The UpStream (Page 177)

Security Alert - OAuth and OpenID Vulnerable

posted Sunday May 4, 2014 by Scott Ertz

Security Alert - OAuth and OpenID Vulnerable

Right on the heels of the disaster that was Heartbleed comes another pair of security issues. This time, rather than coming from OpenSSL, our security issue comes to us care of OpenID and OAuth, another pair of open technologies used by a lot of websites.

OpenID is an authentication system which allows you to login to a large number of websites with a single set of credentials. OAuth allows you to authorize an application or website to use your information from another system, such as Facebook or Twitter.

The new issue, dubbed Covert Redirect, was discovered by Wang Jing, a doctoral student at Nanyang Technological University in Singapore. The idea behind the exploit is that, when you click a link that asks for your information from Facebook, the exploiter can gain access to said information as well, without your knowledge or permission. This is because there is no registration for acceptable redirects on success.

So, how can this be fixed? Facebook told Jing that it is a huge problem and that it won't be fixed anytime soon. Jing says,

The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.

These paired vulnerability instances are going to start a conversation that I feel should have started years ago: is having the source code for software available to the public an inherent security issue? The open source community has always maintained that it is not an issue, but anyone who has ever run a WordPress website would disagree with that notion. WordPress is possibly the biggest, most popular open source software in the world, and it is constantly under attack from bot comments who exploit vulnerabilities in the software through code research.

Whether you believe in the value of open source as a concept or not, you can't deny that the easy access to vulnerabilities is a good thing. Take, for example, the recent discovery of an exploit in Internet Explorer, which has been there for many years, but not discovered until recently. There has never been an exploit in WordPress that has existed that long without attack, because it is so easy to find said issues.

Do you have an opinion on either these security issues or the concept of open source security in general? We'd love to hear from you - feel free to comment below.

Destiny Will Require Some Single-Player Before Multi-Player

posted Sunday May 4, 2014 by Scott Ertz

Destiny Will Require Some Single-Player Before Multi-Player

We've really been looking forward to Bungie's first post-Halo title, Destiny. We've seen it in action at the PlayStation 4 launch and E3 2013 presentations, which only heightened our excitement. As the months have gone by, we have gotten more information, a little at a time, but this week we got an interesting new tidbit.

As we have known, Destiny is a game about leveling. One part FPS, one part RPG and all Bungie, everything in the game is upgradable. Because of this upgrade path, one major variance from the traditional Bungie game is that you cannot jump right from power-on into multi-player. Unlike a Halo game, you will need to play through some of the single-player campaign to be able to unlike competitive multiplayer, or PvP.

This is a different approach to the issue of players skipping single player entirely. Titanfall decided to take the route of least resistance - cutting the single player out of the game entirely and only creating a multiplayer experience. Bungie, on the other hand, is going to force at least a little single player.

Tyson Green from Bungie said of the requirement,

We found early on that people here in the studio, when they jumped on the game - these were people who were already really familiar with the game mechanics - they would roll a new character, play through the first mission then go right into PvP, and they would just get really beaten up by the other players because they didn't have a super ability yet and they'd only got an auto rifle from the first mission.

And they said, 'this is really awful, this is a terrible experience!' And we said, 'you're right, we have to make sure that doesn't really happen.'

So when your first character unlocks PvP, you're a little bit further into the game. You've probably done one or two of the campaign missions, probably unlocked a special weapon and your super ability. And then once that's happened we unlock it for all the characters on your account. Once you know how the game works, if you want to take a Hunter into PvP at level three, yeah, we're okay with that. You know what the game is at that point, so that's your decision to make.

Luckily, the requirement will only be "a couple of hours, tops." It will also only require you to complete once per account, no matter how many characters you have in the game.

So, has this turned you off to the idea of Destiny, or are you still excited to see what Bungie has to deliver? Let us know in the comments.

FDA Drafts Laser Pointer Restrictions

posted Sunday May 4, 2014 by Scott Ertz

FDA Drafts Laser Pointer Restrictions

Here's a weird one for you folks. The Food & Drug Administration has published a new draft guidance on acceptable consumer laser products. Now, I know what you're thinking, "Why does the FDA care at all about lasers?" While this is a good question, I do not have a good answer. There are a lot of agencies who might be interested in regulating lasers. Let's look at the reasons and what agency might have an interest there.

The most likely reason for this document is the increasing threat of laser strikes on aircraft. While a $5 laser from the drug store probably isn't going to cause a lot of harm, a $600 4-watt laser has a lot of potential. Currently there is a $10,000 reward for information leading to the arrest of someone involved in a laser strike. Obviously, the desire to protect aircraft, both big and small, is a high priority. This would, of course, fall under the jurisdiction of the FAA, which has regulations against shining a laser at a plane, and the FBI, who is tasked with finding and prosecuting those who disobey. No FDA to be found here.

Another fear would be the types of lasers to be found at laser light shows. Often these come from previous medical equipment and, therefore, have the capability to cut through some pretty substantial materials. One of those materials is you. Now, the use of these lasers is currently regulated, and not just anyone can own one. If someone were to get ahold of one, however, their actions would be considered an attack with a deadly weapon, meaning that the regulation and laws regarding this usage would come from the Bureau of Alcohol, Tobacco, Firearms and Explosives, not the FDA.

So, why would the FDA weigh in now? I'm still not sure, other than to try and plant their flag at a time when government agencies are overstepping their bounds on a regular basis. For example, remember when the FCC declared war on the Internet and Congress fought back? The Supreme Court ruled that they were out of line, but it might have prompted this kind of power-grab mentality.

Patrick Murphy, the editor of told Ars Technica,

In my personal opinion, FDA is wrong. First, pointers do not fit the existing FDA regulations which clearly define SLA lasers. Second, if you look at any lasers used for surveying, leveling, or alignment, they do not look like or operate like handheld laser pointers...

I'm not saying that (high-powered lasers) shouldn't be banned. I'm saying that (the FDA doesn't) have the authority under current law. You need to go through Congress to get the authority.

The FCC has learned that lesson the hard way, and the FDA might be the next government agency to take a trip to the Supreme Court.

Netflix to Increase Streaming Prices for New Customers Now, Existing Later

posted Sunday Apr 27, 2014 by Scott Ertz

Netflix to Increase Streaming Prices for New Customers Now, Existing Later

It's numbers time for Netflix and this quarter saw a steady increase in the number of subscribers, bring its total to nearly 50 million worldwide. Earnings are also up, from $962 million to $1.06 billion, but overall profit was fairly flat, mobbing from $48 million to $53 million. This shouldn't be a surprise, however: more subscribers means more royalties for content, both existing and original.

Because of this, Reed Hastings, Netflix CEO, said that new customers can expect to see a $1-2 raise in the monthly subscription price. Ireland has already seen this price increase, starting in January, and Netflix says they saw very "limited impact," meaning very few customers left. This has left them with a positive feeling about the possibility of raising prices, something that has not officially happened for streaming-only customers since the plan's creation in 2011.

Now, that is 4 years of added content, original programming and increased speed and video quality, all without the price changing. We all knew that was not going to be able to last forever. Hastings said,

If we want to continue to expand, to do more great original content... we have to eventually increase prices a little bit.

These price changes will be different from the last time, however, with Netflix learning their lesson from the Qwikster debacle. As it turned out, splitting its DVD business away from the streaming service, with a new name and price to match, drove a lot of customers away. Now, with physical media rentals nearly irrelevant, a small price increase doesn't seem to scare them, or the market.

In fact, Netflix stock rose over 6% after the announcement. Apparently being able to pay for things is big for investors. It is important to note here, while the price increase will not affect current customers immediately, they will receive the price increase after "a generous time period," whose length is still unknown.

Microsoft-Nokia Deal Finally Closes

posted Sunday Apr 27, 2014 by Scott Ertz

Microsoft-Nokia Deal Finally Closes

It has been a hard-fought battle since Microsoft first announced intentions to purchase Nokia Devices and Services last September. There have been factory worker strikes in China, tax liens in India and regulatory approvals in 17 countries. All of those issues have been resolved and this week Microsoft has welcomed Nokia Devices and Services to its family.

