Analysts laud and lance new Microsoft browser armor

Terrific idea or band-aid that doesn't address Windows' real problems

Analysts today gave mixed reviews to Microsoft's new security model for its Edge browser, labeling it as both a landmark move and an attempt to mask the underlying problems of Windows that the company has refused to address.

"This is one of those ideas where you say, 'Why didn't someone do this before?'" said Patrick Moorhead, principal analyst of Moor Insights & Strategy.

Moorhead was talking about Windows Defender Application Guard, a new security feature that will roll out to some enterprise customers next year. Only organizations that subscribe to Windows Enterprise E3 or E5 -- plans under which businesses pay an annual fee to run the operating system -- will be offered Application Guard.

With Application Guard in place, Edge -- the default browser for Windows 10 -- will run in a virtualized Windows environment when it's aimed at websites not on a list pre-approved by the IT staff. That will isolate the browser from malware that normally burrows into a device via vulnerabilities, then steals credentials and pillages data.

Because Application Guard creates a disposable instance of Windows -- and in a sop to former Vice President Al Gore, a "lock-box" version to boot -- it not only prevents malware from reaching the real operating system, real applications, real code and the real device, but when the user is finished browsing and the tab is closed, it simply tosses the copy into an imaginary landfill.

The idea of quarantining the browser -- easily the most vulnerable application on a device due to its duties -- is not new: Technologies like "sandboxes" have attempted to sequester applications for years.

Application Guard, however, is different in that when directed to an unlisted website, the Edge tab generates a virtual copy of a pared-back Windows using the device's processor, then bricks up every opening between the copy and the real deal. Browser interaction with the rest of the physical device is forbidden, with the exception of printing.

Moorhead made much of the hardware virtualization, and applauded it as a first for a mainstream browser. "This is a different way to virtualize," he said, comparing it to the more traditional approach of crafting a virtual machine using software, such as VMware's line. In the virtual space thus created, "Malware can't access your files, it can't scrape passwords," Moorhead added.

Others weren't as impressed with Application Guard.

"The whole idea of containerization has a basic security flaw," said John Pescatore, director of emerging security trends at the SANS Institute. "The idea is that if malware starts running in the [container], you just shut it down. But what happened while the malware was running?"

Users could, Pescatore noted, be duped into offering up their passwords inside an Edge tab guarded by Application Guard just as easily as if they were running a different browser.

Pescatore also argued that Application Guard, like other protective measures Microsoft has layered onto Windows, was simply another band-aid that did not address the real problem with the operating system's security.

"You don't need this on browsers running on iOS or Android," said Pescatore. "So why aren't they talking about an application store for Windows?"

To Pescatore, the openness of Windows has long passed its prime; instead, Microsoft should move to mimic the mobile environment rules, particularly of iOS, which unless the operating system is cracked, or "jailbroken," cannot run code that comes from any other place than Apple's App Store.

By continuing to push the old regime, under which code can come from anywhere, Microsoft must fight every skirmish, wage war against every hacker and every piece of malware. It would be simpler and safer, Pescatore argued, to restrict what Windows can run rather than to build one trench line after another surrounding the operating system, the browser and other critical applications.

"Application Guard is Microsoft saying 'When bad software happens, hopefully it won't hurt you as much,'" Pescatore said.

But that, in essence, is the same tune sung by other browsers that use less restrictive technologies to protect users. "This is more like Microsoft catching up to Google," said Pescatore, nodding to the latter's Chrome browser. "The difference is that Microsoft is holding out the promise that if you only browse [normally] to trusted sites, you can really get tough."

This story, "Analysts laud and lance new Microsoft browser armor" was originally published by Computerworld.

Make a Wi-Fi gadget with a $9.99 Orange Pi development board

With Orange Pi i96, makers can create gadgets and robots on the cheap

If you want to fashion a smart gadget, robot, or drone with wireless capabilities on the cheap, a US$9.99 development board from Orange Pi will help you reach that goal.

The Orange Pi i96 shouldn't be confused with the $35 Raspberry Pi 3, which is much more powerful and can be a full-fledged Linux PC. The smaller Orange Pi has limited horsepower and is targeted at smart gadgets, drones, and internet of things devices.

If you want to create a gadget to show off at a Maker Faire event, the Orange Pi i96 is the kind of board you'll rely on. The board was first announced at the Linaro Connect conference, happening this week in Las Vegas.

For its price and target market, the Orange Pi has features not found on competitive boards. It includes Wi-Fi, 4GB of flash storage, and 2GB of RAM. It also has a micro-SD slot, a micro-USB connection, and includes the Linux-based Ubuntu OS.

Compare the board to the $5 Raspberry Pi Zero or Intel's $15 Quark Microcontroller Developer Kit D2000, which have no Wi-Fi or internal storage. Storage slots aren't a common feature on Arduino microcontroller boards, which are also used to make basic electronics.

The Orange Pi i96 also has a camera interface and low-end 32-bit Cortex-A5 processor. Cameras are important to give computer vision to robots and drones.

"We can't wait to see what developers are going to do with this in the areas of vision and recognition systems and robotics," said George Grey, CEO of Linaro.

The board is based on specifications set by 96boards, an organization encouraging the development of ARM-based board computers.

The exact shipment date for Orange Pi i96 wasn't available.

Linaro is also encouraging the development of other IoT boards. In the near future, there will be billions of IoT devices collecting and sending information, and more boards will be used to support this growing ecosystem, Grey said.

Wyoming's open source enterprise code library a secret no more

NASCIO award-winning project speeds app development, slashes costs

Wyoming’s 250-person Enterprise Technology Services (ETS) group knew it had a good thing in its Enterprise Extensible Code Library, but it chose to keep things under wraps outside of the state until last week when members of that team attended an annual confab for state government CIOs.

It was at the National Association of State Chief Information Officers (NASCIO) convention in Orlando that the ETS code library project was honored with a Recognition Award for Enterprise IT Management Initiatives, and the inquiries from other states and organizations started streaming in.

As described in Wyoming’s NASCIO awards program entry submitted by Deputy State CIO Meredith Bickell, the project launched in 2013 and its main purpose is to serve as a repository of reusable code modules (or “lego blocks”) that can be employed and added to by state agencies building applications. ETS provides internet and enterprise IT services to Wyoming’s executive branch, agencies, boards and commissions.

The upshot of the code library is that apps can be built faster and less expensively – in some cases reducing costs from hundreds of thousands of dollars to less than a thousand. As you might imagine, plenty of what needs to go into such apps, from secure logins to reporting and notifications, is common across agencies.

“Agencies no longer need to navigate the procurement process requesting significant funds to build solutions,” the NASCIO awards entry reads. “With the reuse of code and standardization, ETS has created a new synergy previously absent from many state government projects.”

Or put another way by Wyoming Enterprise Solutions Architect and Geographic Information Officer Anthony Witbrod, “We hope to see an influx of new application development in-house using the lego libraries. Our goal is to see each new app dev project become a minimally viable project, create the new necessary capabilities and provide an even larger toolset that other agencies can continue to leverage.”

The reality was that often agencies would look to build seemingly unrelated applications that might actually share more than half of the same coding needs. Via the code library, an agency can employ reusable code to get, say 70% or 80% or even 90% of the way through an application, then seek funding for the rest, being sure to architect that additional code so that it too can be reused.

Among the apps built using the code library have been an educator credentialing system used by the Wyoming Professional Teaching Standards Board and a fully-automated Bid Waiver solution that has shortened to a couple of days a process that could take weeks via the old paper-based system.

The project’s NASCIO award win even got the attention of Wyoming Gov. Matt Mead, who said that “The extendable code cloud library helps Wyoming pursue high goals with cutting-edge technology. We are building out solutions for agencies and our partners to expand upon and creating opportunities as we take to the cloud.” 

Inside the Wyoming code library

As for some of the particulars of the code library, Wyoming chose Java with Sencha GXT for its development language, figuring this would be the language most employees would be familiar with, and ETS uses BitBucket Git as its code repository.

Google App Engine, which plays nicely with Java, was selected for the NoOps cloud platform, and tools such as Maven are used to prototype new apps in a flash. Agile development frameworks such as Scrum and Kanban are used to keep development teams on track.

One beauty of the project, Witbrod says, is that the reusable code blocks are open source, so that developers from other state agencies – or from anywhere for that matter – can tap into them.

“It’s GPL, so it’s open to anyone once we get our release going, which hopefully will happen soon,” Witbrod says. “It’s open source code. It’s literally open to anyone, to you, to me, to any application shop, to any state government.”

After it was announced that ETS had won the NASCIO award, one state CIO immediately swung by the ETS table and expressed interest in learning about Wyoming’s upgraded Help Ticketing System 2.0, which was built via the code library.

“That state is about to go purchase a $300,000 ticketing application, so they want to see what they can do with ours,” Witbrod says. His hope is that there would be a reciprocal benefit by having other states build apps from the code library, then contribute code that they built on top of it. Thinking big picture, this could result in consolidated app development across the country, he says.

The code library also grabbed the attention of the National Association of State Technology Directors and it has asked ETS to do some presentations and webinars with its community, Bickell says.

Another benefit of the code library is that even relatively simple application components and apps, such as helpdesk ticketing, can become hardened for more sophisticated uses, such as handling money or other sensitive information.

“It’s kind of like running through a gauntlet… just a simple application has to be very stout to get through all that,” Witbrod says. “It helps us build better lasting applications that we hope will be here for a very long time.”

This story, "Wyoming's open source enterprise code library a secret no more" was originally published by Network World.

Oracle Visual Code brings cloud-based app dev to business users

The competitor to Salesforce Lightning lets citizen developers create apps out of prebuilt components

With its Project Visual Code platform, Oracle is taking a swing at Salesforce in cloud-based application development.

Detailed this week, the platform for low-code development provides a browser-based interface for building standalone applications or extensions to existing applications. Geared to "citizen developers," Visual Code is a direct competitor to the Salesforce Lightning component-based development platform.

Oracle's Bill Pataky, vice president of mobile development and developer tools, said that Visual Code's advantage over Lightning is in extending applications, with users able to integrate with third-party data from sources like Facebook or Google Maps.

Applications are created with prebuilt components from the Oracle Cloud Marketplace, which can be supplemented with a small degree of JavaScript coding. "The goal is to allow business users to meet needs when they come up without relying on IT," Pataky said.

The package features a visual tool for building and hosting Web and mobile applications, a UI design system, a UI component architecture, and business objects for building applications over any REST-based service. Components are dragged onto the UI; back-end data access also can be set up. Applications can be built on any device with a browser, although Pataky does not recommend using a smartphone because the browser would be too small. Finished applications can be sold in the Oracle Cloud Marketplace.

Components are built with standard JavaScript and REST, using Oracle's JavaScript Extension Toolkit. Users can extend Oracle SaaS applications, bringing in data from the Oracle SaaS platform, Pataky said, but apps don't have to work with data in Oracle's cloud. As an example of how the platform can be used, Pataky said Oracle built an application to keep track of who was going to the company's OpenWorld conference in San Francisco this week and where they were staying.

CouchDB 2.0 adds clustering and an easier query language

The latest release of the NoSQL database lowers the bar to entry with an easier-to-use query language, and adds clustering to provide scale-out power

Nearly two years after its initial availability as a developer preview, version 2.0 of the Apache Software Foundation's NoSQL database solution CouchDB is finally out.

Many of the major features address performance, especially CouchDB's newly added support for clustering. But the most notable improvement appears to be a query language that helps address the long-standing complaint that CouchDB is tough for beginners to work with.

Easier to talk to

Mango Query is based on a MongoDB-like syntax that was donated by commercial CouchDB outfit Cloudant (now part of IBM) under its original name, Cloudant Query. CouchDB has given it a new name and reintroduced other features separately developed by Cloudant, such as full-text search.

Mango is far easier to work with than the JavaScript-based Views query system CouchDB used before. Views involved writing a map-reduce function, even for relatively trivial operations. Queries in Mango, though, are JSON structures passed to a REST API via HTTP POST.

Developers can now run Mango queries without having to first construct an index for a CouchDB instance, thereby solving another common complaint.

The upshot of all these changes: CouchDB should be a lot more useful from the outset, easier to dive into and start experimenting with, and less difficult to program to overall.

A more cluster-y Couch

CouchDB has also been knocked for not scaling well. To address that problem, version 2.0 adds clustering, another feature built for CouchDB by Cloudant and open-sourced.

Cloudant's inspiration was the Amazon Dynamo distributed key-value store, which shards the database evenly across nodes and keeps redundant copies of each shard. The developer can tune the number of shards and copies if needed, but CouchDB's documentation claims the default settings should suit most scenarios.

According to CouchDB's developers, using clustering requires almost no changes in how existing CouchDB applications work. CouchDB VP Jan Lehnardt noted in an earlier discussion that CouchDB has "always said no to features that we know couldn't be scalable in a cluster or even doable in a cluster," even if he knew it would take time for clustering to show up in the product.

One thing that isn't likely to change with CouchDB is its model for consistency, or how quickly changes made to the database are reflected in queries made against it. With CouchDB, changes are eventually consistent, but not guaranteed to be available at the time they're made.

Many other NoSQL databases have also used this consistency model, although it means they shouldn't be used in situations where every change has to be reflected immediately. MongoDB, one of the other major NoSQL offerings available, is consistent by default, but provides eventual consistency as an option for those who need it.

Samsung ships 500,000 replacement Note7s for recall exchange

Any Note7 sold before Sept. 15 should be powered down due to potential fire hazard

Samsung said Tuesday that 500,000 new Note7 devices have been shipped to U.S. carriers and retailers to replace the smartphones recalled because of a fire hazard.

The devices will be available for exchange starting Wednesday, the company said in an emailed statement.

In all, 1 million Note7 devices were recalled by the U.S. Consumer Product Safety Commission last Thursday after reports surfaced that Note7s could catch fire. The issue was related to problems with the phones' lithium-ion batteries. The CPSC said Samsung had received 92 reports in the United States of batteries overheating, including 26 reports of burns and 55 reports of property damage, including fires in cars and a garage.

While Samsung has worked to provide replacement Note7s, the CPSC said consumers could also seek a full refund.

In a video posted Friday, a top Samsung executive in the United States said the replacement units were safe, that the battery issue was resolved, and the findings were affirmed by a recognized battery expert. As of Friday, Samsung had exchanged about 130,000 Note7 smartphones in the United States.

Samsung also announced a software update for the new Note7 devices in partnership with carriers that displays a green battery icon on the phone’s status bar (in the top right portion of the screen). The green icon indicates that consumers have a new Note7 with a new battery deemed safe.

Samsung and the CPSC said all users of Note7s sold prior to Sept. 15 need to power down their devices. For those who aren’t aware of the warnings, a software update will be pushed to all recalled devices that prompts the user to power down and exchange the device every time the user powers up or charges the device.

More information is available at Samsung’s recall website.

This story, "Samsung ships 500,000 replacement Note7s for recall exchange" was originally published by Computerworld.

Majority of US users opt to stay with Galaxy Note 7 after recall

Samsung said 90 percent of owners are opting for new Note 7 smartphones after the recall

Samsung Electronics may have some comfort after its debacle with faulty batteries in the Galaxy Note 7 smartphone.

The South Korean company reported Thursday that about 500,000 devices, or half of the recalled Galaxy Note 7 phones sold in the U.S., have been exchanged through its program.

Interestingly, "90 percent of Galaxy Note 7 owners have been opting to receive the new Galaxy Note 7," since the phones became available on Wednesday, Samsung said. That figure suggests that most of the users of the Note 7 have chosen to stay with the smartphone model, with new batteries, rather than go in for a refund or exchange the phone with another Samsung model.

Under an official program announced by the U.S. Consumer Product Safety Commission, 1 million Note 7 smartphones were recalled following concerns about faulty lithium-ion batteries in the devices, which could overheat and even explode. CPSC said it had received 92 reports of the batteries overheating in the U.S., including 26 reports of burns and 55 reports of property damages, including fires in a car and garage.

As part of the arrangement with the CPSC, Samsung said users could return the phones for a refund, or exchange it for a new Note 7 device, in which the battery issues had been resolved. The company also announced an exchange of the Note 7 with Samsung’s Galaxy S7 or Galaxy S7 edge devices, and replacement of any Note 7 specific accessories, with a refund of the price difference between devices.

The company said Tuesday that over 500,000 new Galaxy Note 7 replacement devices had arrived in the U.S. and been shipped to carrier and retail stores, and would be available for exchange at retail locations nationwide on Wednesday.

It is not clear how soon Samsung plans to meet the remaining demand for replacement Note 7 devices. The company could not be immediately reached for comment.

Samsung and CPSC have urged consumers of Note 7 phones sold before Sept. 15 to power down their device.

A number of countries have issued recalls for the phones, including Canada. The Note 7 was banned from use or charging on U.S. airlines by the Department of Transportation.

Samsung releases the world’s fastest gumstick SSD

The SSDs can withstand up to 1.2 petabytes of writes

Samsung on Wednesday released two of its highest-capacity SSDs for consumers. The drives are based on the M.2 "gumstick" form factor, which is quickly being adopted in the latest ultra-thin notebooks and PCs.

The new 960 Pro and 960 EVO SSDs are based on the ever-more popular non-volatile memory express (NVMe) specification and Peripheral Component Interconnect Express (PCIe) Gen.3 x4 lane motherboard interface.

The 960 Pro sports blazingly fast sequential read/write speeds of up to 3.5Gbps and 2.1Gbps, respectively. The 960 EVO has sequential read/write rates of 3.2Gbps and 1.9Gbps, respectively.

A front and rear view of the 960 EVO SSD.

Samsung said the 960 series is ideal for intensive workloads such as computer-aided design, 4K rendering, data analysis, engineering simulations and gaming.

The 960 PRO will come in capacities of 512GB (MSRP - $329), 1TB ($629) and 2TB ($1,299). The 960 EVO comes in 250GB ($129), 500GB ($249) and 1TB ($479) versions.

Both SSD models are equipped with Samsung's TurboWrite technology, which the company first unveiled in 2013 in its 840 EVO internal 2.5-in SSD. TurboWrite creates a high-performance write buffer: new data is first written to high-performance single-level cell (SLC) NAND flash and later moved to multi-level cell (MLC) flash.

In addition to its record-breaking performance and capacity, the 960 Pro SSD boasts the greatest endurance Samsung has ever produced for an M.2 form factor SSD; it's able to accommodate up to 1.2 petabytes (1,200 gigabytes) worth of writes over its warrantied lifetime. The 960 EVO can withstand up to 400TB of writes over its warrantied lifetime.

The 960 Pro comes with a 5-year limited warranty and the 960 EVO has a 3-year limited warranty.

Samsung's new 960 Pro and 960 EVO M.2 SSDs.

Both SSD models sport Samsung's new Polaris controller, with the company's new SM951 NVMe SSD last June, and has an eight-channel chip packed with five processing cores.

The new controller, combined with the NVMe interface, allows the 960 Pro to deliver peak sequential read and write transfer speeds of 3,500 MB/s and 2,100 MB/s, respectively, and random read and write I/Os per second of up to 440,000 and 360,000.

The 960 EVO has sequential read/write speeds up to 3,200MB/s and 1,900 MB/s, respectively, and random read/write speeds up to 380,000 and 360,000 I/Os per second, respectively.

Samsung began using the NVMe specification last year with the introduction of its 950 Pro SSD.

NVMe is a logical device interface specification for accessing non-volatile storage, such as NAND flash, via the high-speed PCIe bus. The PCIe bus allows non-volatile storage to be directly connected to a computer's motherboard versus more traditional interfaces, such as serial ATA (SATA), which require a data translation layer and create additional I/O latency.

On the 960 Pro and 960 EVO SSDs, Samsung is also introducing the fully rebuilt Magician software with a new user interface, with which users can control various SSD settings including firmware updates.

In May, Samsung announced it had begun mass-producing the world's smallest 512GB PCIe-connected SSD that also used the NVMe specification.

Earlier this year Samsung released its smallest 512GB PCIe-connected SSD, the PM971, which is just 20mm x 16mm x 1.5mm in size and weighs only about one gram.

Samsung's PM971-NVMe SSD was aimed at ultra-thin notebooks and was manufactured by combining 16 of Samsung's 48-layer, 256-gigabit (Gb) V-NAND flash chips, one 20-nanometer 4Gbit LPDDR4 mobile DRAM chip and a high-performance Samsung controller.

The 960 PRO and 960 EVO SSDs are also based on Samsung's 48-layer V-NAND-based NAND flash, which stacks cells one atop another like a microscopic skyscraper for greater density and performance.

"We were proud to erect the NVMe era last year with the introduction of our 950 Pro SSD," Un-Soo Kim, senior vice president of Samsung's memory business, said in a statement. "Now, with the introduction of the NVMe 960 PRO and 960 EVO SSDs, Samsung is once again taking the next step in the multi-terabyte SSD technology and the storage revolution, providing users higher capacities and speeds than ever before within an NVMe PCIe drive to create new possibilities for consumers and business professionals."

This story, "Samsung releases the world’s fastest gumstick SSD" was originally published by Computerworld.

Microsoft emphasizes JavaScript tools, libraries in TypeScript 2.0

The latest version of Microsoft's typed JavaScript superset adds simplified declaration file acquisition and non-nullable types

Microsoft is now shipping TypeScript 2.0, an upgrade to the company's typed superset of JavaScript. It can be downloaded for Visual Studio 2015 Update 3, accessed by NuGet, used with Visual Studio Code, or installed via NPM.

Version 2.0 focuses on developer productivity, alignment with the ECMAscript standard underlying JavaScript, and support for JavaScript libraries and tools, the TypeScript team said.

Compiling to JavaScript and now serving as the underpinning of Google's Angular 2 JavaScript framework, TypeScript features the same syntax and semantics familiar to JavaScript developers, but also offers types. It is part of a roster of JavaScript alternatives, such as CoffeeScript, that are seen as easier for developers.

Key improvements in TypeScript 2.0 include simplified declaration file acquisition, in which getting declarations for a library is made easier, and non-nullable types, in which null and undefined have their own types so developers can express when null/undefined values are acceptable. "Because this is a breaking change, we've added a --strictNullChecks mode to opt into this behavior. However, going forward it will be a general best practice to turn this flag on as it will help catch a wide range of null/undefined errors."

Control flow analyzed types in version 2.0 can produce the most specific type possible. "When combined with non-nullable types, TypeScript can now do much more complex checks, like definite assignment analysis." Also, immutable programming has been made easier in version 2.0 by declaring properties read-only.

The first beta version of TypeScript 2.0, which postponed delivery of async support until TypeScript 2.1, was released in July. In future versions, TypeScript's builders plan to evolve the type system to allow further expression of JavaScript in a statically typed fashion. The TypeScript language service and tooling features will be enhanced so tools can become "smarter," the team said.

Well, I never! iOS 10's voicemail transcription has a potty mouth

Turns out, Siri doesn't give a ... darn

Anyone who has looked at automatically-generated subtitles on YouTube can tell you that asking a computer to describe what a human says can lead to hilarious results. Now, Apple has brought that issue to iOS 10 with support for transcribing voicemails.

It’s a cool feature that makes it easy to know what your Aunt Matilda said about the gastrointestinal problems her dog is having, without actually having to listen to a three-minute-long, blow-by-blow description. But be careful about trusting it—or reading the transcriptions around sensitive eyes.

I learned that the hard way Thursday when someone left me a message about a reorder special on a wine club shipment. Except my iPhone didn’t hear it that way, proudly telling me about “wearing your c**k s**t.”

This, coming from a phone that I had to teach to swear! I remember having to bludgeon my phone’s autocorrect dictionary into learning that no, I don’t mean that my friends’ artwork is “cool ship.”

Apple stresses that voice mail transcription is still in beta, and as with any voice recognition service, there are bound to be hiccups like this one. The company offers users the ability to provide feedback about the transcription and send off the audio file to Cupertino to help improve future voicemails.

But the swearing in the transcription seems pretty unique in iOS. It’s not like Siri is suddenly down to start calling people nasty SOBs. Apple’s virtual assistant is mildly chiding whenever someone (like a couple of foul-mouthed tech journalists working on an absurd article) decides to throw a string of profanity its way.

Now, before you ask, it’s not clear whether the autocorrect settings are associated with words frequently used on a particular device. And yes, it’s possible that my own speech patterns may have influenced the iPhone’s transcription of an unclear message. (Though I’m usually most aggressive around changing “duck” and “ducking” when presented with a new iOS device.)

It’s clear that Apple does tailor its speech models, however: Rattling off comic George Carlin’s seven words you can’t say on television to the American English version of Siri will lead to it claiming that the third word on the list is “can’t.” Flip over to Siri’s British counterpart, though, and it catches all seven swears in one go.

A representative for the company didn’t respond to a request for comment by press time, sadly, so it’s hard to know whether this sweary transcription is part of a new move by the company to better support profanity, or if it’s just an oversight.

Here's what you should know, and do, about the Yahoo breach

The huge data breach serves as a reminder of some basic security tips

Yahoo’s announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale—it’s the largest data breach ever—and the potential security implications for users.

That’s because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users’ online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.

An email compromise is one of the worst data breaches that a person could experience online, so here’s what you should know:

Fifty shades of hashing

Yahoo said that the “vast majority” of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation—this is called a hash.

Hashes are not supposed to be reversible, so they’re a good way to store passwords. You take input, such as a password, pass it through a hashing algorithm and compare the result to a previously stored hash.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that in theory, the likelihood of hackers cracking “the vast majority” of Yahoo passwords is very low.

But here’s the problem: Yahoo’s wording suggests that most, but not all passwords were hashed with bcrypt. We don’t know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn’t been specified in Yahoo’s announcement or FAQ page suggests that it’s an algorithm that’s weaker than bcrypt and that the company didn’t want to give away that information to attackers.

In conclusion, there’s no way to tell if your account was among those whose passwords were hashed with bcrypt or not, so the safest option at this point is to consider your email compromised and to do as much damage control as possible.
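The log-in check described in this section, applied to a store where most but not all records use a strong algorithm, as an added example that is not part of the original article. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, unsalted MD5 as the legacy scheme is an assumption (the article does not say which weaker algorithm Yahoo used), and the record format, function names and sample accounts are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor for new records (assumed value for this demo)


def hash_password(password, iterations=ITERATIONS):
    """Build a salted, deliberately slow record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)  # a per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def legacy_md5(password):
    """Unsalted MD5 record: the weak legacy format this demo migrates away from."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def check(record, password):
    """Re-hash the submitted password the same way and compare to the stored value."""
    scheme, _, rest = record.partition("$")
    try:
        if scheme == "md5":
            candidate = hashlib.md5(password.encode()).hexdigest()
            return hmac.compare_digest(candidate, rest)
        if scheme == "pbkdf2_sha256":
            iterations, salt_hex, digest_hex = rest.split("$")
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
            )
            return hmac.compare_digest(candidate.hex(), digest_hex)
    except ValueError:
        pass  # malformed record: treat as a failed check, never as a match
    return False


def needs_rehash(record):
    """True for legacy schemes and for strong records with an outdated work factor."""
    parts = record.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS


def login(store, user, password):
    """Return (authenticated, upgraded). Weak records are replaced on a good log-in,
    the only moment the server holds the plaintext needed to compute a new hash."""
    record = store.get(user)
    if record is None or not check(record, password):
        return False, False
    if needs_rehash(record):
        store[user] = hash_password(password)
        return True, True
    return True, False


def audit(store):
    """Count records per scheme, i.e. how large the weakly hashed minority is."""
    counts = {}
    for record in store.values():
        scheme = record.split("$", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


def build_demo_store():
    """Constructed sample accounts: one current, one legacy MD5, one low work factor."""
    return {
        "alice": hash_password("correct horse battery staple"),
        "bob": legacy_md5("hunter2"),
        "carol": hash_password("tr0ub4dor&3", iterations=1_000),
    }


if __name__ == "__main__":
    store = build_demo_store()
    print("before:", audit(store))
    print("bob logs in:", login(store, "bob", "hunter2"))
    print("carol logs in:", login(store, "carol", "tr0ub4dor&3"))
    print("after:", audit(store))
```

Accounts that never log in again keep their weak record, which is why a breached store can still contain a weakly hashed minority long after the service has adopted a stronger algorithm.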

Don’t keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won’t ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you’re among the people who don’t delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don’t provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as the answer. In fact, Yahoo doesn’t even recommend using security questions anymore, so you can go into your account’s security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those “set it and forget it” features. The option is buried somewhere in the email account settings that you never check and if it’s turned on there’s little to no indication that it’s active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication—this is sometimes called two-step verification—for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device.

It’s an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don’t reuse passwords; just don’t

There are many secure password management solutions available today that work across different platforms. There’s really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts, use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents.

These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools, can direct users to websites that ask them for additional information under the guise of “verifying” their accounts and so on.

Be on the lookout for such emails and make sure that any instructions that you decide to follow in response to a security incident came from the affected service provider or a trusted source.

IBM shows how fast its brain-like chip can learn

IBM benchmarks the deep-learning capabilities of its TrueNorth brain-like chip and concludes it's faster and more power-efficient than today's GPUs and CPUs

Developing a computer that can be as decisive and intelligent as humans is on IBM's mind, and it's making progress toward achieving that goal.

IBM's computer chip called TrueNorth is designed to emulate the functions of a human brain. The company is now running tests and benchmarking TrueNorth to demonstrate how fast and power efficient the chips can be compared to today's computers.

The results of the head-to-head contest are impressive. IBM says TrueNorth can engage in deep learning and make decisions based on associations and probabilities, much like human brains. It can do so while consuming a fraction of the power used by chips in other computers for the same purpose.

The learning and computing capacity of a TrueNorth chip "will open up the possibilities of embedding intelligence in the entire computing stack from the internet of things, to smartphones, to robotics, to cars, to cloud computing, and even supercomputing," the company said in a blog entry.

IBM earlier this year demonstrated the chip in a new computer called NS16e, which is modeled after the brain. The computer can be used for image, speech, and pattern recognition through a neural network of processing units.

A human brain has 100 billion neurons that intercommunicate via trillions of connections called synapses. One part, the cortex, is responsible for visual recognition, while other parts are responsible for motor function.

Like the brain, the NS16e has "digital neurons," but on a smaller scale, with 16 TrueNorth chips in the system. Each TrueNorth chip has 1 million neurons and 256 million synapses, which are interconnected via circuitry. The NS16e has redesigned memory, computation and communication subsystems to facilitate power-efficient data processing.

IBM said the TrueNorth processor can classify image data at between 1,200 and 2,600 frames per second while consuming only 25 to 275 milliwatts of power. The processor can identify and recognize patterns from images generated by 50 to 100 cameras at 24 frames per second. It can do so using a smartphone without a need to recharge for days. 

That's much more power-efficient than servers today, which rely on conventional chips like GPUs, CPUs and FPGAs for image and speech recognition. Facebook, Google, Microsoft and Baidu use deep learning for approximating answers related to imaging and speech recognition. Those deep-learning systems are mostly driven by GPUs that draw more than 150 watts of power.

IBM's TrueNorth uses algorithms and learning models that involve recognizing patterns and associating past and current data. Algorithms are still being created for different deep learning models, but the chip can be used with existing systems like MatConvNet. Essentially, developers can create learning models on MatConvNet, and TrueNorth will do the background processing. Developers don't need to be exposed to TrueNorth.

That process is similar to the early days of game development, where programmers weren't exposed to GPUs as most didn't know how to exploit the on-chip features. Vulkan recently replaced OpenGL APIs and exposed GPU features directly to programmers, who are better equipped to exploit features on the chip.

The potential of deep learning is illustrated in self-driving cars, which use powerful computers to navigate a vehicle safely by recognizing signals, lanes, and other objects. Like chips in cars and servers, the TrueNorth chip does low-level processing on each neuron, and they are then strung together to identify an object in an image, or recognize a sound. That's the technique also being used by Intel and Nvidia in their mega-chips, which are more power hungry than TrueNorth.

These are still early days for IBM's TrueNorth chip. The company plans to build a computer with these chips at the scale of a human brain, but part of the challenge is developing algorithms and applications for such a huge computer.

IBM started the development of brain-like chips in 2004 and simulated a computer model the scale of a cat's brain in 2009. A prototype chip in 2011 had 256 digital neurons and had pattern-recognition capabilities. A full computer with a brain-emulating chip could still be a long time off.

IBM is also building a quantum computer as an option to replace today's PCs and servers, which are based on decades-old computer designs. Other chips that emulate human brains are being developed by Hewlett Packard Enterprise, Stanford University, the University of Heidelberg in Germany, and the University of Manchester in the U.K.

Apple's Siri-powered Amazon Echo rival reportedly hits the prototype phase

It's not ready yet, but a report from Bloomberg says Apple's Echo rival is now in the prototype and testing phase.

Apple is reportedly still hard at work on a Siri-powered device to rival the Amazon Echo. The project is out of the research and development phase and into prototyping, according to Bloomberg’s Mark Gurman, who has an excellent track record with Apple rumors.

Gurman doesn’t say what the smart home device will be, but presumably it will be some kind of speaker. The aim is for the Siri device to control smart home appliances—presumably via HomeKit—similar to the Echo. The Siri device would likely also be able to carry out the same tasks that the personal digital assistant already does on the iPhone and iPad. 

That’s assuming Apple doesn’t give up on it. But given Amazon’s success with the Echo and Google’s plans for a similar product called Home, which is expected to roll out in October, it would be more surprising if Apple didn’t enter this space.

The story behind the story: Looking to gain an edge on its rivals, Apple reportedly wants its device to pack superior hardware to Amazon’s Echo, such as a higher quality speaker and microphone. The device may even include facial recognition sensors, which Gurman theorizes could be used for detecting emotional states in addition to user authentication. A report in June said Amazon was also working on emotional detection through voice cues, though the current Echo does not have facial recognition sensors.

Intelligent assistants—be they built into smart home devices or bots in chat apps—are the next big rush for technology companies. A Siri-powered smart home device would be just one part of Apple’s strategy, according to Gurman. The company is also hoping to make Siri capable of controlling the entire iOS system on an iPhone or iPad within the next three years, which would allow for more hands-free interaction.

This week in games: Blizzard ditches Battle.net, Gears of War 4 adds PC split-screen

This is your gaming news for September 19 through 23.

I have another hundred miles of Australia to explore today, and that Forza Horizon 3 icon is just staring at me from my taskbar. Let’s knock this article out in a hurry.

On the docket this week? Blizzard ditches Battle.net, Gears of War 4 adds split-screen co-op on the PC, Kotaku UK looks into problems with Star Citizen’s development, and Sniper Elite 4 shows off a bunch of slow-mo murders.

This is gaming news for September 19 through the 23.

Highway to Hell

Speaking of Forza’s great Australian Outback (and Australian beaches and Australian cliffs and et cetera), here’s a launch trailer:

Those poor servers

A beta for a beta? This is getting out of hand. CD Projekt, them of Witcher fame, is prepping the Gwent servers ahead of October’s closed beta and wants your help. The first test took place today (Friday) and is probably over as you read this, but another goes live at 11 a.m. on Tuesday the 27. You can sign up here if you’re looking to take part in this (not-content-complete) test.

Aim for the groin

Sniper Elite 4 is almost here, and with it? A cornucopia of slow-motion bullets-to-the-testes.

You won’t find any of that in this trailer, though. Just a knife through the calf, a shot through the heart (call Bon Jovi), and some shrapnel through the everything. Also I think at one point our lovable protagonist shatters someone’s jaw with his fist. I guess that Nazi Scumbag didn’t drink his milk.

Better with friends

Split-screen co-op on the PC? There’s something I haven’t seen in a loooooooong time.

Some kudos to Gears of War 4 developer The Coalition, then—this week, technical director Mike Rayner told PC Gamer that split-screen co-op on the PC was a “labor of love” for Gears 4, saying “developers have got to put some effort into it to do it right, it’s not just something you can tack on.”

Maybe this whole Xbox Play Anywhere program isn’t such a bad idea after all.

Frank needs food, badly

More Xbox Play Anywhere stuff? Now Microsoft’s just showing off. Anyway, for our third—and final—bit of Xbox/PC gaming this week, here’s a trailer for Dead Rising 4. All you really need to know is that Frank shoots a cannon. Yes, like a real cannon.

Where the sun don’t shine

Sunless Sea is probably the best game I absolutely haven’t played enough of, at least in recent memory. It’s smart, it’s funny, and it has some of the best Lovecraft-inspired writing to ever hit video games. And if you play a lot of video games, you know there’s a lot of Lovecraft-inspired competition.

Anyway, there’s an expansion (Zubmariner) releasing in a few weeks. More intriguing? At EGX this weekend the developer Failbetter plans to announce a new game. Look for that on Twitch, Saturday at 8AM Pacific.

Inside Star Citizen

The development of spacefaring MMO/shooter/trade sim/whatever Star Citizen has stretched across years now and snapped up over $100 million in crowdfunding. It’s been delayed, it’s been restructured, and it’s made for plenty of “Will it ever come out? And if it does, will it be any good?” questions.

This week Kotaku UK published a massive article on internal strife and problems within Cloud Imperium Games. It makes for a good read, if you’re interested in “a picture of a development process riven by technical challenges, unrealistic expectations and internal strife.”

And I mean, who isn’t interested in that sort of thing?

RIP Battle.net

After two decades of faithful service, Blizzard announced this week that it’s killing Battle.net.

Okay, just killing the name, not the service. Blizzard’s launcher will continue as normal, except rebranded as Blizzard Tech. From the announcement:

“When we created Battle.net, the idea of including a tailored online-gaming service together with your game was more of a novel concept, so we put a lot of focus on explaining what the service was and how it worked, including giving it a distinct name…Given that built-in multiplayer support is a well-understood concept and more of a normal expectation these days, there isn’t as much of a need to maintain a separate identity for what is essentially our networking technology.”

And Blizzard is right—we don’t really need a name for networking technology. But some nostalgic bit of me will miss that cheesy Battle.net name anyway. I guess this is what happens when Chris Metzen leaves the company.

New legislation seeks to prevent US voting systems from being hacked

Representative Hank Johnson is proposing disconnecting voting machines from the internet

A U.S. lawmaker has introduced two bills to protect voting systems from hacking, amid fears that Russian cyber spies may be interfering with this year's presidential election.

Representative Hank Johnson, a Democrat serving Georgia, is proposing a moratorium on state purchases of electronic voting machines that don't produce a paper trail. His Election Integrity Act, introduced Wednesday, would also prohibit voting systems from being connected to the internet as a way to prevent online tampering.

The high-profile hack of the Democratic National Committee publicized in June has citizens worried that U.S. election systems may be vulnerable, Johnson said.

The hack of the DNC stole sensitive files that were later leaked online. Although the FBI is investigating the breach, U.S. intelligence officials are reportedly confident that the Russian government was involved.

Security experts have also long been warning that some U.S. voting machines are outdated and rife with security holes. This can make them easy to hack or prone to casting ballot errors. 

"We must work to reduce the vulnerability of our crucial voting systems," Johnson said in a statement. His bills were also meant to address "well-documented efforts" of alleged voter suppression, he added.

Johnson's second bill proposes designating U.S. voting systems as critical infrastructure, meaning that the federal government would take a role in protecting it. The country's electrical grid and banking sector are among those already designated as critical infrastructure.

Johnson's bill would also require the Department of Homeland Security to submit a plan to Congress to protect the U.S. election process from threats including cyber terrorism. In addition, it asks that better standards be developed so that citizens can verify their votes.

Johnson introduced his bills just weeks after the FBI began warning that hackers had targeted two state election systems. One of those breaches may have involved stealing login credentials from a county official that could have allowed the hackers to delete voter registration records. 

Johnson's bills are unlikely to pass in Congress this year because legislative activity slows down as the national election approaches.

Can Wi-Fi and LTE-U live together? The tests are ready

The Wi-Fi Alliance has released its test plan for coexistence of Wi-Fi and LTE in unlicensed spectrum

The moment of truth has arrived for a hotly contested project to make sure LTE and Wi-Fi can share the same frequencies.

On Wednesday, the Wi-Fi Alliance released a test plan for LTE-Unlicensed products, which would bring 4G cellular to unlicensed spectrum bands that Wi-Fi users depend on. The group also said it is qualifying an independent lab where LTE-U vendors can take their equipment for testing.

LTE-U could give smartphones and other cellular devices more frequencies to use, potentially bringing better service to more users in crowded areas. But some makers and operators of Wi-Fi gear, including cable operators using Wi-Fi to compete with mobile carriers, warn that the new technology could crowd out Wi-Fi and hurt its performance.

“Delivering a cross-industry coexistence testing solution was an unprecedented and difficult task, and the outcome will help ensure the billions of people who rely on Wi-Fi every day will continue to benefit from the same great user experience they have enjoyed for more than 15 years,” WFA President and CEO Edgar Figueroa said in a press release.

In announcing the test plan, WFA said its development was a cross-industry effort and incorporated ideas from both sides. But LTE-U backers, including Qualcomm and an industry group called Evolve, have charged multiple times that the process took too long and was slanted toward Wi-Fi. WFA's first workshop took place last November. Carriers have eyed limited deployments of LTE-U this year.

WFA emphasized in a press release on Wednesday that the full test plan is necessary to determine whether an LTE-U product can coexist with Wi-Fi. It said the LTE-U vendors agreed to use the whole plan. The group recently slammed tests by some vendors that it said didn’t include the whole suite.

The unlicensed bands used by Wi-Fi in the U.S. and most other countries are largely open to any type of equipment that can share the spectrum with the other technologies in it.

The U.S. Federal Communications Commission has mostly leaned on industry to make sure Wi-Fi and LTE-U coexist, though it has approved limited tests of the new technology in some areas. But the threat of possible regulation has loomed over the feud. On Wednesday, WFA said it isn’t seeking any regulatory mandates for coexistence.

LTE-U is a version of LTE for unlicensed spectrum that’s allowed only in selected countries, including the U.S., South Korea, and China. Europe and other regions will require another technology with additional safeguards to protect Wi-Fi. That technology, called LAA (Licensed Assisted Access), may even be adopted worldwide.

Oakley and Intel pack a fitness coach into new pair of smart glasses

Oakley's Radar Pace smart glasses have a voice-activated coaching system, thanks to technology from Intel

For wearables to succeed, many people believe technology should be inconspicuous, not popping out and making a fashion statement of its own. Google Glass may have gotten it wrong, and Oakley and Intel may have done it right with the new Radar Pace.

At first glance, Oakley's Radar Pace sunglasses look undeniably cool. But hidden inside is technology that turns the sunglasses into a voice-activated coach that answers questions and provides fitness training recommendations. It's like having Siri in your sunglasses.

The sunglasses are expensive. At US$449, they have a hefty markup, but Oakley sunglasses and cool technology won't come cheap. The glasses will be handy for hard-core athletes, but Oakley is also targeting casual athletes. The smart glasses will start shipping on Oct. 1 in the U.S. and other countries.

Radar Pace has sensors that can track heart rate, distance, cadence, speed, and other vital workout information. The data is synced with a smartphone connected to Radar Pace via Bluetooth, where an app called Radar Pace App monitors the workout, answers questions, and provides voice recommendations.

Users hear the information through earphones in the sunglasses. A cool feature is the ability to ask questions through a microphone, with users getting answers back. The questions are passed on to the smartphone app, which formulates and sends back an answer to Radar Pace.

The voice-activated system can convey daily workout plans, or answer questions that will provide real-time information on speed, race, metrics, and heart rate to people wearing Radar Pace.

The smartphone app can analyze workout data in real time. For example, the glasses can advise a runner to increase the pace, slow down, or end a workout. The mobile app interprets and answers queries through a natural-language processing engine developed by Intel called Real Speech.

For example, a runner can ask questions like, "what's my heart rate?" or "what's my pace?" Voicing "time" or "distance" will prompt the app to convey the answers.

The smart glasses are a result of a two-year alliance between Luxottica, which owns Oakley, and Intel, which developed the core technology and architecture. Intel has pushed for technology to be invisible in wearables, and that design philosophy was the main focus when designing Radar Pace.

Many smart sunglasses for fitness are hitting the market. A notable competitor is Solos, which is a kind of Google Glass for athletes. Solos has a tiny heads-up display that shows metrics like heart rate, pace, distance, and cadence so athletes can see data in real time. It was used by U.S. cyclists in the recent Rio Olympics.

But unlike Google Glass and Solos, the Radar Pace doesn't have a screen. A voice-activated system works better because information on a screen can be distracting when cycling or running, Oakley officials said.

Also, the added-on tech hasn't looked cool in some smart glasses. The technology protruding out of Google Glass was so visible that it upset people who thought they were being spied on. Oakley and Intel came up with a design where the technology is as hidden as possible, though the headsets are clearly visible on the side.

The smartphone app that works with Radar Pace also can pull data from other fitness apps and devices to formulate workouts. That's handy, especially when people like using Fitbit and other devices to track fitness data.

The sunglasses weigh 56 grams and run for about four to six hours on a single battery charge. They have an accelerometer, gyroscope, and sensors to measure pressure, humidity, and proximity.

The glasses have some cool add-on features. They can play your favorite music on the smartphone. You can take phone calls via Radar Pace, and the app works with Android and iOS devices.

For Intel, the Radar Pace is a breakthrough in wearables. The chipmaker has a handful of wearable products on the market, but Radar Pace is the most important for the company.

Unfortunately for Intel, the glasses don't use an x86 chip, but an embedded processor based on another architecture that Intel wouldn't specify. That also highlights a problem -- Intel's chips aren't used in many wearables, partly because the company doesn't have the right processors in its portfolio. Intel is committed to developing chips for wearables, a representative said.

Oracle Visual Code brings cloud-based app dev to business users

The competitor to Salesforce Lightning lets citizen developers create apps out of prebuilt components

With its Project Visual Code platform, Oracle is taking a swing at Salesforce in cloud-based application development.

Detailed this week, the platform for low-code development provides a browser-based interface for building standalone applications or extensions to existing applications. Geared to "citizen developers," Visual Code is a direct competitor to the Salesforce Lightning component-based development platform.

Oracle's Bill Pataky, vice president of mobile development and developer tools, said that Visual Code's advantage over Lightning is in extending applications, with users able to integrate with third-party data from sources like Facebook or Google Maps.

Applications are created with prebuilt components from the Oracle Cloud Marketplace, which can be supplemented with a small degree of JavaScript coding. "The goal is to allow business users to meet needs when they come up without relying on IT," Pataky said.

The package features a visual tool for building and hosting Web and mobile applications, a UI design system, a UI component architecture, and business objects for building applications over any REST-based service. Components are dragged onto the UI; back-end data access also can be set up. Applications can be built on any device with a browser, although Pataky does not recommend using a smartphone because the browser would be too small. Finished applications can be sold in the Oracle Cloud Marketplace.

Components are built with standard JavaScript and REST, using Oracle's JavaScript Extension Toolkit. Users can extend Oracle SaaS applications, bringing in data from the Oracle SaaS platform, Pataky said, but apps don't have to work with data in Oracle's cloud. As an example of how the platform can be used, Pataky said Oracle built an application to keep track of who was going to the company's OpenWorld conference in San Francisco this week and where they were staying.

This story, "Oracle Visual Code brings cloud-based app dev to business users" was originally published by InfoWorld.

HTC announces the Desire 10 Pro and Desire 10 Lifestyle

HTC has unveiled a pair of Desire 10 smartphones heavily teased over the past few weeks under the #BeEdgier slogan. Before you get too excited about the whole edge thing - it refers to the new metallic contour and not to any display niceties.

And while the two smartphones come with what you think is roughly the same name, in fact they couldn't be any more different.

HTC Desire 10 Pro

The Desire 10 Pro is the one you'd want, as it packs the better hardware. It starts with a 5.5-inch FullHD IPS display, protected by an unspecified gen Gorilla Glass. This higher-specced model is powered by a Mediatek Helio P10 chipset and has 4GB of RAM and a roomy 64GB of storage, which is also expandable via microSD.

A 20MP primary camera sits on the back of the Desire 10 Pro with a f/2.2 27.8mm-equivalent lens, laser autofocus and a dual-LED flash. Selfies are taken care of by a 13MP front cam with the same-specced lens, and a 150-degree selfie panorama mode for group shots.

On the connectivity front, the Desire 10 Pro brings Cat. 6 LTE (up to 300Mbps down/50Mbps up), dual-band 5GHz/2.4GHz Wi-Fi a/b/g/n (but no ac), Bluetooth v4.2, NFC and AGPS + GLONASS. Wired options include a 3.5mm headphone jack, and a microUSB 2.0 port (so no Type-C). A fingerprint sensor is placed on the Pro's back as well, and other than unlocking the device it is also able to control the camera.

The Desire 10 Pro measures 156.5 x 76 x 7.9mm and weighs 165g. Inside it, there's a 3,000mAh battery to keep the lights on.

HTC Desire 10 Lifestyle

The Desire 10 Lifestyle brings some notable hardware downgrades in a body that looks and feels virtually the same. For one, its 5.5-inch display has a 720p resolution for a pixel density of 267ppi. Perhaps least impressive about the Lifestyle is the SoC in charge - the aging and not particularly powerful Snapdragon 400, which even Qualcomm now lists as a wearables' chipset.

Anyway, the Desire 10 Lifestyle will be available in two versions, one with 3GB of RAM and 32GB of built-in storage, the other with a 2GB/16GB configuration. Both offer a microSD slot for expansion, so fret not.

What the Pro gets for a selfie camera, the Lifestyle uses for a primary shooter, at least judging by the numbers. It's a 13MP sensor behind an f/2.2 28mm-equiv. lens. The front-facer of the Desire 10 Lifestyle is a 5MP setup with an f/2.8 aperture and a 33.7mm-equiv focal length.

LTE is Cat. 4 on the Desire 10 Lifestyle (150Mbps down, 50Mbps up), you get 2.4GHz Wi-Fi b/g/n, Bluetooth v4.1, NFC and AGPS + GLONASS. No port surprises here - microUSB 2.0 for charging and data transfer, and a 3.5mm headphone jack. The Lifestyle doesn't get a fingerprint sensor, though.

At 156.9 x 76.9 x 7.7 mm, the Desire 10 Lifestyle measures mostly the same as the Pro, but weighs 10g less - 155g. You guessed it - it packs a smaller 2,700mAh battery.

Both smartphones introduce a new interface concept, which is two-pronged. For starters, HTC does away with the onscreen buttons and puts the navigation in the bottom bezel. That frees the screen for all the customization you might want and you're no longer limited by the usual grid of icons - you can arrange apps, widgets, and stickers, overlap them, make layers - any way you fancy. All that is still called HTC Sense, on top of Android 6.0.1 Marshmallow.

The Desire 10 Pro and Desire 10 Lifestyle will be available in a choice of colors, including Stone Black, Polar White, Royal Blue, and Valentina Flux. All paint jobs will have the golden accents around the edges and the back.

The Desire 10 Lifestyle will start rolling out in select markets today, with the Desire 10 Pro expected next month.

New rumor says Oppo R9S will arrive next month

Last we heard, the Oppo R9S was to be made official on September 12, but that didn't pan out. Now, if a new rumor out of China is anything to go by, the device will be unveiled sometime in October.

The rumor also says that the handset will feature an image stabilization tech powered by a new OPPO SmartSensor, as well as the Super VOOC charging tech that Oppo showcased earlier this year. We had a good look at how both technologies work at the MWC 2016.

To refresh, from what has been revealed so far, the phone is powered by Qualcomm's Snapdragon 625 chipset and sports a 5.5-inch full HD display. It features a 13MP rear unit and a 16MP front shooter, and a 2,850mAh battery is there to keep the lights on.

Samsung Galaxy Note7 sales resume in US

If you recall, there were rumors recently that in the US, the Samsung Galaxy Note7 will be back on sale on October 21. However, it turns out that's not the case, as the device is already available for purchase in the country.

At least two of the country's Big Four carriers - Sprint and Verizon - have the new, safer version of the handset listed on their respective websites. All the three color options - Black Onyx, Silver Titanium, and Blue Coral - are currently available on both carriers. We expect other major carriers to join the party soon.

In case you missed it, Samsung has already said that it will resume sales of the Galaxy Note7 in South Korea on September 28.

Alleged Xiaomi Mi Note 2 screenshot shows 8GB RAM, 256GB storage

Okay, the September 14 rumors didn't pan out, but perhaps the Xiaomi Mi Note 2 will launch on September 27 alongside the Mi 5S. A Weibo user posted a screenshot of Note 2's About screen, further stoking such rumors.

The screenshot shows that the LG V20 is about to have some company and that the OnePlus 3 is about to be dethroned.

Assuming no funny business happened to the screenshot (and that's a big assumption to make), the Xiaomi Mi Note 2 will run Android 7.0 Nougat and will have a whopping 8GB of RAM. Also, the built-in storage is an impressive 256GB - not unheard of like the RAM, but quite rare.

This will be the top version; previously we heard about 6GB of RAM, 64GB storage. That rumor also claimed that the device would be called "Mi Pro" instead.

Also, the 2.6GHz clock speed seems to confirm the Snapdragon 821 chipset rumors. Other expected specs (not listed on the About screen) include a 5.7" AMOLED screen and a dual-camera setup.

LeEco's Le Pro 3 powerhouse flagship is now official

There has been quite a bit of fuss surrounding the LeEco Le Pro 3 these past few months. After sneaking a quick peek of the device in September and then coming across it on Geekbench yesterday, now it's time to finally see it in full. Today LeEco officially unwrapped its new flagship and its specs do mostly live up to the original hype.

The "mostly" part refers to a couple of prevailing rumors that fueled pre-release excitement. One is having 8GB of RAM on board and the other has to do with a promised battery capacity of 5000 mAh. Neither of these became reality in today's release, but there is still the distinct possibility of a higher-end 256GB storage model yet to come.

But we can also safely look past these two details and what we are left with is still a really powerful handset. It has a 5.5-inch, 1080p IPS LCD panel at its disposal, with a stylish 2.5D glass finish on top.

Underneath it is Qualcomm's new Snapdragon 821 SoC - the overclocked version with a maximum clock of 2.35GHz on its CPU and 653 MHz on the Adreno 530 GPU.

The RAM configurations still go up to 6GB and the list of available models includes:

  • 4GB RAM + 32GB ROM
  • 4GB RAM + 64GB ROM
  • 6GB RAM + 64GB ROM
  • 6GB RAM + 128GB ROM

The camera setup includes a 16MP main shooter, with an advertised 0.1 second PDAF focus speed and a few proprietary features like: Increased Sharpness, Intelligent Beauty Mode, Gender Recognition and others. On the front, there are 8MP at your disposal.

The Le Pro 3 is powered by a 4070mAh battery, which, although still a far cry from 5000 mAh, is impressive nonetheless, especially in a 7.5mm thick body.

The phone also supports 24W QuickCharge 2.0, which LeEco is confident can get you from zero to 50% in 30 minutes (impressive for a 4 thousand amp battery).

Speaking of the phone's body, it has a premium all-metal build with a brushed finish. In fact, the manufacturer claims a 98% metal content for the device's shell.

The front has a trio of capacitive buttons, the middle one shaped like the LeEco logo and complete with a "breathing light" feature.

On the back, there is a fingerprint reader and not much else, besides an edged logo. The Le Pro 3 uses a USB Type-C connector and doesn't really have another one. There is no 3.5mm jack, but before you assume some Apple plagiarism is in play, we'll remind you that the Le Max 2 and Le 2 also rely on the USB CDLA standard for audio since before the iPhone 7 was announced.

Other details worth noting include dual SIM support and dual Wi-Fi MIMO antennas for a maximum transfer speed of 866 Mbps. 4G LTE is pretty fast as well with 3x CA, adding up to around 600 Mbps.

The Le Pro 3 also has two speakers and runs on the Marshmallow-based EUI 5.8.

Currently color options include Silver, Gray, Rose Gold and Gold.

Pricing is as follows:

  • 4GB RAM + 32GB - CNY 1799 ($270)
  • 6GB RAM + 64GB - CNY 1999 ($300)
  • 4GB RAM + 64GB - CNY 2499 ($375)
  • 6GB RAM + 128GB - CNY 2999 ($450)

The latter are special "Zhang Yimou" Edition models. The edition, named after the famed Chinese film director, will be themed after the upcoming movie 'Great Wall', starring Matt Damon. The phone will come with a custom "Great Wall" theme and wallpaper, exclusive access to a behind-the-scenes video about the movie, a signature Great Wall leather flip case and a movie-themed retail box.

Pre-orders are live now, but there is no info on availability. We will definitely be looking forward to learning more about that.

Brocade's big new router is all about network size, automation

The Brocade SLX 9850 expands the Brocade routing family and offers 15x more total capacity than the current Brocade MLXe box

Brocade this week rolled out a big data center router it says will handle and help manage the massive amounts of traffic expected to cross enterprise networks in the not-too-distant future.

The Brocade SLX 9850 expands the Brocade data center routing family and supports 15x more total capacity than the current Brocade MLXe box via a 230Tbps non-blocking chassis fabric capacity for 10/40/100 Gigabit Ethernet connectivity.

"With bandwidth demands exploding from the digital transformation of organizations as they leverage IoT, Mobile, Video, Cloud and Big Data technologies, the ability to cost-effectively scale network capacity -- in terms of bandwidth, devices and policies is foundational," said Daniel Williams, Brocade’s principal director of product marketing for data center routing.

Brocade pointed to a recent Gartner forecast that 6.4 billion connected things will be in use worldwide in 2016, up 30% from 2015, and that the number will reach 20.8 billion by 2020. In 2021, video will account for about 70% of mobile data traffic. With cloud services, video streaming, internet of things and mobile connectivity growing at exponential rates, organizations must ensure that the infrastructure they deploy today can support dramatic future traffic growth.

"Key to any routing solution for this digital era is a platform designed to support new customer requirements without a rip-and-replace as networking silicon capabilities advance," Williams said.

Williams noted a couple of key features on the SLX 9850, including:

  • The Brocade SLX Insight Architecture featured on the 9850 is an open KVM (kernel-based virtual machine) environment that can run third-party and customer-specific monitoring, troubleshooting and analytics applications. It is designed to make it faster, easier, and more cost-effective to get the comprehensive, real-time visibility needed for network operations and automation. It also provides a dedicated 10G Ethernet analytics path between the packet processor on each SLX 9850 interface module and the KVM environment on the management modules. This allows applications running in the KVM environment to extract data via an internal, isolated link, without disrupting forwarding or control plane traffic.
  • Brocade’s existing Workflow Composer works with the SLX 9850 to offer what the company calls dev-ops style automation. Workflow Composer, which is developed by the StackStorm open source project, automates workflows across multiple IT domains within the services delivery chain—such as network, compute, storage and applications—to bridge organizational silos within the data center.

The Brocade SLX 9850, which competes most closely with the Cisco NX9500, Arista 7500R and Juniper OFX 10000, is expected to be available in the fourth quarter of 2016. Brocade Workflow Composer is available now for an annual subscription price of $25,000 per data center or admin console.

This story, "Brocade's big new router is all about network size, automation" was originally published by Network World.

KB 3185911 speeds up the Windows 7 scan for updates

We have a new "magic" patch that cuts Windows 7 updates scans from hours to minutes

Do you still have problems with the Windows 7 check for updates taking hours and hours? It's the same problem I've been talking about since April, but this month, we have a different solution. I can hear the sigh of relief from here.

The "magic" patch this month is KB 3185911, otherwise known as MS16-106. It's yet another security patch for the Windows Graphics component. If you install KB 3185911 first, then scan for updates, the scan will miraculously decrease from many hours to a few short minutes.

In the past, a blogger known as Dalai has updated the information on his website, wu.krelay.de/en, to fill us all in on the latest magic patch. Unfortunately, at the moment, I can't get that site to appear. It's quite likely that the site's become so popular that it's inaccessible, or Dalai has pulled it offline.

If you want to install that patch alone, see the two-step method I posted last month (you only have to do Step 2 this month), and substitute KB 3185911 in Step 2. Make sure you follow the instructions and turn off the Windows Update service at the right time.

Poster Canadian Tech, both on AskWoody.com and on the Microsoft Answers forum, has presented a simple, permanent solution to the problem (at least until Microsoft changes everything in October). He suggests that you install KB 3020369, then KB 3172605. (Canadian Tech gives credit to TrashZone, ElderN, and VolumeZ for their contributions.)

I had a problem with that approach several months ago. KB 3020369 was triggering "Stage 3 of 3" reboot hangs and KB 3172605 had many bugs. Now it looks like Microsoft has fixed those problems -- in particular the Intel Wi-Fi bug has been fixed.

So you can pick your poison and either install the one key patch that makes it work, or go ahead with the more-recent changes demonstrated by Canadian Tech. Poster ch100 on AskWoody recommends:

For new machines, use Canadian Tech's approach as it is enough to get WU started. For established machines missing patches, use Dalai's approach as it has extra updates which are useful for the slow WU issue.

A lot of the issues are related to Windows Update Agent 7.6.7600.320 which is pushed automatically if there is no superseding (later) Windows Update Agent installed. Currently the best Windows Update agents come with KB3138612 or KB3172605 and one of them needs to be installed first thing. Eventually both will be installed as part of WU, as while they overlap in some parts, they do not supersede each other.

Either way you'll save many hours in your pursuit of Windows 7 patches.

Google's Angular 2 JavaScript framework finally arrives

The new version, rewritten with Microsoft's TypeScript, offers payload size and performance enhancements

Angular 2, the long-awaited rewrite of the popular JavaScript framework, is finally going live Thursday evening, Google said on Wednesday afternoon. The move follows a beta release stage last December and a release candidate first offered in May.

With the final release, Google is offering a framework optimized for small payload size and performance, said Jules Kremer, technical program manager for Angular at the company. "With ahead-of-time compilation and built-in lazy loading, we've made sure that you can deploy the fastest, smallest applications across the browser, desktop, and mobile environments."

Modular Angular 2 enables developers to use a third-party library or write their own. The upgrade features the Angular CLI command-line interface, along with more capable versions of Angular's router, forms, and core APIs.

Next up for Angular are bug fixes and nonbreaking features for APIs marked as stable, more guides and live examples specific to use cases, and more work on animations. Web Workers, for web content to run scripts in background threads, will be moved out of an experimental phase, and Angular Material 2, providing Material Design components, will be added as well. More features and languages will be added to Angular Universal, which provides server-side rendering for apps, and speed and payload size improvements also are planned.

Also known as AngularJS, the framework debuted six years ago, boasting dependency injection and HTML-driven development. It was rewritten to allow for a decoupling of the framework from the DOM, enabling use of multiple renderers; Microsoft's TypeScript, a typed superset of JavaScript, was used in the rewrite.

AI and robotics could replace 6% of U.S. jobs by 2021

Those same systems could also create new jobs, Forrester report says

In just five years, intelligent systems and robots may have taken up to 6 percent of U.S. jobs, according to Forrester Research in a report released this week.

As artificial intelligence (AI) advances to better understand human behavior and make decisions on its own in complicated situations, it will enable smart software and robots to take on increasingly challenging jobs.

That means robotics should be able to take over some jobs traditionally held by humans by 2021.

For instance, Forrester predicts that smart systems like autonomous robots, digital assistants, AI software and chatbots will take over customer service rep jobs and eventually even serve as truck and taxi drivers.

"Intelligent agents have emerged, but wide adoption is not yet mainstream," Forrester analysts wrote in their report. "As cognitive elements are added, capabilities will expand and target more use cases."

Forrester also noted that by 2021, AI is expected to evolve significantly beyond today's relatively simple machine learning and natural language processing capabilities. Advanced applications will focus more on self-learning and more complex scenarios.

This isn't a new scenario for the American workforce -- and it's also not as bad as it sounds.

In January, the Geneva-based World Economic Forum reported that technologies like AI and machine learning could mean the loss of more than 7 million jobs over the next several years.

However, the Forum also reported that these same technologies could lead to the gain of 2 million jobs in fields related to computer science, engineering and mathematics.

Tom Davenport, co-author of Only Humans Need Apply: Winners and Losers in the Age of Smart Machines, echoed that idea. According to Davenport, artificially intelligent systems and robotics will become our assistants and co-workers, helping many people do their jobs better.

"We have a new generation of technologies and we need to work with them if we're going to be productive and effective," Davenport told Computerworld in April. "I think that in many cases, we'll be working with these machines as colleagues.... I think the people who prosper will be the ones who like working with machines."

Patrick Moorhead, an analyst with Moor Insights & Strategy, said Forrester's estimate seems a bit high. He expects the number to be closer to 3 percent or 4 percent.

"I don't necessarily buy into customer service jobs being replaced very quickly," he added. "Most of the jobs impacted would be in transportation, like cabbies, limo drivers, large highway truck and small truck city drivers [whose jobs are] hit by autonomous vehicles. And jobs where people are checking on things, like oil pipeline inspectors, will be impacted."

Moorhead noted that if many of these smart systems and devices are made here in the United States, there may not be much of a net job loss.

This story, "AI and robotics could replace 6% of U.S. jobs by 2021" was originally published by Computerworld.

New project runs Arch Linux on Windows

ALWSL, still in very early stages, allows Linux boot images to be run in Windows 10's experimental Linux subsystem

"Experimental" is a great adjective for Microsoft's WSL (Windows Subsystem for Linux). Not only is it Microsoft's attempt to lure Linux devs into making themselves comfortable in Windows, it also provides a lab for the hacking whizzes who want to see how far they can push the WSL.

The latest such experiment is an attempt to run a third-party Linux distribution, Arch Linux, on the WSL.

The ALWSL project is currently only available in a very unstable dev preview -- essentially a glorified batch file that removes the existing WSL setup, downloads a copy of Arch Linux, verifies its validity, prepares it, and allows it to be booted at the WSL prompt.

By default, WSL uses Ubuntu as the basis for its kernel and userspace, but the underlying subsystem is in theory distribution-agnostic. It simply translates Linux system calls into their Windows counterparts or provides emulation when there isn't a 1:1 match. Consequently, ALWSL needs to do very little on its own to make Arch Linux work.

The project is extremely raw right now, with no real documentation. "If you don't want to break anything, wait for the first release. Which is [of course] not a batchfile," says the project's README.

Regardless, intriguing possibilities are already surfacing. One convenient side effect of the ALWSL project is that it provides a handy utility for backing up and restoring the state of the WSL subsystem. This kicks open the door for a new wave of tinkering with WSL that requires incrementally less heavy lifting.

Some tinkering is already on the way, even though ALWSL isn't ready for prime time. The maintainer of another maverick operating system project, NodeOS, is already interested in developing a system image that can be used with WSL through ALWSL.

EU threatens to open e-commerce antitrust investigations

Manufacturers and suppliers may be unfairly restricting retailers' access to e-commerce channels, the European Commission warns

The European Commission may open antitrust investigations into price restrictions and online sales bans in the e-commerce industry, it warned Thursday.

It is concerned that consumers across the European Union may be paying more than they should for a range of physical and digital goods sold online because of restrictive practices by manufacturers and distributors.

The European Union's goal of creating a single market for goods and services has historically been hampered by the geographical and linguistic barriers to selling across the 28-country bloc -- but e-commerce can help businesses break down both of these.

However, the online market is creating barriers of its own to competition, the Commission found, potentially threatening its latest initiative, the Digital Single Market, a way of removing national barriers to online sales.

In a year-long study, it found evidence that one in five retailers is prevented by suppliers from selling goods online, while two in five face some form of price recommendation or restriction from manufacturers. One retailer in 10 was contractually restricted by its suppliers from submitting information to price comparators, used by many consumers to find the best deal.

Industry lobby group CCIA echoed the Commission's warning. "Restrictions preventing sellers from using marketplaces as a sales channel harms competition, consumer choice, and European small and mid-sized businesses," European director Jakob Kucharczyk said via email. "The Digital Single Market is bound to remain theory if it cannot become a reality for millions of European businesses because of unjustified online sales restrictions."

CCIA members have some skin in the game: They include Amazon.com, eBay, Netflix, Paypal, and Rakuten, all major players in e-commerce or the sale of digital goods and services.

The Commission published its preliminary findings Thursday, in a report based on its analysis of 8,000 distribution contracts involving 1,800 companies reselling electronic and digital goods across the EU.

The market for digital goods such as ebooks and music downloads is little better, it found. Copyright licensing agreements restrict the territories where people may buy such digital goods, with more than 60 percent of license agreements restricting sales to a single country, the Commission found.

The Commission is inviting people to comment on the preliminary report, giving it some direction before publication of the final version. Depending on its findings, it may take action against companies it believes are breaking European competition law.

New Google API cryptographically secures Chromebooks

The Verified Access API uses the Trusted Platform Module to cryptographically identify and assess the security posture of Chrome OS devices

Google is making it possible for enterprises to cryptographically validate Chrome OS devices before letting them connect to secure networks with its new Verified Access for Chrome OS.

With Verified Access, network services -- VPN gateways, sensitive servers, an enterprise certificate authority, enterprise Wi-Fi access points -- can get a hardware-backed cryptographic guarantee from the client machine that it has not been compromised and the user is who he or she claims to be.

Verified Access uses the Trusted Platform Module chip present on all Chrome OS devices to confirm the device is unmodified and complies with existing security policies. The network service uses that information to determine what level of access the device gets to sensitive corporate systems and applications.

The combination of a cryptographic attestation of the device's untampered state, anchored to a chip on the device, has long been used in Apple's iOS devices, BlackBerrys, and Samsung's higher-end Android devices. The Trusted Platform Module chip used in Chrome OS devices has been available on higher-end Windows PCs for several years as well, though its use there is typically tied to validating the encryption key in a tamperproof manner.

"For years, Google has been using Verified Access to enhance security by ensuring the veracity and policy compliance of Chrome devices before allowing access to resources, and now we are making it available externally," Saswat Panigrahi, senior product manager for Chrome for Work, wrote on the Google for Work blog.

The Chrome OS Verified Access API is now publicly available and configurable in the Google Apps Admin Panel. Administrators get started by enabling Verified Access and granting access to use the enterprise.platformKeys API. A Chrome extension also needs to be installed on the devices to interact with the enterprise.platformKeys API.

ID, please

Enterprises typically have policies in place to restrict network and data access only to corporate-issued and verified devices, but they rely on client-side methods to verify the devices. A malicious actor who has compromised the operating system can conceivably fake the signals and bypass the client-side checks.

Verified Access obtains the cryptographic guarantee from the Trusted Platform Module chip present on the device and uses the Google server-side API to confirm the identity and status of the device. It confirms the device is a real Chrome OS device and not some other hardware with the Chrome OS image installed, and the request was recently initiated and not an older, cached request. Verified Access is managed by the corporate domain, so it can check the device against security settings and policies, as well as its compliance with internal policies. It can also verify the user is a valid domain user.

One potential scenario is to integrate Verified Access with an enterprise certificate authority. In this case, hardware-protected device certificates can be distributed to only devices that IT manages and has verified. A VPN gateway can be configured to authenticate the user with a certificate and issue that certificate if the user and device pass the Verified Access check, Panigrahi said. This way, enterprises get a hardware-backed cryptographic guarantee of the identity of the device, the user, and its policy-compliant state before granting them access to the protected resources behind the VPN.

This setup would work with many of the popular commercial VPN gateways, including Pulse Secure VPN, Dell SonicWALL Mobile Connect, Cisco AnyConnect, F5 Access, GlobalProtect, OpenVPN, and L2TP over IPSec. VPN vendors can build direct integrations with Verified Access, but it won't be necessary to get the benefits of the attestation protocol.

As long as the VPN is set up to accept certificate-based authentication, a common arrangement among enterprises, certificate issuance can be conditioned on Verified Access without making additional changes on the gateway, Panigrahi said.

The Chromebook security advantage

Many organizations are giving Chromebooks to their employees because of their security advantages, such as the automatic operating system updates, sandboxing and isolation technologies, whitelists for trusted Chrome extensions, and built-in encryption. Chrome OS also makes it easy to enforce policies, such as isolating the device to the Google Apps domain and using Verified Boot to complicate persistence across reboots. For organizations relying heavily on cloud applications and email-based attachments, Chromebooks make a lot of sense.

This is why cloud-based trusted access provider Duo Security has decided to issue Chromebooks to more than a quarter of its employees, across different job functions and departments. Over the past few months, Duo Security has been using Verified Access internally to assess Chromebooks before granting access to corporate resources, Michael Hanley, director of security at Duo Security, wrote in a blog post.

In Duo's case, Verified Access passed the cryptographic guarantees to the company's trusted access service to make decisions about the level of access to grant to the device. A login attempt passes a challenge from the Verified Access API to the Chrome extension (via the Chrome Message Passing API), which uses the enterprise.platformKeys API to get a response. The challenge response is sent to Duo's service, which verifies it by sending it to the Verified Access API and receiving the response. The service makes an access control decision based on that outcome. If the device fails the protocol, then access is denied.
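The challenge-response flow described above, modelled end to end as an added example (not Google's or Duo's code). An HMAC key stands in for the TPM-protected signing key, and the class and function names, the 60-second freshness window and the sample device IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # assumed freshness window, not a documented value


def sign(key, nonce, device_id, user):
    """HMAC-SHA256 over length-prefixed fields; stands in for a TPM-backed signature."""
    parts = [p.encode() for p in (nonce, device_id, user)]
    message = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class AttestationService:
    """Hypothetical stand-in for the server-side attestation API."""

    def __init__(self, domain):
        self.domain = domain
        self.enrolled = {}      # device_id -> key anchored in that device's hardware
        self.outstanding = {}   # nonce -> issue time, consumed on first verification

    def enroll(self, device_id, key):
        self.enrolled[device_id] = key

    def create_challenge(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = now
        return nonce

    def verify(self, response, now=None):
        now = time.time() if now is None else now
        nonce = response.get("nonce", "")
        device_id = response.get("device_id", "")
        user = response.get("user", "")
        # One-time use: popping the nonce means a captured response cannot be replayed.
        issued = self.outstanding.pop(nonce, None)
        if issued is None:
            return (False, "unknown or replayed challenge")
        # Freshness: an old, cached challenge is rejected even if never used.
        if now - issued > CHALLENGE_TTL_SECONDS:
            return (False, "stale challenge")
        key = self.enrolled.get(device_id)
        if key is None:
            return (False, "device not enrolled")
        expected = sign(key, nonce, device_id, user)
        if not hmac.compare_digest(expected, response.get("signature", "")):
            return (False, "bad signature")
        # The user field is trusted only after the signature over it has checked out.
        if not user.endswith("@" + self.domain):
            return (False, "user outside domain")
        return (True, "ok")


class Device:
    """Client side: the extension asks the hardware-backed key to answer a challenge."""

    def __init__(self, device_id, key, user):
        self.device_id = device_id
        self.key = key
        self.user = user

    def answer(self, nonce):
        return {
            "nonce": nonce,
            "device_id": self.device_id,
            "user": self.user,
            "signature": sign(self.key, nonce, self.device_id, self.user),
        }


def gateway_login(service, device, now=None):
    """Network service: fetch a challenge, relay it, let the service judge the answer."""
    nonce = service.create_challenge(now)
    ok, reason = service.verify(device.answer(nonce), now)
    return "grant" if ok else "deny: " + reason


if __name__ == "__main__":
    svc = AttestationService("example.com")
    managed_key = secrets.token_bytes(32)
    svc.enroll("CB-001", managed_key)  # constructed sample device ID
    print(gateway_login(svc, Device("CB-001", managed_key, "alice@example.com")))
    print(gateway_login(svc, Device("CB-999", secrets.token_bytes(32), "alice@example.com")))
```

The gateway never evaluates the client's claims itself; it only relays the response, which is why a compromised operating system cannot satisfy the check by faking client-side signals.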

"We use this to reliably assess the security posture of Chromebooks at Duo before they are allowed to access particularly sensitive resources," Hanley wrote.

Duo Security and Ruckus Wireless have already integrated the Verified Access API with their offerings. Duo plans to have general availability of Verified Access in Duo's Platform Edition later this year. Administrators would be able to use Duo's service to make access control decisions based on information from Verified Access, much in the same way Duo currently uses the feature internally.

"Part of the reason we like this feature is it's a very strong property based on how the protocol works and what it attests to and because it was very easy for us to deploy and manage," Hanley said. 

Ruckus has integrated its Cloudpath ES security management platform with the API to securely differentiate between IT-owned and user-owned Chromebooks. Cloudpath uses the API to ensure only IT-owned Chromebooks are allowed to join the wireless network or receive the certificate to access sensitive resources.

Other identity, network, and security providers can follow Ruckus and Duo's example by integrating their services with the Verified Access API. Duo's Hanley said Verified Access required "very minimal adjustments" to deploy the API internally.

"For customers that are heavy on Chromebooks and Google Apps, the lift is surprisingly low considering what customers gain from this," Hanley said.

Google has also been working on other ways to strengthen endpoint security on Chrome devices, such as adding Smartcard Authentication support. The newly launched Citrix Receiver for Chrome 2.1 lets users authenticate to virtualized Citrix applications using smartcards. If single sign-on is enabled, they can log in to their Chromebook and automatically be authenticated across Citrix and virtualized Windows applications.

At the moment, Verified Access is only available for Chrome devices, and there's no word on whether Google plans to expand the security feature for other TPM-enabled platforms. Verified Access makes Chrome OS even more attractive in the enterprise endpoint security space.
