Voiding your warranty, apparently, is as simple as running five short commands. To run those, however, you need a higher-resolution way of communicating with your Google Glass device than the touch-sensitive screen on your specs.

“Fortunately, this is an Android device, and like most Android devices, it has a Bluetooth chip,” Google engineer P.Y. Laligand said today at the chat on hacking Glass.

Source: Google

Glass is just Android, underneath.

So he simply turned on Bluetooth, paired an external keyboard, opened up a terminal window, and typed five commands in ADB, or Android Debug Bridge:

1. $ adb reboot bootloader: (Allows you to access the bootloader)
2. $ fastboot oem unlock: (Removes security precautions, erases user data, and … voids your warranty.)
3. $ fastboot flash boot boot.img: (Replaces the boot image)
4. $ fastboot reboot: (Reboots back into a normal state)
5. $ adb root: (Finally, you have root access and access to all the data partitions)

These are not steps to be taken lightly, according to Google engineer Hyunyoung Song.

“Even though there are recovery methods, there is a chance that you could get stuck in a state from which it’s not easy for your device to be recovered,” she said. “And Google will not support you.”

Google Glass owners who have taken the lives of their $1,500 Google Glass Explorer Edition devices in their hands and bravely gone where few dare, however, have done some exceptionally cool things. One has installed standard Ubuntu Linux on Glass and now programs on Glass using Emacs, a text editor. Another has created an avatar that mimics your head motion, bobbing around just as you do while talking and gesturing.

Source: Google

Danger, Will Robinson! Voiding warranty now!

And Google — while not supporting you if you brick your device — encourages developers to play around in root mode, hacking new apps and experiences which can be then brought into the Google Glass ecosystem.

“Now you’re in root mode,” Song said. “Play around and go nuts with whatever you want to do.”

For the faint of heart, there will be a safety net at some point. Google will be releasing the standard Glass system images, which can be used to recover bricked devices.

Probably.

Image credit: Jolie O’Dell/VentureBeat

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

Me neither.

That hasn’t stopped the BBC from claiming ”Global Internet slows after biggest attack in history,” or the UK’s Independent from saying that “Internet services across the world have been disrupted” with “millions of web users” not able to access service like Netflix.

According to the Internet Traffic Report, everything’s fairly copacetic. Response time has been pretty steady for the past 30 days, with no discernible dip in the past week, and packet loss globally has remained steady at almost zero:

Source: Internet Traffic Report

Internet traffic doesn’t seem very disrupted in the past month or week …

A quick check of InternetPulse shows that the U.S. Internet is all healthy, with sub-90-second latency in response times across the board today:

It’s not until we check Akamai’s global real-time web monitor that we see what the problem is: congestion is up in two general areas. Those would be the UK — where the BBC lives — and Germany/Netherlands, where a local fight is on between a controversial hosting provider, Cyberbunker, and a spam-fighting filter service, Spamhaus.

Essentially, it appears that Spamhaus blacklisted Cyberbunker for allegedly distributing spam, and friends of Cyberbunker then attacked Spamhaus’ servers with up to 300 gigabytes/second of data. That’s an enormous amount of data, and it constitutes the biggest-ever DDOS attack. It’s clogging the interweb’s tubes in at least a few places but not, apparently, all over the world.

Little hint to the BBC and others: Western Europe is not the world.

It’s time to add another issue to the list of what’s ailing publisher Electronic Arts. The company’s chief executive officer announced yesterday that he is stepping down, and it is still reeling from a public-relations snafu with the recently launched city-builder SimCity. Now, a security research firm revealed that members of EA’s digital-download service are vulnerable to attack from hackers.

A fatal flaw in EA’s Origin service may enable hackers to remotely execute software on a target’s Mac or PC, according to Malta-based security researchers ReVuln (via Time’s Techland blog). ReVuln published a paper earlier this month that explains the vulnerability in detail.

“Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure,” Origin spokesperson John Reseburg told GamesBeat.

The hack only takes seconds. It works by exploiting an “Origin://link” uniform resource identifier (URI), which publishers utilize to enable browsers to open and control actions on the Origin platform. Origin’s links follow a particular pattern. Hackers can mess around with that pattern to make the URI execute different commands. One of those commands could be bringing up a box that asks a user to download an application. They might trust that application because they’re on their trusted Origin site and click yes. The malware will then install, and the hacker will effectively “own” the system.

“Using games as an attack vector is pretty difficult to spot,” ReVuln security researcher Donato Ferrante told GamesBeat. “One of the reasons is that most people underestimate games as a possible way for attackers to compromise their systems.”

ReVuln released a proof of concept of the hack, which you can see in the video embedded into ReVuln’s Tweet:

EA Origin Insecurity paper: revuln.com/files/ReVuln_E… and video: vimeo.com/61361586 #BlackHatEU #0day—
ReVuln (@revuln) March 15, 2013

In October, ReVuln discovered a similar insecurity in Valve’s Steam digital service — EA’s primary competitor in the PC space. Ferrante claims Valve still hasn’t addressed the issue.

The security firm suggests that users set their browsers to pop up with a prompt when attempting to open a game in Origin or in Steam. More security-conscious users can install a tool like URIprotocolview to disable the “Origin://” URI.

VentureBeat security reporter Meghan Kelly contributed to this report

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

BREAKING: Weev sentenced to 41 months followed by three years of supervised release.

— Tim Pool (@Timcast) March 18, 2013

Just moments before sentencing, Auernheimer (also known as Weev), was cuffed by court officers in a struggle over his tablet and phone. Auernheimer, who was not permitted to use computers with keyboards, was asked to surrender his devices, but tried to hand them to his lawyer.

“It looks like Andew got slammed into a desk by federal agents while trying to hand his phone to his lawyer after the court asked for his phone,” his publicist told me via email.

Auernheimer is, by all accounts, a controversial figure, which became abundantly clear in a Reddit AMA (ask me anything) conducted yesterday.

He’s a founder of GNAA (Gay N*iggers Association of America), a group that probably has no actual gay or black members and seems, much as many other online trolling groups, to be devoted to causing as much online damage and destruction as possible. He’s also a member of Goatse Security, a grey-hat organization that focuses on finding and exploiting computer and website vulnerabilities. And he has done things online that most of us would consider morally reprehensible and ugly, if not precisely illegal, such as taking a leading role in the massive online harassment that caused usability expert Kathy Sierra to abandon the Internet.

But the specific charges that he was convicted of and has now been sentenced for seem tame by comparison. Essentially, he queried a public server with exactly the same kind of request your browser sent to the servers that run this website, aggregated the results, and sent them to a news agency, Gawker.

Auernheimer got a harder sentence than the #Steubenville rapists. One journalist equated the prosecution of hackers to the Red Scare.

— Tim Pool (@Timcast) March 18, 2013

The charges were based on the same law that federal prosecutors used against Matthew Keys, Aaron Swartz, and Stephen Watt: the Computer Fraud and Abuse Act, which opponents have decried as vague and Swartz’s lawyers have said was misused by federal prosecutors to overly-aggressively pursue Swartz, who ended up committing suicide.

Auernheimer knows he is not exactly a lovable figure.

“I’m a nutjob from Arkansas,” he told me yesterday. “That’s any sane person’s perspective.”

But the question today is whether his exact actions in the AT&T case were illegal. And if they were, how many other actions of ordinary Americans are now being criminalized?

Auernheimer told me yesterday that he already plans to appeal the sentence, and the EFF is helping with the appeal.

photo credit: Funky64 (www.lucarossato.com) via photopin cc

Tomorrow, he’s likely going to jail.

“It’s a fucking ludicrous charge,” Auernheimer told me this morning from New Jersey. “The FBI has tried to frame me for terrorism five times, and by their own admission they’ve been surveilling me since I was 15 years old.”

Update: Auernheimer was sentenced to 3 years in jail and $73,000 in fines

But tomorrow he expects to go to jail. In preparation, he and supporters have rented a 10,000 square foot hall where they’ll party the night away in perhaps his last taste of freedom for 10 years.

