iPhone 6 Bendgate: Apple's Instructions Say Not to Keep Your Phone in Your Pocket Anyway

iPhone 6 Bendgate: Apple's Instructions Say Not to Keep Your Phone in Your Pocket Anyway

Zoë Schlanger

Newsweek 

As the Internet lights up with images of the iPhone 6 plus emerging from people’s pockets bent like a used paperclip, it may be useful to consider this: Apple explicitly tells you not to carry your phone in your pocket, due to the radiation exposure threat it poses.

In the little handbook that comes with every iPhone (the one that gets discarded almost immediately because, it’s a cell phone, we all know what to do with those, right?) Apple also explicitly states that the phone is not supposed to touch your body much, if at all.

In fact, in the manual for the iPhone 5, Apple says users should carry their iPhones a full 10 millimeters (or .39 inches) away from their bodies at all times. That means, if the device is in the pocket of your jeans, it’s much too close.

Previous manuals were more explicit. The iPhone 3G safety manual warns that radiation exposure may exceed government standards during “body-worn operation” if the phone is “positioned less than 15 millimeters (5/8 inch) from the body (e.g., when carrying iPhone in your pocket).” The iPhone, Apple says, should always be worn in a belt clip or holster.

Cell phone radiation, measured in radio-frequency exposure, is regulated in the U.S. by the Federal Communications Commission (FCC). All phones must be tested to ensure that they emit a specific absorption rate of not more than 1.6 watts of radio-frequency energy per kilogram of body tissue, a rule designed to prevent harm from the heat generated by radio-frequency waves.

But while cell phones are tested against a simulated human head in the “talking” position, they are not tested against the body (or in a pocket) in the “carrying” position. Instead, the tests assume the user is carrying the phone in a holster, away from the body, whenever the phone is broadcasting at full power. And since radio-frequency energy exposure increases sharply the closer the phone gets to your body, some worry that FCC testing is missing a lot of actual exposure.

In addition, the FCC tests do not consider biological effects caused by anything other than the heat generated from radio-frequency energy, like altered protein expression or DNA damage. Experts and organizations like the Environmental Working Group have expressed concern over the testing rules for cell phones, citing studies that show links between cancers and cell phone radiation exposure. In 2011, a World Health Organization report classified radiation from cell phones as “possibly carcinogenic to humans,” particularly as cell phone use relates to an increased risk for glioma, a malignant type of brain cancer.

Then there are the gaps in cell phone radiation testing. The American Academy of Pediatrics, for example, recently urged the FCC to begin taking child users of cellphones into account. “Children are not little adults and are disproportionately impacted by all environmental exposures, including cell phone radiation,” their letter to the FCC reads.

Yet the science is inconclusive. The National Cancer Institute points to several studies that have been unable to establish a relationship between cell phone use and cancer.

The FCC is currently conducting an ongoing reassessment of its policies.
"The U.S. has among the most conservative standards in the world. As part of our routine review of these standards, which we began last year, we will solicit input from multiple stakeholder experts, including federal health agencies and others, to guide our assessment,” a spokesman for the FCC tells Newsweek.

Radiation from cell phones is not an Apple-only problem, of course. Blackberry’s user manual advises .59 inches of separation between the body and the phone. Earlier manuals pushed for nearly a full inch (.98 inch) of separation, and told users to "use hands-free operation if it is available and keep the BlackBerry device at least 0.98 inch (25 millimeters) from your body (including the lower abdomen of pregnant women and teenagers)."

A manual for an earlier Blackberry model—the 8830 World Edition—includes a warning against carrying the phone directly on the body: “Carrying solutions, including RIM-approved carrying solutions and carrying solutions not approved by RIM, that do not come equipped with an integrated belt clip SHOULD NOT be worn or carried on the body.”

It adds that users should not try to use the phone where there is not a good signal, because radiation output grows higher and higher as the phone struggles to connect with a tower. Neither Apple nor Blackberry responded to a request for comment at the time of publishing.

