Episode 2226 – Uh-OAuth

Darren Kitchen is on the show to help us understand why we shouldn’t freak out about the OAuth flaw, and what Apple, Google and Facebook are really doing to protect their users from government data requests.

Len Peralta was on assignment today, so Jennie did some 8th-grade-level fear-based art: What’s A Poor Normal To Do



Or you can download the MP3 version here.

Headlines

 * Our top story on the subreddit was submitted by Beatmaster80 and tekkyn00b. Apple, Microsoft, Facebook and Google are all updating their policies to expand the notification they give users when a government agency requests their personal data. Yahoo announced a similar policy in July, and Twitter has always done so. Users would not be notified if a court order prevents it or if there is imminent risk of physical harm to a potential crime victim. The policies will have no effect on NSA data collection or National Security Letters both of which are required to remain secret by law.


 * bmorales submitted a CNET story about Nanyang Technological University student Wang Jing uncovering a flaw in OAuth and OpenID that could be used to steal a login token from services like Facebook or Google when using those services to log in to a third-party site. The token could then be used to retrieve data from Google or Facebook. Mashable’s Christina Warren has an excellent writeup of the issue. It’s not a weakness in OAuth at all but is caused by a weak implementation on the third-party website’s side, which could be mitigated by certain practices on the side of Facebook or Google. Also, the attack requires you to click a suspicious link AND then choose to log in with a service. So no. This is not another Heartbleed.
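The "weak implementation" and the provider-side mitigation mentioned above come down to how a redirect_uri is matched. As an added illustration (not code from the show, the researcher, Facebook or Google), the snippet below contrasts a loose host-only match, which lets an authorization response be bounced through a third-party site's own redirector, with the exact-match rule the linked OAuth threat-model draft recommends, plus the check a third-party site can apply to its own "next" parameter. All hostnames and URLs are constructed.

```python
"""Added example: strict versus loose redirect_uri matching for an OAuth
authorization server, and a same-site redirect check for a relying party.
Every hostname and URL here is constructed for illustration."""
from urllib.parse import urlsplit

# Constructed registration record for a hypothetical third-party site.
REGISTERED_REDIRECT_URI = "https://thirdparty.example/oauth/callback"


def _normalize(uri: str) -> tuple:
    """Reduce a URI to (scheme, host, port, path) with defaults applied."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/")


def redirect_uri_allowed_loose(registered: str, requested: str) -> bool:
    """Weak check: any path on the registered scheme/host/port is accepted.
    If the site also hosts an open redirector, the provider will happily
    send the token to that redirector's path."""
    return _normalize(requested)[:3] == _normalize(registered)[:3]


def redirect_uri_allowed_strict(registered: str, requested: str) -> bool:
    """Exact check: scheme, host, port and path must equal the registered
    value and the request may not add its own query or fragment. The
    provider appends code/state itself, so nothing else is needed."""
    p = urlsplit(requested)
    if p.query or p.fragment:
        return False
    return _normalize(requested) == _normalize(registered)


def is_safe_next_path(next_value: str) -> bool:
    """Relying-party side: only follow a 'next' value that is a local,
    absolute path. Rejects scheme-relative (//host) and absolute URLs."""
    if not next_value.startswith("/") or next_value.startswith(("//", "/\\")):
        return False
    p = urlsplit(next_value)
    return p.scheme == "" and p.netloc == ""


def evaluate(requested: str) -> dict:
    """Return both verdicts for one requested redirect_uri."""
    return {
        "loose": redirect_uri_allowed_loose(REGISTERED_REDIRECT_URI, requested),
        "strict": redirect_uri_allowed_strict(REGISTERED_REDIRECT_URI, requested),
    }


if __name__ == "__main__":
    # A redirect_uri pointing at the site's own redirector endpoint (constructed).
    bounced = "https://thirdparty.example/redirect?url=https://attacker.example/"
    print("exact callback:", evaluate(REGISTERED_REDIRECT_URI))
    print("bounced callback:", evaluate(bounced))
    print("next=/account:", is_safe_next_path("/account"))
    print("next=//attacker.example:", is_safe_next_path("//attacker.example"))
```

Run it and the "bounced" URI passes the loose check but fails the strict one, which is the whole difference between the scary headline and the actual exposure: the provider only ever sends the token to the one path the site registered.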


 * The Next Web reports Microsoft’s Windows Phone manager, Joe Belfiore held a Reddit AMA today where he said Windows Phone will get a file manager by the end of the month, hopefully. The app will let you create new folders, move files from one folder to another, and search within folders.


 * Ars Technica reports on a system called Large Emergency Event Digital Information Repository, meant to let citizens upload videos and photos to help police investigations and disaster response. Amazon Web Services has teamed with the Los Angeles Sheriff’s Department on the project. Santa Barbara, CA authorities are the first to use the system and are calling on the public to upload images taken of a riot last month at the Isla Vista community near the University of California at Santa Barbara. Apps for LEEDIR are available for iOS and Android.


 * The Verge reports the next Call of Duty game, Advanced Warfare, will launch on November 4th, and star Kevin Spacey as head of a private military corporation that has launched an attack on the US. The first trailer showed up on the official Call of Duty YouTube page late last night.


 * Macrumors reports Apple is expanding its iTunes Match service to Japan. The service, which costs ¥3,980 per year, lets iTunes users match their library with cloud versions of the songs for quick storage, which can then be accessed from any Apple device.

News From You

 * KAPT_Kipper posted a GigaOm story that a class action complaint has been filed against Google, alleging secret deals force Samsung and others to use the Google search engine on mobile devices, creating a search monopoly, which in turn makes devices cost more. The crux of the complaint is that Google offers Mobile Application Distribution Agreements, which require device makers to make Google the default search engine if they want to include Google’s other mobile apps like YouTube and the Google Play app store. Google told GigaOm by email, “Anyone can use Android without Google and anyone can use Google without Android.”


 * metalfreak sent in the PC World story about the Attorney General for the US state of Washington filing a lawsuit against a company that raised $25,000 on Kickstarter but failed to deliver its product, a retro-horror playing-card deck called Asylum. The project funded in October 2012 and has yet to deliver any rewards. Kickstarter’s terms of use require creators to fulfill all rewards of their projects or refund backers. The complaint, filed in King County Superior Court, seeks restitution for consumers and as much as $2,000 per violation of the state’s Consumer Protection Act.


 * Beatmaster80 pointed us to the Record story that Lila Tretikov has been named Executive Director of Wikimedia Foundation, the nonprofit organization that runs Wikipedia among other projects. Outgoing director Sue Gardner will end her term on June 1. Tretikov was previously chief product officer at SugarCRM. Tretikov’s personal background growing up in the Soviet Union and her experience with open-source engineering seem to be the main reasons she got the job.


 * KAPT_Kipper posted an ITWorld story that Sony has developed magnetic tape that stores data at 148 gigabits per square inch, 74 times the density of standard tapes. That could mean 185 TB tape cartridges. Current LTO-6 cartridges can handle up to 2.5 TB. Tape is still used for long-term data storage. The Tape Storage Council industry group reports tape capacity shipments grew by 13 percent in 2012 and were projected to grow by 26 percent last year.


 * Pootinky pointed to a Slashdot posting about a Vanderbilt University graduate student, working at Oak Ridge National Laboratory, who has discovered a way to create three-atom-thick nanowires capable of linking transistors and other components. It’s a step toward devices that could be as thin as paper.

Discussion Section Links

 * http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
 * http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
 * http://mashable.com/2014/05/02/oauth-openid-not-new-heartbleed
 * http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-08#section-4.1.5
 * http://www.washingtonpost.com/business/technology/apple-facebook-others-defy-authorities-increasingly-notify-users-of-secret-data-demands-after-snowden-revelations/2014/05/01/b41539c6-cfd1-11e3-b812-0c92213941f4_story.html?hpid=z1

Pick of the Day

 * Dogeforsale.com via Luke Olsen
 * "Looking to get into some Dogecoins before the DogeCar takes the track at Talladega this weekend. Not sure how to navigate crypto exchanges? Have no fear, dogeforsale.com is here. It’s a site where users can buy and sell Dogecoins with PayPal, Google Wallet, debit cards, etc. The site is a basic escrow service; it holds the coins during the transaction. Get Dogecoins fast and securely. much speed very secure. DISCLAIMER: I’m a seller on the site, “SkyJedi”"