If he does go to jail, it’ll be the latest chapter in a long list of federal prosecutions of computer “crimes” by hackers who are forcing mainstream society to reconsider what freedom of speech means online, what is an appropriate response to a corporation’s poor security, and what kinds of access constitute crimes. That list includes Aaron Swartz, who committed suicide after what many have said was DOJ misconduct.

The story starts with a boneheaded AT&T decision.

During the summer of 2010, Auernheimer and co-defendant Danile Spitler discovered that by querying AT&T’s iPad servers with a string of numbers that matched subscribers’ SIM card identifiers, AT&T’s servers would send back the unencrypted, unprotected email address of the AT&T customer, the iPad owner. AT&T had a massive security design flaw, which, as it admitted in Auernheimer’s one-week trial, was intentional: for subscriber convenience. After running the script to capture 114,000 email addresses of AT&T iPad subscribers, Auernheimer sent a list of the email addresses to Gawker to highlight the security hole. Gawker then printed them in redacted form.

“If you buy an Apple product, you have a right to know that Apple partners could compromise your privacy,” Auernheimer told me, explaining why he sent the email addresses. “And that they take six months to patch security issues.”

So there’s obviously a security issue. And there’s obviously a privacy issue. But where’s the crime?

“We sent Get requests to a public API,” Auernheimer says. “They charged me with unauthorized access to a computerized device … and identity theft, which is a possession charge … if you walk down a street and write down physical addresses, you’re stealing identifiers, and you’re an identify thief.”

If sending Get requests is a crime, we are all criminals.

You could be charged with unauthorized access to a computerized device, for instance, simply because you clicked on the link that brought you to this article. Oh, and Google, one of the most successful corporations in the world, is the root of all evil. A Get request is simply a note from a browser computer code asking for a resource. You issue thousands of them every day all by yourself. Google issues billions.

Whether the receiving server responds to that request in any way, shape, or form is entirely at the discretion of the developers and system administrators who control that server.

The CFAA does not define the phrase “unauthorized access,” so according to Auernheimer, the government essentially told the jury that his access to the server was unauthorized because they said it was. Which, if true, means that whether you commit a legal act or an illegal act is at the discretion of anyone who runs a webserver, who can change their mind at any time without you knowing.

Good luck following the straight and narrow.

After a one-week trial, a jury found Auernheimer guilty on November 20 after just a few hours of debate. Auernheimer told me that his friend overheard “vicious arguing and screaming” in the jury room, so there was some serious debate, but there was a potential reason to be fast, and maybe even hasty.

“The trial was right before Thanksgiving … I think people wanted to get the hell out of there and get to Thanksgiving,” Auernheimer said.

Tonight he’s awaiting sentencing, which could be up to 10 years in jail and up to $500,000 in fines. And he’s not too hopeful that the judge will go easy on him.

“I’m probably going to prison, and they may take me into custody immediately,” Auernheimer told me. “But I have an excellent chance on appeal … any sane examination of the CFAA at this point is going to realize that it criminalizes all web access.”

The Electronic Frontier Foundation has already agreed to help him with that appeal.

Who’s committing these crimes?

Most of them are between 29 and 49 years old, and three-quarters are male. They work in organized groups, half of which have six or more members. And they live all over the world, but especially in Asia, notably China and Indonesia.

That’s according to online payments company Jumio – one of the companies that Facebook founder Eduardo Saverin has invested in. Jumio has put together an infographic highlighting who is attacking companies and people.

To do what they do, cyber criminals need access to the interwebs. That means Internet service providers and website hosting providers are critical, and most of the ones criminals work through are based in Russia and China.

This won’t make victims of identify theft, hacking, or online fraud feel any better, but only 0.0019 percent of cybercrimes in the U.S. in 2010 were tried in court and saw the hackers convicted.

Here’s all the data, in visual form:

Image credits: Jumio

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

Zendesk manages backoffice features like customer support and help desk operations via a cloud service it delivers to hundreds of clients serving over 65 million people, the company says on its website. Only Twitter, Pinterest, and Tumblr clients were affected, the company says, but those sites comprise literally hundreds of millions of users.

Since most end users never touch Zendesk directly, most users’ first awareness that there might be a problem with their personal informtion will come via an email from one of the affected services. I received an email from Tumblr this evening at 11:05PM PST, saying that my information may have been exposed.

Assuming Zendesk knows exactly how deep the penetration went, there is probably not a lot to worry about. The attackers gained access to email addresses and the subject lines of support emails, but there’s no indication they accessed any passwords or other data.

In other words: don’t panic.

Here’s the email that Tumblr sent out to affected users:

Important information regarding your security and privacy

For the last 2.5 years, we’ve used a popular service called Zendesk to store, organize, and answer emails to Tumblr Support. We’ve learned that a security breach at Zendesk has affected Tumblr and two other companies. We are sending this notification to all email addresses that we believe may have been affected by this breach.

This has potentially exposed records of subject lines and, in some cases, email addresses of messages sent to Tumblr Support. While much of this information is innocuous, please take some time today to consider the following:

• The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.
• Any other information included in the subject lines of emails you’ve sent to Tumblr Support may be exposed. We recommend you review any correspondence you’ve addressed tosupport@tumblr.com, abuse@tumblr.com, dmca@tumblr.com,legal@tumblr.com, enquiries@tumblr.com, orlawenforcement@tumblr.com.
• Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.

Your safety is our highest priority. We’re working with law enforcement and Zendesk to better understand this attack. Please monitor your email and Tumblr accounts for suspicious behavior, and notify us immediately if you have any concerns.

This is an breaking story, check for updates on Friday.

photo credit: alles-schlumpf via photopin cc

Sept. 9 - 10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Amazon’s homepage went down for about 51 minutes this afternoon in an highly unusual outage. Visitors to the site received an ‘Http/1.1 Service Unavailable’ message, although Amazon Web Services was still up and running. This is the most significant outage Amazon has experienced in years. A group of hackers called the NaziGods are claiming responsibility on Twitter, however sources with knowledge of the event deny that it was related to any outside group.

Estimates put Amazon’s sales-per-minute at over $100,000.

We have reached out to the company for comment and are waiting for a response. In the meantime, you may continue buying panini-makers and Kindles in peace.

“There was a vulnerability with RubyGems.org, which allowed someone to execute code on the server,” a Ruby programmer I talked to said. “RubyGems is a big target, because if you could break in and change a Rails gem, you could gain access to a lot of servers.”

Popular sites such as Twitter, Groupon, Airbnb, and Hulu are built using Ruby on Rails, a framework built in the Ruby programming language. Ruby gems are packages of code that allow developers to distribute programs or libraries, and RubyGems.org is the central means the Ruby community has to publish and distribute those gems. Essentially, if a black hat hacker can corrupt those gems, he or she could potentially gain control of thousands, if not millions of sites around the world that run Ruby on Rails.

Source: https://gist.github.com/3e4829f79dbd1be11295

The exploit itself

“RubyGems is a critical part of the Ruby infrastructure,” the programmer said. “Everything depends on RubyGems.”

RubyGems explained the situation this way in a Google doc that site administrators set up for status updates:

A user uploaded a malicious gem that contained a malicious gem manifest (YAML file). The manifest contained embedded Ruby with this payload. This is the only known incident involving this vulnerability, but the vulnerability involved is a remote code execution exploit, so the usual rules apply.

The Ruby programmer I talked to, who did not want to be identified since he works with some of the key engineers at RubyGems and Heroku, said that the infected gem was executed by the server and then “emailed the database configuration details, including passwords, to a paste-it note on Pastie.org.”

As soon as Heroku became aware of the issue this morning, site administrators disabled access to site update and publishing services:

Ruby deploys have been temporarily disabled to protect our users from malicious gems. We will have more information available shortly, including a workaround for those who wish to deploy anyway.

Based on the information currently available, it doesn’t appear to have been an especially malicious attack, but rather a fairly strenuous way of informing the RubyGems organization that they had a vulnerability. The infected gem was called “exploit,” a pretty clear signal that the author or authors were not trying to slip something in unnoticed, and “they could have done more,” my source said.

