Read Write Web


Taking My Diet To The Next Level

1 hour 56 min ago

ReadWriteBody is an ongoing series where ReadWrite covers networked fitness and the quantified self.

Quantifying your activity and nutrition, as I’ve done for years, can only take you so far. Sometimes gathering the numbers just tells you the same bad news you can see in the mirror. Here it is: After dropping 12 pounds last year, I’ve been stuck around 195 pounds for months.

I'm still very active, going on runs with my dog around Telegraph Hill, spiking my heart rate with gym workouts, and trying different training techniques while I continue to test new fitness gadgets and apps. It's pretty clear what I need to tackle next: what I eat.

And I have a short-term motivator: I've signed up to take my colleagues through a boot-camp exercise program in a month. My co-instructor is a former MMA pro. I’m feeling the heat.

Beyond Food Logging

As much as I love MyFitnessPal, an app in which I log everything I eat, it doesn't feel like a good meal-planning tool. I use it for accountability, recording what I eat as I go. Rigorously admitting my food slip-ups keeps me aware of my food habits and where I can improve them. I don't want to tinker with that part of my routine.

What I need is an app that plans my meals, generates a shopping list, and helps keep me on track.

Ideally, it would look ahead at my calendar. For example, this week, I packed five days’ worth of morning meals, forgetting that I had two breakfast meetings planned. Push notifications to remind me to eat at the right time would help—especially since the timing of meals may be a factor in weight loss.

And there's always the unexpected, like the leftover Chinese food I'm having for lunch today. An ideal meal-planning app would adjust on the fly for the occasional overindulgence.

The Ultimate Food App Hasn’t Been Invented Yet

The last thing I want is connectedness: I want an app that automatically populates MyFitnessPal with my planned meals as I eat them, that consults RunKeeper or MapMyFitness to get an eye on my calories burned through exercise, that picks up my sleep habits from my activity tracker, that pulls menus from restaurants when I schedule a meeting, and that outputs a shopping list I can import into grocery-delivery services like AmazonFresh, Postmates, or Instacart.

From what I've seen, there are plenty of meal planners that focus on organizing recipes. What they lack is contextual awareness of the vast amounts of data I throw off in my quantified life. Somewhere out there, someone must be building the perfect next-generation food-planning app, one that factors in my schedule, exercise, sleep, and other measurable habits. If you are, let me know.

In the meantime, I’ve got some old-fashioned work to do, with a familiar set of tools to rely on. I’ll let you know how it goes.

Categories: Technology

Dropbox Buys Loom For Photo Sharing, HackPad For Collaboration

2 hours 41 min ago

Dropbox is having a busy Thursday.

The file sharing giant has acquired Loom, a photo sharing app that offered mobile users up to five gigabytes of free storage. Loom announced the deal on its company blog.

Dropbox recently announced an update to its photo sharing capabilities with its Carousel feature, and the Loom team will likely join Carousel as the home for syncing and sharing the ever increasing amounts of photos people take on their devices.

Unfortunately, the acquisition means Loom will be shutting down its own service within a month. Loom is not allowing any new signups, and the company informed customers that the service will officially shut down on May 16. Current customers can choose to export their photos to Dropbox, where they'll automatically receive the same amount of cloud storage they had with Loom, or they can opt for a .zip file that contains every image they've ever uploaded to Loom's servers.

Also joining Dropbox—by way of acquisition—is a company called HackPad, a wiki-style collaboration and note-taking tool that could also boost Dropbox's own recently launched internal collaboration tools.

Unlike the Loom acquisition, Hackpad will continue to remain open to existing and new customers, and the company said it will be working with Dropbox to "bring new offerings to the market."

Image of Gentry Underwood of Dropbox by Adrianna Lee for ReadWrite

Categories: Technology

Suddenly, Mobile App Install Ads Are Popping Up Everywhere

2 hours 57 min ago

Developers love them, advertisers love them, and companies are raking in cash—all thanks to the little buttons in mobile advertisements that urge you to download an app.

See also: How Post-IPO Twitter Could Make Billions Without Alienating Users

Twitter is the latest company to introduce these new mobile advertisements. Today the company announced that developers and advertisers can urge mobile Twitter users to download applications through these so-called app install ads, and reach up to one billion mobile devices through the MoPub Marketplace, the advertising startup the company acquired last year.

At first glance, this may look like Twitter’s latest copycat move on Facebook. But that doesn’t give app install ads enough credit. 

Mobile Is Eating The World

More than 85 percent of the time we spend on our mobile devices, we’re using one app or another. But finding good apps is still a problem for the majority of smartphone users, in part because app store search leaves something to be desired. So how do developers get people to notice their apps? Serve them up where people are spending all their time—in other apps. 

Facebook launched its own mobile app install ads in October 2012, and the product has been huge both for marketers and Facebook’s bottom line. Last year, the number of installs driven by Facebook’s ad program ballooned to 245 million, and accounted for hundreds of millions in revenue for the company, according to BuzzFeed.

Though Facebook remains mum on exactly how lucrative the ad program is, CEO Mark Zuckerberg admits it’s been quite successful. “We’re finding that people also really want to buy a lot of app install ads, and that’s grown incredibly quickly and is one of the best parts of the ad work that we did over the last year,” he told the New York Times in January.

Yahoo is experimenting with similar ad products, too. In March, the company confirmed it was testing ads that sell users on apps in hopes of appealing to more developers and brands. So far the company hasn’t fully rolled out the ad program, but it’s likely we’ll see it in the coming months.

Some people might argue they have all the apps they need, but app install ads could drive even bigger traffic in markets that are just now buying smartphones—developing markets that tech giants are especially interested in. As more people get their hands on cheap smartphones, specifically in emerging economies, the business of pushing apps into consumer hands is only going to grow in importance.

Twitter is rolling out the new ad product today, and marketers can set up app install ad campaigns that target both mobile Twitter users and thousands of apps in the MoPub Marketplace on ads.twitter.com.

Image courtesy of Twitter

Categories: Technology

How To Ensure Your Homebrew OpenVPN Server Isn't Vulnerable To Heartbleed

3 hours 3 min ago

The Heartbleed bug has made April into a difficult month for Internet users, as we scramble to change our passwords and protect ourselves from the most pervasive security threat in ages. 

But if you've set up your own virtual private network (VPN), which gives you a secure channel back to your home network even on insecure public networks, you don’t have to worry, right? Unfortunately, that’s not necessarily true. 

See also: Building A Raspberry Pi VPN Part One: How And Why To Build A Server 

OpenVPN is an open source service that makes up the backbone of many independent VPN servers, including the one I built for a ReadWrite tutorial. Since OpenVPN uses OpenSSL as its default cryptography library, it can be vulnerable to the Heartbleed bug. That means a dedicated hacker could conceivably steal the master key that encrypts all connections to a particular OpenVPN server, essentially shredding its security (although doing so doesn't sound particularly easy).

Users who followed our ReadWrite tutorial probably aren't vulnerable to Heartbleed, and in fact may be safer than the average user. That's because:

  • We published our tutorial after the discovery of Heartbleed, so anyone who followed it should have installed the Heartbleed-patched version of OpenVPN.
  • We used a TLS-auth key, considered by some VPN builders to be an unnecessary security step. Generated in step eight of the tutorial, the pre-shared hash-based message authentication code (HMAC) key doesn’t just ward off DoS attacks, but also any bad actor who doesn’t know your private key. Even the OpenVPN wiki page on Heartbleed says a TLS-auth key can make you less vulnerable.

Still, there are many reasons it’s a good idea to check your VPN for Heartbleed vulnerability, just in case. Fortunately, one programmer, Stefan Agner, has already developed an open source program that tests OpenVPN for you. You can access Agner's code on GitHub.  

Here’s how to download his program and test your OpenVPN-powered VPN for the bug: 

1) First, you need to access wherever your VPN lives, whether that's on your computer, a server, or a Raspberry Pi like in the tutorial. So in my case, I used SSH to access the Raspberry Pi where my VPN was built. 

See also: 5 Pointers To Supercharge Your Raspberry Pi Projects

2) Once you’re in, the first thing you need to do is make sure you’re using the right version of Python. This script requires Python 2. So type:

python -V

If it results in a version that starts with a 2, you are set. If not, you’ll need to install the latest version of Python 2 with:

sudo apt-get install python2.7

3) Now you need to clone the Heartbleed test GitHub repository. Obviously, you need git installed. You can type “which git” to check if you have git already installed, and if so, which version. If it isn't already installed, you can type:

sudo apt-get install git

As long as it's the device on which your VPN is installed, any directory will do for this clone—I just used the default folder on Raspberry Pi. When you've picked one, type in the command:

git clone https://github.com/falstaff84/heartbleed_test_openvpn.git

4) Now it’s time to finally input the test command. Go into the folder you just installed:

cd heartbleed_test_openvpn

Then, run the command, calling your internal IP address—the same one you used to connect to on SSH. For me, that was 192.168.2.22, as shown in the example. Yours is probably different. 

./heartbleed_test_openvpn.py 192.168.2.22

5) If your VPN is not vulnerable and you have a TLS-auth key, nothing will show up at all. The program is attempting to take advantage of Heartbleed and if it can't, the program won't work. It's the one time you want your program to fail. 

If your VPN is vulnerable, a fake Heartbleed attack will pop up. If it turns out your VPN is vulnerable, the only thing to do is to install the latest version of OpenSSL (or OpenVPN, if that’s the backbone you’re using).
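As an added example (not part of the ReadWrite tutorial or Stefan Agner's tester), here is a small POSIX shell script that checks the two things this article says decide your exposure: which OpenSSL release the box is running, and whether tls-auth is enabled in the server config. The config path /etc/openvpn/server.conf and the sample config it writes for the demo are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ReadWrite tutorial or from Stefan Agner's
# heartbleed_test_openvpn. Offline checks for an OpenVPN box:
#   1. is the OpenSSL release one that shipped with Heartbleed?
#   2. does the server config enable tls-auth (packets without a valid HMAC
#      are dropped before OpenSSL ever parses them)?
# Inputs are passed as arguments so the checks work without a live server.

# openssl_version_affected "<output of: openssl version>"
# Returns 0 when the upstream release is one that shipped Heartbleed
# (1.0.1 through 1.0.1f, and 1.0.2-beta1), 1 otherwise.
# Caveat: Debian/Raspbian backport the fix without changing the upstream
# number, so 0 here means "confirm via the package changelog", not
# "definitely exposed".
openssl_version_affected() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1 | 1.0.1[a-f] | 1.0.1[a-f]-*) return 0 ;;  # e.g. 1.0.1e, 1.0.1e-fips
        1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# config_has_tls_auth <path to server.conf>
# Returns 0 if an active (uncommented) "tls-auth ta.key 0" style directive
# or an inline <tls-auth> block is present, 1 otherwise.
config_has_tls_auth() {
    grep -Eq '^[[:space:]]*(tls-auth[[:space:]]|<tls-auth>)' "$1"
}

# assess "<openssl version string>" <path to server.conf>
# Prints one line per finding; returns 0 if nothing needs attention, 1 otherwise.
assess() {
    verdict=0
    if openssl_version_affected "$1"; then
        echo "OpenSSL '$1' is an affected upstream release: confirm the fix is backported, otherwise upgrade"
        verdict=1
    else
        echo "OpenSSL '$1' is not an affected upstream release"
    fi
    if config_has_tls_auth "$2"; then
        echo "tls-auth is enabled: heartbeat probes without the HMAC key are dropped"
    else
        echo "tls-auth is NOT enabled: consider adding it (tutorial step eight)"
        verdict=1
    fi
    return "$verdict"
}

if [ "$1" = "--live" ]; then
    # Live run on the VPN host: sh check_openvpn.sh --live [/etc/openvpn/server.conf]
    # (assumed default path). On Debian-family systems, including Raspbian,
    # the package changelog, not the upstream number, shows whether the
    # Heartbleed fix was backported.
    assess "$(openssl version)" "${2:-/etc/openvpn/server.conf}"
else
    # Demo with a constructed config: tls-auth commented out, an affected release.
    demo_conf=$(mktemp)
    printf '%s\n' 'port 1194' 'proto udp' '# tls-auth ta.key 0' > "$demo_conf"
    assess "OpenSSL 1.0.1e 11 Feb 2013" "$demo_conf" || echo "verdict: review needed"
    rm -f "$demo_conf"
fi
```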

Let us know if this works for you, and we'll do our best to lurk in the comments section to see if we can help troubleshoot. Best of luck.

Categories: Technology

Real-Time Data Streaming Gets Standardized

3 hours 34 min ago

One of the advantages of open source is that it can accelerate standards adoption on a level playing field. If there is a big enough problem to solve, smart people can attract the best minds to work together, investigate and share the solution.

That said, standards bodies often become little more than a parlor game for incumbent vendors seeking to position the standard to their market advantage.

In other words, there's lots of talk, but not much code.

In such a scenario, it's easy to end up with implementations of a standard that each work differently due to unclear or ambiguous specifications. I recently sat down with Viktor Klang, Chief Architect at Typesafe, one of the lead organizers of reactivestreams.org, an open source attempt to standardize asynchronous stream-based processing on the Java Virtual Machine (JVM).

Klang and his group—along with developers from Twitter, Oracle, Pivotal, Red Hat, Applied Duality, Typesafe, Netflix, the spray.io team and Doug Lea—saw the future of computing was increasingly about stream-based processing for real-time, data-intensive applications, like those that stream video, handle transactions for millions of concurrent users, and a range of other scenarios with large-scale usage and low latency requirements.

The problem? Lack of backpressure for streaming data means if there's a step that's producing faster than the next step can consume, eventually the entire system will crash.

ReadWrite: What is driving this shift in computing to reactive streams today?

Viktor Klang: It’s not a new thing. Rather, it's more like it was becoming a critical mass as more people started using Hadoop and other batch-based frameworks. They needed real-time online streaming. Once you need that, then you don’t know up front how big your input is because it’s continuous. With batch, you know up front how big your batch is.

Once you have potentially infinite streams of data flowing through your systems, then you need a means to control the rate at which you consume that data. You need to have this back pressure in your system to make sure the producer of data doesn’t overwhelm the consumer of data. It’s a problem that becomes visible once you start going to real-time streaming from batch-based.

Users have been asking for more “reactive” streams for a long time, for building their own network protocols or for their specific application needs. Any time you need to talk to a network device, you want to use this abstraction. Anything that has an IP address.

With reactivestreams.org, we’re trying to address a fundamental issue in a compatible way to hook all these different things together to work while being inclusive. Long-term, the plan for this is to build an ecosystem to build implementations that can be connected to other implementations and then have developers building more things on top of it. For example, connect Twitter’s streaming libraries with RxJava streaming libraries, and pipe into Reactor, Akka Streams, or other implementations on the JVM.

RW: Who are key members today?

VK: Certainly Typesafe jumped in early, since we have an open-source software platform that deals with a lot of what the industry calls "reactive application challenges." We were thrilled to have Twitter join, the Reactor guys from Pivotal, and Erik Meijer from Applied Duality, as well as Ben Christensen and George Campbell who work at Netflix. Red Hat’s in there with Oracle, and we also have some critical individuals like Doug Lea, inventor of java.util.concurrent, driving all concurrency stuff in the JVM. One of the goals of the project is to create a JSR for a future Java version.

Everyone pulls their weight. It’s just really hard to get engineering time from people at this level.

RW: Standards don’t tend to be very popular with developers. How are you trying to approach this to attract more key people?

VK: You’re right, the average developer is about as interested in standards as cats are in water. Jokes aside, however, we start with open source. I think of this project as a non-standard standards thing. We are inverting the usual process. We have created a spec, a test suite that verifies the spec and we created a description of why the spec is what it is and why it isn’t what it isn’t. We’re really creating solutions, picking them apart, and confirming they do what they say they do and using this process to create the best specification.

RW: It sounds like developers in this case are also addressing an ops or a dev ops problem?

VK: As a developer, you can make life really difficult for your ops guys. This is about getting it right so your ops guys don’t come over and mess you up. Previously they’d have to make sure you don’t feed the system more information than it can process, so you’re not blowing up resources, making sure the processing is always faster than the input. It’s really tricky to do that for variable loads.

RW: What are some examples that might inspire your core audience of Java developers?

VK: What’s a hard case for an enterprise Java developer? If you have a TCP connection with orders coming in and you need to perform some processing to it before passing it on to another connection, you need to make sure you aren't pulling things off the inbound connection faster than you are able to send to the outbound connection. If you don't, then you'll risk blowing the JVM up with an OutOfMemoryError.

For web developers, it could be streaming some input from a user and storing it on Amazon S3 without overloading the server, and without having to be aware of how many concurrent users you can have. That’s a challenging problem to solve now.

Image courtesy of Shutterstock

Categories: Technology

The Kill Switch Proposal: Why U.S. Carriers Win Either Way

7 hours 42 min ago

Cellular carriers in the U.S. want you to think they have your best interests at heart. That, hey, if your smartphone gets lost or stolen, they will have your back. At least that's what those carriers would have you believe with a new smartphone "kill switch" proposal from the CTIA, the largest U.S. trade organization that supports the cellular operators. 

Unfortunately, the CTIA's new proposal looks a lot more like it is covering its bases to avoid state and federal regulation than going out of its way to altruistically help users of lost or stolen smartphones.

The CTIA is putting the onus of anti-theft software on the platform makers and device manufacturers. The biggest carriers—Verizon, AT&T, T-Mobile and Sprint—are able to ride on the technology of others while hiding behind the CTIA for policy protection. In the end, nothing will drastically change for smartphone users in the U.S. The carriers win by protecting the lucrative smartphone insurance business while letting other companies do the heavy lifting.

The Voluntary Agreement

For the specifics, the CTIA announced the “Smartphone Anti-Theft Voluntary Commitment” on Tuesday, which is a new policy that promises consumers that smartphone makers and carriers will protect them if their devices are stolen.

The idea is that smartphones will be sold with pre-installed anti-theft software. Just about every company that matters in the U.S. mobile industry has signed the voluntary agreement, including Apple, Google, Microsoft, Samsung, HTC, Motorola, Huawei, AT&T, T-Mobile, Verizon and Sprint.

The anti-theft software will come at no cost to consumers and comes with four capabilities:

  1. The ability to remotely wipe the primary user’s data on the smartphone when it's lost or stolen.
  2. The ability to render the smartphone inoperable to anyone other than the primary user. This would entail locking the smartphone so it cannot be used without inputting a password or PIN.
  3. The ability to prevent the reactivation of the device without the primary user’s permission. This would include unauthorized factory resets (which is normally easily available to anybody that finds a device and can bypass the locked screen security, if there is any).
  4. Reverse the inoperability and restore the user’s data if they recover the device. 

The voluntary anti-theft agreement goes into effect for all devices manufactured after July 2015.

The Kill Switch

To a certain extent, this voluntary anti-theft agreement is the smartphone kill switch that legislators have been asking for. According to William Duckworth, an associate professor at Creighton University, Americans spend about $580 million a year on replacing lost or stolen devices. Americans also spend nearly $4.8 billion in insurance on their gadgets. The concept of the kill switch is not just a gift from manufacturers and carriers to consumers—it is big business.

According to a survey by Duckworth of 1,200 smartphone users, 99% said that they think their carriers should be able to employ a kill switch on their lost and stolen devices and 83% said it would help deter smartphone theft. Really, why steal a smartphone if you can’t use it, reset it or resell it?

See also: How A Smartphone Kill Switch Could Save Consumers A Ton Of Money

The question facing the voluntary agreement is if it will actually deter people from stealing smartphones. Thieves are, by definition, crafty people. At the very least, they are persistent. Thieves may go on stealing phones anyway because there is no guarantee that a user will even turn on the anti-theft mechanism provided by the new voluntary agreement.

How the anti-theft software will be implemented also remains to be seen. The operating systems all have their own versions of remote wipe plus cloud backup plans, like the ability to “Find My iPhone” and restore the phone's data from iCloud, or from the Android Device Manager from Google.

Will Apple, Google and Microsoft build these anti-theft deterrents as default, no-cost features? Will it come from third-party security vendors like Lookout or Boxtone? How will the pre-installed anti-theft software work with current mobile device management software, like that from Good Technology, BlackBerry or Samsung's Knox security suite?

For the carriers and the CTIA, all they really need to do is let the manufacturers and platform providers do what they have been doing to protect users, all the while maintaining the status quo. For the carriers, the status quo is highly profitable.

The CTIA's Song And Dance

Industry insiders figured the CTIA would fight against the notion of a kill switch, mostly because it has two board members that are part of the lucrative smartphone insurance trade. Duckworth estimates consumers could save nearly $2 billion by purchasing a less costly insurance policy if a kill-switch policy was implemented. 

What the CTIA is doing here may be a pre-emptive strike. As a trade group, its primary duty is to protect its members and help create policy while avoiding regulation. The CTIA was not necessarily against a kill switch, but it wants the policies set on its own terms and not signed into actual law by either state or federal governments. Government regulation can be costly to companies, especially those in the infrastructure business like the cellular operators.

By coming up with its own voluntary agreement and getting all the major players on board, the CTIA can thwart actual government regulation while still protecting its members. And by getting the smartphone manufacturers and the platform providers (Apple, Google and Microsoft) on board, the CTIA is able to spread the responsibility of the anti-theft mechanism to corporations outside of the carriers, its primary constituents. 

Categories: Technology

Microsoft's Data Culture: It Just Might Work

8 hours 22 min ago

No one would accuse me of being a Microsoft shill. Having grown up in Linux, I have a longstanding antipathy to Microsoft's machinations against open source (which have been thawing of late, thankfully). But after more than 10 years of raging against the Redmond machine, I've also developed a profound appreciation for Microsoft's ability to make difficult technologies approachable to average users. 

I'm therefore encouraged by Microsoft's foray into Big Data. Given surveys indicating that enterprises still don't have a clue as to what to do with their data, it's very possible that Microsoft's penchant for end-to-end, easy-to-use solutions could make Big Data consumable by the masses.

Raising A Data Culture In Redmond

Microsoft has a long history of data, providing data management tools to front-office workers (Excel) and back-office database administrators (SQL Server), consumer-facing services like Bing and Hotmail, not to mention its new work with Hortonworks to offer Hadoop. Given this history of data, Microsoft CEO Satya Nadella called out Microsoft's ability to make Big Data accessible:

Developing the ability to convert data into the fuel for ambient intelligence is an ambitious challenge. It requires technology to understand context, derive intent and separate signal from noise. Building out a comprehensive platform that can enable this kind of ambient intelligence is a whole company initiative that we are uniquely qualified to undertake. 

Of course, Microsoft's plans at the present are merely visions. And visions can take a looooong time to realize. Anyone remember when Oracle first announced Fusion? How about when it finally delivered? Still waiting?

To Microsoft's credit, its vision is still very cool, especially given the rampant confusion over Big Data, as Gartner discovered:

Could Microsoft do better than the existing vendor tools or open-source projects? Definitely, maybe.

A DNA Of Ease-Of-Use

Consider what Microsoft did for system administrators—or developers. Microsoft made managing networks or servers much easier by building excellent tools so you didn't have to be a UNIX gearhead to get a good job and be productive. The same is true of Microsoft's effect on enterprise development: The company built developer tools that made it really easy for good developers to be great, and average developers to be good. 

If anyone could make Big Data accessible to rank-and-file employees, Microsoft can.

And that's what Microsoft wants to do. As Microsoft corporate VP Quentin Clark noted, "[Microsoft's] view is that it takes the combined effect of three elements to bring big data to a billion people: robust tools that everyday people can use, easy access to all kinds of data sets, and a complete data platform." Nadella furthers this—he said he looks forward to a time "when every employee can harness the power of data once only reserved for data scientists and tap into the power of natural language, self-service business insights and visualization capabilities that work inside familiar apps such as Office."

Earlier this week, Nadella started to lay out more specifics to his Big Data plan. According to Nadella, the idea is to "take an architectural approach that brings together Excel on one end and SQL Server and Hadoop on the other end." It's still not a very concrete course of action, but it points to a future where Big Data is what everyone uses, not some special thing that an enterprise enlists PhDs to tackle.

From the front-end data analyst to back-end data infrastructure, Microsoft seems to have a holistic view of Big Data—one that seems very promising, given the company's history of making complicated technology accessible to the average system administrator, office worker, or developer.

But will it work? That is, of course, the trillion-dollar question. Microsoft, for all its problems over the years, has the right DNA to answer "yes."

Lead image courtesy of Shutterstock

Categories: Technology

Google Eyes A Creepier Glass—A Camera-Bearing Contact Lens

9 hours 36 min ago

Imagine the Google Glass headgear, which currently makes some camera-shy onlookers nervous, shrinking down to near-invisibility—say, into a super-thin transparent layer that sits on the cornea. Google certainly has, as we now know from a recently published patent filing from October 2012.

The notion of smart contact lenses itself isn't particularly new. Earlier this year, in fact, Google introduced the "moonshot" idea of an eye-worn lens embedded with a wireless chip for health monitoring.

But this latest concept could be way smarter than that, as it would—in theory—allow wearers to snap photos with just the blink of an eye.

Here’s Looking At You, Kid

See also: Google X Marks The Spot On 'Smart' Contact Lenses

Back in January, Google announced its Google X experimental lab was testing a glucose-reading contact lens for diabetics. The project had nothing to do with Google Glass, the tech giant claimed. And yet, it was hard to ignore that Glass founder Babak Parviz was a co-founder on the contact project.

Parviz is also listed as a co-inventor in the newly disclosed Google patent filing brought to light by Patent Bolt—likely No. 20140098226, titled “Image Capture Component On Active Contact Lens.” He's similarly listed on several other related patents.

The “image capture component” is exactly what it sounds like: a camera. The idea is to embed a minuscule camera right on or in the lens that would be controllable through blinking gestures. According to the filing, it would be “configured to generate raw image data corresponding to a gaze of a wearer of the contact lens...."

In other words, when the user’s gaze shifts, the view of the camera would follow right along without compromising the wearer’s vision. In some cases, it might even take the place of sight. For instance, blind pedestrians using Google's smart lenses could get a warning—like a voice alert from their Android smartphone—when they approach a busy intersection.

The camera would work in concert with a control circuit and a sensor—whether a photodiode, a pressure sensor, a conductivity sensor, a temperature sensor, an electric field sensor or a micromechanical switch. The sensor would determine the eye’s orientation and status, which could be key for other functions.

Taken together with Google’s other related patents, the company seems to be looking at advanced eye-tracking that can trigger functions in, say, an Android phone, Google Glass, smart television, gaming or audio system, or car navigation.

If this invention ever comes to market—and that’s a huge “if”—we might see people turning pages in their ebooks by just blinking, or flipping through their music library by fluttering their eyes.

That all sounds great, but it won’t work without power, and you can’t stick a battery pack on a contact lens. To tackle this, Google figures a separate transceiver could transmit power wirelessly, or the sensors could somehow generate the necessary energy. Of course, anything can sound cool on paper. The big question is whether users would feel comfortable with having a power source or receiver on their eyeballs.

Well, that’s one of the big questions.

Eye Spy

In the past, variations on eye control typically depended on high-definition cameras pointed at the user. But this approach takes the opposite tack, by building the sensors and cameras into the lenses themselves.

This could allow for an unprecedented level of accuracy. If it works well, and if it ties in with existing and emerging technologies, then it could genuinely change quite a few games—fields from medical to law enforcement and military. The stakes could be high for individuals as well.

The first adopters would probably be tech enthusiasts pining for cutting-edge human-to-computer gesture control—or harboring deep-seated Six Million Dollar Man bionic-eye fantasies. But think of what it could do for people suffering with limited mobility or sight impairments.

A primary issue with this appliance, however, could have to do with those miniature camera components. This is, after all, a world in which Google Glass wearers get targeted for attacks. And the system, as proposed, would be capable of facial recognition. If people are uncomfortable with face-worn cameras pointing at them, how will they feel if teensy, undetectable cameras show up in contact lenses?

It’s very possible they may never have to face that scenario. Tech companies often file one-off patents for all sorts of things that never see the light of day. On the other hand, this is no random occurrence. Google has applied for at least seven related contact lens patents, which may suggest that Parviz and his company are serious about making Google smart contacts a reality.

Feature image courtesy of Google; patent image via Patent BoltSix Million Dollar Man image screencapped and slightly altered from the DVD release (via YouTube user jamiesurgener)

Categories: Technology

Google Eyes A Creepier Glass—A Camera-Bearing Contact Lens

9 hours 36 min ago

Imagine the Google Glass headgear, which currently makes some camera-shy onlookers nervous, shrinking down to near-invisibility—say, into a super-thin transparent layer that sits on the cornea. Google certainly has, as we now know from a recently published patent filing from October 2012.

The notion of smart contact lenses itself isn't particularly new. Earlier this year, in fact, Google introduced the "moonshot" idea of an eye-worn lens embedded with a wireless chip for health monitoring.

But this latest concept could be way smarter than that, as it would—in theory—allow wearers to snap photos with just the blink of an eye.

Here’s Looking At You, Kid

See also: Google X Marks The Spot On 'Smart' Contact Lenses

Back in January, Google announced its Google X experimental lab was testing a glucose-reading contact lens for diabetics. The project had nothing to do with Google Glass, the tech giant claimed. And yet, it was hard to ignore that Glass founder Babak Parviz was a co-founder on the contact project.

Parviz is also listed as a co-inventor in the newly disclosed Google patent filing brought to light by Patent Bolt—likely No. 20140098226, titled “Image Capture Component On Active Contact Lens.” He's similarly listed on several other related patents.

The “image capture component” is exactly what it sounds like: a camera. The idea is to embed a minuscule camera right on or in the lens that would be controllable through blinking gestures. According to the filing, it would be “configured to generate raw image data corresponding to a gaze of a wearer of the contact lens...."

In other words, when the user’s gaze shifts, the view of the camera would follow right along without compromising the wearer’s vision. In some cases, it might even take the place of sight. For instance, blind pedestrians using Google's smart lenses could get a warning—like a voice alert from their Android smartphone—when they approach a busy intersection.

The camera would work in concert with a control circuit and a sensor—whether a photodiode, a pressure sensor, a conductivity sensor, a temperature sensor, an electric field sensor or a micromechanical switch. The sensor would determine the eye’s orientation and status, which could be key for other functions.

Taken together with Google’s other related patents, the company seems to be looking at advanced eye-tracking that can trigger functions in, say, an Android phone, Google Glass, smart television, gaming or audio system, or car navigation.

If this invention ever comes to market—and that’s a huge “if”—we might see people turning pages in their ebooks by just blinking, or flipping through their music library by fluttering their eyes.

That all sounds great, but it won’t work without power, and you can’t stick a battery pack on a contact lens. To tackle this, Google figures a separate transceiver could transmit power wirelessly, or the sensors could somehow generate the necessary energy. Of course, anything can sound cool on paper. The big question is whether users would feel comfortable with having a power source or receiver on their eyeballs.

Well, that’s one of the big questions.

Eye Spy

In the past, variations on eye control typically depended on high-definition cameras pointed at the user. This approach takes the opposite tack, building the sensors and cameras into the lenses themselves.

This could allow for an unprecedented level of accuracy. If it works well, and if it ties in with existing and emerging technologies, then it could genuinely change quite a few games—fields from medical to law enforcement and military. The stakes could be high for individuals as well.

The first adopters would probably be tech enthusiasts pining for cutting-edge human-to-computer gesture control—or harboring deep-seated Six Million Dollar Man bionic-eye fantasies. But think of what it could do for people suffering with limited mobility or sight impairments.

A primary issue with this appliance, however, could have to do with those miniature camera components. This is, after all, a world in which Google Glass wearers get targeted for attacks. And the system, as proposed, would be capable of facial recognition. If people are uncomfortable with face-worn cameras pointing at them, how will they feel if teensy, undetectable cameras show up in contact lenses?

It’s very possible they may never have to face that scenario. Tech companies often file one-off patents for all sorts of things that never see the light of day. On the other hand, this is no random occurrence. Google has applied for at least seven related contact lens patents, which may suggest that Parviz and his company are serious about making Google smart contacts a reality.

Feature image courtesy of Google; patent image via Patent Bolt; Six Million Dollar Man image screencapped and slightly altered from the DVD release (via YouTube user jamiesurgener)

Categories: Technology

How Arduino And Raspberry Pi Can Enhance Your Connected Home

Wed, 2014-04-16 14:17

ReadWriteHome is an ongoing series exploring the implications of living in connected homes.

The connected home, the ultimate ideal in technology-driven luxury, promises easy living by passing along our drudgery to computers.

But it’s not perfect.

Even if you’re willing to shell out for expensive devices for your house, are you willing to trust them? There’s always the concern that when a middleman is involved, you’re relinquishing at least some control of your own domain.

See also: Hacking The Connected Home: When Your House Watches You

In that case, why not roll your own connected home?

Arduino, a microcontroller board, and Raspberry Pi, a fully functional mini-computer, are both cheap solutions for harnessing the Internet of Things at home. Unlike your regular computer, both devices are very good at reading the world around them. That’s because they both include plenty of inputs and outputs for sensory add-ons to test light, temperature, humidity and more. 

These DIY sensors and components are cheaper and easier to use than ever. With minimal coding knowledge, you can copy and paste open-source Python scripts to tell your house which tasks to automate. And since you’re retaining total control of your connected devices, you can double down on security measures to your heart’s content. 

Here are some of the ways to implement connected home features on a DIY device like Arduino or Raspberry Pi. 

Arduino Projects

See also: Arduino Rising: 10 Amazing Projects For The Tiny Microcontroller

The Arduino isn’t a fully functional computer, so you’re going to need to connect it to a computer first to program it, and it'll need to run off a battery or outlet after that. But at half the size of the Raspberry Pi, it’s a small and unobtrusive sensor for your home. 

  • Make an Arduino safety alarm. Connect the device to a beeper and a bell to warn you of an intruder or a fire. The creator of this open-source project said he successfully scared off an intruder by using this device. 
  • Build a thermostat that connects to your air conditioning unit, or, if you’re in the United Kingdom, your combination boiler. Both projects include an LCD screen so you can monitor and adjust the temperature. It's not as cute as Nest, but totally custom. 
  • Monitor your home while you’re away with an Arduino-powered "Internet of Things" camera. You can install an Eye-Fi SD card in an Arduino Uno to program it to take photos and then push those photos to a site or device of your choice. 
  • Get the most out of an Arduino by programming it to control central heating, lighting and security in your house. This tutorial uses Home Easy, a wireless home automation tool that enhances Arduino’s connected capabilities significantly.

Raspberry Pi Projects

See also: 12 Cool Projects For Your Raspberry Pi

Raspberry Pi can double as a second PC. Just give it a screen and a keyboard and you can use it to program itself. That means you can either run it in the background as it collects data off of the sensors you’ve installed, or you can use it as an Internet of Things control hub. 

  • Never forget to feed your pets again; let Raspberry Pi do it. This dual pet feeder could work for dry cat or dog food, and can be assembled in four to six hours. Have a pet that’s more scaly than furry? Try our IoT fishtank tutorial.
  • If you have more time than money, make Pi into an automated sprinkler system. The creator set it up with wireless so he could control it through a simple SSH login. Read more about how to log in with SSH here.
  • Build an app to control your lights from your computer screen. Raspberry Pi’s general purpose input output (GPIO) pins emulate pressing on and off switches. That way, instead of physically visiting the light switch, you can activate your lights with one click of your mouse. 
  • Last but not least, if you’re a DIY genius you might as well build a Pi home automation center that wouldn’t look out of place at Starfleet. There’s no tutorial for this Star Trek-inspired control panel that monitors doors, windows, lights, weather and more, but watch the video below and see just how polished a DIY solution can look:

Photo by Lauren Orsini for ReadWrite

Categories: Technology

The Rear-View Camera Is No Longer Just An Option For Cars—It's The Law

Wed, 2014-04-16 13:04

ReadWriteDrive is an ongoing series covering the future of transportation.

Here’s something gruesome to consider: More than 200 people are killed every year when cars are reversing—most of these deaths are children. Back-up accidents also injure more than 15,000 people each year.

These factoids get more tragic when you consider that it’s usually a parent behind the wheel, and the cost of preventing nearly all of these accidents is a cheap piece of technology: A $50 camera.

Take heart. The U.S. National Highway Traffic Safety Administration (NHTSA) took a big step on March 31 to prevent those horrific accidents when it ruled that all new cars must be equipped with back-up cameras by May 2018.

Auto companies usually dig in their heels and fight against any new mandate that adds cost to a vehicle. But in this case, the cost is modest—about $150 if both a camera and screen are required, and just $50 for a car that already has a dashboard screen.

“There’s a reason we have a timeline now,” said Thilo Koslowski, a Gartner analyst for vehicle information and communication technology. “Most manufacturers are planning to put displays and screens in the cars anyway. The cost of doing this is less than one-percent of purchase price of your average new vehicle.”

Inevitable Migration

The Volkswagen XL1 concept car doesn't have side-view mirrors or a direct window view to the side. Drivers rely strictly on a camera and monitor.

There's a well-established process by which flashy new car technology eventually migrates to more proletarian vehicles. In the case of safety technologies, it started decades ago with air bags, pre-collision warning systems, and electronic stability control—first seen in Mercedes or BMW models as costly options, and then finding their way to Ford, Chevy and the like.

These days, when everybody loves geek gear, consumers are only too happy to pay another fifty bucks for something cool like a back-up camera.

“Heads-up displays used to be luxury,” Koslowski said. “Now, it’s in cars from Toyota and Mazda.”

Koslowski believes more futuristic features—like self-parking and 360-degree cameras for parking assistance—will also become commonplace. That’s because these technologies, usually developed by tier-one automotive suppliers, are designed and priced at a premium when introduced in low volume. Then these features ramp up to larger quantities and the cost drops as they go mainstream.

“This is all planned,” he said. “It doesn’t happen by accident.”

We are already at mainstream levels with back-up cameras, which are found in approximately half of today’s new cars. Even more models have screens, due to an insatiable consumer desire for entertainment, navigation and connectivity features.

Independent car technology expert Doug Newcomb said “any automaker that’s going to have an infotainment experience needs some kind of screen." At the same time, the cost of cameras has significantly dropped in recent years—mainly because camera components have integrated into hundreds of millions of smart phones and mobile devices.

Common Sense, Mandated

To recap in simple terms: Back-up cameras are cheap and they save lives. Unfortunately, that wasn’t enough to get the government or the auto industry to make them ubiquitous. It took a lawsuit by Consumers Union, publishers of Consumer Reports, to get NHTSA to act—even after it blew past deadlines established by the Cameron Gulbransen Kids Transportation Safety Act of 2007. Backup safety regulations were expected in 2011.

Cars with rear-visibility technology already earn brownie points in NHTSA safety scores—the same way the federal safety agency gives higher scores to cars with electronic stability control, autonomous braking systems, early collision warnings and lane keep assist.

“NHTSA and others have shown, statistically, that a lot of lives can be saved by these systems,” Newcomb said.

The side-view camera on the Volkswagen XL1 concept car.

The final rules on the rear-visibility mandate, which apply to cars built after May 1, 2018, require the field of view from the camera and screen to include a 10-foot by 20-foot zone directly behind the vehicle. The system must meet other requirements including image size, linger time, response time, durability and deactivation.

Now that we’re on course for back-up cameras, perhaps it’s a matter of time before side-view-mirrors are replaced with cameras. One week after the NHTSA ruling on back-up cameras, Tesla Motors applied to the safety agency to allow side-view cameras to replace side-view mirrors—a move that increases the efficiency of cars through better aerodynamics. And they also look pretty cool, to boot.

Images courtesy of Chrysler, Ford, and VW

Categories: Technology

How Microsoft's Cortana Stacks Up Against Siri And Google Now

Wed, 2014-04-16 11:53

Cortana doesn’t want you to know where Master Chief is hiding. But for just about everything else, Microsoft's new voice-controlled personal assistant is ready and available to do your bidding.

See also: Introducing Cortana, Plus 8 Other Things To Know About Windows 8.1

Cortana, a new feature in Microsoft’s Windows Phone operating system, is both a search engine and a helper, just like its counterparts: Apple's Siri and Google Now for Android. Cortana—who says she's female, though not a woman—is Microsoft’s attempt to counter Google's domination of Web search on smartphones while also serving as its counterpoint to the cheeky and informative Siri on the iPhone.

In this way, Cortana—like almost everything in Windows Phone—emerges as a combination of iOS and Android features embellished with some of Microsoft's own unique elements.

Cortana Leans On And Learns From Bing

See also: Windows Phone 8.1—The Good, The Bad And The Ugly [Review]

The first thing to know about Cortana for Windows Phone is that it is, at heart, Microsoft’s Bing search engine. At Microsoft Build 2014, one press session bore the title “The Bing Platform”—and it was all about Cortana.

Bing is no longer its own separate app, nor are there any specific Bing features like news or weather. It's now all Cortana, all the time. On Windows Phone, the two are basically indistinguishable.

By using Bing as the backbone of Cortana, Microsoft has made it a lot like the Google Now assistant on Android. Cortana recognizes your interests and uses Bing to mine various information categories to deliver news and contextual information that you are supposed to find particularly useful.

During setup, you can choose among pre-defined interests like health, sports, technology or headline news. You can set your favorite sports teams or neighborhoods where you like to eat and explore. Cortana will then deliver you information based on what you like and where you are, using both Bing and the sensors in the smartphone that help keep track of what you do and where you do it. The information is delivered in Cortana’s notebook, the equivalent of using a homescreen on Android for Google Now.

Where Google Now differs is that it uses a variety of factors to determine what information it delivers users. If you sign in to your Google profile, you can have it access Gmail, search, navigation, calendars … all of Google’s core services. It will also note what websites you visit when you are signed into Chrome and note those in the Google Now feed as well.

Cortana (left) Notebook vs. Google Now news stream.

Developers can tap Bing to power their apps as well, which can then bring third-party customization to Cortana. Only five third-party apps have been built for Cortana at the time of launch: Flixster, Hulu, Twitter, Facebook and Skype (which is owned by Microsoft). Cortana has an open software development kit for interested app makers that want to integrate it into their products.

Cortana's voice-control and language interpretation functions rely on a hybrid of on-device and cloud computation. When you speak to Cortana, your phone will use key speech patterns to interpret what you've said. If Cortana doesn’t understand a particular word, it will reach out to its neural network in the cloud to filter for possibilities. This hybrid approach is designed to let Cortana learn better speech recognition over time.

An Assistant Like Any Other

Cortana straddles the line between what Google Now provides as a search engine and how Siri acts as a personal assistant.

Google Now is an assistant without a personality. It is essentially Google delivering information you might want or need and allowing you to control your phone through voice actions. It wants to tell you stuff before you think you want to know about it. The other day, for instance, Google Now told me that I had to leave for a meeting at 1:57 p.m. to get to a meeting by 3 p.m.

You can set reminders, tasks, timers, send texts or emails through Google Now as well, just like you would with an actual assistant. But for a variety of reasons, Google decided not to make Google Now a search experience driven by a particular character the way Siri and Cortana are.

Siri doesn't provide the precognitive abilities that Google Now or Cortana do, because it's fundamentally different under the hood and doesn't have a search engine spine the way the Microsoft and Google offerings do. Instead, Siri hooks into both partner databases and search engines, relying on Wolfram Alpha and Microsoft's Bing (to a certain extent) for computational search power.

Siri provides contextual, relevant information like stocks or sports or weather by creating hooks to third-party databases Apple has partnered with. Siri can also set reminders and alarms, open apps, post to Facebook or Twitter and navigate. Siri set the standard of personal assistants on smartphones, which Google Now and Cortana have now largely matched in different ways.

Cortana has a couple of additional capabilities that set it apart from its rivals—for instance, by personalizing your communications with trusted people. If you establish someone as a member of your “inner circle” within the app, you can then use Cortana's voice control to set reminders by name.

So you could tell Cortana to “remind me to read Rebekah’s essay this evening,” and it would understand who you're referring to. Siri and Google Now have similar capabilities, but Cortana takes it a step further.

Cortana also has a personality all its own. The assistant is named after an artificial-intelligence character in the game series Halo—a guide that gets you through missions and helps along the way. On Windows Phone 8.1, Cortana (which is voiced by the same Halo actress, Jen Taylor), will respond to Halo-related questions. For instance, if you ask where Master Chief (the main character in Halo) is, Cortana will give a variety of answers.

Where is Master Chief?

Cortana also knows that it is a computer. Yes, it will identify as female, but will also give answers such as “I contain multitudes” (a Walt Whitman reference) and “Is there a third option?”

Cortana: Still A Beta

Microsoft’s goal was to imbue Cortana with a personal touch. It combines the semantic search of Google with the personality of Siri while still being fun and dorky in a Microsoft kind of way. Which you may or may not like, depending on your view of Windows Phone and whether you play Halo.

That said, Cortana is still in beta. After using it for a little more than a week, it's easy to see that the assistant is still coming into its own. Cortana's voice recognition is good but often requires precise enunciation (Cortana often confuses itself with Cortado, apparently a city in Italy), it doesn't always connect contacts with data correctly and its navigation sometimes misfires.

It also doesn’t have a touchless command, the way Google Now on Android devices activates when a user says “OK Google.” These types of problems are fairly easy to fix, so Microsoft can presumably work them out ahead of the formal launch of Windows Phone 8.1 later this year.

Lead image of Cortana in Halo 3 by Flickr user Brian, CC 2.0

Categories: Technology

Atlassian's Geeky Software Carves Out A Big Home With Developers

Tue, 2014-04-15 17:54

If you're not a developer, you're not going to understand Atlassian's success. Atlassian employs no salespeople, yet it's doing over $200 million in annual sales, according to a recent report in The Wall Street Journal.

While enterprise software companies struggle to make their wares more consumer-friendly, Atlassian builds software that only a developer could love: It's geeky, not super intuitive and frankly somewhat unpleasant to use for a business user like myself.

Yet it's now worth $3.3 billion. How's that?

Of The Developer, For The Developer

Atlassian co-founder Scott Farquhar told The Wall Street Journal that "These days, people are making decisions based on how good the products are." The definition of "good" may not be the same for developers as it is for the average business user, however.

Wikis, issue tracking systems, Git code hosting, etc.—these are not tools your head of marketing really wants to use. I should know: Every time I have to fill out a JIRA request to get content changed on my company's website, a little part of me dies inside.

Then again, I'm not Atlassian's target market. The developer is. And developers love Atlassian.

In the world of developers, the definition of "ease of use" differs. This is a world that still thinks fondly of the command line. Even among this crowd, however, Twitter's Chris Aniszczyk posits that Atlassian's software may not be the best, but rather the best of a bad lot:

@mjasay best option from the crap pile and they have a great a la carte model where you don't have to buy into the whole stack

— Chris Aniszczyk (@cra) April 15, 2014

I'll take Chris' word since I'm not much of a developer tools power user myself, but it's his latter argument that I find so compelling: Atlassian succeeds, in part, because it treats its developer audience with serious respect.

Giving Tribute To Developers

This reason behind Atlassian's success is echoed by Fintan Ryan of Strand Weaving, who suggests Atlassian tools are "the best of a limited bunch, and relatively configurable."

While the first part of Ryan's comment suggests Atlassian doesn't deserve much credit, it's the second half that really sets Atlassian apart. Developers don't want unnecessary frills that get in the way of productivity. This same desire is what has driven GitHub, AWS and other developer-focused software to succeed. 

That group of tools developers love is a very small club. As it turns out, it's very hard to develop tools a wide array of developers want to use. 

Not only does Atlassian support the things developers already do, but as Operational Results web developer Cody Nolden notes, Atlassian's tools may actually expose problems in team workflows:

They’re very configurable and can match whatever workflow your team uses. I’ve found that when I struggle to use Atlassian tools it’s because of more underlying struggles as a team not knowing what process we follow and we haven’t configured accordingly.

Ultimately, Atlassian succeeds not because it's the best tool among a bad bunch, but because it respects developers' time and concerns. Tools like JIRA are intentionally not flashy. They're utilitarian, not because Atlassian lacks creativity, but because the company cares more about what developers want than what marketing or sales or other groups within a company may want. This shows not only in the software itself, but also in how it's sold: Atlassian is salesperson-free, over-the-web, and costs a reasonable amount of money.

That's a great strategy for appealing to developers.

Categories: Technology

With Gnip, Twitter Is Ready To Sell Your Tweets

Tue, 2014-04-15 17:04

Gnip was once a neutral provider of social data, but now that neutrality is gone, and it's in the hands of Twitter.

Twitter on Tuesday announced the acquisition of social data analytics startup Gnip, which is one of the only companies with access to Twitter’s firehose of data—all the tweets and activity streams on Twitter since the platform launched in 2006. The terms of the deal were not disclosed.

Twitter will bring both the revenue and data streams from Gnip in-house, exerting full control over our tweets and how they’re used. 

Gnip has worked with Twitter for years. It’s one of the handful of partner companies, or certified products, that Twitter partners with to handle its data. In fact, selling the firehose, that treasure trove of Twitter data, to Gnip and other analytics providers was one of the first ways Twitter made money. (Topsy and DataSift still have access to Twitter's firehose as well.)

With the Gnip acquisition, no longer is there a man in the middle that deals your data to advertisers and other folks relying on your personal information to sell you things. Now, Twitter can deliver that data directly to buyers, effectively making you a product. 

Twitter Owns All The Data

With complete access to Gnip’s entire data set, Twitter can sell much more than just its own data: The analytics company has exclusive access to all Foursquare and Tumblr data, and it also works with Facebook and Google+. 

And Twitter wants Gnip to expand its offerings. Jana Messerschmidt, VP of global business development for Twitter, wrote in a blog post:

Together we plan to offer more sophisticated data sets and better data enrichments, so that even more developers and businesses big and small around the world can drive innovation using the unique content that is shared on Twitter ... And with the help of Gnip’s Boulder-based team, we will be extending our data platform — through Gnip and our existing public APIs — even further.

It will be interesting to see if Gnip’s other partners will sever access to their information. While the majority of Gnip’s data comes from managed public API access, a handful of companies like Tumblr and Foursquare allow Gnip complete access, and now that access belongs to Twitter. 

Hopefully this signals to companies and interested users that Twitter is better prepared to provide more in-depth data, rather than arbitrary statistics, like the conversation surrounding #Sochi2014 during the Winter Olympics. But even if it can, it’s going to make you pay for it. 

Categories: Technology

After Heartbleed, "Forward Secrecy" Is More Important Than Ever

Tue, 2014-04-15 16:35

Internet users have spent the last week changing their passwords and checking their online accounts for potential hacks resulting from Heartbleed, a bug in the open-source security software OpenSSL that left nearly two-thirds of the Web vulnerable to malicious attacks. 

See Also: Protect Yourself Against Heartbleed, The Web's Security Disaster

Heartbleed has caused security nightmares for dozens of websites, especially since companies initially thought it was impossible to steal private certificate keys from servers. That assessment was quickly debunked—just ask the 900 Canadians who had their taxpayer data stolen by hackers over a six-hour period after the bug was publicly announced. 

There is a silver lining to the madness, however: If websites are using encryption called perfect forward secrecy, there is no way for hackers to retroactively decrypt your data, even if they get control of your server’s private key. 

What's Wrong With HTTPS?

First, let's get to know HTTPS, the connection that protects your data on most secure websites.

When you’re on a secure website using traditional HTTPS encryption, your username, password, and all other personal communications are supposedly safe from being intercepted and decrypted by hackers (or the NSA). OpenSSL made it possible for websites to deliver that secure connection, locking down the data sent to and from the browser and server.

Normally, when a secure connection is created, the browser and server agree on a session key for your connection, and that session key is protected by the website’s single long-term private key—the same key that protects millions of sessions, not just yours. Since only the holder of the private key can “unlock” your session key, all your information is secure. But by exploiting the Heartbleed vulnerability, an attacker could obtain the website’s private key and then decrypt the information protected by your session key. 

That’s not all: Any recorded traffic from such HTTPS servers can be retroactively decrypted using a private key exposed by Heartbleed, so an eavesdropper who has been recording a website’s traffic for any reason could now unlock those recordings with the key the bug leaked.

Why Does Forward Secrecy Matter?

Now we know why HTTPS isn't good enough to stop Heartbleed. So what can websites do about it?

Perfect forward secrecy is an encryption technique that prevents people from “unlocking” your past private information, even if they get their hands on the server’s long-term private key. With forward secrecy, a new temporary session key is created each time you access a secure website, instead of relying on one master key. Essentially, it creates ephemeral encryption—where the keys disappear—so hackers can't decrypt your recorded data the way they could with traditional HTTPS. 

“Forward secrecy gives you client and server that use a different method for agreeing on a session key,” said Timo Hirvonen, senior researcher at security firm F-Secure. “The main point there is the key that is used for decrypting that session is a short-lived key used only for that session.”

If we compare security to messaging apps, forward secrecy would be similar to Snapchat—once you’re done with the session, your key disappears. On websites that had enabled forward secrecy, a leaked private key gives hackers no way to unlock the sessions they recorded earlier.
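To make the argument concrete, here is an added example (my own, not from the article or from any company it mentions): a stdlib-only Python model of a recorded session being attacked with a leaked long-term server key. It stands in static Diffie-Hellman for the RSA key exchange the article describes, because the standard library has no RSA; the group parameters are constructed toy values, and `demo`, `run_session` and `attacker_decrypt` are hypothetical names.

```python
"""
Added example (not from the article): a toy model of why forward secrecy
protects recorded traffic after a long-term server key leaks.

Two key-exchange styles are simulated with finite-field Diffie-Hellman:
  * static: the server reuses its long-term DH private key for every session,
    the situation the article describes for traditional HTTPS, where one
    long-term key protects all sessions
  * ephemeral: the server generates a fresh key per session and discards it;
    the long-term key would only sign that fresh value, so it never helps
    an attacker decrypt anything

The DH group is a CONSTRUCTED toy (a 127-bit Mersenne prime); it is far too
small for real use and exists only to keep the example self-contained and fast.
"""
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2**127 - 1 with generator 3.
P = (1 << 127) - 1
G = 3


def gen_keypair():
    """Return (private, public) for finite-field DH over the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_session_key(shared_secret):
    """Derive a 32-byte session key from the DH shared secret (fits in 16 bytes)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def keystream_xor(key, data):
    """Toy stream cipher: XOR data with an HMAC-derived keystream (demo only)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_session(server_longterm_priv, server_longterm_pub, plaintext, ephemeral):
    """
    Run one client/server exchange and return what an eavesdropper could
    record: the server public value used, the client public value and the
    ciphertext. The server's per-session private value is never on the wire.
    """
    if ephemeral:
        srv_priv, srv_pub = gen_keypair()      # fresh key, discarded after use
    else:
        srv_priv, srv_pub = server_longterm_priv, server_longterm_pub
    cli_priv, cli_pub = gen_keypair()
    # Both sides compute the same shared secret from the other's public value.
    shared_client = pow(srv_pub, cli_priv, P)
    shared_server = pow(cli_pub, srv_priv, P)
    assert shared_client == shared_server
    key = derive_session_key(shared_client)
    return {"server_pub": srv_pub,
            "client_pub": cli_pub,
            "ciphertext": keystream_xor(key, plaintext)}


def attacker_decrypt(recording, leaked_longterm_priv):
    """
    Heartbleed scenario: the attacker holds a recorded transcript plus the
    server's long-term private key. The result is the real plaintext only if
    that long-term key was the one used in the recorded session.
    """
    shared = pow(recording["client_pub"], leaked_longterm_priv, P)
    key = derive_session_key(shared)
    return keystream_xor(key, recording["ciphertext"])


def demo(plaintext=b"user=alice&password=hunter2"):
    """Return (recovered_from_static, recovered_from_ephemeral) for the same leak."""
    lt_priv, lt_pub = gen_keypair()
    static_rec = run_session(lt_priv, lt_pub, plaintext, ephemeral=False)
    ephem_rec = run_session(lt_priv, lt_pub, plaintext, ephemeral=True)
    return attacker_decrypt(static_rec, lt_priv), attacker_decrypt(ephem_rec, lt_priv)


if __name__ == "__main__":
    recovered_static, recovered_ephemeral = demo()
    print("static key exchange, leaked key ->", recovered_static)
    print("ephemeral key exchange, leaked key ->", recovered_ephemeral[:8], "...")
```

Running it shows the static-key recording decrypting cleanly while the ephemeral-key recording yields only noise, which is exactly the property Heartbleed made valuable.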

But it’s not just software vulnerabilities users have to worry about. Documents released by Edward Snowden reveal the National Security Agency vacuums up troves of encrypted data with the hopes of one day being able to crack it. Luckily for users, forward secrecy even prevents NSA agents from reading your email—a fear that no doubt pushed companies to rethink their encryption methods. (The NSA reportedly knew about Heartbleed before it was made public, a claim the agency flatly denies.) 

Who Uses Forward Secrecy? 

Forward secrecy is over 20 years old, but most websites don’t implement it. According to SSL Labs, over half of the most popular websites on the Web don't implement forward secrecy, and just 42% of popular websites have some forward secrecy suites enabled.

Google, ever a pioneer in securing user information, made forward secrecy mandatory in November 2011. The company then published its work on OpenSSL with the hopes that other companies would follow suit.

Unfortunately, it took two more years for other tech giants to get on board.

In mid-to-late 2013, Facebook, Microsoft, and Twitter began expanding security to include forward secrecy, and earlier this year (just one week before Heartbleed was made public), Yahoo announced it would implement forward secrecy across many of its properties. Apparently it didn’t move quickly enough: Yahoo Mail was one of the biggest services affected by Heartbleed.

One of the main reasons websites don’t use forward secrecy, according to Hirvonen, is because there is a performance penalty—it requires more CPU resources. If you think of a server like a human, enabling perfect forward secrecy requires more brain power than it takes to enable HTTPS encryption.

Network engineer Vincent Bernat notes that forward secrecy can use up to 30% more CPU than traditional HTTPS security. 

“Configuration shouldn’t be that difficult,” Hirvonen said. “It’s more about the CPU resources, hardware requirements, and the impact on performance.”

It also takes someone with knowledge of configuring website encryption to deploy forward secrecy. Assuming you have the desire and skill to implement it, you have to configure your server to select forward secrecy, and place the two most common cipher suites at the top of your list. Help Net Security provides a tutorial here.
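A practitioner's way to check that a cipher list actually puts forward-secrecy suites first, as an added example that is not from the article or from Help Net Security: the function below classifies each entry of an OpenSSL-style cipher string by its key exchange (in OpenSSL suite names only the ECDHE-/DHE- families are ephemeral; bare names such as AES128-SHA use RSA key transport, and ECDH-/DH- without the E are static) and reports whether any non-ephemeral suite is listed ahead of the first ephemeral one. The sample cipher strings are constructed.

```python
"""Audit the ordering of an OpenSSL-style cipher list for forward secrecy."""

# Suite names and cipher-string keywords whose key exchange is ephemeral (EC)DH.
FS_PREFIXES = ("ECDHE-", "DHE-", "EECDH", "EDH-", "KEECDH", "KEDH")
# Group keywords that expand to a mix of ephemeral and non-ephemeral suites.
MIXED_GROUPS = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def classify(entry: str) -> str:
    """'fs' for ephemeral key exchange, 'mixed' for catch-all groups, otherwise 'no_fs'."""
    upper = entry.upper()
    if upper.startswith(FS_PREFIXES):
        return "fs"
    if upper.split("+")[0] in MIXED_GROUPS:
        return "mixed"
    return "no_fs"


def audit_cipher_list(cipher_string: str) -> dict:
    """Parse a colon-separated cipher string and report on forward-secrecy ordering.

    Entries starting with '!' or '-' remove suites and '@' entries are sort directives,
    so none of them add a suite to the preference order and they are skipped."""
    entries = [e.strip() for e in cipher_string.split(":") if e.strip()]
    considered = [e for e in entries if not e.startswith(("!", "-", "@"))]
    classes = [(e, classify(e)) for e in considered]
    first_fs = next((i for i, (_, c) in enumerate(classes) if c == "fs"), None)
    if first_fs is None:
        ahead = [e for e, _ in classes]          # nothing ephemeral at all
    else:
        ahead = [e for e, _ in classes[:first_fs]]
    return {
        "entries": classes,
        "has_fs": first_fs is not None,
        "fs_first": first_fs == 0,
        "ahead_of_first_fs": ahead,             # suites a client could be steered into first
    }


if __name__ == "__main__":
    # Constructed sample lists: one that buries ECDHE behind RSA transport, one that leads with it.
    for name, cl in [("weak", "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:!aNULL"),
                     ("good", "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!MD5")]:
        r = audit_cipher_list(cl)
        print(name, "fs_first =", r["fs_first"], "ahead:", r["ahead_of_first_fs"])
```

Ordering only matters if the server enforces its own preference rather than the client's (Apache's `SSLHonorCipherOrder on`, nginx's `ssl_prefer_server_ciphers on`), so check that setting alongside the list. The check is specific to TLS 1.2 and earlier cipher strings; TLS 1.3 defines only ephemeral key exchange.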

Heartbleed reminded us all that our secure data is never as secure as we think it is on the Internet, and it will still be a while before the mess created by Heartbleed is entirely cleaned up. 

As we’ve learned, however, there are some simple but significant steps that can improve how users are protected, and most of the big tech companies are leading the charge. Hopefully Heartbleed can act as a catalyst to prompt more websites to adopt forward secrecy and make the Web—and our data—safe from harm.

Lead image courtesy of Alonis on Flickr

Categories: Technology

Developers, Check Your Amazon Bills For Bitcoin Miners

Tue, 2014-04-15 14:47

Amazon Web Services gives developers access to massive computing capability. Now hackers have found ways to hijack some accounts and use that power to make money on someone else's dime.

Joe Moreno’s bill for Amazon Web Services is usually about $5 a month. But last Thursday, he learned his AWS credentials had been compromised. An unknown person started renting computing power from Amazon on his account, racking up more than $5,300 in charges on servers in Amazon data centers as far away as Tokyo, São Paulo, Sydney, and Singapore.

It appeared that the intruder was running processes that "mined" Bitcoin—creating units of the digital currency in exchange for processing transactions.

We Have Met The Enemy, And He Is Us

Given the timing of the attack, Moreno initially thought the Heartbleed bug was to blame, until he tracked down the breach and realized it was his own error.

In addition to developers' usernames and passwords for their accounts, AWS uses "access keys" which are easier to include in software. And that's the problem—developers include them in software, including copies of the software they store in public source-code repositories like GitHub.

Moreno had uploaded code to a GitHub repository, inadvertently including his Amazon credentials. 

You might think this is an isolated case, but a security expert in Australia discovered almost 10,000 AWS credentials in a search of GitHub last month.

Ty Miller, founder of security testing firm Threat Intelligence, found exposed credentials for Amazon, Google's Cloud Platform, and Microsoft Azure in GitHub repositories, but the largest number were for Amazon.

"These credentials are likely to provide full access to the AWS account," Miller told ReadWrite. That means hackers could delete data or add data and start new computing processes which could perform just about any task.

Amazon appears to be aware of the problem. The company specifically warns developers against including their credentials in code that they upload. But it's not clear how Amazon can police the problem.

Amazon For Nothing And Your Servers For Free

Moreno discovered the breach to his account after receiving email from Amazon asking him to update his credit-card information. Moreno, a former software developer at Apple, logged in and noticed the charges. He immediately contacted Amazon.

"Your AWS credentials have been compromised," the Amazon representative said. Bitcoin mining was a common goal of these hackers, though the AWS computing resources could be used for all kinds of money-making schemes.

When software consultant Ted Howard learned of Moreno’s experience, he commiserated. On April 5, he had learned that his Amazon account had been hacked.

“I immediately changed my password, disabled my access key and created a new key," he told ReadWrite.

Howard also believes the breach was likely his fault. After checking his GitHub repository, he found that he had committed a file that contained his AWS access key.

“I seem to be incapable of escaping my own stupidity,” he said. But the unintentional publication of AWS credentials appears to be a common problem. It even happened to security researcher Rich Mogull in January.

Keys To The Computing Kingdom

Howard thought his immediate problem was over, though he still had the bill to settle with Amazon.

But on Friday, after communicating with Moreno, he discovered yet another security breach on his AWS account, despite the steps he had already taken to secure it.  

After Moreno’s Amazon troubles came to light, Howard logged back into his own Amazon account and saw that 13 new EC2 instances in Oregon had been started—on April 9, days after he learned of $6,000 in fraudulent charges on his account.

“Of course I changed my password and disabled my new access key," he said. "This time I didn't even bother creating a new one.”

Since he hadn't used the new access key anywhere, or uploaded or shared it anywhere, he was worried.

“Whether it's related to Heartbleed is anyone's guess,” Howard said. "It's possible that they still accepted requests with the old access key after I killed it. Perhaps the attacker was notified of the new key somehow. I really have no idea."

Amazon: "We've Been Seeing More And More Of This"

Later on Friday, Amazon told Howard that the hacker may have used a feature called "Spot Requests" on his account before he reset his credentials. He checked out his account and found many of them.

As an Amazon developer, you can bid on unused computing resources via Spot Requests, and when Amazon accepts the price you set, it automatically starts using the designated computing resources. Amazon told Howard he had to check each of Amazon's geographical regions for such requests, as deleting one would not affect instances in any other region.

"The nefarious way to use this is to set up a ton of requests with a high max price," Howard said. "Even once all the credentials are changed, this request is still present, so new instances continue to be spun up and down over time. This is apparently what happened to me."

That's what an Amazon representative told Moreno the day he discovered the breach. The Amazon employee also told Moreno to check his EC2 spot instances in other regions, and predicted he would see high-end instances running. Which he did.
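The per-region nature of the cleanup is easy to get wrong by hand, so here is an added example (not from ReadWrite, Amazon, Howard or Moreno) of the kind of review a responder would run over API audit records after a credential compromise: it groups spot requests by region, notes whether a later cancellation was seen in that region, and flags regions outside the owner's normal footprint or with a bid far above a sane price. The records are constructed CloudTrail-style events; the field names follow CloudTrail's format, but the values, IPs and the `expected_regions` and `max_sane_price` parameters are illustrative.

```python
"""Find every region where spot requests were placed, and which still need cancelling."""
from collections import defaultdict

# Constructed sample records (not real logs), shaped like CloudTrail events.
SAMPLE_RECORDS = [
    {"eventTime": "2014-04-05T18:02:11Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"instanceType": "t1.micro"}},
    {"eventTime": "2014-04-05T18:40:03Z", "eventName": "RequestSpotInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"spotPrice": "9.99", "instanceCount": 13,
                           "launchSpecification": {"instanceType": "c3.8xlarge"}}},
    {"eventTime": "2014-04-05T18:41:30Z", "eventName": "RequestSpotInstances", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"spotPrice": "9.99", "instanceCount": 8,
                           "launchSpecification": {"instanceType": "c3.8xlarge"}}},
    # The owner cancelled in one region only; the other region's request is still live.
    {"eventTime": "2014-04-06T09:15:00Z", "eventName": "CancelSpotInstanceRequests", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"spotInstanceRequestIdSet": {}}},
]


def summarize_spot_requests(records, expected_regions, max_sane_price=1.0) -> dict:
    """Per-region summary of RequestSpotInstances activity.

    A region is 'unexpected' when it is outside the owner's usual set or the maximum bid
    exceeds max_sane_price (a huge bid keeps instances launching for as long as the request
    exists). 'needs_cancellation' is set unless a cancellation followed the last request in
    that same region; cancellations elsewhere do not count. Simplification: a cancellation is
    assumed to cover all requests seen so far in its region."""
    by_region = defaultdict(lambda: {"requests": 0, "instances": 0, "max_price": 0.0,
                                     "source_ips": set(), "last_request": None,
                                     "cancelled_after": False})
    for rec in sorted(records, key=lambda r: r["eventTime"]):   # ISO-8601 sorts lexically
        region, name = rec["awsRegion"], rec["eventName"]
        if name == "RequestSpotInstances":
            params = rec.get("requestParameters", {})
            s = by_region[region]
            s["requests"] += 1
            s["instances"] += int(params.get("instanceCount", 1))
            s["max_price"] = max(s["max_price"], float(params.get("spotPrice", 0)))
            s["source_ips"].add(rec.get("sourceIPAddress"))
            s["last_request"] = rec["eventTime"]
            s["cancelled_after"] = False
        elif name == "CancelSpotInstanceRequests" and region in by_region:
            by_region[region]["cancelled_after"] = True
    for region, s in by_region.items():
        s["unexpected"] = region not in expected_regions or s["max_price"] > max_sane_price
        s["needs_cancellation"] = not s["cancelled_after"]
    return dict(by_region)


def regions_needing_attention(summary: dict) -> list:
    """Regions the responder must visit: anything unexpected or still holding a live request."""
    return sorted(r for r, s in summary.items() if s["unexpected"] or s["needs_cancellation"])


if __name__ == "__main__":
    summary = summarize_spot_requests(SAMPLE_RECORDS, expected_regions={"us-east-1"})
    for region in regions_needing_attention(summary):
        s = summary[region]
        print(f"{region}: {s['instances']} instances bid up to ${s['max_price']:.2f},"
              f" cancellation needed: {s['needs_cancellation']}")
```

Run against real records, the same grouping would be fed from CloudTrail exports or the equivalent API history rather than the inline sample; the point the code makes is that `ap-northeast-1` still shows `needs_cancellation` even though `us-west-2` was cleaned up.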

Like Howard, Moreno changed his password, but took the extra precaution of removing his code from GitHub. That's not a trivial process: Because of the way repositories are backed up, his old keys may still be discoverable.

A helpful GitHub tutorial explains how to purge files from your repositories permanently and avoid accidental commits in the future.

Plugging The Holes

Recently, Amazon has changed the way it generates credentials, Moreno and Howard both said. To allow programs to access AWS resources, you used to need an access key ID and a secret access key—strings of characters generated by Amazon. In the past, you could log into your account and retrieve the secret key at any time. That's no longer the case.

"If you lose [the secret key], you must disable and generate a new access key," Howard said.

An Amazon guide for managing AWS credentials suggests removing, or not generating, an access key for your root account; and using AWS Identity and Access Management (IAM) to create temporary security credentials for applications that interact with AWS resources. It also explains how to manage IAM access keys.

“We take security very seriously at AWS, and we provide many resources, guidelines and mechanisms to help customers configure AWS services and develop applications using security best practices," an AWS spokesperson said. "When we become aware of potentially exposed credentials, we proactively notify the affected customers and provide guidance on how to secure their access keys.”

It seems that Amazon could do more, however. If security researchers can easily scan public sites like GitHub and find access keys, couldn't Amazon do the same, and save itself and its customers from these incidents by immediately deactivating the keys?

How To Protect Yourself

It may go without saying, but if you've uploaded code to GitHub, you might want to check whether you inadvertently included your credentials for anyone, including hackers, to access.

"I'm sure many developers have made the mistake I've made," Moreno said. He and Howard offer the following advice.

  • Use two-factor authentication. Although this would not have helped either Howard or Moreno, additional security through a second type of authentication helps protect email and other accounts which might also hold your cloud keys. Take advantage of it.
  • Never hardcode your cloud computing credentials. Even if you're using a private source-code repository, that may change in the future. You may decide to contribute code to an open-source project, for example. "After looking through my code, I see that I had hardcoded my credentials and then commented out that code, later, when I moved the credentials to a preferences file," Moreno said. But, even that isn't good enough since preferences files are usually checked into repositories with code.
  • Use Identity and Access Management. This feature from Amazon lets you create individual accounts that have limited privileges. If you wanted to create an application that stores its data in S3, you can create an account that only has access to one S3 bucket. "If that app got compromised or those credentials got accidentally checked in to GitHub, then only that particular S3 bucket would be exposed," Howard said.
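As a safety net for the "never hardcode" advice above, here is an added example (not from ReadWrite, Amazon or GitHub) of a small scanner that can be run over a working tree or wired into a pre-commit hook so a key is caught before it is committed. It looks for AWS access key IDs by their fixed prefix (AKIA for long-term keys, ASIA for temporary ones) and for a 40-character value assigned to a name mentioning an AWS secret key, which also catches preference files and, as Moreno's case shows matters, commented-out code. The sample file contents are constructed; the key pair in them is the placeholder pair from AWS's own documentation, chosen because it is not a working credential.

```python
"""Line-oriented scanner for AWS credentials left in source or preference files."""
import re
import sys
from pathlib import Path

# Access key IDs are 20 characters beginning with AKIA (long-term) or ASIA (STS-issued temporary).
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys have no fixed prefix, so look for a 40-char base64-ish value assigned to a name
# that mentions an AWS secret key (covers ini/prefs files as well as code and comments).
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?""")


def _redact(value: str) -> str:
    """Report enough to locate the key without re-printing the whole secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, path: str = "<text>") -> list:
    """Return one finding per credential-looking token, with its kind and 1-based line number.
    Comments are scanned like any other line: a commented-out key is still a leaked key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "access_key_id",
                             "value": _redact(m.group())})
        for m in SECRET_ASSIGNMENT.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "secret_access_key",
                             "value": _redact(m.group(1))})
    return findings


def scan_paths(paths) -> list:
    """Scan files or directory trees; the .git directory and undecodable (binary) files are skipped."""
    findings = []
    for root in map(Path, paths):
        for p in ([root] if root.is_file() else root.rglob("*")):
            if not p.is_file() or ".git" in p.parts:
                continue
            try:
                findings.extend(scan_text(p.read_text(encoding="utf-8"), str(p)))
            except UnicodeDecodeError:
                continue
    return findings


# Constructed sample inputs using AWS's documentation placeholder key pair.
SAMPLE_SOURCE = """\
import boto
# old hardcoded creds, moved to the prefs file but left here commented out:
# AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
# AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
conn = boto.connect_s3(**load_prefs())
"""
SAMPLE_PREFS = ("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")


if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "app.py")
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
    sys.exit(1 if results else 0)   # non-zero exit lets a pre-commit hook block the commit
```

The patterns are heuristics: the prefix check can in principle match an unrelated run of upper-case characters, and a secret stored under an unusual variable name will be missed, so treat the scanner as a tripwire that complements, rather than replaces, keeping credentials out of the repository and scoping them with IAM.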

And if that doesn't stop a hack, you'll still want to gather information about what happened. Mogull explained in a post how to take a snapshot and apply forensic analysis to a hack.

The most important advice Howard offers?

"Don't put your Amazon credentials into source code and then share that source code in a public place like GitHub!"

It seems obvious. But it's clear that thousands of developers haven't taken this obvious step.

Update: After we published this story, Joe Moreno received this email from Amazon. 

no-reply-aws@amazon.com wrote:

Hello Joseph,

I have good news!  As a one-time exception, we've approved a credit of the charges for April for the amount of $5360.23. This credit will offset the amount of your compromised resources!

Please make sure to monitor your AWS usage periodically to avoid unexpected charges. By selecting Bills in your Account Billing console, you can see current and past usage activity by service and region.

Photo courtesy of Joe Moreno


Why Pinterest Is The Google Competitor You Weren't Expecting

Tue, 2014-04-15 12:05

There are now nearly one billion "Place Pins" on Pinterest, the company said in an email Monday. And with that announcement, Pinterest moves one step closer to becoming a true search engine alternative to Google.

See also: Pinterest 'Place Pins' Put Travelers On The Map

Now, Pinterest's Place Pins aren't going to replace Google Maps anytime soon—or ever. But for users that would rather graze than pinpoint one exact spot, Place Pins are great for browsing various locales around the globe.

Place Pins are enhanced Pinterest images, better known as “pins,” with the addition of location metadata. Powered by Foursquare, Place Pins let you give a pin a physical address that you and other users can find on a map. Pinboards can collect arbitrary travel hotspots, like this board of world beaches, along with their physical locations recorded on a map.

A Very Pinteresting Search Dilemma

Pinterest's visual search engine is powered by millions of individuals that curate and organize its content according to what users deem most relevant. But with billions of pins, that’s a ton of data—and users simply can’t organize all of it alone. 

Place Pins are just one of the ways Pinterest is working on surfacing that data—by tying topic-specific metadata to various pins to make them show up in more relevant searches. Thanks to Rich Pins, which appear as normal pins with auto-generated captions, Pinterest can categorize those pins into verticals for movies, recipes, articles, products and places.

Before Pinterest and other Visual Web networks came along, we generally thought of the Web as a place where text begot text—you input some text, press search, and get a bunch of relevant results, also in text form. On Pinterest, however, a text-based search leads to relevant image results—without losing any of that context in the transfer. 

So far, Pinterest is trying to improve search by going vertical and providing more metadata for different types of pins, including locations. That way—ideally—searching for pins about backpacking through Europe won’t result in a bunch of European-made backpacks. 

See also: Why Pinterest Needs To Update Visual Search Stat

You might be thinking, "So what? Google has a visual search engine." But what makes Pinterest unique is that it's not just a visual search engine; it’s a user-curated one. That means to guarantee accurate search results, Pinterest needs to nudge users into actually using Rich Pins.

A Scheme To Get Rich Pins Quick

Pinterest’s Place Pins milestone is proof that users are adopting the Rich Pin feature in droves. Keep in mind, however, that Place Pins are only five months old; Foursquare and Pinterest announced the partnership in late November 2013.

The month before Place Pins was revealed, Pinterest filed a trademark infringement suit against PinTrips, a Pinterest clone built specifically for flight search. The suit was notable because Pinterest revealed in the legal complaint just how many pinners use Pinterest for travel: 

“Pinterest users have posted more than 660 million PINS in Pinterest’s ‘Travel’ category to date. Many people use Pinterest as a travel-planning tool.”

That number is nothing to sneeze at, but it’s assumed the ‘Travel’ category was built up over the course of Pinterest's five-year existence. Meanwhile, Place Pins have nearly hit the one billion mark in fewer than five months of existence. 

We also have some data about Article Pins, another kind of Rich Pin. Last fall, the company said five million of its daily pins included article metadata. However, Place Pins are opt-in, while article metadata attaches itself automatically when a user pins from a news site. 

See also: Pinterest Cofounder Evan Sharp: How The Visual Web Helps You See The Future

If one thing is certain, it’s that Pinterest is not here to compete against Google. Pinterest's search weaknesses are Google's strengths, and likewise, what Google is bad at doing Pinterest is really, really good at. As co-founder Evan Sharp told ReadWrite:

“People don’t think about searching 'living room inspiration' on Google. They literally don’t do that because the results don’t work, and they become accustomed to not searching that. But on Pinterest that can be a really fruitful and valuable thing to search.”

In its exploration of visual search, Pinterest is attempting to meet its user base’s unique set of requirements by creating a search engine that solves different problems—or at least solves them differently. So Pinterest may never reach Google's level of popularity, but when it comes to exploring the world through search, Pinterest's plan is looking awfully good.

Photo by Kellee Gunderson


Mozilla Names Former Exec Chris Beard As Interim CEO

Mon, 2014-04-14 19:07

Mozilla has a new leader, at least in the short term. The custodian of the Firefox browser named former vice president of products and chief marketing officer Chris Beard as its interim chief executive officer.

Beard, who most recently was an executive-in-residence at Greylock Partners venture capital firm, takes over the top spot at Mozilla after former chief technology officer Brendan Eich. Mozilla appointed Eich as the CEO at the end of March, although his stay was short-lived after a firestorm of controversy around his support of the Proposition 8 initiative in California that banned gay marriage in the state until overruled by the courts.

Beard started at Mozilla in 2004 as VP of products before becoming the chief innovation officer and later head marketing officer. Even after leaving Mozilla in June 2013, he has listed himself as an advisor to the company. Beard will also be joining Mitchell Baker, Reid Hoffman and Katharina Borchert on Mozilla's board of directors.

Baker summed up the introduction of Beard on the company's official blog:

Mozilla is building these kinds of alternatives for the world. It’s why we’re here. It’s why we gather together to focus on our shared mission and goals. We intend to use recent events as a catalyst to develop and expand Mozilla’s leadership. Appointing Chris as our interim CEO is a first step in this process. Next steps include a long-term plan for the CEO role, adding board members who can help Mozilla succeed and continuing our efforts to actively support each Mozillian to reach his or her full potential as a leader.

Beard follows Jay Sullivan as a top executive at Mozilla to be named interim CEO. Sullivan was the chief operating officer of Mozilla and also held the role of CEO after Gary Kovacs resigned from the role in the spring of 2013. Sullivan left Mozilla after Eich was named CEO.

Mozilla still has plenty of work to do to reestablish its leadership. It also needs two more board members after three left when Eich was made CEO. Mozilla also needs to find a new chief technology officer to replace Eich. Li Gong is set to take over the role of COO this year.


This Vending Machine Uses Arduino To Tweet-Shame Your Sweets

Mon, 2014-04-14 14:37

Editor's note: This post was originally published by our partners at PopSugar Tech.

Meet the vending machine that tweet shames candy bar buyers. Would you think twice about your sweet treat if you knew that an automated dispensary would tell the world about it?

A UK-based group of creative crafters called Nottingham Hackspace has revamped its snack dispensary into a tweeting machine that keeps its members accountable for what they eat. After a successful pledge drive, the group was able to buy the vending machine off eBay. The hackers then enhanced the purchase with Arduino, an open source electronics prototyping platform.

Using Arduino, they've modified the cash payment system with a little reader onto which members tap their cards. The cards have a little RFID (radio-frequency identification) chip that wirelessly transmits who they are and how much money is on their card to the vending machine.

It also communicates with the Nottingham Hackspace server, Holly, which then tweets your candy bar purchase. We're thinking that we'll need to get one of those in our office.

Image courtesy of YouTube user Computerphile



Who Should Buy Google Glass?

Mon, 2014-04-14 13:04

For one day only, Google will put its futurewear optics on sale to the general public. On Tuesday, April 15 at 9am ET, Google will be "opening up some spots in the Glass Explorer Program,” allowing any U.S. resident to buy the before-its-time wearable computer known as Google Glass.

At $1500, the device’s early adopter tax remains as steep as ever, although this time around, Google will toss in a pair of its handsome new prescription-compatible frames or the original shades that shipped with the very first Glass kits a year ago (much to the chagrin of previous Glass buyers who only scored the awkward shades).

After sating the collective appetite of many early adopters, it’s not clear who out there still hasn’t had a shot at buying Glass. But for anyone still “waitlisted” the opportunity sounds like a direct ticket to Glasstown. Here’s Google’s logic behind the one-day sale, as explained on its Glass Google+ account:

Our Explorers are moms, bakers, surgeons, rockers, and each new Explorer has brought a new perspective that is making Glass better. But every day we get requests from those of you who haven’t found a way into the program yet, and we want your feedback too. So in typical Explorer Program fashion, we’re trying something new.

Unfortunately, beyond the sky-high price, one big caveat remains: Glass is open to U.S. residents with a U.S. shipping address only.

 

Who Should Buy Google Glass

Public perception of Glass vacillates between intense curiosity and something resembling a cartoonish eye-roll, but I stand by the fact that Glass is a remarkably cool technology. The device remains cost prohibitive to a large swath of the population, but if you, your organization or your company can stomach the price, there are still valid reasons to consider signing up come Tuesday.

Developers: Ostensibly, the majority of folks who’ve signed up to date are building something cool with Glass. Due to limitations of the device, its adopters or perhaps our collective imaginations, there’s still plenty of room for innovation. For every mind-blowing Glass app out there, there are twenty that do something incredibly boring.

Like virtual reality, augmented reality directly alters the way we interact with the world around us—and that’s really, really cool. If Google can lower the barriers to entry, getting Glass into the hands of a more diverse sample population geographically and socioeconomically speaking, I suspect that innovation would soar. In the meantime, Glass needs more people who can build things outside the box.

Science: There are so many incredible applications for the sciences that I don’t even know where to start. Medicine, astrophysics, geology, botany, science education—there’s a lot of possibility here.

Even on a more meta level, we don’t yet know how augmented reality changes the way we think, both from a social perspective and a neural imaging one. Researchers, we need you!

Photographers/Artists: Silicon Valley can only take us so far. Glass's portability, low profile (well, in some situations anyway) and hands-free operation are transformative for experimental photographers. You really can interact with people and environments in a totally different way by capturing moments with Glass. And while photographers are already a thriving Glass-wearing tribe, interactive, experimental artists should consider turning the wearable into a sociotechnological medium.

Real Explorers: Google throws this term around about all Glass owners, but we need more real explorers. You know, the people who trek to the world’s most fascinating, extreme and remote locales. Hey, even I went on a hike or two. Explorers of the world: Get a Patagonia sponsorship and go forth!

Google Glass Remains An Expensive Habit 

Google first made Glass available only to attendees of its 2012 Google I/O developers conference (including press, like us), where the device was first revealed. After a long wait, Google then opened Glass sales to successive waves of so-called “Explorers” through a hashtag contest known as #ifihadglass before allowing each existing Explorer to dole out three “invites” each. Roughly a month later, Google quietly slipped a Glass waitlist onto its website, though it’s unclear how many of those orders have been filled.

After all of those rounds of availability, it’s hard to imagine who out there still hasn’t had a chance to buy Glass. Still, encounters with Google’s augmented reality visor remain rare outside of San Francisco, the device’s indigenous habitat.

We look forward to seeing what happens when (and if) Glass takes its Silicon Valley blinders off.
