Exploit puts popular web and mobile apps at risk

A new exploit could allow users to bypass security checks in Electron, a popular cross-platform development framework. The exploit, posted by Trustwave, has been patched and developers should update their apps as soon as possible.

The exploit could allow cross site scripting in some apps by turning on nodeIntegration, a method that allows the app to not only connect to its own modules but also Node.js modules.

From the announcement:

Electron applications are essentially web apps, which means they&re susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js& built in modules. This makes XSS particularly dangerous, as an attackerpayload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side. Atom had an XSS vulnerability not too long ago which did exactly that. You can remove access to Node.js by passing nodeIntegration: false into your applicationwebPreferences.

Many popular apps use Electron including Discord, Signal, Visual Studio Code, and Github . Slack also uses Electron for its apps.

The exploit depends on the nodeIntegration setting and the process of opening a new window. While in most cases nodeIntegration is set to false, in some cases you can set nodeIntegration to true and then pass other nefarious scripts including calling the child_process module which lets you make system calls like spawn which then lets you run commands in the operating system.

You can see Electronwebsite here and here is their blog post on the update. Most apps shouldn&t be effected as long as you&ve upgraded the platform in the last few weeks.

Write comment (99 Comments)
GraphPath plans to combine Knowledge Graphs with the blockchain

Last year I covered the launch of GraphPath, a new startup that had developed a platform that aimed to &insert AI into global corporates& by making it easy to create and manage so-called Knowledge Graphs with its &Knowledge Graph-as-a-Service& technology.

Knowledge Graphs are essentially a way to organize data in an endless network of facts and relationships. Itsimilar to Facebook‘social graph& (which contains highly descriptive data about how people are connected) but instead is about how knowledge is connected. In theory, you could use blockchain to create a knowledge graph, and in fact, thatwhat the company claims to have now done. GoogleKnowledge Graph powers its search functions, and according to the company contains over 70 billion facts.

Today itannouncing GraphOS, which is described as &the worldfirst decentralized operating system for Knowledge Graphs on the blockchain, that will be enabled by the GraphOS Protocol,& according to Demian Bellumio, GraphPathCEO.

What does that mean in plain English

Basically, it means GraphOS will allow for a network of Knowledge Graphs to be safely and securely be interconnected via blockchain technology. Through this network, a wide array of participants, such as Knowledge Graph owners, data providers, knowledge experts, and data scientists will be able to transact with each other. GraphPath calls this ecosystem, a Graph Operating System, as it will manage all the resources necessary to run the Network, thereby the name GraphOS.

Bellumio says that in order to really derive value from a Knowledge Graph, not only do enterprises need to master the complex technologies that are necessary to build and manage these complex semantic data systems, but they must also have access to large volumes of data.

A telco that builds a graph with just their customers& app usage data, will never be able to draw powerful insights from that data alone, according to Bellumio. It would also need QoS data, web browsing data, and even geolocation. . So how does an enterprise engage with other enterprises or data providers to acquire this complementary data Thatwhere blockchain and smart contracts come in.

The GraphOS Protocol provides a mechanism for defining and exchanging knowledge assets, such as data, code, ownership and governance details, feeding into the complementary data.

In addition, GraphPath plans to open-source all of its tools, while making them all natively support the GraphOS protocol.

GraphPath is also planning an ecosystem around this idea. Italso now creating the GraphOS Consortium, which will be co-chaired by GraphPathCEO Bellumio and Andrew McLaughlin, who has worked with ICANN, Google, the US Government and Tumblr. Consortium members include Chris Boos from Arago and Antoine Blondeau from Sentient, Carlos Domingo from Securitize and SPiCE VC and Shayne Coplan from TokenUnion, and Andrew McLaughlin from Higher Ground Labs and Michael Sarasti from the City of Miami.

Write comment (94 Comments)

TiVo DVRs are getting Alexa support. The company is announcing its lineup of DVRs, including Series 4 (Premiere), 5 (Roamio), and 6 (Bolt) boxes like TiVo BOLT VOX introduced last fall, will be gaining support for Amazonvirtual assistant, Alexa.The assistant will be able to do things like change the channel, skip commercials, jump back or forward, launch apps like Netflix, and more, says TiVo.