Currently, RubyGems is verifying all files by comparing them for differences with older version before re-enabling all access to  functionality. The last update as of 7:30 PM PST is that the service’s classic API is up, as well as its V1 API, but its web application and Dependency API are still down.

photo credit: Andrew* via photopin cc

1. Find a bug that could reveal the personal information of 250,000 students
2. Report it to the proper authorities at his school, Dawson College in Montreal, Canada
3. Get threatened with jail, and get expelled from college

Twenty-year-old Ahmed Al-Khabaz found a flaw in the college-management Omnivox software that most colleges in Quebec use, according to Canada’s National Post. He reported it to the college’s director of IT, who congratulated him and thanked him.

But two days later, when Al-Khabaz decided to double-check whether a fix was in place, he was surprised by a phone call from Edouard Taza, the president of Skytech, the company that makes Omnivox. Al-Khabaz say that Taza accused him of implementing a “cyber-attack,” threatened him with jail, and forced him to sign a nondisclosure agreement.

But despite his cooperation with what some might say was an unreasonable and bullying approach, Al-Khabaz was expelled from college.

Calls to Donna Varrica and Carey-Ann Pawsey at the Dawson’s communications office go straight to voicemail, but the college has posted a statement on its website, standing by its decision and saying that Al-Khabaz had been warned on at least one occasion to “cease and desist.”

Dawson College stands by its policies regarding academic integrity and professional code of conduct. The provisions of these policies are clearly stated in the Institutional Student Evaluation Policy and the Code of Conduct on the website (listed below).

Under the terms of Quebec privacy laws, it is illegal to discuss the details of student files with individuals or with the media. Dawson College practices due process and due diligence in every case brought before the review committee. If a student does not agree with a decision, he or she has the right to appeal, as spelled out in the policies

In the recent case of Ahmed Al-Khabaz, which he himself brought to the media, the College stands by its decision. The reasons cited in the National Post article for which the student was expelled are inaccurate. The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student.

When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student.

I have not been able to speak to Al-Khabaz yet, but based on the publicly available facts, Dawson College and Skytech — sounds suspiciously like Skynet, no? — should be thanking him and perhaps rewarding him.

VentureBeat has reached out to Edouard Taza, Skytech’s president, and will update if he responds.

photo credit: Gìpics via photopin cc

“Prosecutors do not acknowledge nuance,” Watt told me today. “They turn everything into a very clear-cut moral issue, where everything is nicely packaged into a premeditated act.”

Swartz, of course, downloaded almost 5 million academic articles from JSTOR, a nonprofit that provides access to academic journals. It was probably illegal, although JSTOR decided not to pursue legal action. Heymann did, however, and very aggressively. Swartz, who had a history of depression, committed suicide just five days ago.

“If you look at the sorts of cases that [Heymann] prosecutes, he does seem to very much enjoy being the first one to accomplish something in a legal sense,” Watt said. “He seems to push the envelope … and I have certainly heard the word ‘bully’ used to describe Heyman. It was a common label.”

That’s something that legal activist Lawrence Lessig highlighted on his blog post about Swartz’s suicide as well.

Watt was convicted of helping a criminal group steal 40 million credit cards from TJX and various retailers after creating a data-sniffing software tool for his best friend. According to Watt, he wasn’t in the conspiracy and didn’t know exactly how his software would be used; he just shared it, as is common in the hacker/cracker community. And he didn’t receive any of the ill-gotten gains.

“I acknowledge I’m a much less sympathetic character, simply because of the company I kept,” says Watt, a fitness addict who now runs a sports supplement store but is still negotiating with his probation officer over whether he can use computers. “What I do know is that in both cases you have actions taken by the defendants which are not in any way criminal … and actions which are not overtly criminal need to precipitate a much more nuanced investigation, and a much more appropriate sentence.”

When it comes to Aaron Swartz’s case, Watt says that prosecutors used the same damage and punishment matrix they had used for him. Based on the number of files and the calculated damages, Swartz was facing half a lifetime in jail and a million-dollar fine.

“But if you look at Aaron’s history, any reasonable person would assume he was not going to sell this information … he wanted to free this information,” Watt told me. “And yet you have this insinuation that he might have wanted to profit from it.”

When Heymann spoke in court about Watt, he highlighted Watt’s supposed “sociopathic tendencies” by finding quotes from Mike Tyson and the movie Fight Club on Watt’s MySpace page, he told me, insinuating that Watt had created his data-sniffing code as part of an attempt to “bring down the end of the country’s financial institutions.” Then, in closing comments, Watt says that Heymann said that he was “not someone to feel sorry for,” had enjoyed a “privileged background,” and that “his parents had read to him as a child.”

That kind of take-no-prisoners prosecution, Watt feels, contributed to Swartz’s suicide. And it’s something that doesn’t advance the pursuit of justice.

“In both situations there was a very compelling case that nothing illegal had been done,” Watt said to me. “To face those sorts of overwhelming odds … it’s just not justice.”

Watt, who will be speaking about his experiences with the law in April at Infiltrate 2013 in Miami, says the waiting is the hardest part.

“When I think of the stress that Aaron was feeling … that was absolutely the most psychologically debilitating time of the process,” he says. “It’s worse than being behind bars: You’re in limbo, you’re unable to work, and you’re financially hamstrung.”

Jonathan James, one of the other hackers investigated in the TJX investigation for which Watt did time, committed suicide, leaving a note that said in part:

I have no faith in the ‘justice’ system. Perhaps my actions today, and this letter, will send a stronger message to the public. Either way, I have lost control over this situation, and this is my only way to regain control.

There is a petition up on WhiteHouse.gov to fire Assistant U.S. Attorney Steve Heymann. It currently has 7,969 signatures and says:

We should not destroy the lives of human beings for crimes against computer systems that harm no one and provide no benefit to the perpetrator. Such actions should be treated as forms of protest and civil disobedience. To prosecute these actions the same as rapes and murders is a savage abuse of the criminal justice system which continues to destroy the lives of peaceful, productive members of society.

Photo credit: RageSoss/Flickr

“I’ve always done a certain amount of work with my hands, but my whole career was in software.”

Rich Pekelney (pictured above) is standing in front of one of many mammoth machines in San Francisco’s TechShop, a DIY paradise full of industrial equipment for makers of all kinds.

The space is intimidating at first glance. Loud mechanisms tower and sprawl around the workshop’s several stories; people in welding masks and heavy protective gloves quietly bustle from one corner to another.

But after a few minutes in the shop, its aura of mystery quickly disappears. After all, people come here to learn, to weld, to screen print, to indulge their hobbies and acquire new skills. It’s a bit like a gym: Anyone can join as long as they want to do the work.

At TechShop’s San Francisco location, a $125 monthly membership fee gets you access to more than $1 million dollars of industrial-grade machinery, industry-standard design software for 2D and 3D projects, unlimited workshop hours, and coaching from experts in given techniques and materials. You can purchase additional classes for equipment or skills, and the pricing isn’t prohibitive. For example, you can get trained on working with sheet metal for $75 in a two-hour class.

Pekelney came here at first because, like so many other TechShop members, he needed to make something that couldn’t be bought. In this particular case, it was a perfect replica of a trashcan for use on a restored World War II submarine, the USS Pampanito.

“Twenty years ago, when I started working on [restoring] the ship, there were so many really talented guys who could make you anything you needed,” he said.

“Now, they’re gone. … They aged out or they moved out of the city. They’re 80, and they can’t see, or their hands shake.”

So Pekelney became part of the maker renaissance, a growing movement of women, men, and kids who want to make cool stuff. They come to places like TechShop for access to state-of-the-art equipment you’d be hard-pressed to find outside of a heavy industrial facility (as Pekelney tells me, “I would not be using a $15,000 machine if it weren’t for TechShop”); but they stay for the classes and the community.

And many of them end up doing more than learning a new skill; more and more, part-time tinkerers are turning their TechShop experiences into full-time, self-owned businesses.