Dr. David Carpenter, the director of the Institute for Health and the Environment University at Albany, New York has spent several years reading research on radio-frequency exposure and has testified to Congress on the subject. He says he is very wary of cell phones.

“My personal sense is that the evidence for increases in cancer is quite strong. It’s not one hundred percent, but most studies have shown that [people with] high exposures have elevations in leukemia, brain cancers [and] some other kinds of cancers.”

He predicts that cancer rates will go up in the coming decades.
“Latency for brain cancer is 20 to 30 years. Cell phones haven’t been around for all that long. I think it’s likely that we’ll see an increase in cases over the next years,” Carpenter says.

Read More

Google is “tightening the screws” on Android to keep control over the web

Google is “tightening the screws” on Android to keep control over the web

Dan Frommer

Quartz

Google is in a fascinating position with its Android operating system. It dominates the world’s smartphone market—arguably the most important technology market in history—with only one serious competitor, Apple, behind it. It is also the world’s dominant online search and advertising company, where its leadership is extending to mobile.

Yet the company has no direct control over key parts of Android, such as device design, manufacturing, marketing, and distribution—tasks that are typically handled by its handset or operator partners, ranging from Samsung and Xiaomi to Verizon and Orange. But Google—which initially pitched Android as an “open” platform that anyone could customize—has been working to take more control over Android away from its partners.

The latest: Google’s recent contracts with manufacturers contain new requirements that favor Google’s mobile and web services over potential competitors, according to Amir Efrati at The Information (paywall). These include specific services that must default to Google—search, of course, and others—plus the amount and placement of pre-installed Google apps and services.
This year, the signed agreement said there must be a Google search “widget” on the “default home screen” of the device, along with an icon for the Google Play app store. It said an icon on the device home screen labeled as “Google,” when clicked, must provide access to a “collection” of 13 Google apps (Google Chrome, Google Maps, Google Drive, YouTube, Gmail, Google+, Google Play Music, Google Play Movies, Google Play Books, Google Play Newsstand, Google Play Games, Google+ Photos and Google+ Hangouts).

 The newer agreement also specified the order in which this
collection of apps must be listed, from left to right and top to bottom within the Google icon. Several other Google apps, including Google Street View, Google Voice Search and Google Calendar, must be placed “no more than one level below the Home Screen,” the agreement says. (Device owners can manually change the location of icons on their own.)

As Efrati notes, “hardware makers grumble about Google ‘tightening the screws’ on Android, which powers more than a billion active devices, but most are resigned to the fact they don’t have much choice.” To that point, another recent Efrati report (paywall) highlights a deal that HTC pursued with Amazon, which fell through:

The deal drew the attention of Google, which oversees Android. Google warned HTC that it wasn’t allowed to “fork,” or make substantial changes, to Android software or it would risk losing support from Google for its flagship devices, which include Google services such as search and maps, according to two people briefed on the matter.

While Google’s moves will always draw snickers from those who remember Android’s early pie-in-the-sky plans for an “Open Handset Alliance,” the company is smart to assert more control over its mobile ecosystem.

Android still suffers as a secondary platform for users and developers, in part because of its early fragmentation and inconsistency problems. There’s no reason Google should be pleased that its huge lead in market share is squandered with lower relative usage—especially as Google’s core search and advertising business relies on usage, engagement, and market dominance to generate profit.

Read More

Space agency sets Nov 12 date for comet landing

Space agency sets Nov 12 date for comet landing

Boris Roessler

AFP 

Europe's Rosetta spacecraft will attempt on November 12 to land a robot lab on a comet hurtling through deep space in a first for humankind, a statement said Friday.

Ten days after unveiling the preferred landing spot on Comet 67P/Churyumov-Gerasimenko, the European Space Agency (ESA) has now set a firm date for the high-stakes operation more than 450 million kilometres (280 miles) from Earth.

