Google posts Windows 8.1 vulnerability before Microsoft can patch it
Google’s Project Zero tracks vulnerabilities in software systems and reports them to vendors “in as close to real-time as possible” — a noble cause, no? But what happens if said vendor then fails to push a fix within the 90-day window? Microsoft just found out: Google will go ahead and publish the bug anyway, complete with code that can be used to exploit it. A researcher found a Windows 8.1 security hole that allows lower-level users to become administrators, giving them access to sensitive server functions they’d normally have no right to. Though it remains unpatched by Microsoft, the Zero team published it several days ago — right on schedule.
Microsoft was quick to point out that attackers would “need to have valid logon credentials and be able to log on locally to a targeted machine.” While that should limit the damage, it doesn’t mean the flaw is harmless — a disgruntled mid-level employee with some programming skills could wreak serious harm, for instance. Mountain View told us “just to make this absolutely clear, the (bug) was reported to Microsoft on September 30 (along with) the 90-day disclosure deadline statement… which in this instance has passed.”
Still, some observers have raised questions about whether Project Zero does more harm than good if Google isn’t flexible with its publishing deadline. Others argued that Microsoft had plenty of time to fix the bug, and Google was firm about its policy. “Project Zero’s disclosure deadline… allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.” But it also added that “we’re going to be monitoring the affects (sic) of this policy very closely.”
Meanwhile, Microsoft said that it’s currently “working to release a security update to address an Elevation of Privilege issue.” For full statements from both companies, see below.
Microsoft:
We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.
Google:
There was some confusion yesterday about whether we had contacted Msft about this issue, so we posted an update (below).
Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the “Reported” label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed.
Project Zero’s disclosure deadline policy has been in place since the formation of our team earlier in 2014. It’s the result of many years of careful consideration and industry-wide discussions about vulnerability remediation. Security researchers have been using roughly the same disclosure principles for the past 13 years (since the introduction of “Responsible Disclosure” in 2001), and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy.
On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.
With that said, we’re going to be monitoring the affects of this policy very closely – we want our decisions here to be data driven, and we’re constantly seeking improvements that will benefit user security. We’re happy to say that initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors.
Filed under: Software, Microsoft, Google
Via: Slashdot
Source: Google
Twitter has a new way to keep you up to date while you’re AFK
It isn’t quite a “filtered feed” (yet), but it’s looking like Twitter’s rolling out a new feature to keep you up to speed when you aren’t constantly refreshing your timeline. It’s dubbed “while you were away,” and, as TechCrunch points out, it appears to be rolling out to a large chunk of the microblogging service’s users. What it does is compile top tweets since you last logged in (likely based on the number of favorites and retweets, although the methodology isn’t quite clear) and place them at the top of your timeline on mobile. Along with those daily email summaries, it seems like another way to keep people in the loop if they aren’t the most hardcore users. And possibly to their dismay, it makes the service a bit more like Facebook’s non-chronological news feed. We’d love to hope this recap function won’t pull in sponsored tweets from a certain bikini model shilling a mobile game, but that likely won’t be the case.
Filed under: Cellphones, Internet, Software, Mobile
Source: TechCrunch
OnePlus celebrates the coming of 2015 with an Android Lollipop Alpha for the OnePlus One
It seems not even the New Year can stop work at some manufacturers. It appears OnePlus has been hard at work despite the festivities and released an Android Lollipop Alpha for the OnePlus One yesterday. The Android Lollipop Alpha comes in the form of a custom ROM, which OnePlus says will eventually become their custom ROM for the […]
The post OnePlus celebrates the coming of 2015 with an Android Lollipop Alpha for the OnePlus One appeared first on AndroidSPIN.
Android Lollipop memory leak issue marked as “FutureRelease”, could appear in next software update
Although Android Lollipop is a huge step forward in many ways for the Android platform, this latest update seems to have had no shortage of issues being reported. Unfortunately, many of these issues seem to manifest the worst on Nexus devices, if not exclusively, perhaps because they are the most numerously updated devices at the moment. The worst […]
The post Android Lollipop memory leak issue marked as “FutureRelease”, could appear in next software update appeared first on AndroidSPIN.