“Oops, I started a business”

Today’s maker movement includes a huge range of arts, crafts, and fabrication, and at least as many fascinating types of humans. You’ve got the steampunk/Burning Man crowd who build robotic art cars to drive around the desert. You’ve got radical lesbian feminist knitters and quilters who are reclaiming the “feminine” arts. You’ve got kids young and old turning a deep Lego obsession into huge, intricate projects for display, and you’ve got even younger kids tinkering with mass-produced starter kits to nurture an early obsession with electronics. And you’ve got would-be entrepreneurs just trying to crank out a prototype for a product that might disrupt the market.

Accidental entrepreneurship, I learn during an extended TechShop tour, is a not uncommon outcome for folks who walk through its doors seeking to simply finish a one-off project. The lady behind Better Off Wed, an Etsy store of statement cake-toppers, first came to TechShop to do a single piece and ended making a business out of it. Another founder was doodling around with the shop’s laser cutter and ended up turning that into Yes & Yes Designs, a jewelry store.

There are dozens of stories like this from TechShop’s San Francisco store. The Bosavi headlamp came from a guy who walked into TechShop in September 2011 with no maker experience whatsoever. Now, he’s an inventor, entrepreneur, and TechShop instructor. A former ad copywriter sitting in the shop’s airy upper floor tells me that social media killed the advertising business; now, he makes and sells jewelry instead.

In fact, as maker advocate and Autodesk employee Jesse Harrington Au tells me during our tour, around 60 percent of TechShop members end up looking at starting their own businesses. Accidental entrepreneurship, he says, “happens more than I would have thought,” in no small part due to the fact that all kinds of makers, from sewers and designers and papercrafters to welders and carpenters and painters, under a single roof. The cross-pollination effects are huge.

Making’s roots

Dan Woods is a TechShop exec and was also part of another important cornerstone of the maker renaissance.

“When we co-founded Make, we thought we’d have maybe 10,000 people, old farts like us, from the ’60s,” he tells me as we meander through the shop’s panoply of machinery. “But there’s all these upstarts from Brooklyn with metal in their faces — and they get it.

“For some reason, it has become very trendy to express yourself physically,” says Woods, “and it is showing off.”

Woods has an aeronautics degree and used to work for Lockheed. I ask him point-blank what his job was. “I was helping pilots drop off — things — very accurately. … It was very cerebral.”

After that, Woods started working on Make with O’Reilly co-founder Dale Dougherty. At first a simple quarterly magazine, Make was first published in January 2005 as a way to explore and encourage DIY and DIWO (do it with others) culture. Dougherty originally envisioned the publication as “Martha Stewart for geeks.”

Maker Faire was born out of Make magazine. First held in San Mateo, Calif., it was billed as the world’s largest show-and-tell and included more than 100 exhibitors, DIY workshops for learning new skills, and competitions. Nowadays, the Faire has exploded into a chain of events around the world, drawing in makers and spectators by the tens of thousands.

At the very first Maker Faire, robotics instructor and MythBusters science advisor Jim Newton showed up at the San Mateo fairground in a huge Army truck looking for a place to park it. Realizing that Maker Faire was leaving enthusiasts with a warm glow but no outlet for future DIWO/DIY action, Newton decided that people needed a slice of Maker Faire all year ’round. He opened the doors of the first TechShop in late 2006, hoping that Maker Faire would be not just a show-and-tell but a gateway experience that would democratize making and hacking.

The birth of the hackerspace

Hacker spaces were a relatively new — or at least relatively unheard-of — idea in 2006. One of the first such spaces, c-base was founded in Berlin in 1995. Its primary focus was on hacking computer hardware and software, and it developed a large following and mythology around itself.

But the hackerspace revolution didn’t really take off until Metalab popped up in Vienna in 2006. The revolution in this case wasn’t the idea that hackers should hang out and hack together; rather, the revolution was around the mechanism that would make the whole enterprise work: money. As an open space for technical creatives, Metalab was funded from membership dues; the funds allowed the collective to rent a physical space, purchase materials, and hold events. This model proved to be an important catalyst for what followed.

Starting around 2006, the concept of hackerspaces experienced a small, underground explosion. In 2007, Bre Pettis and a handful of East Coast hackers started NYC Resistor, also with a membership-based model. Noisebridge, another leader in the scene, opened its doors in San Francisco in 2008.

Noisebridge was co-founded by Tor Project and Wikileaks hacker Jacob Appelbaum and hardware hacking legend Mitch Altman. “He’s a kind of Johnny Appleseed for hackerspaces,” says Woods. “But hackerspaces are for … people who are already comfortable with technology.”

While the hackerspace forefathers succeeded in bringing knowledge to noobs, first-time visitors to hackerspaces — non-nerdy consumers — can end up feeling more intimidated than welcomed.

Plus, these spaces tend to focus on the thrilling anarchy of hacking computer systems, whether bundles of circuits and storage or collections of data. There isn’t as much opportunity for, say, the guy who wants to weld a new consumer snowplow prototype or the lady who wants to screen-print a band T-shirt design.

A cleaned-up, commercial hackerspace for everyone else

As these Matrix-reminiscent spaces and groups popped up around the globe in the mid-2000s, the idea began to catch on with the less technically advanced, as well.

“You go to a job, sit at a computer, maybe you design things, but you never get to see it through,” said Harrington Au, pretty much summing up the mid-career ennui anyone over the age of 25 has experienced. Without the ability to see your work in its immediate, physically complete form, you can end up feeling less connected to it, less aware of its impact on others.

“There’s very little opportunity for those little successes,” he says.

And the little successes one experiences at TechShop might be nifty toys, one-off playthings made for one’s own amusement. But more often than not, the TechShop staff say the projects are immediately useful; they have a purpose in the real world and often fulfill a legitimate need in the marketplace.

That’s the kind of accidental entrepreneurship TechShop fosters. If these kinds of stories are any indicator of the organization’s future direction, it’s shaping up to be a casual incubator for the next generation of hardware and consumer goods companies.

Woods tells a great story about a Stanford undergrad student who was at TechShop working on a problem with polymers. The student expressed some frustration aloud about the particular problem; as fate would have it, a professor with 30 years of experience in polymers overheard him and offered help. The project is the Embrace Infant Warmer, a small, reusable sleeping bag for babies that keeps at-risk infants warm during medical emergencies. The project is funded by GE and was recognized at the annual Silicon Valley Tech Awards.

As we finish our tour in the textiles section of TechShop’s enormous warehouse, Woods waves his arm around the room, his gesture taking in the wildly diverse group of tinkerers intently bent over their projects.

“The most valuable thing is this,” he says. “It’s the members — their encouragement, their knowledge, their experience. … And they are dying to share what they know.”

All photos courtesy of TechShop, Flickr

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

Earlier today, I posted about AuthenTec, a recent Apple acquisition that has had some security issues with software it produced for Windows PCs. One of the company’s products, a biometric security package called Protector Suite, stored passwords insecurely.

The issue was highlighted by security company Elcomsoft on August 28, and rose to prominence again in the past few days when an open-source project enabling easy exploitation of the security hole was posted to Github. I noticed it yesterday on Ars Technica, and today contacted Apple for comment, as well as phoning Authentec directly.

Apple didn’t return either of my two calls, and when the person I talked to at Authentec told me only that the software was discontinued (I also left a message for a product manager, who did not return my voicemail) I wrote a story based on the facts I knew.

But a reader checked Authentec’s support site, which I had not seen, and discovered that a new download is available for Protector Suite. In fact, according to the information on the support site, it’s been available since September 18. And in the release notes is a direct response to the security issue: “Changed passport encryption implementation.”

So the software does appear to be patched.

Now, I’d appreciate it if AuthenTec had made that known on its corporate website, not just the support site. And there seems to be no direct link from AuthenTec’s corporate website to its support site. In addition … it’d be nice if Apple had returned my calls, or if the person at AuthenTec knew that the software had already been patched.

All that aside, however, the fact remains: the software had been patched, and I wrote a story saying it was not. So … I was just plain wrong.