Rosetta will attempt to set down its lander, dubbed Philae, while orbiting the weirdly-shaped comet flying towards the Sun at about 16.79 kilometres per second (10.4 miles per second).
Comet "67P" is made of two lobes joined by a narrow neck — its silhouette resembling that of a rubber duck.

The ESA has identified "Site J" on the smaller lobe or "head", roughly where the duck's forehead would be, as the preferred landing site. A backup "Site C" is located on the larger lobe.
If all goes according to plan, Rosetta will release Philae at 0835 GMT on November 12 at a distance of 22.5 km from the comet's centre, to land seven hours later.

A delay of 28 minutes and 20 seconds in the one-way signal from Rosetta means that confirmation of landing will arrive on Earth at about 1600 GMT.

If the backup site is used, separation will happen at 1304 GMT, at a distance of about 12.5 km, to land four hours later, said an ESA press statement. In this scenario, confirmation will arrive at about 1730 GMT.

Rosetta is equipped with 11 cameras and sensors that have already yielded astonishing images of the comet.

But experts are hoping for even bigger discoveries from the 10 instruments aboard Philae.
They would like to learn more about comets — icy bodies that were born along with the Solar System some 4.6 billion years ago, and are credited by at least one theory of bringing life to Earth.
Comet 67P is on a 6.5-year Sun orbit.

Rosetta caught up with it after a six-billion-km trek that required four flybys of Earth and Mars, using the planets' gravity as a slingshot to build up speed.

At their closest approach on August 13, 2015, the comet and Rosetta will be 185 million km from the Sun.

Weighing in at about 100 kg, Philae would use harpoons to anchor itself to the comet before driving screws into the surface for better grip.

Its experiments would include drilling up to 30 centimetres (18 inches) into the comet to extract material for onboard chemical analysis.

Read More

Post-it Notes Get Digitized In A Clever New App From 3M

Post-it Notes Get Digitized In A Clever New App From 3M

Sarah Perez

TechCrunch 

Post-it Notes may be a product of the analog era, but they continue to stick around – literally, that is – covering walls, windows, monitor screens and more, remaining an office worker’s go-to-tool for small scribbles, quick thoughts, and ideas. Now the company behind Post-it, 3M, is hoping to port Post-it notes to the small screen, with a new mobile app that lets you capture, organize and share your notes from your iPhone or iPad.

The new app will be especially helpful for documenting collaboration sessions at work – the kind that leave the walls covered in colorful little stickies.

3M should be applauded for doing more than throwing out some lame alternative to using your phone’s camera to snap photos of Post-it’s, slapping the brand name on it and calling it a day. Instead, the Post-it Plus app, as it’s called, is surprisingly clever.

You can use the app to capture a photo of up to 50 square Post-it Notes at one time. These are then identified with little checkmarks on top of each note. Before creating your digital board, you can uncheck the notes you don’t want to save.

After the image is captured, you have a viral Post-it board where you can arrange, refine and re-organize the notes just by tapping and dragging them around with your finger.
The app lets you tap on the board for more options, like renaming the group of notes or choosing different arrangements for your notes, including a couple of grid-like patterns that stretch either horizontally or vertically. Or, if you want to return to the way the notes were positioned when you first snapped the photo, that’s also an option.

Meanwhile, individual notes can be rotated, brightened up, favorited and deleted after tapping on them to see them larger. But you can’t re-write the notes themselves.

Multiple boards can also be combined, allowing teams to work together on ideas. When you’re finished with an arrangement, you tap to either share the board via text, email, social media or other apps you use like Dropbox or Evernote, or you can export the board to PDF, PowerPoint, Excel, .zip or the Post-it Plus app’s own file type.

The free app is currently featured as one of the Best New Apps on the iTunes App Store today, and it doesn’t include any in-app purchases. (Hooray!) For those whose workflows still live and die by these little notes, Post-it Plus is worth the download.

Read More

Signaling Post-Snowden Era, New iPhone Locks Out N.S.A.

Signaling Post-Snowden Era, New iPhone Locks Out N.S.A.