In the acquisition, the most obvious new division will be the Lumia handsets - most certainly the reason for the acquisition. In addition to the obvious, however, are Nokia Asha and Nokia X handset lines, the latter being announced only recently. Luckily, Microsoft has also licensed Nokia's name for the next decade, meaning Microsoft has plenty of time to figure out what to do with Nokia X.

Microsoft's new CEO, Satya Nadella, said,

Today we welcome the Nokia Devices and Services business to our family. The mobile capabilities and assets they bring will advance our transformation. Together with our partners, we remain focused on delivering innovation more rapidly in our mobile-first, cloud-first world.

Along with Nokia's hardware division comes Nokia House, Nokia's now former headquarters, which will continue to operate as the Microsoft Mobile offices. Reporting directly to Nadella will be now former Nokia President and CEO Stephen Elop, who will become executive vice president of Microsoft Devices Group, which will oversee Nokia/Microsoft devices, Perceptive Pixel (PPI) products, Surface and Xbox hardware, as well as all accessories pertaining to these brands. Elop rejoins the company, having worked for Microsoft before moving to Nokia.

Part of the transition is an even stronger commitment to developers. Nokia (or Microsoft under the Nokia name) posted both on their DVLUP Rewards blog and their Nokia Developer blog about the new, enhanced focus on development for the Microsoft ecosystem, including Asha and X platforms.

Facebook Gives $600,000 to Re-open Police Substation in Silicon Valley Suburb

posted Sunday Apr 27, 2014 by Nicholas DiMeo

Facebook Gives $600,000 to Re-open Police Substation in Silicon Valley Suburb

Just down the road from Facebook's corporate headquarters, in the neighborhood of Belle Haven, now stands a police station, that has been reopened thanks to a large amount of funding from the social network giant. $600,000 will be given to the police station over the next two years and will include payment for rent, renovation and one officer's salary.

While the city of Menlo Park is actually a very high-class area, with houses selling at an average of $1.5 million, it is said that Belle Haven has a high crime rate, some homes are run down and all of Menlo Park's eight shootings took place in this neighborhood. Test scores also aren't too great in the school district, with scores falling in the bottom 12 percent of all California schools in the past 4 years. So I guess having a police station there isn't a bad idea, in that first world problem, "I asked for two limes and you gave me one" kind of way.

At any rate, Facebook has created what Belle Haven is calling the "Neighborhood Service Center" sits on the end of a strip mall and has been converted from a former store front. Facebook was also in charge of all of the interior design of the project, per the police force's request. The Center will also have three officers on duty Monday through Friday from 8am through 6pm.

It really takes seeing this place to realize that it is nothing like your average police department. Free Wi-Fi, an ATM, iPads, couches and even a credit union fill in the space, along with live surveillance cameras from around the entire city, displayed on a large wall of monitors.

It's also interesting to note that the space costs $3,600 per month for rent, which was more than what they were paying for before, and that substation closes in January. The mayor of Menlo Park, Ray Mueller, said that his taxpayers were already paying enough and that Facebook's generous offer would help fix the crime rate in the area.

I think there is precedent for taking money from private companies putting it to public good... We had violent crime in this area. We had drive-bys. The number one priority is that when kids go to school that they have the same opportunity as kids on the other side of the freeway. Facebook came forward to us, we didn't ask them. We're going to save money in the long-term.

Mueller did take time to mention that Facebook employees wouldn't get any special treatment after this, saying that, "If a Facebook employee gets caught doing something, there will be extra attention to make sure they don't get an extra benefit."

What do you make of all of this? I mean the place definitely looks cool and bridging a gap between police and their community is certainly needed as of late, but is this type of establishment appropriate for the area? Sound off in the comments section because I'm dying to know what everyone else out there thinks. I'm still trying to wrap my head around this myself.

We're live now - Join us!



Forgot password? Recover here.
Not a member? Register now.
Blog Meets Brand Stats