As soon as I saw the note from our reader — you rock, by the way — I updated my original story with a note.

But I felt that an additional story needed to be written, because as I check Google News for “AuthenTec” or look at MacSurfer’s list of Apple security stories, all of the posts still say that Apple’s subsidiary still has unpatched, vulnerable software. And that’s simply not the case today, as far as I can tell. No-one seems to have picked up on the fact that our reader found.

In fact, according to what the reader subsequently sent me, the patch has been delivered to all affected computer manufacturers. (AuthenTec, Apple, please feel free to add any missing details.)

So the recorded needed to be set straight. I trust that it now is.

VentureBeat’s goal is accurate, timely information. So is mine. It’s not always easy or straightforward, and sometimes I screw up. When that happens, we do our best to make it right.

That’s a personal commitment, and I think I dare speak for everyone else at VentureBeat on that point as well.

photo credit: sunnyUK via photopin cc

iPhones hear the name “Charlie Miller” and run, Siri screaming out her mortal fear. Charlie Miller, the notorious Apple device hacker, is taking that fear and channeling it for the greater good of his newest employer, Twitter.

Yes, Twitter confirms to VentureBeat that the social site has hired the gray-hat security expert, who got his start working for the U.S. National Security Administration. At Twitter, Miller takes on the role of systems software engineer and reports to Moxie Marlinspike, the hacker who ran Android security shop Whisper Systems until Twitter acquired it last year.

After his five-year stint at the NSA, Miller went on to hack Apple products of all kinds and was the first hacker to find a critical bug in the MacBook Air. He also created a proof-of-concept app for hacking iPhones and iPads; the app got into the App Store, smudging a bit more egg on Apple’s face in the process.

Miller earned a Ph.D in mathematics from the University of Notre Dame. He’s working remotely from his home office in St. Louis, Missouri.

“It’s going to be bug genocide, my friend!” the hacker quipped on Twitter.

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

Ready for the most outlandish story of your day? Here we go. Today a hacker allegedly stole Mitt Romney’s tax returns and is demanding $1 million in Bitcoins for silence. The hacker also sent a USB drive and letter to the Republican and Democratic party offices in Williamson County, Tenn. as proof.

Williamson County Republican party executive director Jean Barwick confirmed to VentureBeat that the U.S. Secret Service has taken the USB drive and letter from the GOP party office to examine it and see if this is a hoax or a real situation.

“We don’t know what this will turn into, if anything,” said Barwick in an interview with VentureBeat. “[The Secret Service] didn’t say what they would do with it.”

In a letter, the hacker says the records were stolen from PricewaterhouseCoopers in Franklin, Tenn.

PricewaterhouseCoopers PR managing director Chris Atkins told VentureBeat in an e-mail, “We are aware of the allegations that have been made regarding improper access to our systems.  We are working closely with the United States Secret Service, and at this time there is no evidence that our systems have been compromised or that there was any unauthorized access to the data in question.”

The letter begins:

Dear PricewaterhouseCoopers LLP,

… We were able to gain access to your network file servers and copy over the tax documents for one Willard M Romney and Ann D Romney. We are sure that once you figure out where the security breach was, some people will probably get fired but that is not our concern.

Barwick went on to tell me that the GOP office did not call the Secret Service but expects that news traveled through the U.S. Attorney’s Office, which prompted the confiscation. She also added that she doesn’t believe they are the only office that received a letter such as this, though she’s hearing conflicting stories.

In the letter, the hacker threatened the release of the tax returns to “all major news media outlets” if the Bitcoin ransom is not received (the hacker also politely suggested people should “Google it if you need a lesson on what Bitcoin is”). The person also set up a bit of a race for Romney: first to pay the sum will receive the goods.

Of course, Bitcoin has its own problems after a hacker stole the Bitcoin equivalent of $250,000 dollars Tuesday.

via Nashville’s The City Paper; Mitt Romney image via Dave Delay/Flickr

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Getting your data back might cost you big time. Same for not having “those pictures” spread all over the Internet. And that’s just one of the new attack vectors targeting Android phones in the past few months, according to security firm McAfee.

Source: McAfee

Malware samples found so far

Mobile malware tracked by McAfee has exploded this year, growing almost 700 percent over 2011 numbers. Almost all of it, perhaps 85 percent, targets smartphones running Android.

The attacks range from the traditional and fairly well known email-with-bogus-attachments to the downright Machiavellian: drive-by downloads. Similarly to desktop drive-bys, simply visiting a site initiates the attack.

Once they’re in, your data can be held hostage as “ransomware” threatens deletion — or publication — unless you pay up.

Users still need to authorize an install, but as McAfee says, “when an attacker names the file Android System Update 4.0.apk, most suspicions vanish.” That’s because it looks like an official update to the Android operating system.

In the past three months alone, McAfee has seen 2.7 million new websites on 300,000 new domains that are either infected or created specifically by malware authors to trap the unwary.

The big surprise in the huge increase on Android isn’t that Android is being attacked: Google’s smartphone platform has been a key focus for the bad guys for some time. The big surprise is that Google has not managed to stem the tide in any significant way.

Source: McAfee

Mobile malware by platform … where’s iOS?

Security concerns on Android should not be news to Google, and Google should be putting security at the top of its list of priorities. But Google’s Bouncer software, which is supposed to be protecting users by scanning apps on Google Play for any malicious code or behavior, often appears to be asleep at the switch and easily fooled.

Shades of London Olympics Widget, anyone?

Even worse, Bouncer can only scan Google Play, the official Android app store, not Amazon’s Android market, or any of the other Android markets that appear.

That’s bad news for Android users, bad news for Android, and bad news for Google. McAfee’s “Total Mobile Malware by Platform” graphic doesn’t even show Google’s biggest competitor in the smartphone war: Apple’s iOS.

See that tiny purple sliver? IOS is buried in there, somewhere. Security is so tiny an issue, in spite of a recent SMS spoofing issue, an in-app purchasing problem, and one discovered Trojan on the app store, Apple doesn’t even get its own slice.

The answer can’t just be the standard “educate the users.” The users aren’t going to get it on their own.

Google needs to do more to ensure its mobile platform is safe and secure.

photo credit: kk+ via photo pin cc

OpenROV, a mini submarine developed in a Silicon Valley garage, has been hailed by the world’s media as the key to unlocking the earth’s last frontier.

No pressure, or anything.

The 20-something creators, David Lang (pictured, above) and Eric Stackpole, did not anticipate that their open-source robot would infatuate the press or be viewed as the low-cost alternative to subs like the Deep Sea Challenger, which took filmmaker, James Cameron, to the deepest, darkest recesses of the western Pacific.

“At the outset, we thought this might be a great project to discover underwater caves that are too small for divers,” said Lang when I met up with him at open-access workshop TechShop in San Francisco, where he and Stackpole make their parts. “Our ideas for what we wanted to use it for were dwarfed by the community.”

Environmentalists and marine archeologists already say they plan to use OpenROV to discover shipwrecks in Cuba and spotlight pollution in the high seas. Treasure hunters can use the mini sub to look for gold in unchartered waters. In November, Stackpole will be headed to Antarctica as an under-ice pilot in a larger-scale, commercial grade ROV.

“We don’t want to be the wealthiest mini sub builders in the world,” said Lang. ”Our goal is to have a high return on adventure.”

TechShop, the site where Lang and Stackpole solder the submarine’s parts.

On popular crowdfunding platform Kickstarter, OpenROV took on a life of its own and far exceeded its funding goal by netting $111,622 from 484 backers.

It didn’t hurt that Stackpole was profiled by the New York Times’, and OpenROV was credited for its potential to transform underwater exploration.

Lang told me no one has used OpenROV to successfully discover any buried treasure in the ocean’s depths, yet.

The founders’ singular focus is to keep up with the demand for the kits. At TechShop, Lang and Stackpoke laser cut electronic material and plastic and hand-pack and mail the kits. Lang told me that the most common purchasers are tinkerers and hobbyists, who add their own flourishes like robotic arms, payload equipment, and additional cameras.