DAVID E. SANGER, BRIAN X. CHEN
The New York Times 

WASHINGTON — Devoted customers of Apple products these days worry about whether the new iPhone 6 will bend in their jean pockets. The National Security Agency and the nation’s law enforcement agencies have a different concern: that the smartphone is the first of a post-Snowden generation of equipment that will disrupt their investigative abilities.

The phone encrypts emails, photos and contacts based on a complex mathematical algorithm that uses a code created by, and unique to, the phone’s user — and that Apple says it will not possess.
The result, the company is essentially saying, is that if Apple is sent a court order demanding that the contents of an iPhone 6 be provided to intelligence agencies or law enforcement, it will turn over gibberish, along with a note saying that to decode the phone’s emails, contacts and photos, investigators will have to break the code or get the code from the phone’s owner.
Breaking the code, according to an Apple technical guide, could take “more than 5 1/2 years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.” (Computer security experts question that figure, because Apple does not fully realize how quickly the N.S.A. supercomputers can crack codes.)

Already the new phone has led to an eruption from the director of the F.B.I., James B. Comey. At a news conference on Thursday devoted largely to combating terror threats from the Islamic State, Mr. Comey said, “What concerns me about this is companies marketing something expressly to allow people to hold themselves beyond the law.”

He cited kidnapping cases, in which exploiting the contents of a seized phone could lead to finding a victim, and predicted there would be moments when parents would come to him “with tears in their eyes, look at me and say, ‘What do you mean you can’t’ ” decode the contents of a phone.
“The notion that someone would market a closet that could never be opened — even if it involves a case involving a child kidnapper and a court order — to me does not make any sense.”

Apple declined to comment. But officials inside the intelligence agencies, while letting the F.B.I. make the public protests, say they fear the company’s move is the first of several new technologies that are clearly designed to defeat not only the N.S.A., but also any court orders to turn over information to intelligence agencies. They liken Apple’s move to the early days of Swiss banking, when secret accounts were set up precisely to allow national laws to be evaded.

“Terrorists will figure this out,” along with savvy criminals and paranoid dictators, one senior official predicted, and keep their data just on the iPhone 6. Another said, “It’s like taking out an ad that says, ‘Here’s how to avoid surveillance — even legal surveillance.’ ”

The move raises a critical issue, the intelligence officials say: Who decides what kind of data the government can access? Until now, those decisions have largely been a matter for Congress, which passed the Communications Assistance for Law Enforcement Act in 1994, requiring telecommunications companies to build into their systems an ability to carry out a wiretap order if presented with one. But despite intense debate about whether the law should be expanded to cover email and other content, it has not been updated, and it does not cover content contained in a smartphone.

At Apple and Google, company executives say the United States government brought these changes on itself. The revelations by the former N.S.A. contractor Edward J. Snowden not only killed recent efforts to expand the law, but also made nations around the world suspicious that every piece of American hardware and software — from phones to servers made by Cisco Systems — have “back doors” for American intelligence and law enforcement.

Surviving in the global marketplace — especially in places like China, Brazil and Germany — depends on convincing consumers that their data is secure.

Timothy D. Cook, Apple’s chief executive, has emphasized that Apple’s core business is to sell devices to people. That distinguishes Apple from companies that make a profit from collecting and selling users’ personal data to advertisers, he has said.

This month, just before releasing the iPhone 6 and iOS 8, Apple took steps to underscore its commitment to customer privacy, publishing a revised privacy policy on its website.
The policy described the encryption method used in iOS 8 as so deep that Apple could no longer comply with government warrants asking for customer information to be extracted from devices. “Unlike our competitors, Apple cannot bypass your passcode, and therefore cannot access this data,” the company said.
Under the new encryption method, only entering the passcode can decrypt the device. (Hypothetically, Apple could create a tool to hack into the device, but legally the company is not required to do that.)