The company is not the only third-party DVR maker to have added support for Alexa.

Thanks to developer tools like the Video Skill API,other cable and satellite TV companies, streaming services, and content providers can now add voice control to their devices and apps, as well. For example, Dish last fall became the first U.S. pay TV provider to integrate with Alexa for hands-free TV. Others working with Amazon include DirecTV and TechCrunchparent (by way of Oath), Verizon.

Amazon Video Skill API was updated in March to include support for DVR recording, allowing users to set and manage their DVR recordings via their voice & thatsomething TiVo, presumably, will add at a later date, as itnot live yet. At the time of Amazonannouncement, it had also said TiVo was one of the companies developing experiences using the Video Skill API.

In addition, TiVo itself had announced plans to add smart home integration, including voice control through Alexa and Google Assistant, back at CES in January.

According to TiVo, Alexa will let its customers do many of the things they can do today with the TiVo remote. For example, you can ask Alexa to change the channel by saying things like &Alexa, watch CBS& or &Alexa, go to FOX.& You can also launch apps on TiVo& by saying things like &Alexa, open Netflix.&

But where TiVoimplementation is different from other DVR makers is how it has put Alexa to use to control its devices& unique features, like skipping the commercials & which TiVo calls SkipMode.

TiVo adds Alexa voice control to its DVRs

This can be done by telling Alex to &skip commercials,& says TiVo, and it joins other playback-related skills like jumping back 8 seconds (&Alexa, go back&), pausing and playing, fast-forward, and rewind.

&With far-field voice control, life becomes more untethered for our customers,& said Andrew Heymann, TiVoSenior Director of Product Management, said in an announcement about the new functionality. &They can continue to enjoy watching their favorite programming with TiVocool features even when they&re preparing dinner and their hands are too dirty to use the remote, or when they&re exercising, and they don&t have access to their remote. Life suddenly gets a lot easier,& he adds.

A placeholder screen for the new Alexa functionality popped up this weekend on supported devices, reports Dave Zatz, who regularly covers TiVo. The screen says Alexa is &coming soon& and will roll out to TiVo retail devices with software version 20.7.4 or later. The rollout is expected to compete by June 1st, it also notes.

The addition of Alexa to TiVoboxes is notable, too, because TiVo itself had developed voice-control functionality of its own. Its newer BOLT VOX and Mini VOX were the companyfirst DVRs to include a voice remote control, which offers similar functionality to Alexa.

However, TiVo sold the remote separately, which limited the reach of its voice control offering for consumers. With Alexa, the company is able to go after the growing market of those who already own an Amazon Echo device.

Write comment (92 Comments)

&Last year was pretty hard, I&m not gonna lie& says Peter Deng, Uberhead of rider experience. But as part of new CEO DaraKhosrowshahipush to rebrand Uber around safety, &we&ve seen the company shift to more listening&.

That focus on hearing users& concerns prompted todaychange. Have a bad Uber ride when you&re busy and you might neglect to rate the driver or accidentally rush through giving them 5 stars. Forcing users to wait until a ride ends to provide feedback deprives them of a sense of control while decreasing the number of accurate data points Uber has to optimize its service.

I had just this experience last month, leading me to tweet that Uber should let us rate trips mid-ride:

Uber apparently felt similarly, so itmaking an update. Starting today, Uber users can rate their trip mid-ride, providing a star rating with categorized and written feedback, plus a compliment or tip at any time instead of having to wait for the trip to end. &Every day 15 million people take a ride on Uber. If you can capture incrementally more and better feedback . . . we&re going to use that feedback to make the service better& says Deng. Lyft still won&t let you rate until a ride is over.

Specifically, the data will be used to &recognize top quality drivers . . . through a new program launching in June&, Uber tells me. &We&re going to be celebrating the drivers that provide really awesome service& Deng says, though he declined to say whether that celebration will include financial rewards, access to extra driver perks, or just a pat on the back.