The TechShop chain is a recent addition to the Bay Area, and is a paradise for hardware geeks. For $100 per month, anyone can access high-tech equipment such as 3-D printers. Classes taught at one of the TechShop hacker spaces include Welding 101, and are available for a few extra dollars. At TechShop, Lang learned how to build robots and work with machines in less than six months.

OpenRov, a mini submarine, can dive as deep as 100m.

The basic prototype has been through 35 iterations and is designed to be portable and cheap. At the basic level, its open-source, remotely operated robot that can be deployed underwater and navigated in 3D using a laptop.

The little robot is elegantly simple, but the real innovation is its inexpensive parts. OpenROV is available for $750, and anyone with a knack for DIY can use it to scale the depths of the ocean, as far as 100 meters.

But if you want an underwater robot of your own, you’ll need to be a dab hand with a soldering iron, as the robot is sold in a kit filled with parts.

To keep tabs on how the robot is being used, the pair launched a company blog and discussion forum. It is already proving to be a powerful tool for small-town environmentalists.

OpenROV can be fitted with video equipment to highlight the pile-up of junk in lakes and ponds. It can go in tiny crevices, where a diver can’t. One user plans to search for evidence of plastic pollution in the unchartered, murky depths of a seabed.

“At a tiny un-touristed cove in southern Maine, I’m finding hundreds — sometimes thousands — of bits of plastic wreckage washing up weekly,” he wrote.

At TechShop, where Lang spends the bulk of his time, he tells me that these findings are the tip of the iceberg for OpenROV. “Our story is just the beginning,” said Lang, who animatedly points out a number of other cool projects that are in development.

“We do know that deep sea exploration, space exploration, drones, 3-D printing are now something that anyone can do,” he said.

An aspiring hardware hacker at Twilio has used his company’s own telephony APIs as well as Node.js and Arduino to build the charming robot you see in the clip above.

We just about overloaded on developer buzzwords there, so let’s back it up a bit.

The bot was built by Twilio developer evangelist Jonathan Gottfried, to whom we say, nice work, Jon! There’s no quicker way to developers’ hearts than showing them how to build and code a robot, and no better way to evangelize for your company’s software than by using it in said robot in an actually interesting way. Twilio overlords, give this man a raise!

“Robots have fascinated me for as long as I can remember,” writes Gottfried on the company blog. He then proceeds to go into great, and we mean great, detail on how the bot was made “using Twilio, Arduino, Node.js, and the RN-XV WiFly module.”

The result is a robot you can control from your phone’s keypad. The post includes step-by-step images and lots of code snippets.

You might be asking, “Why, why in heaven’s name, would anyone use Node for such a task?” The Hacker News army asked the same thing, to which Gottfried replied, “It was the easiest way I found to set up a simultaneous HTTP server and TCP socket to the bot.”

In the HN thread, Gottfried also said, “The hardest part for me was getting the Wi-Fi module to work,” and, “It’s pretty fun to play with, honestly. Hasn’t tried to kill me yet….”

I didn’t know it could be someone’s job to attend hackathons. I hadn’t heard of a developer evangelist before, so a year ago when I stumbled across an opportunity to become one, I was drawn by its novelty.

The mission was to build a developer community from the bottom up by saturating the hackathon scene, gaining allegiance from the early-adopters, the enthusiasts, the hackers. The kind of people who geek out over a new JavaScript library, smother their MacBook Airs with stickers, and maintain wardrobes consisting primarily of startup t-shirts.

If the goal is to build a business on an API, were hackathons the place to start? I wasn’t sure. The tactic seemed so niche. But hey, if someone wanted to pay me to travel and build weekend hacks, that sounded fun to me.

My first hackathon surprised me. I expected it to be quiet and secluded, consisting of the most die-hard geeks, an exclusive community disconnected from the outside world.

But it wasn’t. It was inviting. It was cool. It was a spot for anyone with an entrepreneurial itch to try something new, from bankers to artists to lawyers, all sprinkled amongst designers and developers of all skill levels.

I expected it to feel underground, but it didn’t. Microsoft and Amazon, among other high-profile sponsors, pitched their tools, platforms, and APIs to an eclectic group of would-be world-changers.

I realized after that first event that my weekend calendar was not going to be free for a while. There was no shortage of events to attend or companies wanting to throw sponsorship dollars at those events.

I travelled to hackathons in Dallas, Portland, Boulder, Chicago, Las Vegas, Seattle, DC, and Boston, among others. Every city I went, I asked them the same question: what’s the tech scene like here?

Every time I got the same response: It’s growing.

Everywhere I went, people told me that their tech community was thriving, that their city was going to be the next big tech hub. A year ago there was nothing. Now there were incubators, investors, meetups, and new hackathons popping up every month.

It quickly became clear to me that hackathons are not an outlandish trend, popular only among techies in Silicon Valley and NYC. They are a national phenomenon.

So I asked 150 hackathon attendees, hosts, and sponsors from across the country what they thought about the rise in hackathons. I found some interesting things:

• Why they go: Learning (85 percent) and networking (81 percent) were the top two reasons, followed by changing the world (38 percent) and winning prizes (28 percent). More people are interested in the tech scene and want to learn to code but this community has many people who really have big, ofter altruistic visions. Hackathons offer newbies an environment to learn from experienced coders while building something tangible. Some of those hacks have turned into real businesses, like GroupMe, Launchrock, Zaarly, and Foodspotting.
• APIs are a core strategy: 78 percent of event attendees said APIs are becoming an increasingly integral part of their business strategy. They attend hackathons to increase awareness (56 percent), partner with other cool brands with APIs (75 percent), and build a showcase of apps using their API (56 percent). Since hackers are driven to go to these events, hackathons are a good place to get in front of early adopters, get feedback, and gain enthusiasts for a new API.
• Women are underrepresented: While this is true in many areas of the technology and startup worlds, it was interesting to note that only one in 10 attendees at hackathons are women.
• So many hackathons: The combination of more people wanting to hack on new projects, and more companies wanting to get their APIs consumed has stimulated a surge in hackathons. The top three reasons why attendees believed there are more and more hackathons going on were: an increased awareness of APIs (46 percent); an increased general interest in tech (40 percent); and an increase in the number of hackers (39 percent).

It will be interesting to see if these findings change over time. Perhaps my company will run the survey again next year. But for now, we compiled our findings into a nice infographic to provide a bit of a peek into what really goes on at those hackathon events.

Jon Mumm is a developer evangelist for TokBox, a San Francisco-based startup that provides an API for live video chat. Follow his hackathon adventures on Twitter @jonmumm.

Top image courtesy of lenetstan, Shutterstock

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

It seems that four days ago Homakov tried to alert the folks behind Rails, one of the most popular programming languages, and the one used to create Github itself, about the security flaw. There was some back and forth for a day, and eventually the powers that be decided to close the thread, writing that “There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.”

But Homakov was’t going to go down without a fight. Since he couldn’t get things fixed through the proper channels, he decided to use the exploit himself. He used the loophole to give himself access to Ruby on Rails code repository and left a message confirming that any project on Github was indeed vulnerable. He didn’t change any code or do anything malicious.

When Github saw what happened, they suspended Homakov’s account, which created a firestorm of protest. A blog post entitled, Github, You Have Let Us All Down shot to the top of Hacker News, the world’s biggest news board for programmers. Github users threatened to pack up their projects and head to alternative services, claiming they felt vulnerable to hackers and betrayed by the response.

In the end, Github restored Homakov’s account and issued a public apology. It was a reminder that Github, which has become the defacto platform for collaborative coding, needs to take security very seriously. Software engineers often use their Github accounts as resumes when applying for jobs, so they have to feel their work is safe from tampering.

It was also an example of when the wisdom of the crowd got things wrong. Github exemplifies the benefits of open, collaboration. In this case, though, the wisdom of the crowds got things wrong, and it took a single contrarian, willing to work by any means to necessary, to show the community the danger they were in.

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

After a FBI manhunt, he was caught in 1995 with the help of security expert Tsutomu Shimomura, who wrote about the experience with New York Times writer John Markoff. Mitnick spent five years in jail, including eight months in solitary confinement.