Jonathan Zdziarski, a security researcher who has taught forensics courses to law enforcement agencies on collecting data from iPhones, said to think of the encryption system as a series of lockers. In the older version of iOS, there was always at least one locker that was unlocked, which Apple could enter to grab certain files like photos, call history and notes, in response to a legal warrant.
“Now what they’re saying is, ‘We stopped using that locker,’ ” Mr. Zdziarski said. “We’re using a locker that actually has a combination on it, and if you don’t know the combination, then you can’t get inside. Unless you take a sledgehammer to the locker, there’s no way we get to the files.”
The new security in iOS 8 protects information stored on the device itself, but not data stored on iCloud, Apple’s cloud service. So Apple will still be able to obtain some customer information stored on iCloud in response to government requests.

Google has also started giving its users more control over their privacy. Phones using Google’s Android operating system have had encryption for three years. It is not the default setting, however, so to encrypt their phones, users have to go into their settings, turn it on, and wait an hour or more for the data to be scrambled.

That is set to change with the next version of Android, set for release in October. It will have encryption as the default, “so you won’t even have to think about turning it on,” Google said in a statement.

A Google spokesman declined to comment on Mr. Comey’s suggestions that stronger encryption could hinder law enforcement investigations.

Mr. Zdziarski said that concerns about Apple’s new encryption to hinder law enforcement seemed overblown. He said there were still plenty of ways for the police to get customer data for investigations. In the example of a kidnapping victim, the police can still request information on call records and geolocation information from phone carriers like AT&T and Verizon Wireless.

“Eliminating the iPhone as one source I don’t think is going to wreck a lot of cases,” he said. “There is such a mountain of other evidence from call logs, email logs, iCloud, Gmail logs. They’re tapping the whole Internet.”

Read More

Five ways the internet of things is already broken - and how to fix it

Five ways the internet of things is already broken - and how to fix it

Leo Mirani

Quartz 

There are some 10 billion internet-connected devices in the world today. These include phones, computers, cars, and the assorted grab-bag of devices that fall under the rubric of the “internet of things” (IoT). By 2050, there will be over 100 billion internet-connected devices. The vast majority of those will be “things”: lightbulbs, doorknobs, coffee machines, and, yes, fridges.
But there are some big obstacles before the internet of things can become a viable business. A recent research paper from IBM lays out the top five:

1) Cost. If IoT devices are to sell at scale, they need to be cheap enough to replace the “dumb” devices they’re replacing, whether those are lightbulbs or keychains. If they are cheap, the businesses that make them need sources of revenue beyond the product itself. And customers will want service and maintenance. But “the cost of supporting and serving billions of smart devices will be substantial—even something as simple as maintaining centralised servers that distribute regular software updates,” write the authors of IBM’s paper.

2) Trust. Trust in the internet has taken a beating over the past year with revelations of mass spying and increasing awareness of corporate surveillance for advertising purposes. It will take some convincing for people to trust that the connected devices in their homes, cars, and on their person will not be open to similar abuse.

3) Longevity. Computers are replaced every few years. Smartphones every 24 months. Doorknobs tend to stay in service in decades. IoT companies need to figure out how to convince potential customers that their devices will last—or that they will be updated at regular intervals without substantial cost.

4) Utility. What is the point of a connected device? “A smart, connected toaster is of no value unless it produces better toast,” write the paper’s authors. Connected devices must offer more than just connectivity.

5) Making money. “We’ve been working with clients who make smart homes, IoT networks, and they’re struggling with a twofold problem,” says Paul Brody, IBM’s vice-president of mobile and internet of things, and one of the paper’s authors. “They are almost uniformly finding that they’re getting less revenue than they hoped. They had built business plans on unrealistic assumption that’s I’m going to get user revenue, sell user data, and going to have ads. But didn’t realize how much its going to cost and how many years devices are going to be in service.” There is, after all, only so much valuable information to be gleaned from a smart kettle.