Amazon pushes another $110 of free apps to customers for the New Year, includes République and Sparkle 2 Evo
Amazon pushed the largest app deals promo in their history for the Holiday with a grand total of $220 worth of apps up for free. I am more than certain a large number of you participated and grabbed at least a few of those. It looks like Amazon has one more big app push for […]
The post Amazon pushes another $110 of free apps to customers for the New Year, includes République and Sparkle 2 Evo appeared first on AndroidSPIN.
Samsung just added a 360-degree video store to its VR headset
Since launch in early December, the virtual reality headset released by Samsung and Oculus VR has received a steady drip of new content. Each Tuesday, a handful of new apps launches for Gear VR — new games (Temple Run!), new experiences (a Paul McCartney performance!). Thus far, nothing’s been spectacular enough to remark about; the overall selection of content, gaming or otherwise, is still on the light side. This week changes that, with the release of “Milk VR.”
The free app from Samsung contains a healthy dose of new 360-degree video content, in both streaming and downloadable format. The actual selection of videos is available on a Samsung website of the same name, right here. It’s not exactly a flood of videos, but it’s a hell of a lot more than the small sample packed in at launch.
What’s most interesting about the app is how it works: you slide your finger forward or backward on Gear VR’s touchpad, always keeping your finger attached to the headset. The video choices swirl around you on a cycle, and you can look up to select specific categories (“Fresh”, “Trending”, “Planet VR”, etc.). I’d love to point you to a demo, but there’s still no way to capture footage inside of Gear VR (not that we’ve figured out, anyway). That said, if you’ve got a Gear VR headset and the required Note 4 smartphone, downloading the (free, small) Milk VR app is a no-brainer. You’ll be jumping out of a plane in no time!
Filed under: Cellphones, Gaming, Peripherals, Wearables, Software, Mobile, Samsung, Facebook
FBI maintains that North Korea hacked Sony as detractors mount
Did North Korea’s government hack Sony Pictures? Though the United States government and FBI say yes, a growing chorus of detractors is pushing back on that claim. And the FBI is apparently listening: one firm, Norse, met with the FBI this past Monday to present its own claim that a group of six people were responsible. Moreover, at least one of those six is said to be an ex-Sony employee, reports Politico.
Norse says it’s been looking into the attack on Sony Pictures since before Thanksgiving, and it presented the results of that research to the FBI yesterday. For its part, the FBI is sticking to its story — at least for now. “The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS [Department of Homeland Security], foreign partners and the private sector,” an FBI statement provided to media reads.
Norse senior VP Kurt Stammberger says that his company traced at least part of the attack to a single former employee, known as “Lena”, who apparently had direct knowledge of the network infrastructure at Sony Pictures. The video above, from CBS Evening News with Scott Pelley, goes into more detail about the alleged former employee.
In a related report, Reuters spoke with an unidentified US official who’s close to the government’s investigation of the Sony Pictures attack. The source said the US government now believes that North Korea “likely” worked with outside parties to launch the attack. It’s not clear if the source is referencing an outside government or other party, just that the act may have been “contracted” out.
Taia Global, another security firm, analyzed 20 messages internal to the alleged hacking group (the “Guardians of Peace”) responsible for the attack on Sony Pictures. The firm determined, through “Native Language identification and L1 Interference analysis,” that the primary language of the hackers was likely Russian. Here’s Taia Global’s statement:
“We tested for Korean, Mandarin Chinese, Russian, and German using an analysis of L1 interference. Our preliminary results show that Sony’s attackers were most likely Russian, possibly but not likely Korean and definitely not Mandarin Chinese or German.”
So, who hacked Sony Pictures?
Filed under: Networking, Internet, Software, HD, Sony
Amazon Fire TV Stick starts shipping, Fire TV Remote app hits the Play Store
Back at the end of October, Amazon announced a new dongle for your TV called the Amazon Fire TV Stick. The small HDMI device compares itself to Google’s Chromecast but boasts more powerful hardware as well as its own UI with a physical remote. At the time of the announcement, Amazon placed the Fire TV Stick up for pre-order. If you happened to be a Prime member, you were able to grab the $39 unit for $19 during a short 48-hour window. Amazon planned to start shipping the pre-ordered units today.
