.net programming, computers and assorted technology rants

Archive for September, 2013

Microsoft developing tech to stream Xbox games to PC, phones

Courtesy ArsTechnica

Recently, Microsoft’s discussions of "cloud gaming" have centered on how its Azure-powered servers can help add more processing power to games on the Xbox One. Now, a new report hints that Redmond’s server farms may allow the company to stream console games to PC and mobile platforms.

The Verge cites "sources familiar" with a recent internal Microsoft meeting that demonstrated Xbox 360 game Halo 4 running on Windows Phone and PC platforms via cloud-based streaming. Such a solution would allow high-end games to run even on relatively underpowered phones and PCs by handling the input and processing on remote servers, then streaming video and audio back to the user’s screen.

According to the report, Microsoft was able to get latency of just 45 ms streaming the game to a Lumia 520 through the cloud. That would be incredible if true, considering that in-home streaming from a local PC on devices like the Nvidia Shield clocks in at about 100 ms of round-trip latency in testing, and that’s without having to get data from Internet servers that can be thousands of miles away.

For its part, Sony purchased streaming gaming company Gaikai last year and has promised to use the technology to stream PS3 and PS4 games to PS4 and Vita systems (and potentially other devices). Still, Sony has yet to lay out any significant details about its streaming plans, and it says the service won’t be available until 2014.


Meet the machines that steal your phone’s data

Courtesy Ryan Gallagher, ArsTechnica

The National Security Agency’s spying tactics are being intensely scrutinized following the recent leaks of secret documents. However, the NSA isn’t the only US government agency using controversial surveillance methods.

Monitoring citizens’ cell phones without their knowledge is a booming business. From Arizona to California, Florida to Texas, state and federal authorities have been quietly investing millions of dollars acquiring clandestine mobile phone surveillance equipment in the past decade.

Earlier this year, a covert tool called the “Stingray” that can gather data from hundreds of phones over targeted areas attracted international attention. Rights groups alleged that its use could be unlawful. But the same company that exclusively manufactures the Stingray—Florida-based Harris Corporation—has for years been selling government agencies an entire range of secretive mobile phone surveillance technologies from a catalogue that it conceals from the public on national security grounds.

Details about the devices are not disclosed on the Harris website, and marketing materials come with a warning that anyone distributing them outside law enforcement agencies or telecom firms could be committing a crime punishable by up to five years in jail.

These little-known cousins of the Stingray can not only track movements—they can also perform denial-of-service attacks on phones and intercept conversations. Since 2004, Harris has earned more than $40 million from spy technology contracts with city, state, and federal authorities in the US, according to procurement records.

In an effort to inform the debate around controversial covert government tactics, Ars has compiled a list of this equipment by scrutinizing publicly available purchasing contracts published on government websites and marketing materials obtained through equipment resellers. Disclosed, in some cases for the first time, are photographs of the Harris spy tools, their cost, names, capabilities, and the agencies known to have purchased them.

What follows is the most comprehensive picture to date of the mobile phone surveillance technology that has been deployed in the US over the past decade.


Pic of the Day: The NSA advertising on TechCrunch

Courtesy of TechCrunch


Microsoft will pay you for your iPhone or iPad

Courtesy Alex Wilhelm, TechCrunch

Microsoft wants to take your Apple product off your hands, today expanding its trade-in programs to allow owners of dated iPhone hardware to cash in their now-passé electronics.

If you own an iPhone 4S or 5 that is “gently used” and not much worse, Microsoft will offer you no less than $200 for it. The kicker? The funds come in the form of Microsoft Store credit, so you are trading in your Apple hardware for the chance to buy Microsoft goods.

What does Microsoft want? That you drop that iPhone off with them and wander out with a Surface 2 pre-order or a Lumia Windows Phone handset. Microsoft has cash and wants market share; this is a natural outgrowth of those two facts.

Microsoft also has in place a deal that will grant store credit for iPads. In short, if you have an Apple device that Microsoft competes with – recall that Microsoft doesn’t build PCs that are not tablet-based, through its Surface line – it wants to buy it from you and get you onto its own hardware.