So what is to be done? Brody has a wild idea: He suggests looking to the infrastructure of Bitcoin; more specifically, to the Blockchain, the open ledger that the Bitcoin system uses to ensure accountability while remaining anonymous and decentralised. The paper suggests that using a Blockchain-like mechanism to coordinate IoT devices would allow the devices to use each others’ spare processing power (thus reducing the need for expensive centralized servers), verify each other through consensus, and reduce the risk of failure thanks to its decentralized nature.

This would, Brody admits, necessitate a “quiet period” and for companies to “go back to the drawing board.” Brody predicts that it is only in 2016 or 2017 that we will see a flood of new devices that actually add value, and in sustainable ways. That matches up with a recent Gartner prediction that hype around the internet of things had peaked. Still, rethinking the architecture of the internet of things seems a pretty wild idea. Brody says IBM is working on a proof of conept with Samsung, which it will show early next year, but he doesn’t disagree: “It is both a ridiculously impractical and undesirable,” he says. “And also very feasible.”

Read More

New York scientists unveil 'invisibility cloak' to rival Harry Potter's

New York scientists unveil 'invisibility cloak' to rival Harry Potter's

Caurie Putnam

Reuters

Watch out Harry Potter, you are not the only wizard with an invisibility cloak.
Scientists at the University of Rochester have discovered a way to hide large objects from sight using inexpensive and readily available lenses, a technology that seems to have sprung from the pages of J.K. Rowling's Harry Potter fantasy series.
Cloaking is the process by which an object becomes hidden from view, while everything else around the cloaked object appears undisturbed.

"A lot of people have worked on a lot of different aspects of optical cloaking for years," John Howell, a professor of physics at the upstate New York school, said on Friday.
The so-called Rochester Cloak is not really a tangible cloak at all. Rather the device looks like equipment used by an optometrist. When an object is placed behind the layered lenses it seems to disappear.

Previous cloaking methods have been complicated, expensive, and not able to hide objects in three dimensions when viewed at varying angles, they say.

"From what, we know this is the first cloaking device that provides three-dimensional, continuously multidirectional cloaking," said Joseph Choi, a graduate student who helped develop the method at Rochester, which is renowned for its optical research.

In their tests, the researchers have cloaked a hand, a face, and a ruler – making each object appear "invisible" while the image behind the hidden object remains in view. The implications for the discovery are endless, they say.

"I imagine this could be used to cloak a trailer on the back of a semi-truck so the driver can see directly behind him," Choi said. "It can be used for surgery, in the military, in interior design, art."
Howell said the Rochester Cloak, like the fictitious cloak described in the pages of the Harry Potter series, causes no distortion of the background object.

Building the device does not break the bank either. It cost Howell and Choi a little over $1,000 in materials to create it and they believe it can be done even cheaper.
Although a patent is pending, they have released simple instructions on how to create a Rochester Cloak at home for under $100:

There is also a one-minute video about the project on YouTube: https://www.youtube.com/watch?v=_EB6WYo6d-s

Read More

Apple Says Majority Of OS X Users Are Safe From Bash Exploits

Apple Says Majority Of OS X Users Are Safe From Bash Exploits

Darrell Etherington

TechCrunch

Apple has issued a public statement in response to the so-called Shellshock vulnerability, assuring OS X users that for the most part, they’re safe from any potential attacks. An Apple spokesperson provided the following to TechCrunch regarding the vulnerability, which affects bash, a Unix shell that’s part of Apple’s desktop OS:

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

Earlier, we provided a guide regarding what you need to know about Shellshock to protect yourself, but as Apple notes here, in OS X you should be safe so long as you haven’t configured advanced access (which means probably most of our readers are okay). Apple will also issue an OS X update shortly to close the potential hole, so also just make sure you don’t go enabling any advanced UNIX options before that happens.

Read More

Austin Mahone Is Releasing a Book

GETTY

Days after Austin Mahone surprised his fans with his “Secret” music video, he has even more exciting news. He’s releasing a book!

“I got my own book coming out!!!” the singer wrote on Instagram, asking fans to vote for their favorite

The book will be titled Just How It Happened: My Official Story and will include exclusive photos Mahomies haven’t seen yet.