In an announcement, Amazon has indeed confirmed that shipments for the pre-orders have started to go out. However, the demand was quite a bit higher than it anticipated.
“Fire TV Stick has been our most successful device launch ever,” said Dave Limp, Senior Vice President, Amazon Devices. “We built a ton of these, but customer demand still outpaced our supply. We’re excited by the overwhelming customer response and the team is working hard to build more as quickly as possible.”
Needless to say, many pre-order buyers are going to be waiting quite a while for their Fire TV Sticks to arrive. I myself ordered one on October 28th, the last possible minute for the Prime promotion, and my estimated delivery date is set for January 9th. Currently Amazon has the Fire TV Stick listed to return to stock on January 15th, which certainly doesn’t make it a hot device for the Holiday season now.
For those of you that are getting yours a bit sooner, you will most likely want to go get your hands on the new Android app that was released today, Amazon Fire TV Remote. The Fire TV Remote app is the companion app for your phone and/or tablet. While the Fire TV Stick does come with a physical remote, the app gives you voice search functionality along with the ability to type on your device’s screen keyboard. Those that have experienced trying to type out something with a pointer on a TV screen know just how painstaking that task can be.
The app is available now and is, of course, free. Feel free to pick it up below so you don’t forget, but don’t expect it to be functional at all until your Fire TV Stick arrives and is connected to your Wi-Fi network.
The post Amazon Fire TV Stick starts shipping, Fire TV Remote app hits the Play Store appeared first on AndroidSPIN.
Why celebrities like Lindsay Lohan are suing video game studios
In July 2014, Lindsay Lohan sued Take-Two Interactive and Rockstar Games, claiming that Grand Theft Auto V featured a character who is allegedly based on the Mean Girls actress. According to the suit, filed in the New York Supreme Court, the cover of the game depicts a bikini-clad woman who bears a striking resemblance to LiLo. And the game itself apparently consists of more similarities, including the fact that the character runs from paparazzi, takes cover in the Chateau Marmont and incorporates Lohan’s “image, likeness, clothing, outfits, [Lohan’s] clothing line products, ensemble in the form of hats, hair style, sunglasses [and] jean shorts.”
Also in July, former Panamanian dictator Manuel Noriega filed suit in California Superior Court against Activision Blizzard Inc., the makers of Call of Duty: Black Ops II, for using his likeness without permission. According to the complaint, Activision depicted Noriega as “a kidnapper, murderer and enemy of the state,” (the audacity!) and the makers implied that he was “the culprit of numerous fictional heinous crimes, creating the false impression that defendants are authorized to use [his] image and likeness.”
Lohan’s and Noriega’s suits were filed in two different states, and because of this, the applicable laws vary a bit. Lohan’s battle is ongoing while Noriega’s has been dismissed. One involves a celebrity, and the other a political figure. On the face of it, these two suits don’t have all that much in common. The thread that connects them both — and most lawsuits involving the use of a person’s likeness in a video game — is the right of publicity.
WHAT IS IT?
In general, the right of publicity grants an individual the authority to control the commercial use of his or her own name and/or likeness. This right means that you can’t create an ad for new basketball shoes with Michael Jordan in it unless he’s given his consent. Simple enough!
Noriega’s Call of Duty likeness
Naturally, there are a couple of considerations that make it a little more complicated. First of all, as previously mentioned, right of publicity laws vary from state to state. A number of states have passed specific statutes regulating the right of publicity; others just have common law rights (meaning precedent established by case law); some have both; and a handful have neither.
In New York, where Lohan’s suit was filed, the right of publicity law is codified as part of its Right of Privacy statute and is primarily covered in two sections (Section 50 and Section 51). As is pretty typical, Lohan sued with reference to both sections. Section 50 is much shorter than Section 51, basically just defining a right of publicity violation as a misdemeanor. Section 51, on the other hand, provides protection for a person’s name, portrait, picture and voice. To constitute a violation of Section 51, a use of a person’s identity must be: within New York state, for advertising or trade purposes and without written consent.
