DTNS 2226 – Uh-OAuth

Logo by Mustafa Anabtawi thepolarcat.comDarren Kitchen is on the show to help us understand why we shouldn’t freak out about the OAuth flaw, and what Apple, Google and Facebook are really doing to protect their users from government data requests.

MP3

Multiple versions (ogg, video etc.) from Archive.org.

Please SUBSCRIBE HERE.

A special thanks to all our Patreon supporters–without you, none of this would be possible.

If you enjoy the show, please consider supporting the show here at the low, low cost of a nickel a day on Patreon. Thank you!

Big thanks to Dan Lueders for the music and Martin Bell for the opening theme!

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods, Kylde, TomGehrke and scottierowland on the subreddit

Show Notes

Today’s guest: Darren Kitchen, hak5.org

Headlines

Dear Users, the gubmint wants your stuff: Our top story on the subreddit was submitted by Beatmaster80 and tekkyn00b. Apple, Microsoft, Facebook and Google are all updating their policies to expand the notification they give users when a government agency requests their personal data. Yahoo announced a similar policy in July, and Twitter has always done so. Users would not be notified if a court order prevents it or if there is imminent risk of physical harm to a potential crime victim. The policies will have no effect on NSA data collection or National Security Letters both of which are required to remain secret by law.

Another day, another web security crisis: bmorales submitted a CNET story about Nanyang Technolohical University student Wang Jing uncovering a flaw in OAuth and OpenID that could be used to steal a login token from services like Facebook or Google, when using those services to login to a third party site. The token could then be used to retrieve data from Google or Facebook. Mashable’s Christina Warren has an excellent writeup of the issue. It’s not a weakness in OAuth at all, but caused by a weak implementation on the third-party website’s side, which could be mitigated by certain practices on the side of Facebook or Google. Also, the attack requires you to click a suspicious link AND choose to then login with a service. So no. This is not another Heartbleed.

Get me my files! The Next Web reports Microsoft’s Windows Phone manager, Joe Belfiore held a Reddit AMA today where he said Windows Phone will get a file manager by the end of the month, hopefully. The app will let you create new folders, move files from one folder to another, and search within folders.

Crowdsourced crime fighters: Ars Technica reports on a system called Large Emergency Event Digital Information Repository, meant to let citizens upload videos and photos to help police investigations and disaster response. Amazon Web Services has teamed with the Los Angeles Sheriff’s Department on the project. Santa Barbara, CA, authorities are the first to use the system and are calling on the public to upload images taken of a riot last month at the Isla Vista community near the University of California at Santa Barbara. Apps for LEEDIR are available for iOS and Android. 

Keyser Soze goes to war: The Verge reports the next “Call of Duty” game, “Advanced Warfare,” will launch on November 4th, and star Kevin Spacey as head of a private military corporation that has launched an attack on the U.S. The first trailer showed up on the official “Call of Duty” YouTube page late last night. 

iTunes Match, Asia style: MacRumors reports Apple is expanding its iTunes Match service to Japan. The service, which costs ¥3,980 per year, lets iTunes users match their library with cloud versions of the songs for quick storage, which can then be accessed from any Apple device.  

News From You

KAPT_Kipper posted a GigaOm story that a class action complaint has been filed against Google, alleging secret deals force Samsung and others to use the Google search engine on mobile devices, creating a search monopoly, which in turn makes devices cost more. The crux of the complaint is that Google offers Mobile Application Distribution Agreements, which require device makers to make Google the default search engine if they want to include Google’s other mobile apps like YouTube and the Google Play app store. Google told GigaOm by email “Anyone can use Android without Google and anyone can use Google without Android. 

metalfreak sent in the PC World story about the Attorney General for the US state of Washington filing a lawsuit against a company that raised $25,000 on Kickstarter but failed to deliver its product, a retro-horror playing-card deck called Asylum. The project funded in October 2012 and has yet to deliver any rewards. Kickstarter’s terms of use requires creators to fulfill all rewards of their projects or refund backers. The complaint, filed in King County Superior Court, seeks restitution for consumers and as much as $2,000 per violation of the state’s Consumer Protection Act.

Beatmaster80 pointed us to the Record story that Lila Tretikov has been named Executive Director of Wikimedia Foundation, the nonprofit organization that runs Wikipedia among other projects. Outgoing director Sue Gardner will end her term on June 1. Tretikov was previously chief product officer at SugarCRM. Tretikov’s personal background growing up in the Soviet Union and her experience with open-source engineering seem to be the main reasons she got the job.

KAPT_Kipper posted an ITWorld story that Sony has developed magnetic tape that stores data at 148 gigabits per square inch, 74 times the density of standard tapes. That could mean 185 TB tape cartridges. Current LTO-6 cartridges can handle up to 2.5 TB. Tape is still used for long-term data storage. The Tape Storage Council industry group reports tape capacity shipments grew by 13 percent in 2012 and were projected to grow by 26 percent last year.

Pootinky pointed to a a slashdot posting about a Vanderbilt University graduate student, working at Oak Ridge National Laboratory, who has discovered a way to create three-atom-thick nanowires capable of linking transistors and other components. It’s a step toward devices that could be as thin as paper.

Discussion Section Links:  New Security Flaw discovered

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

http://mashable.com/2014/05/02/oauth-openid-not-new-heartbleed

http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-08#section-4.1.5

http://www.washingtonpost.com/business/technology/apple-facebook-others-defy-authorities-increasingly-notify-users-of-secret-data-demands-after-snowden-revelations/2014/05/01/b41539c6-cfd1-11e3-b812-0c92213941f4_story.html?hpid=z1

Pick of the Day:  Dogeforsale.com via Luke Olsen

Looking to get into some Dogecoins before the DogeCar takes the track at Talladega this weekend. Not sure how to how to navigate crypto exchanges? Have no fear dogeforsale.com is here. Its a site where users can buy and sell Dogecoins with paypal, google wallet, debit cards, etc. The site is a basic escrow service, it holds the coins during the transaction. Get Dogecoins fast and securely. much speed very secure. DISCLAIMER: I’m a seller on the site “SkyJedi” 

Good cause of the day: Podcamp Nashville

PodCamp Nashville happening May 17 in Nashville, TN is one of the last and largest Podcamps in the country. They are in need of sponsors and patrons or will have to cut out major parts of the event or cancel. For as little at $100 you can become of friend of this event the has been so vital to the Nashville creative community. This Friday is a deadline that they need to make a $2500 payment for the event. If you or a company you many know would like to help out Podcamp Nashville please visit: http://bit.ly/pcn14friend

Len Peralta was on assignment today 🙁 So Jennie did some 8th grade-level fear-based art: What’s A Poor Normal To Do

Monday’s guest: Jon Strickland

2 thoughts on “DTNS 2226 – Uh-OAuth

  1. I’ve read a few articles about Apple buying LuxVue and everyone talks about better battery life for iPhones, but no one mentions the first thing that came to my mind: the mythical iWatch. And the LuxVue logo is round! This seems like an important clue. 🙂

  2. Thank you so much for the on air mention and in the show notes for PodCamp Nashville. It’s such a amazing event completely run by volunteers in the community. We came up a little short but was able to raise $1200 in 24 hours. We only had to cut half of what we planned. People still can become “Friends” or Sponsors of PodCamp Nashville.

    If you’re ever in Nashville, TN you’ve got a place to stay and tickets to the Country Music Hall of Fame and Museum. Just message me @mdave. I’ve also given a shout out to my network to watch and become a patreon! Thank you again!

Leave a Reply

%d bloggers like this: