threat as a result of personal devices accessing company data, Juniper finds
Nearly nine in 10 executives and employees are using their personal smartphones or tablets for business and about half are doing so without the permission of their companies, a new study shows.
Making the situation even more precarious, less than half of the more than 4,000 mobile device users surveyed by Juniper Networks in the U.S., U.K., Germany, China and Japan took even the most basic precautions in using mobile applications.
The findings, released this week, point to the need for all C-level executives to start taking mobile security seriously to avoid giving hackers an open door to the corporate network.
“You’re extremely hard pressed to find an enterprise that says, ‘Yes, we understand what’s going on with mobility, we did our research and we put together and have implemented a comprehensive solution to address our mobility concerns,’” Dan Hoffman, chief mobile security evangelist for Juniper, said Friday. “They’re just not there right now.”
As a security vendor, Juniper has a vested interest in scaring the bejeezus out of execs to get them to spend their company’s money on expensive security technology to lockdown mobile devices. Nevertheless, based on the study, there are some troubling trends within the enterprise.
Juniper found that 89 percent of business users, often called prosumers, are using their personal devices to access what the vendor says is “critical work information.” More than 40 percent of that group is using their tablets and smartphones without asking their companies for permission.
This risky behavior has already had some consequences. Nearly a third of IT managers have reported a security threat as a result of personal devices accessing company data, Juniper said. In China, that number doubles.
The fact that breaches have occurred is unsurprising, given the lack of common sense in the use of mobile apps. Less than half of the respondents said they read the terms and conditions before downloading an app, manually set data security features and settings, or researched applications to ensure they are trustworthy.
In the background to all this risky behavior is a growing malware threat. In 2011, the number of malware samples targeting mobile devices grew 155 percent year over year, according to Juniper. In the first three months of this year, the number has grown by an additional 30 percent.
Most troubling about the increase this year is the rise in spyware capable of stealing personal, financial and work information. Juniper found the number of spyware samples doubled in the first quarter.
The report had a bright side. Many people are willing to have their devices supported by IT staff, which would give their companies the needed control to secure the devices. The study found that more than four in 10 employees and execs are actually pressuring IT staff for support. Hoffman recommends CSOs give these employees and execs what they want.
“Providing security to the bring-your-own-device (BYOD) user has to be about protecting the enterprise, but I think it also has to be about protecting the end user because fundamentally, they’re the same,” Hoffman said.
Source: infoworld.com
Posted in Apps, Electronics, Mobile, Network, Security
Tuesday, March 27th, 2012
When it comes to security, a large number of organizations have a glaring hole in their defenses: their applications.
A recent study of more than 800 IT security and development professionals reports that most organizations don’t prioritize application security as a discipline, despite the fact that SQL injection attacks are the highest root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0/social media applications.
Sixty-eight percent of developers’ organizations and 47 percent of security practitioners’ organizations suffered one or more data breaches in the past 24 months due to hacked or compromised applications. A further 19 percent of security practitioners and 16 percent of developers were uncertain if their organization had suffered a data breach due to a compromised or hacked application. Additionally, only 12 percent of security practitioners and 11 percent of developers say all their organizations’ applications meet regulations for privacy, data protection and information security.
Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security.
“We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn’t worked, how industries are organizing themselves and what gaps exist,” says Dr. Larry Ponemon, CEO of the Ponemon Institute, the research firm that conducted the study on the behalf of security firm Security Innovation. “We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it.”
The study found that security practitioners and developers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of security practitioners believed that to be the case.
Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organization has no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same.
“What emerged in this study was that companies don’t seem to be looking at the root causes of data breaches, and they aren’t moving very fast to bridge the existing gaps to fix the myriad of problems,” says Ed Adams, CEO of Security Innovation. “The threat landscape has grown substantially in scope, most notably as our survey respondents stated that Web 2.0 and mobile attacks are the targets of the next wave of threats beyond just web applications.”
The survey also found that nearly half of developers say there is no collaboration between their development organization and the security organization when it comes to application security. That’s a stark contrast from the 19 percent of security practitioners that say there is no collaboration.
Lack of Collaboration in Application Security
“We basically found that developers were much more likely to think there was a lack of collaboration,” Dr. Ponemon says. “The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they’re getting the word out on collaborating or helping, but they’re not doing so effectively.”
In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don’t understand how to implement that policy. The security organizations think they’ve done their job, but they haven’t managed to make their policy contextual for developers.
“We find that process has no bearing whatsoever on the ability of an organization to write secure code,” Dr. Ponemon says. “It doesn’t take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write.”
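The point Ponemon makes about a secure line costing no more than an insecure one is easiest to see with the breach root cause the study ranks first, SQL injection. The following is an added example (not code from the study or from Security Innovation) using Python's built-in sqlite3 module with a constructed in-memory user table; the "password hashes" are placeholder strings. The two lookup functions differ in exactly one line: the insecure one splices the username into the SQL text, the secure one binds it as a parameter.

```python
import sqlite3
from typing import Optional

# Constructed fixture (not from the study): two users with placeholder "hashes".
# Real code stores a proper password hash (bcrypt/scrypt/argon2); the injection
# point is the same either way.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_insecure(conn: sqlite3.Connection, username: str, password_hash: str) -> Optional[int]:
    # The insecure line: user input is spliced into the SQL text, so it can change
    # the statement's structure, not just a value.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password_hash = '{password_hash}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_secure(conn: sqlite3.Connection, username: str, password_hash: str) -> Optional[int]:
    # The secure line: same length, but the values travel as bound parameters and
    # are never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


# Classic bypass: close the string literal, then comment out the password check
# ("--" starts a comment in SQLite and most other SQL engines).
BYPASS_USERNAME = "alice' --"


def demo() -> dict:
    """Run the bypass against both variants and a legitimate login against the secure one."""
    conn = make_db()
    return {
        "insecure_bypass": login_insecure(conn, BYPASS_USERNAME, "anything"),  # alice's id
        "secure_bypass": login_secure(conn, BYPASS_USERNAME, "anything"),      # no match
        "secure_legit": login_secure(conn, "alice", "hash-of-alice-pw"),       # alice's id
    }


if __name__ == "__main__":
    print(demo())  # {'insecure_bypass': 1, 'secure_bypass': None, 'secure_legit': 1}
```

The insecure query the bypass produces is `SELECT id FROM users WHERE username = 'alice' --' AND password_hash = 'anything'`, which authenticates alice without a password. The parameterized version receives the literal string `alice' --` as a username and finds nothing. Parameter binding, not escaping, is the fix to standardize on; it is the same amount of code.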
Education Is Key to Application Security
But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one.
Adams believes providing that education will go a long way toward helping organizations secure their applications and minimize the risk.
“This is more of an education problem than anything else,” Adams says. “In the late 90s, everybody was putting their applications on the web. But they kept on crashing. It was really a performance problem: The developers didn’t know how to code for performance. Amazingly, that’s what’s happening in the world today. Organizations are buying application security tools before they get application security training. You have to get trained on the technique first.”
Source: networkworld.com
Posted in Apps, Network, Programming, Security, Software, SQL
Tuesday, March 27th, 2012
Google Web Toolkit, Apache Xerces among most downloaded vulnerable libraries, study says
A study of how 31 popular open-source code libraries were downloaded over the past 12 months found that more than a third of the 1,261 versions of these libraries had a known vulnerability and about a quarter of the downloads were tainted.
The study was undertaken by Aspect Security, which evaluates software for vulnerabilities, with Sonatype, a firm that provides a Central Repository housing more than 300,000 libraries for downloading open-source components and gets 4 billion requests per year.
“Increasingly over the past few years, applications are being constructed out of libraries,” says Jeff Williams, CEO of Aspect Security, referring to “The Unfortunate Reality of Insecure Libraries” study. Open-source communities have done little to provide a clear way to spotlight code found to have vulnerabilities or identify how to remedy it when a fix is even made available, he says.
“There’s no notification infrastructure at all,” says Williams. “We want to shed light on this problem.”
He adds that Aspect and Sonatype are mulling how it might be possible to improve the situation overall.
According to the study, researchers at Aspect analyzed 113 million software downloads made over 12 months from the Central Repository of 31 popular Java frameworks and security libraries (Aspect says one basis for selecting the libraries was their use by its customers). Researchers found:
- 19.8 million (26%) of the library downloads have known vulnerabilities.
- The most downloaded vulnerable libraries were Google Web Toolkit (GWT); Apache Xerces; Spring MVC; and Struts 1.x. (The other libraries examined were: Apache CXF; Hibernate; Java Servlet; Log4j; Apache Velocity; Spring Security; Apache Axis; BouncyCastle; Apache Commons; Tiles; Struts2; Wicket; Java Server Pages; Lift; Hibernate Validator; Java Server Faces; Tapestry; Apache Santuario; JAX-WS; Grails; Jasypt; Apache Shiro; Stripes; AntiSamy; ESAPI; HDIV and JBoss Seam.)
Security libraries are slightly more likely to have a known vulnerability than frameworks, the study says. “Today’s applications commonly use 30 or more libraries, which can comprise up to 80% of the code in an application,” according to the study.
The types of vulnerabilities found in open source code libraries vary widely.
“While some vulnerabilities allow the complete takeover of the host using them, others might result in data loss or corruption, and still others might provide a bit of useful information to attackers,” the study says. “In most cases, the impact of a vulnerability depends greatly on how the library is used by the application.”
The study noted some known well-publicized vulnerabilities.
- Spring, the popular application development framework for Java, was downloaded more than 18 million times by over 43,000 organizations in the last year. However, a discovery last year showed a new class of vulnerabilities in Spring’s use of Expression Language that could be exploited through HTTP parameter submissions that would allow attackers to get sensitive system data, application and user cookies.
- In 2010 Google’s research team discovered a weakness in Struts2 that allowed attackers to execute arbitrary code on any Struts2 Web application.
- In Apache CXF, a framework for Web Services, which was downloaded 4.2 million times by more than 16,000 organizations in the last 12 months, two major vulnerabilities were discovered since 2010 (CVE-2010-2076 and CVE-2012-0803) that allowed attackers to trick any service using CXF into downloading arbitrary system files and bypassing authentication.
Vulnerabilities are discovered by researchers, who disclose them as they choose, with some coordinated and “others simply write blog posts or emails in mailing lists,” the study notes. “Currently, developers have no way to know that the library versions they are using have known vulnerabilities. They would have to monitor dozens of mailing lists, blogs, and forums to stay abreast of information. Further, development teams are unlikely to find their own vulnerabilities, as it requires extensive security experience and automated tools are largely ineffective at analyzing libraries.”
Although some open source groups, such as OpenBSD, are “quite good” in how they manage vulnerability disclosures, says Williams, the vast majority handle these kinds of security issues in haphazard fashion and with uncertain disclosure methods. Organizations should strengthen their security processes and OpenBSD can be considered an encouraging model in that respect, the study says.
Williams adds that use of open source libraries also raises the question of “dependency management.” This is the security process developers would use to identify which libraries their project actually depends on, directly and transitively. Often, developers end up using code that goes beyond the functionality that’s really needed, pulling in libraries that themselves depend on other libraries. This sweeps in a lot of out-of-date code that brings risk and no added value, and swells the application in size. “Find out what libraries you’re using and which are out of date,” says Williams. “We suggest minimizing the use of libraries.”
The report points out, “While organizations typically have strong patch management processes for software products, open source libraries are typically not part of these processes. In virtually all development organizations, updates to libraries are handled on an ad hoc basis, by development teams.”
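Williams’ advice above (find out what you use and what is out of date) is the part that can be automated, and it is the gap the report describes: a patch process that never looks at the dependency tree. The following is an added example, not a tool from Aspect, Sonatype or the study, in Python. It parses a constructed sample of `mvn dependency:list` output (one `groupId:artifactId:type:version:scope` line per resolved artifact, transitive ones included) and checks each coordinate against a small advisory table. The advisory ids and fixed-version boundaries in the table are placeholders for illustration, not real advisory data, and the version ordering is a simplified version of Maven's rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:list` output (transitive dependencies
# included); not data from the study.
DEPENDENCY_LIST = """\
The following files have been resolved:
   org.apache.cxf:cxf-rt-frontend-jaxws:jar:2.2.8:compile
   org.apache.struts:struts2-core:jar:2.3.1.2:compile
   log4j:log4j:jar:1.2.16:compile
   org.springframework:spring-webmvc:jar:3.0.5.RELEASE:compile
   junit:junit:jar:4.10:test
"""

# Constructed advisory table: (groupId, artifactId) -> [(advisory id, first fixed version)].
# Ids and fixed-version boundaries are placeholders, not real advisories.
ADVISORIES: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("org.apache.cxf", "cxf-rt-frontend-jaxws"): [("ADV-EXAMPLE-1", "2.2.9")],
    ("org.apache.struts", "struts2-core"): [("ADV-EXAMPLE-2", "2.3.2")],
    ("log4j", "log4j"): [("ADV-EXAMPLE-3", "1.2.15")],  # 1.2.16 is past the fix: must not fire
}

Dependency = Tuple[str, str, str, str]  # groupId, artifactId, version, scope


def version_key(v: str) -> list:
    """Simplified Maven ordering: numeric segments compare numerically, other
    segments lexically. Adequate for x.y.z lines; real Maven qualifier rules
    (alpha/beta/SNAPSHOT ordering) are richer than this."""
    return [(0, int(p)) if p.isdigit() else (1, p.lower()) for p in re.split(r"[.\-]", v)]


def parse_dependency_list(text: str) -> List[Dependency]:
    """Keep g:a:type[:classifier]:version:scope lines; skip everything else."""
    deps: List[Dependency] = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 5:
            g, a, _type, ver, scope = parts
        elif len(parts) == 6:
            g, a, _type, _classifier, ver, scope = parts
        else:
            continue
        deps.append((g, a, ver, scope))
    return deps


def find_vulnerable(deps: List[Dependency], advisories=ADVISORIES) -> List[str]:
    """One finding per (dependency, advisory) whose version is below the first fixed version."""
    findings = []
    for g, a, ver, scope in deps:
        for adv_id, fixed in advisories.get((g, a), []):
            if version_key(ver) < version_key(fixed):
                findings.append(f"{g}:{a}:{ver} ({scope}) -> {adv_id}, fixed in {fixed}")
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(parse_dependency_list(DEPENDENCY_LIST)):
        print(finding)
```

Run against real output, this is the inventory the report says most organizations lack; the advisory table is the part no single feed supplied at the time, which is Williams' notification-infrastructure complaint. Note the `test`-scoped junit line is listed too: scope belongs in the finding so that a reviewer can triage build-only dependencies differently from shipped ones.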
Source: networkworld.com
Tags: Code libraries Posted in Apps, Google, Programming, Software
Tuesday, January 3rd, 2012
These cutting-edge programming languages provide unique insights on the future of software development
Do we really need another programming language? There is certainly no shortage of choices already. Between imperative languages, functional languages, object-oriented languages, dynamic languages, compiled languages, interpreted languages, and scripting languages, no developer could ever learn all of the options available today.
And yet, new languages emerge with surprising frequency. Some are designed by students or hobbyists as personal projects. Others are the products of large IT vendors. Even small and midsize companies are getting in on the action, creating languages to serve the needs of their industries. Why do people keep reinventing the wheel? The answer is that, as powerful and versatile as the current crop of languages may be, no single syntax is ideally suited for every purpose. What’s more, programming itself is constantly evolving. The rise of multicore CPUs, cloud computing, mobility, and distributed architectures have created new challenges for developers. Adding support for the latest features, paradigms, and patterns to existing languages — especially popular ones — can be prohibitively difficult. Sometimes the best answer is to start from scratch.
Here, then, is a look at 10 cutting-edge programming languages, each of which approaches the art of software development from a fresh perspective, tackling a specific problem or a unique shortcoming of today’s more popular languages. Some are mature projects, while others are in the early stages of development. Some are likely to remain obscure, but any one of them could become the breakthrough tool that changes programming for years to come — at least, until the next batch of new languages arrives.
Experimental programming language No. 1: Dart
JavaScript is fine for adding basic interactivity to Web pages, but when your Web applications swell to thousands of lines of code, its weaknesses quickly become apparent. That’s why Google created Dart, a language it hopes will become the new vernacular of Web programming.
Like JavaScript, Dart uses C-like syntax and keywords. One significant difference, however, is that while JavaScript is a prototype-based language, objects in Dart are defined using classes and interfaces, as in C++ or Java. Dart also allows programmers to optionally declare variables with static types. The idea is that Dart should be as familiar, dynamic, and fluid as JavaScript, yet allow developers to write code that is faster, easier to maintain, and less susceptible to subtle bugs.
You can’t do much with Dart today. It’s designed to run on either the client or the server (a la Node.js), but the only way to run client-side Dart code so far is to cross-compile it to JavaScript. Even then it doesn’t work with every browser. But because Dart is released under a BSD-style open source license, any vendor that buys Google’s vision is free to build the language into its products. Google only has an entire industry to convince.
Experimental programming language No. 2: Ceylon
Gavin King denies that Ceylon, the language he’s developing at Red Hat, is meant to be a “Java killer.” King is best known as the creator of the Hibernate object-relational mapping framework for Java. He likes Java, but he thinks it leaves lots of room for improvement.
Among King’s gripes are Java’s verbose syntax, its lack of first-class and higher-order functions, and its poor support for meta-programming. In particular, he’s frustrated with the absence of a declarative syntax for structured data definition, which he says leaves Java “joined at the hip to XML.” Ceylon aims to solve all these problems.
King and his team don’t plan to reinvent the wheel completely. There will be no Ceylon virtual machine; the Ceylon compiler will output Java bytecode that runs on the JVM. But Ceylon will be more than just a compiler, too. A big goal of the project is to create a new Ceylon SDK to replace the Java SDK, which King says is bloated and clumsy, and it’s never been “properly modernized.”
That’s a tall order, and Red Hat has released no Ceylon tools yet. King says to expect a compiler this year. Just don’t expect software written in “100 percent pure Ceylon” any time soon.
Experimental programming language No. 3: Go
Interpreters, virtual machines, and managed code are all the rage these days. Do we really need another old-fashioned language that compiles to native binaries? A team of Google engineers — led by Robert Griesemer and Bell Labs legends Ken Thompson and Rob Pike — says yes.
Go is a general-purpose programming language suitable for everything from application development to systems programming. In that sense, it’s more like C or C++ than Java or C#. But like the latter languages, Go includes modern features such as garbage collection, runtime reflection, and support for concurrency.
Equally important, Go is meant to be easy to program in. Its basic syntax is C-like, but it eliminates redundant syntax and boilerplate while streamlining operations such as object definition. The Go team’s goal was to create a language that’s as pleasant to code in as a dynamic scripting language yet offers the power of a compiled language.
Go is still a work in progress, and the language specification may change. That said, you can start working with it today. Google has made tools and compilers available along with copious documentation; for example, the Effective Go tutorial is a good place to learn how Go differs from earlier languages.
Experimental programming language No. 4: F#
Functional programming has long been popular with computer scientists and academia, but pure functional languages like Lisp and Haskell are often considered unworkable for real-world software development. One common complaint is that functional-style code can be difficult to integrate with code and libraries written in imperative languages like C++ and Java.
Enter F# (pronounced “F-sharp”), a Microsoft language designed to be both functional and practical. Because F# is a first-class language on the .Net Common Language Runtime (CLR), it can access all of the same libraries and features as other CLR languages, such as C# and Visual Basic.
F# code resembles OCaml somewhat, but it adds interesting syntax of its own. For example, numeric data types in F# can be assigned units of measure to aid scientific computation. F# also offers constructs to aid asynchronous I/O, CPU parallelization, and off-loading processing to the GPU.
After a long gestation period at Microsoft Research, F# now ships with Visual Studio 2010. Better still, in an unusual move, Microsoft has made the F# compiler and core library available under the Apache open source license; you can start working with it for free and even use it on Mac and Linux systems (via the Mono runtime).
Experimental programming language No. 5: Opa
Web development is too complicated. Even the simplest Web app requires countless lines of code in multiple languages: HTML and JavaScript on the client, Java or PHP on the server, SQL in the database, and so on.
Opa doesn’t replace any of these languages individually. Rather, it seeks to eliminate them all at once, by proposing an entirely new paradigm for Web programming. In an Opa application, the client-side UI, server-side logic, and database I/O are all implemented in a single language, Opa.
Opa accomplishes this through a combination of client- and server-side frameworks. The Opa compiler decides whether a given routine should run on the client, server, or both, and it outputs code accordingly. For client-side routines, it translates Opa into the appropriate JavaScript code, including AJAX calls.
Naturally, a system this integrated requires some back-end magic. Opa’s runtime environment bundles its own Web server and database management system, which can’t be replaced with stand-alone alternatives. That may be a small price to pay, however, for the ability to prototype sophisticated, data-driven Web applications in just a few dozen lines of code. Opa is open source and available now for 64-bit Linux and Mac OS X platforms, with further ports in the works.
Experimental programming language No. 6: Fantom
Should you develop your applications for Java or .Net? If you code in Fantom, you can take your pick and even switch platforms midstream. That’s because Fantom is designed from the ground up for cross-platform portability. The Fantom project includes not just a compiler that can output bytecode for either the JVM or the .Net CLI, but also a set of APIs that abstract away the Java and .Net APIs, creating an additional portability layer.
There are plans to extend Fantom’s portability even further. A Fantom-to-JavaScript compiler is already available, and future targets might include the LLVM compiler project, the Parrot VM, and Objective-C for iOS.
But portability is not Fantom’s sole raison d’être. While it remains inherently C-like, it is also meant to improve on the languages that inspired it. It tries to strike a middle ground in some of the more contentious syntax debates, such as strong versus dynamic typing, or interfaces versus classes. It adds easy syntax for declaring data structures and serializing objects. And it includes support for functional programming and concurrency built into the language.
Fantom is open source under the Academic Free License 3.0 and is available for Windows and Unix-like platforms (including Mac OS X).
Experimental programming language No. 7: Zimbu
Most programming languages borrow features and syntax from an earlier language. Zimbu takes bits and pieces from almost all of them. The brainchild of Bram Moolenaar, creator of the Vim text editor, Zimbu aims to be a fast, concise, portable, and easy-to-read language that can be used to code anything from a GUI application to an OS kernel.
Owing to its mongrel nature, Zimbu’s syntax is unique and idiosyncratic, yet feature-rich. It uses C-like expressions and operators, but its own keywords, data types, and block structures. It supports memory management, threads, and pipes.
Portability is a key concern. Although Zimbu is a compiled language, the Zimbu compiler outputs ANSI C code, allowing binaries to be built on any platform that has a native C compiler.
Unfortunately, the Zimbu project is in its infancy. The compiler can build itself and some example programs, but not all valid Zimbu code will compile and run properly. Not all proposed features are implemented yet, and some are implemented in clumsy ways. The language specification is also expected to change over time, adding keywords, types, and syntax as necessary. Thus, documentation is spotty, too. Still, if you would like to experiment, preliminary tools are available under the Apache license.
Experimental programming language No. 8: X10
Parallel processing was once a specialized niche of software development, but with the rise of multicore CPUs and distributed computing, parallelism is going mainstream. Unfortunately, today’s programming languages aren’t keeping pace with the trend. That’s why IBM Research is developing X10, a language designed specifically for modern parallel architectures, with the goal of increasing developer productivity “times 10.”
X10 handles concurrency using the partitioned global address space (PGAS) programming model. Code and data are separated into units and distributed across one or more “places,” making it easy to scale a program from a single-threaded prototype (a single place) to multiple threads running on one or more multicore processors (multiple places) in a high-performance cluster.
X10 code most resembles Java; in fact, the X10 runtime is available as a native executable and as class files for the JVM. The X10 compiler can output C++ or Java source code. Direct interoperability with Java is a future goal of the project.
For now, the language is evolving, yet fairly mature. The compiler and runtime are available for various platforms, including Linux, Mac OS X, and Windows. Additional tools include an Eclipse-based IDE and a debugger, all distributed under the Eclipse Public License.
Experimental programming language No. 9: haXe
Lots of languages can be used to write portable code. C compilers are available for virtually every CPU architecture, and Java bytecode will run wherever there’s a JVM. But haXe (pronounced “hex”) is more than just portable. It’s a multiplatform language that can target diverse operating environments, ranging from native binaries to interpreters and virtual machines.
Developers can write programs in haXe, then compile them into object code, JavaScript, PHP, Flash/ActionScript, or NekoVM bytecode today; additional modules for outputting C# and Java are in the works. Complementing the core language is the haXe standard library, which functions identically on every target, plus target-specific libraries to expose the unique features of each platform.
The haXe syntax is C-like, with a rich feature set. Its chief advantage is that it negates problems inherent in each of the platforms it targets. For example, haXe has strict typing where JavaScript does not; it adds generics and type inference to ActionScript; and it obviates the poorly designed, haphazard syntax of PHP entirely.
Although still under development, haXe is used commercially by its creator, the gaming studio Motion Twin, so it’s no toy. It’s available for Linux, Mac OS X, and Windows under a combination of open source licenses.
Experimental programming language No. 10: Chapel
In the world of high-performance computing, few names loom larger than Cray. It should come as no surprise, then, that Chapel, Cray’s first original programming language, was designed with supercomputing and clustering in mind.
Chapel is part of Cray’s Cascade Program, an ambitious high-performance computing initiative funded in part by the U.S. Defense Advanced Research Project Agency (DARPA). Among its goals are abstracting parallel algorithms from the underlying hardware, improving their performance on architectures, and making parallel programs more portable.
Chapel’s syntax draws from numerous sources. In addition to the usual suspects (C, C++, Java), it borrows concepts from scientific programming languages such as Fortran and Matlab. Its parallel-processing features are influenced by ZPL and High-Performance Fortran, as well as earlier Cray projects.
One of Chapel’s more compelling features is its support for “multi-resolution programming,” which allows developers to prototype applications with highly abstract code and fill in details as the implementation becomes more fully defined.
Work on Chapel is ongoing. At present, it can run on Cray supercomputers and various high-performance clusters, but it’s portable to most Unix-style systems (including Mac OS X and Windows with Cygwin). The source code is available under a BSD-style open source license.
Source: infoworld.com
Tags: Code Posted in Apps, Database, Google, Microsoft, Programming, Software
Thursday, November 3rd, 2011
VMware this week showed off a solution to separate the personal and professional lives of smartphone users – on the same phone.
VMware’s Mobile Virtualization Platform software essentially places two copies of the operating system on the phone. One, unlocked and modifiable, is for personal use. The other, provisioned by a company’s IT administrator, uses the apps and policies used by the company’s internal network.
In the future, callers will be able to dial one number for business and another for personal use, and reach the same phone, executives said.
The software was originally announced earlier this year at Mobile World Congress in Barcelona. Phones based on the technology from LG and Samsung are expected “in the coming months,” VMware said. VMware executives showed off the technology running on a Galaxy S II smartphone.
VMware’s solution addresses the so-called “consumerization of IT,” where consumer devices owned by company employees are being asked to do dual duty as corporate devices. In some cases, that can mean data that should otherwise remain confidential can be exposed to an employee’s child who picks up the phone.
“You need to separate those two, and give the employee the best of both worlds,” said Hoofar Razavi, director of product management for mobile solutions at VMware. “And, given the choice, every employee would choose to have a single device.”
The solution? Two copies of the phone’s operating system running on the phone, with the more secure corporate environment running in a virtualized state. Doing so will require the phone to “check in” on a regular basis to report its secure status. But that can also be done according to an IT admin’s policies, so a phone could be left out of range while on an overseas vacation, Razavi said.
A demonstration of the Horizon Mobile software was exceedingly simple: on the surface, the Galaxy S II appeared as a standard consumer phone, with the sort of apps and widgets you might use in your own personal life. Tapping a “work phone” icon brought up a screen where Razavi entered a PIN. From there, he was launched inside the work environment. At least in the demonstration, the shift was fast and seamless. When he was done, another tap on a “personal phone” icon brought Razavi back to the original personal phone screen.
In the demo, the virtualized phone even ran a different version of the operating system: Android 2.2, versus the Android 2.3 version used on the “personal” version of the phone.
Provisioning the device requires a manufacturer to add a portion of the software, and then the IT administrator to provision the phone over the air. That process should take between 10 and 15 minutes, Razavi said.
The data and operating systems are isolated from one another, so that recording a long birthday party video, for example, won’t erase sensitive data. But the software also includes a shared notification bar, so that email alerts for the work environment can notify the phone while it is in personal mode, Razavi said.
Source: pcmag.com
Tags: Horizon Mobile, virtual OS, VMware. Posted in: Apps, Electronics, Mobile, Network, OS, Security, Wireless
Friday, August 5th, 2011
The Square reader makes any iPhone into a credit card reader. Set up an account with Square and you can take credit card payments, and the reader comes free with your account. It’s a great thing for craft vendors and other small-scale merchants. And it’s perfectly secure… isn’t it?
Adam Laurie (also known as Major Malfunction) and Zac Franken of Aperture Labs wondered just how secure such a thing could be. It just uses the earphone jack, after all. So it must be converting the magnetic stripe data into sound. Confirming this was simple enough.
The pair wrote a simple PC-based tool to record the credit card sound and play it back on demand. They bought a $10 cable to connect a laptop to the iPhone. In a small press preview at the Black Hat conference they demonstrated that playing the credit card sound has the same effect as scanning the card with the Square reader. The researchers notified Square in February; Square responded that they see no significant threat.
This hack also allowed them to effectively pull cash from a gift card that officially can’t be used for cash. All they had to do was “pay” themselves using the hack software. Laurie pointed out that malefactors can use this technique to directly get money from stolen credit card data, rather than having to purchase goods and resell them.
The hack poses no risk to users of the Square service. Quite the contrary; the risk is to everyone else from Square users misusing the device. This hack won’t last forever. A new version of the Square device is in the works.
In addition, this hack doesn’t really demonstrate a weakness with Square. The real problem is in the mag stripe concept itself. Using the Square reader simply lets people skim credit card data with no special knowledge or hardware. Now don’t you feel secure?
Source: pcmag.com
Tags: credit card, Square reader. Posted in: Apple, Apps, Electronics, Mobile, Security, Wireless
Friday, June 17th, 2011
Apple isn’t the only entity trying to ease users’ transitions between devices. Tsung-Hsiang Chang, a graduate student at MIT’s Computer Science and Artificial Intelligence Lab, and Yang Li, a Google employee, have developed an application that lets users transfer the state of an application from a computer to a smartphone or vice versa just by snapping a picture of the computer’s screen. Once the picture is taken, the application is opened right where the user left off.
The application is called Deep Shot, and was designed to work with Web apps. Most Web apps can describe the state they’re in with a string of symbols, called the uniform resource identifier (URI), which Deep Shot can use to seamlessly transfer the working state of an open app without the need for cables or a visible third-party app to handle the syncing. Deep Shot is technically a third party, but it works in the background and doesn’t involve itself in a visible way with the transfer process.
With Deep Shot’s software installed on a computer and phone, users can take a picture with the phone of an open application on the computer—like a restaurant’s page on Yelp. The phone’s software will then use digital vision algorithms to figure out what application is in the picture and open it. Meanwhile, the computer transmits the corresponding URI to the phone using a WiFi connection, though “the medium can be replaced with any networking protocols,” Chang tells Ars.
The phone opens the Yelp app, reads the URI, and produces the same page without the user having to search for the restaurant again, e-mail the page to himself, or use other workarounds. Changing how much of the screen is photographed even changes how the information is displayed on the phone.
Likewise, users can throw an app’s state from a phone to the computer by taking a picture of the computer’s screen with the phone again. The phone uses the picture to figure out which computer it should connect with based on the appearance of the screen in the picture, and then pushes the app or page and its state to the computer.
Deep Shot’s system also doesn’t require linear transactions between different versions of the same app. URI transactions could also work more generally between two different kinds of mapping apps or review services, if desired. The creators note that Deep Shot could work with other software and non-Web applications, though Jeffrey Nichols, a researcher at IBM’s Almaden research center, notes that it would require an agreement on interoperability standards, which are tough to set up and maintain. Nichols told MIT News he hopes that “companies like Microsoft would really consider adding it,” but cautions that he thinks computing is moving away from native apps toward Web ones.
Deep Shot currently only works with a handful of Web apps, including Google Maps and Yelp, but the creators note that it could be made to work with any Web app that determines its state using URIs. The problem is that URIs are often used less plainly than in applications like Google Maps, so they can be harder to extract and exchange between devices.
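The URI hand-off the article describes, modelled as an added example (not Deep Shot's own code): the sending side reduces the live page URI to the portable state a receiving app needs, and the receiving side picks the app and re-derives the page from it. The host-to-app table, the per-app state parameters and the rule that drops session-like parameters (so the phone does not inherit a login the computer performed) are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed allowlist (assumption, not Deep Shot's own list): which receiving
# app handles which host, and which query parameters actually carry page state.
# An empty set means the state lives in the path and all query keys are kept.
KNOWN_APPS = {
    "maps.google.com": ("Google Maps", {"q", "ll", "z"}),
    "www.yelp.com": ("Yelp", set()),
}
# Keys that look like per-device session state; stripped before the hand-off.
SESSION_LIKE = {"sid", "session", "token", "auth"}


def export_state(uri):
    """Sender side: turn a live URI into the message sent to the phone."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only web URIs are handed off")
    if parts.netloc not in KNOWN_APPS:
        return None  # no receiving app knows this site; nothing to transfer
    app, state_keys = KNOWN_APPS[parts.netloc]
    query = [(k, v) for k, v in parse_qsl(parts.query)
             if k not in SESSION_LIKE and (not state_keys or k in state_keys)]
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(query), ""))
    return {"app": app, "uri": clean}


def open_on_phone(message):
    """Receiver side: check app and host agree, then return what to restore."""
    parts = urlsplit(message["uri"])
    expected = KNOWN_APPS.get(parts.netloc, (None,))[0]
    if expected != message["app"]:
        raise ValueError("app name and host disagree; refusing hand-off")
    return message["app"], parts.path, dict(parse_qsl(parts.query))


if __name__ == "__main__":
    # Constructed sample URI, as the computer might export it.
    msg = export_state("https://maps.google.com/maps?q=sushi+boston&z=14&sid=abc123")
    print(msg)
    print(open_on_phone(msg))
```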
There are some features we’d like to see added, like the ability to move working states between devices in the background, without having to have the relevant app pop open each time Deep Shot is used. We could also envision simpler additional services that could fill out Deep Shot, like if photos of text on a PC screen could become copy- and paste-able on the phone.
The app was developed at Google, so Google holds the rights, but it hasn’t put forth any official plans for it. In a space where companies are falling over each other to offer cloud and syncing services, Deep Shot could be a serious contribution to Google’s syncing arsenal.
Source: arstechnica
Posted in: Apple, Apps, Electronics, Google, Microsoft, Mobile, Shortcuts, Software, Web, Wireless