No matter what cover fans pick, Fans so can't wait for it to come out!

Read More

Justin Bieber's New Haircut Gives Us Major Flashbacks

ANTHONY HARVEY/FILMMAGIC

Fans of jb could pretty much tell you the exact date a picture of Justin Bieber was taken by just looking at his hair. The singer has had so many different memorable hair phases, ranging from his side swoop to his gelled-up spikes, and now it looks like he's re-visiting one of his old looks.

Fans on Twitter noticed that Justin's latest haircut makes him look like a more mature version of his teenage self.

For reference, this is 2011 Justin:

Read More

3D Printing With Sand Using The Power Of The Sun

3D Printing With Sand Using The Power Of The Sun

Greg Kumparak

TechCrunch

“So what are you doing this weekend, Markus?”
“Oh, you know. Heading out to the desert and harnessing the power of the sun to make a 3D printer that can print objects out of sand. You?”
“… catching up on Breaking Bad.”

You know the kid in your old neighborhood that spent his spare time frying ants with a magnifying glass? This is like that — except instead of a magnifying glass, he’s using an big ol’ fresnel lens. And instead of roasting insects, he’s melting freaking sand into stuff.

Built by artist Markus Kayser, the “SolarSinter” concept isn’t too disimmilar from laser sintering printers used by operations like SpaceX to print otherwise impossible objects out of metal. A focused sun beam is a whole lot less precise than a finely-honed laser, of course — but the core concepts are the same.

I bet this guy could make a mean sand castle.

Read More

The Internet Braces for the Crazy Shellshock Worm

The Internet Braces for the Crazy Shellshock Worm

Robert McMillan

Wired

A nasty bug in many of the world’s Linux and Unix operating systems could allow malicious hackers to create a computer worm that wreaks havoc on machines across the globe, security experts say.
The flaw, called Shellshock, is being compared to last spring’s Heartbleed bug because it lets attackers do some nasty stuff—in this case, run unauthorized code—on a large number of Linux computer servers. The flaw lies in Bash, a standard Unix program that’s used to connect with the computer’s operating system.

The good news is that it doesn’t take long to patch the bug. At internet infrastructure provider CloudFlare, admins scrambled for about an hour this morning to fix the flaw, which was disclosed late on Tuesday. “We got 95 percent of it done within 10 minutes,” says Ryan Lackey a security engineer at the company.

Because Shellshock is easy to exploit—it only takes about three lines of code to attack a vulnerable server—Lackey and other security experts think there’s a pretty good chance that someone will write a worm code that will jump from vulnerable system to vulnerable system, creating hassles for the world’s system administrators. “People are already exploiting it in the wild manually, so a worm is a natural outgrowth of that,” Lackey says.

To exploit the bug, the bad guys need to connect to software such as PHP or DHCP—which use bash to launch programs within the server’s operating system

There are still some important questions about the bug. One is whether other operating systems that use Bash—Mac OS, for example—are vulnerable. Another big one: how many linux server applications and appliance-like Linux devices—things like storage servers or video recording devices—might be vulnerable to the flaw. Many of these Linux systems to not use the Bash software, but those that do could be vulnerable to attack and difficult to patch.

In the grand scheme of things, Shellshock is not as big of a problem as, say, phishing attacks, which continue to trick internet users, says Robert Graham, CEO of Errata Security. However, it’s “slightly worse than Heartbleed,” he says. “It’s in more systems. It’s going to be harder to track them down and patch them, and you can immediately exploit it with remote code execution.” Heartbleed let criminals steal your username and passwords, but it didn’t make it quite so easy to run your own malicious software on a vulnerable system, Graham says.

Like Heartbleed, the new bug has been around for a long time, and was introduced in a widely used piece of open source software. In the wake of Heartbleed, the open source community came up with some money to beef up the security of several popular open-source tools. And it may be time to add a few more—including Bash— to that list.

Read More