At first, Mitnick wasn’t allowed to tell his side of the story, thanks to a gag order. Now he has penned a book on about his life on the run, co-written with author William L. Simon.  Called “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” the title has stayed on the New York Times Bestseller list for several weeks.

After getting out of prison, Mitnick pulled his life together as a “white hat” hacker, or one who helps companies by testing the security of their networks via Mitnick Security Consulting. Now he frequently talks about how to protect yourself from wily cyber attacks.

Here’s an excerpt from the book. And below is an edited transcript of our interview with Mitnick.

VB: Hi Kevin. We’ve talked before when you published your books, The Art of Intrusion and The Art of Deception. At the time, you had a gag order that did not allow you to write about your arrest and the events leading up to it. Now that it has expired, you’ve revisited those memories. Why?

KM: I had a deal with the government for about, for seven years after I was released from custody. So it expired around Jan. 21, 2007.  After that, we decided to work on my memoir, Ghost in The Wires. That was finally published on August 15. The other two books mentioned my life on the run, but they were really about the lessons I learned with social engineering and how organizations could mitigate the risk of falling victim to it. That book was The Art of Deception. Art of Intrusion was really kind of just talking about the stories of other hackers that were in the news and some where the perpetrators were never identified.

So what I like about the best of all these three is my life story Ghost in The Wires because it’s kind of like a Catch Me If You Can version for a computer hacker. What is unique about it that it is a true story. People really seem to like it.

VB: Yeah I noticed you tweeted about how it’s still on the New York Times online bestseller list.

KM: Well this week it was 23 last week it was 12 the week before that it was 15, the week before that it was 16. So I have been on the New York Times best seller list a month so far.

VB: Congratulations. Why do people want to read it?

KM: Thank you so much. I never expected it but I guess it’s a great story and it’s written very well. So people are interested in it and I guess I’m the cyber version of Frank Abagnale.

VB: It’s probably only fair since there were other bestsellers that were written about you.

KM: I don’t think any of them actually made the bestsellers list. John Markoff’s book, [Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw, By the Man Who Did It], never made it the bestsellers list.

VB: Oh it didn’t?

KM: As far as I am aware, the only hacking book that made the bestseller list was a book called The Cuckoo’s Egg by Cliff Stoll. The Takedown book never made it to the list and in fact it was a very poorly reviewed book.

VB: Did you ever figure out why the government had such an unusual gag order in place here because that seems pretty rare?

KM: Well one of the things was they wanted to profit off my story and they wanted to keep everything under a protect order meaning that I was essentially forbidden to talk about it. So I had to be very careful because there is still stuff that is still under protective order that I couldn’t reveal. And so I had to be very careful to still tread around that restriction. The seven-year restriction was to prevent me from earning any revenue from my free public expression. They learned that from cases like the (murderer) Son of Sam.

So they had to do it that way because there are laws that are usually applied to violent crime cases to prevent people from profiting by telling the story. But it’s a prior restraint on free speech, so the Supreme Court has since struck down those laws. That was how the federal government dealt with it back then. It was part of the plea agreement.

VB: So what really drove you to write this new book after the gag order lifted and you were free?

KM: To get the story out. It wasn’t really about making money. I mean I make money from my security business and my public speaking career because I go around in the world doing a lot of public speeches, keynoting at conferences. I make plenty of money doing that. So it wasn’t really about the money it was about getting my side of the story out. I thought it was a great story to tell that people would enjoy it. And I want to really to focus on the chase because my story is kind of a cat-and-mouse game with the federal government.

Pages: 1 2 3

John McNabb, a security expert who has focused on protecting drinking water, told the audience at the Defcon hacker conference in Las Vegas today that, despite a $40 billion-dollar water economy, it’s still far too easy to hack into water meters used by utilities around the country. He concluded that nation’s 150,000 water utilities have a number of well-known vulnerabilities to cyber attacks and they should fix them on behalf of the 250 million consumers they serve.

“The energy theft when it comes to water theft is billions of dollars a year,” McNabb (pictured) said. “Electric utilites assume they use about 10 percent losses to theft each year. Water could be similar, and it winds up increasing the rates for others.”

Lots of water meters are still mechanical devices. Water companies lose revenue when those meters get old and sediment builds up in them so that they measure lower water usage. Utilities have started to put in wireless water meters that are easier to read and less costly. For instance, some meters broadcast a wireless signal so that a meter reader can simply drive by, detect the signal, and record it electronically. That reduces the cost of reading meters. Here’s McNabb’s white paper on the topic.

Adding computer technology throughout the infrastructure helps bring down costs. It’s easier for utilities to monitor usage on any given day and send bills more frequently. They can also detect water leaks more precisely, based on water usage patterns throughout the population. Water meters with wireless attachements can become sensors for the utility and two-way communications systems. Utilities can also resolve billing disputes better, provide more customer service, enforce water conservation, and identify illegal water connections.

Smart water meters are the new thing. The smart water meter market is expected to total $4.2 billion between 2010 and 2016, according to market researcher Pike Research. And Pike predicts that the worldwide installed base of smart water meters will increase from 5.2 million in 2009 to 31.8 million by 2016. The market researcher defines a smart meter as a component of a smart grid, with two-way communications between the meter and the water utility that allows the utility to get readings on an hourly (or more frequently) basis and issue commands to the meter. California in particular is racing ahead in deployment, and 25 manufacturers are making the smart meters now.

“It’s like an electronic cash register for the utility,” McNabb said. “But it could also be a tool for Big Brother,” a reference to the totalitarian figurehead of George Orwell’s novel, 1984.

The problem with the wireless water meters is that they are vulnerable because of the wireless medium they use. Communications are not encrypted (largely due to higher costs) and so they are easily intercepted, faked or even jammed. The sensors are unattended and hang on the meter, outside the house, and so they are easily tampered with. The cyber attacks against them can be active, where commands are issued to them, or passive, where the data is taken.

If people want to reduce their water bills, they could hack the sensors. They could also increase the bill paid by a neighbor they don’t like, or evade restrictions on the amount of water used. And since the usage of water indicates the presence or absence of the homeowner, the hacked water meters can be used for surveillance purposes.

Last year, Greek hacker Thanassis Giannetsos demonstrated how it was possible to introduce a worm to the smart electrical grid (similar to water grids) on a simulated network. Ioactive, a security penetration testing firm, also did something similar. But McNabb said that the concern about Big Brother is also a big one. He said that the water department’s staff could learn what time of day you take a shower, when you are at home, and when you’re on vacation.

“Are we being paranoid?” McNabb asked. “It’s already established that law enforcement is using electricity use and thermal imaging,” where the heat generated by indoor marijuana-growing farms has been measured.

McNabb also noted that the Hydrosense device created by researchers at the University of Washington in Seattle can be attached to water faucets to determine the usage coming out of a particular fixture in the home.

McNabb said his research showed that vendors don’t use frequency hopping spread spectrum (FHSS), which could stop eavesdropping on wireless signals, or encryption with their smart meters. One utility used a default password system which used a generic password on its web site (where users would log in and view their water usage) that was easily hacked. Transceivers for sending commands to the water meters can be purchased on eBay.

But some manufacturers are starting to build 128-bit encryption and spread spectrum security into their meters. McNabb, who was an elected water commission and managed a small water system for 13 years, described the vulnerabilities in some detail, including how to inexpensively “sniff” the wireless water meter readings, and has described them in a white paper. He said he will put it online in the near future.

Sniffing wireless water meters should’t be too difficult, he said, but there are some technical hurdles. Most U.S. meters broadcast in the 900 megahertz band of the wireless spectrum. That is the same frequency as cell phones, and there aren’t any off-the-shelf devices to sniff packets from them. Also, most of them scramble the signal by using spread spectrum, which sends out part of the message on one frequency, the next part on another, and so forth. However, other researchers have shown how to unscramble the spread spectrum code, so McNabb plans to build a device to sniff the 900 megahertz spread spectrum signals to show how it can be done and why it needs to be more secure.