In a way the move is ballsy: Microsoft is betting its own money that you will be content with its wares after a long stint on Apple silicon. And it is paying to make the wager. Precisely what Microsoft intends to do with all its accumulated Apple hardware remains opaque.

Microsoft is in the process of purchasing Nokia’s handset business, and recently announced new Surface hardware that replaces its first-generation attempts at OEM supremacy. Expect more moves like this to support Microsoft’s yet-nascent devices business.

Stop using NSA-influenced code in our products, RSA tells customers

Courtesy Dan Goodin, ArsTechnica.com

Officials from RSA Security are advising customers of the company’s BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that were recently revealed to contain a backdoor engineered by the National Security Agency (NSA).

An advisory sent to select RSA customers on Thursday confirms that both products by default use something known as Dual_EC_DRBG when creating cryptographic keys. The specification, which was approved in 2006 by the National Institute of Standards and Technology (NIST) and later by the International Organization for Standardization, contains a backdoor that was inserted by the NSA, The New York Times reported last week. RSA’s advisory came 24 hours after Ars asked the company if it intended to warn BSAFE customers about the deliberately crippled pseudo random number generator (PRNG), which is so weak that it undermines the security of most or all cryptography systems that use it.

"To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG," the RSA advisory stated. "Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation" on RSA’s websites.

The BSAFE library is used to implement cryptographic functions into products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications. The RSA Data Protection Manager is used to manage cryptographic keys. Confirmation that both use the backdoored RNG means that an untold number of third-party products may be bypassed not only by advanced intelligence agencies, but possibly by other adversaries who have the resources to carry out attacks that use specially designed hardware to quickly cycle through possible keys until the correct one is guessed.

McAfee representatives issued a statement that confirmed the McAfee Firewall Enterprise Control Center 5.3.1 supported the Dual_EC_DRBG, but only when deployed in federal government or government contractor customer environments, where this FIPS certification has recommended it. The product uses the newer SHA1 PRNG random number generator in all other settings.

The NIST certification page lists dozens of other products that also use the weak RNG. Most of those appear to be one-off products. More significant is the embrace of BSAFE as the default RNG, because the tool has the ability to spawn a large number of derivative crypto systems that are highly susceptible to being broken.

In the beginning …

From the beginning, Dual_EC_DRBG—short for Dual Elliptic Curve Deterministic Random Bit Generator—struck some cryptographers as an odd choice for one of NIST’s officially sanctioned RNGs. It was literally hundreds of times slower than typical RNGs, and its basis in "discrete logarithm" mathematics was highly unusual in production environments.

"I personally believed that it was some theoretical cryptographer’s pet project," one cryptographer who asked not to be named told Ars. "I envisioned a mathematician, annoyed at the lack of theoretical foundation in random number generation, badgering his way into an NIST standard."

A year after NIST approved the RNG as a standard, two Microsoft researchers devised an attack that allowed adversaries to guess any key created with the RNG with relatively little work.

Johns Hopkins professor Matt Green recounts that failing and a wealth of other peculiarities surrounding the embrace of Dual_EC_DRBG in an exhaustive technical analysis published Wednesday. Among them: when Dual_EC_DRBG was adopted, it had no security proof.

"In the course of proposing this complex and slow new PRNG where the only frigging reason you’d ever use the thing is for its security reduction, NIST forgot to provide one," Green wrote. "This is like selling someone a Mercedes and forgetting to include the hood ornament."

In an e-mail, RSA Chief of Technology Sam Curry defended the decision-making process that went into making the RNG the default way for BSAFE and Data Protection Manager to generate keys.

"The length of time that Dual_EC_DRBG takes can be seen as a virtue: it also slows down an attacker trying to guess the seed," he wrote. He continued:

"Plenty of other crypto functions (PBKDF2, bcrypt, scrypt) will iterate a hash 1000 times specifically to make it slower. At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard. SP800-90 (which defines Dual EC DRBG) requires new features like continuous testing of the output, mandatory re-seeding, optional prediction resistance, and the ability to configure for different strengths."

It will take time for people to ferret out all the products that use Dual_EC_DRBG, particularly as the sole or default RNG. Readers who know of others are invited to leave that information in a comment to this post.