Uber lets you rate mid-ride before you forget feedback

But Uber will also now use the feedback options that appear when you give a less-than-perfect rating to tune the technology on its backend. So that way, if you say that the pickup was the issue, it might be classifed as a &PLE & pickup location error&, and that data gets routed to the team that improves exactly where drivers are told to scoop you up. To ensure thereno tension between you and the driver, Uber won&t share your feedback with them anonymously until the ride ends.

I asked if reminding users to buckle their seat belts would be in that Safety Center and Uber tells me itnow planning to add info about buckling up. Itbeen a personal quest of mine to dispel the myth that professionally driven vehicles are invulnerable to accidents. That idea, propagated by heavy-duty Ford Crown Victoria yellow cabs piloted by life-long drivers in cities they know, doesn&t hold up given Ubers are often lightweight hybrids often operating in places less familiar to the driver.Uber lets you rate mid-ride before you forget feedback

The launch follows the unveiling of Ubernew in-app Safety Center last month that gives users access to insurance info, riding tips, and emergency 911 button. After a year of culture and legal issues, Uber needs to recruit users who deleted it or check an alternative first when they need transportation.

Enhanced safety and feedback could earn their respect. As competition for ride sharing heats up around the world, all the apps will be seeking ways to differentiate. They&re already battling for faster pick-ups and better routing algorithms. But helping riders to feel like their complaints are heard and addressed could start to work some dents out of Uberpublic image.

Write comment (95 Comments)
Xage introduces fingerprinting to protect industrial IoT devices

As old-school industries like oil and gas increasingly network entities like oil platforms, they become more vulnerable to hacking attacks that were impossible when they were stand-alone. That requires a new approach to security and Xage (pronounced Zage), a security startup that launched last year thinks it has the answer with a concept called ‘fingerprinting& combined with the blockchain.

&Each individual fingerprint tries to reflect as much information as possible about a device or controller,& Duncan Greatwood, XageCEO explained. They do this by storing configuration data from each device and controller on the network. That includes the hardware type, the software thatinstalled on it, the CPU ID, the storage ID and so forth.

If someone were to try to inject malware into one of these controllers, the fingerprint identification would notice a change and shut it down until human technicians could figure out if ita legitimate change or not.

Whither blockchain

You may be wondering where the blockchain comes into this, but imagine a honey pot of these fingerprints were stored in a conventional database. If that database were compromised, it would mean hackers could have access to a companyentire store of fingerprints, completely neutering that idea. Thatwhere the blockchain comes in.

Greatwood says it serves multiple purposes to prevent such a scenario from happening. For starters, it takes away that centralized honey pot. It also provides a means of authentication making it impossible to insert a fake fingerprint without explicit permission to do so.

But he says that Xage takes one more precaution unrelated to the blockchain to allow for legitimate updates to the controller. &We have a digital replica (twin) of the system we keep in the cloud, so if someone is changing the software or plans to change it on a device or controller, we will pre-calculate what the new fingerprint will be before we update the controller,& he said. That will allow them to understand when there is a sanctioned update happening and not an external threat agent trying to mimic one.

Checks and balances

In this way they check the validity of every fingerprint and have checks and balances every step of the way. If the updated fingerprint matches the cloud replica, they can be reasonably assured that itauthentic. If it doesn&t, he says they assume the fingerprint might have been hacked and shut it down for further investigation by the customer.

While this sounds like a complex way of protecting this infrastructure, Greatwood points out that these devices and controllers tend to be fairly simple in terms of their configuration, not like the complexities involved in managing security on a network of workstations with many possible access points for hackers.

The irony here is that these companies are networking their devices to simplify maintenance, but in doing so they have created a new set of issues. &Ita very interesting problem. They are adopting IoT, so they don&t have to do [so many] truck rolls. They want that network capability, but then the risk of hacking is greater because it only takes one hack to get access to thousands of controllers,& he explained.

In case you are thinking they may be overstating the actual problem of oil rigs and other industrial targets getting hacked, a Department of Homeland Security report released in March suggests that the energy sector has been an area of interest for nation-state hackers in recent years.

Write comment (91 Comments)

Boosted Boards (now, just Boosted) is back with a skateboard that really seems to get it right. The companylatest product is their first shortboard. It lops off 8.5 inches in length from the deck, but the differences go far beyond a big reduction in a single dimension.

The company is probably the most recognizable name in electric longboards, but the Boosted detractors would likely point to their products& priciness as their central downfall.The $749 Boosted Mini S does a lot to increase accessibility on the price front, and while zooming around at 18mph on the shortboard might feel a bit more nerve-racking as your island of control shrinks, this board is incredibly fun.

Review: $749 Boosted Mini S electric skateboard nails it

Specs (via Boosted)

  • Price: $749
  • Range: Up to 7 miles
  • Top Speed: Up to 18 mph
  • Hill Climbing: Up to 20% grade
  • Modes: 3 Ride Modes
  • Wheels: Boosted Lunar 80mm
  • Deck Length: 29.5 inches
  • Weight: 15.0 lbs

First, the shortening of the board does do a good deal for portability. My preferred way of holding the board by its front truck just hanging down alongside my leg, with past Boosted boards if you did this you&d either be dragging the board along the ground or you&d be hoisting it up in a way that gave you a little side abs workout. Holding this while walking around indoors feels a lot less like you&re cruising through the aisles with a surfboard under your arm, itjust way more low-key and less of a hassle to travel with.Italso got a nice new look with its sort-of-signature orange wheels now custom-made by Boosted.

Nevertheless, the Mini S is a dense little guy. If you were hoping for an electric skateboard you could pop an ollie on, the Boosted Mini S will throw you some challenges. At 15 pounds, itnot exactly a beast, but a big weight reduction was not part of this shortboard transformation.The board is still certainly manageable but everyone who has picked mine up has been pretty surprised at how hefty it is.

Review: $749 Boosted Mini S electric skateboard nails it

That heft feels a lot more rigid on the Boosted Mini S if you&re familiar with the Boosted boards of the past. There is very minimal flex on this shortboard which is unsurprising if you ride regular skateboards but offers a pretty major alteration to how the ride feels. Whereas hopping up and down on a Boosted longboard involves the middle bowing in and out quite a bit, the undercarriage of the Mini S is basically one big battery so therenot much room for flexibility which means that you definitely feel bumps along the way more.

This is both good and bad. I personally think it makes the board a lot of fun to ride. The rigidity teamed with the little kicktail on the back of the board can make for some added maneuverability that means hairpin turns are well within reach. This is pretty big because the turning radius was already tighter just by virtue of the wheels being closer together so the kicktail can free you up to do most tight maneuvering as long as you aren&t maxing out throttle while doing so.

[gallery ids="1638917,1638916,1638915,1638914,1638911"]

The Mini S is fairly frightening to ride at times, theresomething a bit more comforting about the extra length and flex of the longboards. The shortboard takes away the security of a suspension system and swaps it with the freedom of being able to easily hop up onto a small curb or turn out.

With a max speed of 18mph, itbecome clear that fast feels faster on the Mini S. You get the speed modes of past iterations which should help you adjust your training wheels while you get moving gradually towards expert speeds. Your guide to this speed and mode-switching is still the little Boosted controller which gets the job done and offers a nice degree of precision for accelerating and breaking with the satisfying wheel control.

Review: $749 Boosted Mini S electric skateboard nails it

The seven-mile range on a single charge isn&t that great and you won&t even hit that if you&re maxing out the speed, but if you&re buying this for a short commute or just for some little jaunts around town, ita great ride — though you still might be in for an easier ride on one of the companylengthier boards.

With $250 separating the Mini S from the Mini X, a gray-wheeled version of the product that adds less than a couple of pounds but doubles the total range from 7 to 14 miles and increases max speed by a couple of miles, there might be enough there to offer a full endorsement of making an upgrade if you want to try out the electric shortboard life.

Boosted has managed to fit an awful lot into a $749 package that has inherited most of its predecessors& better qualities without gaining any fatal flaws. Ita different beast and there are still plenty of people who should still be opting for a longboard, but the Mini S offers a degree of freedom and tightness that you won&t get from many of the other electric-powered things with wheels out there.

Write comment (97 Comments)