• Fascinating attack on unmoderated package managers for programming libraries (via former TimeDoctor contributor, Vogon) that would work just as well on unmoderated app stores:

    In the second part of 2015 and the early months of 2016, I worked on my bachelor's thesis. In this thesis, I tried to attack programming language package managers such as Python's PyPI, NodeJS's Npmjs.com and Ruby's rubygems.org. The attack does not exploit a new technical vulnerability; it rather tries to trick people into installing packages that they did not intend to run on their systems.

    […]

    So basically we create a fake package that has a similar name as a famous package on PyPi, Npmjs.com or rubygems.org. For example we could upload a package named reqeusts instead of the famous requests module.

    It ends up being very successful:

    In two empirical phases, exactly 45334 HTTP requests by 17289 unique hosts (distinct IP addresses) were gathered. This means that 17289 distinct hosts executed the program above and sent the data to the webserver which was analyzed in the thesis. The number of HTTP requests is for various reasons higher than the number of distinct IP addresses. The main reason is that pip executes the setup.py file twice on installation. Don’t ask me why.
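A defensive counterpart to the trick described in the excerpt, added here as an example that is not part of the original post or the thesis: scan a requirements.txt for names that are one edit away from a well-known package (including a letter transposition such as reqeusts for requests) before pip ever runs their setup.py. The KNOWN_PACKAGES allowlist, the sample requirements file and the one-edit threshold are constructed assumptions; a real check would load the most-downloaded package names from the index instead.

```python
import re

# Constructed allowlist of well-known names; a real check would load the
# top-N most-downloaded PyPI packages instead of this short list.
KNOWN_PACKAGES = {"requests", "numpy", "flask", "django", "urllib3", "setuptools"}


def normalize_name(name: str) -> str:
    """Canonical form used by PyPI (PEP 503): lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'reqeusts' vs 'requests' costs 1, not 2."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def requirement_name(line: str) -> str:
    """Extract the bare project name from one requirements.txt line.
    Comments, blank lines and pip options such as '-r other.txt' yield ''."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return ""
    # Stop at the first version specifier, extras bracket, marker or URL.
    return re.split(r"[\s<>=!~\[;@]", line, maxsplit=1)[0]


def find_typosquats(lines, known=KNOWN_PACKAGES, max_distance=1):
    """Return (requested_name, similar_known_name) for every requirement that
    is not itself a known package but sits within max_distance edits of one."""
    known_norm = {normalize_name(k) for k in known}
    hits = []
    for raw in lines:
        name = requirement_name(raw)
        if not name:
            continue
        norm = normalize_name(name)
        if norm in known_norm:
            continue  # exact match with a known package: nothing to flag
        for k in sorted(known_norm):
            if osa_distance(norm, k) <= max_distance:
                hits.append((name, k))
    return hits


# Constructed sample requirements file containing three look-alike names.
SAMPLE_REQUIREMENTS = [
    "requests==2.9.1",
    "reqeusts            # transposed letters",
    "numpy>=1.10",
    "flsk",
    "urlib3[socks]",
    "-r other.txt",
    "Django",
]

if __name__ == "__main__":
    for requested, lookalike in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} is one edit away from {lookalike!r}")
```

Run it over a requirements file before `pip install -r`; the check has to happen at that point because, as the excerpt notes, pip executes setup.py during installation, so by the time a mistake is noticed the package has already run. The threshold of a single edit keeps false positives manageable on a large allowlist; raising it catches more creative misspellings at the cost of more manual review.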

  • Money in the Bank

    The decades-old institution of civil asset forfeiture just got amazingly worse through the new practice of seizing cash in bank accounts on a whim without any due process:

    Now, the Oklahoma Highway Patrol has a device that also allows them to seize money in your bank account or on prepaid cards.

    It’s called an ERAD, or Electronic Recovery and Access to Data machine, and state police began using 16 of them last month.  

    Here’s how it works. If a trooper suspects you may have money tied to some type of crime, the highway patrol can scan any cards you have and seize the money.

    […]

    News 9 obtained a copy of the contract with the state. 

    It shows the state is paying ERAD Group Inc., $5,000 for the software and scanners, then 7.7 percent of all the cash the highway patrol seizes.  

    Yow.

    Also, this is the second website I’ve seen today that still requires Flash to watch their videos. Chrome makes an OK sandbox for that garbage but everyone should stop supporting it. 

  • Online DRM-free retailer Gog announced Gog Connect. Gog Connect links your Gog account to your Steam account and lets you receive DRM-free Gog versions of some games if you already own them on Steam.

    The list of supported games is short at just 23 currently, but Gog have said they will change the list up frequently by adding games and removing old ones. Unfortunately you will need to revisit the Gog Connect page when new games are added in order to receive DRM-free Gog copies.

  • E. Fylladitakis writing for Anandtech has this excellent review of the Corsair Lapdog. It is either the best or worst possible name for a product that connotes this:

    [image: an actual dog that might fit on your lap if it deigns you worthy]

    …but is actually this keyboard and mouse ergonomic nightmare for playing FPS games on a couch the right way:

    [image: the Corsair Lapdog will let anyone put it on its lap]

    Although it looks cool, it is actually going to cost you upwards of $200. $120 for the Lapdog, and a bunch more for the mouse and keyboard since only two Corsair keyboard models are going to fit. Though you could probably get away with not using a Corsair mouse.

  • Microsoft’s press release:

    Microsoft Corp. on Wednesday announced plans to streamline the company’s smartphone hardware business, which will impact up to 1,850 jobs. As a result, the company will record an impairment and restructuring charge of approximately $950 million, of which approximately $200 million will relate to severance payments.

    That’s a lot of weasel words to say they’re firing almost two thousand people. 

    “We are focusing our phone efforts where we have differentiation – with enterprises that value security, manageability and our Continuum capability, and consumers who value the same,” said Satya Nadella, chief executive officer of Microsoft. “We will continue to innovate across devices and on our cloud services across all mobile platforms.”

    The weasel wording continues on to say that Microsoft won’t be developing features for actual people with Windows phone devices and will instead focus on what businesses want, which is a shame since Windows phones were better and more secure than Android in many ways.

    Here Microsoft, I streamlined your press release:

    Our phone business hasn’t been successful with people because we focused on what businesses want. We will continue to focus on businesses by firing almost two thousand people who worked on or supported features that people might want. Regrettably, we will have to pay them money so that they don’t cause a scene.