MS Windows 8.1 RTM and VS 2013 RC Available to Developers

Courtesy Adrian Bridgwater, Dr. Dobbs

Microsoft this week informs developers that access is open to the Release Candidate (RC) for Visual Studio 2013. The company also announced that Windows 8.1 RTM (release to manufacturing) and Windows Server 2012 R2 RTM are now available to the developer community via MSDN and TechNet.

The invitation here from Redmond is, build and test your apps for Windows 8.1 now in advance of Windows 8.1 general availability in October. However, given the subtle differences between Windows 8.0 and Windows 8.1 with its pseudo-START button (that isn’t really a start button), one has to question whether developers will radically reshape any plans already in motion at this stage, however positive the overall release of 8.1 may be.

Microsoft unsurprisingly turns on the "touchy-feely" spin here and says that it is confident these pre-release versions will enable developers to prepare and test their applications and infrastructure for the next release of Windows and Windows Server.

NOTE: Although developers now have all the tools they need to build and test their Windows 8.1 apps, they will need the final versions of Windows 8.1, Windows Server 2012 R2, and Visual Studio 2013 to onboard their apps to the Windows Store, starting October 18, 2013.

New features in Visual Studio 2013 RC include Office 365 Cloud Business app development so that programmers can create business applications that extend Office 365 to help users interact with business processes, artifacts, and other systems. Office 365 Cloud Business Apps run in the cloud and are available to run on a "myriad of devices" (says Microsoft) to aggregate data and services from in and out of an enterprise, plus help integrate user identities and social graphs.

NOTE: These applications integrate with the application lifecycle management capabilities of Visual Studio — and this is, in effect, a play from Microsoft to bridge the worlds of the business application developer with IT operations.

Also included is the TypeScript language for application-scale JavaScript development, less than a year after Microsoft released its first public preview.

According to Microsoft, "With Visual Studio 2013 RC, we are including the most recently released version of TypeScript tooling (v0.9.1.1) as we continue to seek community feedback from our early adopters. TypeScript brings classes, modules, and optional static types to JavaScript development. In Visual Studio, this enables rich tools like live error reporting as you type, IntelliSense, and Rename refactoring."

Work Item Charting has also been included to help programmers create a variety of charts to visualize data from work item queries, such as bugs, user stories, and tasks. As work item data changes, simply refresh your charts to reflect the latest information, says Microsoft.

In separate blog posts from executives S. Somasegar and Steve Guggenheimer, Microsoft invited developers to download and try the many new features in Visual Studio 2013 RC — the latest version of Microsoft’s developer tools — in order to provide feedback for the final release.

PhatWare’s Windows 8 Handwriting SDK

Courtesy Adrian Bridgwater, DrDobbs.com

PhatWare’s WritePad handwriting recognition SDK for Microsoft Windows 8/RT and Windows Phone 8 has been updated with support for 11 languages in a single static library.

This tool recognizes natural handwritten text in a variety of handwriting styles: cursive (script), PRINT, and MIXed.

Suitable for implementation in both embedded devices and "external" applications, this is handwriting-based text input to automatically convert text in third-party applications on Windows-based devices.

Support for seven new languages brings the total count of supported languages to 11, including English (US, UK, US Medical), Danish, Dutch, Finnish, French, German, Italian, Norwegian, Portuguese (Brazil, Portugal), Spanish, and Swedish.

PhatWare has worked on improved recognition quality of individual letters and words in print and cursive modes. The company has also updated sample code that demonstrates how to call the native WritePad API from .NET and Windows Store applications. It recognizes dictionary words from its main or user-defined dictionary, as well as non-dictionary words, such as names, numbers, and mixed alphanumeric combinations.

It also provides automatic segmentation of handwritten text into words and automatically differentiates between vocabulary and non-vocabulary words, and between words and arbitrary alphanumeric strings.

According to PhatWare, "WritePad SDK includes handwriting recognition engine static libraries and dictionaries for all supported languages, API header files, documentation, and sample code in C++ and C# allowing easy integration with new or existing Windows applications or devices. WritePad SDK evaluation is free, while commercial redistribution is royalty-based."