Miller, a security consultant at Accuvant, said he tried to make a MacBook “smart battery” explode, since the project was all in fun and videos of exploding batteries are big draws on YouTube. But he hasn’t been able to make that happen yet. Had he done so, he could have had one of the most popular talks at Black Hat and caused considerable alarm among a variety of vendors and consumers. It’s also another lesson that shows that if you put the intelligence of computing into an otherwise dumb device, that new smart device will be subject to hacking, as has been proven over and over again.

“I set out to see if I could hack the firmware of a battery,” he said. “I couldn’t make it explode. I took over the battery. It was fun, and I did cool stuff.”

Miller had to go through a long process to figure out which chips were used in the battery — some controllers and circuit protection chips from Texas Instruments. He conducted experiments to find out how the chips operated, how they communicated between the operating system and the battery’s charger, and then compared them to online manuals and other published data. He found that Apple had left a default password unchanged that gave him entry into a chip so that he could manipulate the settings for the chip. (Apple can try to fix this problem in the future, but Miller figures it wouldn’t be hard to crack the 32-bit password). Apple has not yet responded to a request for comment.

Smart batteries such as those used in Apple’s MacBooks can be used to charge a battery more efficiently and report back to the operating system (and the user) the exact percentage charge remaining on the battery. The computer can thus talk to the firmware running on the chips within the battery. That firmware controls the charging process and safety parameters for the battery, which govern when to shut off charging to prevent overheating. Current, voltage and temperature can be calibrated.

Miller found it easy to change the settings on the batteries so that they were no longer recognized by the computer. This essentially “bricked” the batteries. He accidentally bricked his own machine a number of times. Once, he took a fried motherboard into an Apple store and they asked him what happened.

“I don’t know,” he told them, getting some laughs from the Black Hat crowd. “They should have a picture of me on the wall.”

Once he figured out how to break into the firmware, Miller then figured out how to change the settings of the battery and showed the code that proved that he did so. He is sharing his slides as well as atool that allows people to change the default passwords on their batteries. But that will only work so long as Apple makes no changes.

The dangers of hacking a battery remain theoretical so far. Coupled with a browser exploit, a malevolent hacker could send a virus or some other malware to a target. That virus could then deliver a payload such as sending commands to the battery to make it inoperable. That’s not as dangerous to a computer as wiping its hard disk, Miller said. But if someone could actually make a battery catch on fire from afar, that would be very dangerous.

Miller has no plans to undertake such hacking projects. But he continues with his battery research.

Two researchers told a crowd at the Black Hat security conference today that they had used web-based hacker tricks to compromise the security of the Chrome OS, which is the software that powers recently launched laptop-like Chromebooks from a variety of vendors. The hacks let the researchers get access to a user’s emails, Google Docs, contacts, and Google Voice messages. If Google doesn’t patch the variety of flaws found or if researchers uncover more, then hackers could have a field day accessing data on Chromebooks.

Matt Johanson and Kyle Osborn, two researchers at White Hat Security’s Threat Research Center, said in their talk that they spent months doing research on Chrome OS. They found a flaw in ScratchPad, a preinstalled extension to the Chrome OS that lets people take notes and save them to cloud-based Google Docs. On stage at Black Hat, the researchers showed both videos of the hacked documents and live demos as well.

“You basically grab and download someone’s contacts like this,” Osborn said, demonstrating the deed on a big screen.

In a statement, a Google spokesman said, “This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”

Google also recently published information about writing more secure extensions to the Chrome OS, and it explained why it thinks the Chrome OS is more secure.

With Chromebooks, no data is stored on the device and everything takes place in the cloud and is accessible via the Chrome web browser. By attacking browsers with known exploits such as cross-site scripting, cross-site requests, and “clickjacking,” hackers can get around the Chrome OS’s security protections. The researchers say they can do high-speed scans of intranets via the hack and can view active host Internet Protocol addresses (which let them figure out what websites you’re looking at). They also say they can take over a user’s Google account by stealing session cookies, which can contain user password data.

Chrome OS is not unique in having these types of vulnerabilities. Other OSes are also subject to similar attacks.

Google was informed of the vulnerabilities and addressed some of them, including the ScratchPad flaw, but the researchers said some of the underlying weaknesses remain.

The demonstration is a pointed reminder that the shift toward cloud computing is not a panacea for all security problems.

Sony

Users were angry that Sony took six days to inform them that their personal data had been stolen, but the exact nature of the credit card theft isn’t precisely known. I was among those 77 million PSN and Qriocity users who had my personal data stolen, and I received an apologetic email from Sony yesterday. The company clearly has a long way to go to earn back the trust of gamers, and it seems to be aware that communicating clearly and quickly has to be its priority right now.

Patrick Seybold, spokesman for Sony, said in an updated statement that the “entire credit card table was encrypted and we have no evidence that credit card data was taken.” The personal data, such as names and emails, was not encrypted. Sony said it cannot rule out the possibility that credit card information was taken. If it was, then the card number and date of issuance was likely taken, but not the credit card security number on the back of a card.

“First off, we want to again thank you for your patience,” Seybold said. “We know that the PlayStation Network and Qriocity outage has been frustrating for you. We know you are upset, and so we are taking steps to make our services safer and more secure than ever before. We sincerely regret any inconvenience or concern this outage has caused, and rest assured that we’re going to get the services back online as quickly as we can.”

Sony has hired a “recognized technology security firm” to conduct a full investigation of the “malicious attack” against the PSN. Sony said it won’t ask anyone for their credit card, social security or other personally identifiable information. Sony suggests users that users log on and change the password once the PSN service comes back, presumably within a week. Consumers can visit Sony’s support site for more notices.

Sony says it is adding several measures to improve the security of the PSN once it comes back online, including moving the company’s network infrastructure and data center to a new, more secure location.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

Sony said in a court filing that Hotz, known as GeoHot, lied about having a PlayStation Network account and destroyed his computer hard disks rather than hand them over to Sony’s lawyers. Hotz allegedly wrote code capable of circumventing the security protection on the PS 3 so it can run unauthorized software and pirated games.

[Update: Hotz's attorney, Stewart Kellar, told Threat Level and IGN that Hotz has not fled to South America and that the missing components have been provided to Sony.]

Hotz’s escape, if true, is a weird twist in a case that is being closely watched as a battle between a copyright owner and a freewheeling hacker. At stake is whether Sony can stop hackers and users from playing lots of pirated software or unauthorized software on machines that generate billions of dollars in revenue a year for Sony.

A federal magistrate had ordered Hotz a couple of weeks ago to turn over his PS 3 consoles, computers and other equipment, untouched, to Sony’s lawyers. But Sony said that Hotz allegedly erased key evidence that Sony planned to use against him. Sony accused Hotz of violating the Digital Millennium Copyright Act and the Computer Fraud Abuse Act by distributing his tools for “jailbreaking” the PS 3. Sony said it had found through its research that at least 13,300 unique internet addresses had downloaded the tools from Hotz’s web site in California alone. (Sony does not have access to each address, as is commonly thought; it only has the total number of them.)

In a filing today, Sony said that Hotz has thwarted its legal discovery at every turn and that “Hotz had deliberately removed integral components of his impounded hard drives prior to delivering them to a third party neutral and Hotz is now in South America.”

Sony said that, while Hotz declared under oath that he did not have a PSN account, Sony found that one of the PS 3s that Hotz had identified as his was used to created a PlayStation Network account — which gives users access to online gaming and other entertainment — on March 10, 2010 using an IP address located in Glen Rock, N.J., where Hotz lives. He used the nickname “blickmanic,” which was associated with postings on the internet related to jailbreaking cell phones. Hotz reportedly publicized his hacking software at psx-scene.com, a site for PlayStation hackers and gamers. The PSN information was critical because users who sign up for it agree to a user agreement that prohibits hacking the PS 3. Sony wants jurisdiction for the case established in California, while Hotz’s attorney is fighting that.

Beyond what Sony said, there isn’t yet independent confirmation that he has fled.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---