Compare that to California, where Noriega brought suit. California not only offers a statutory right, but also offers a common law right. California’s statutory right is fairly similar to New York’s, protecting against the unauthorized use of a person’s name, voice, signature, photograph or likeness for purposes of advertising, selling or soliciting. The common law right, however, is much broader and requires a person bringing suit to show that the use of his or her identity was for another’s advantage (commercially or otherwise), it was without consent and there’s a resulting “injury.” So, unlike the statutory right, the common law right is not limited to a commercial use of a person’s identity. Oftentimes, a lawsuit in California claims a violation of both the common law and the statute.

And second, as with most things involving the law, there is a heavily relied-on defense to a right of publicity claim. Gaming companies that are sued related to a right of publicity often claim First Amendment protection in the use in question.
When a court is faced with a First Amendment defense to a right of publicity claim, the “transformative use test” is applied to determine whether or not a company’s First Amendment rights trump a right of publicity. Whoa, legal jargon! Not to worry: All this really means is that a court is looking to see if there are substantial “transformative” elements added to the use of a person’s likeness instead of just the mere depiction of a person. In essence, when “a product containing a celebrity’s likeness is so transformed that it has become primarily the defendant’s own expression rather than the celebrity’s likeness,” the First Amendment is a legitimate defense to a right of publicity claim.
WHAT’S THE ARGUMENT?
On one hand, a person should obviously have the right to control the use of his or her own likeness. In the same way that a brand can protect its name with a trademark, a celebrity or public figure should be able to limit where his or her likeness is used. Their “brand” is their identity.

And when there’s no change — or not enough to be deemed “transformative” — to a celebrity’s likeness, courts tend to agree. In one case, the Court of Appeals of California for the Second District found that Band Hero’s use of avatars that looked like No Doubt band members was not transformative. The court reasoned that the graphics and other elements in the background were not enough to transform the avatars into anything other than “literal recreations of the band members.”
But the First Amendment is a pretty huge trump card, and courts are apt to tread lightly when it comes to limiting the First Amendment’s protection of artistic and creative works. In 2006, a California court held that the First Amendment protected Sega’s use of attributes from singer Kierin Kirby for the character Ulala (from Space Channel 5). The court pointed out, “The freedom of expression protected by the First Amendment exists to preserve an uninhibited marketplace of ideas and to further individual rights of self expression.” And it went on to note, “Video games are expressive works entitled to as much First Amendment protection as the most profound literature.”
WHY SHOULD I CARE?
One reason to care is that lawsuits like the ones brought by Lohan and Noriega have potential First Amendment implications. These cases will often ask a court to consider whether or not using someone’s likeness in an expressive work like a video game should qualify for First Amendment protection. And if and when a court says that certain uses do not qualify for said protection, the argument is often made that free speech is being stifled.
As if that’s not enough, maybe you care simply because you’re involved in the creation of video games. If you’re in this group, it’s definitely worthwhile to know what can be expected before you decide to incorporate a public figure or celebrity likeness into a game.
And finally, you might just care because you buy and play video games and want to know if any of your beloved characters could be at the center of a lawsuit. You know, caveat emptor and all.
WANT TO KNOW MORE?
And why wouldn’t you? If you want to know whether or not your state has a statute and what it says, rightofpublicity.com is the place to go. Or, if you’re interested in the general do’s and don’ts related to using the name and likeness of another, the Digital Media Law Project has you covered.
[Image credits: Rockstar Games (GTA V); Activision (Call of Duty, Band Hero)]
‘Dragon Age: Inquisition’: The Joystiq Review
Dragon Age: Inquisition is an immense fantasy epic, a sprawling adventure across the many landscapes of Thedas, unapologetically mature in its exploration of politics and brazen in its combat. Inquisition is also developer BioWare’s redemption song. It’s everything that a sequel to Dragon Age: Origins should have been, and time will slip by as players enjoy the hundred hours of escapades it delivers.
The end of Inquisition‘s spectacular first act gave me chills. The last time I can recall that feeling is when the Normandy was reintroduced in Mass Effect 2. It’s the chill of being at the beginning of a grand story and anticipation for what’s to come.
Filed under: Gaming, Software, HD, Sony, Microsoft
Source: Joystiq