Skin printer and bee probe win award

Written By Unknown on Saturday, 20 September 2014 | 23.52

17 September 2014 Last updated at 23:10 By Leo Kelion Technology desk editor

A sun-powered cooker, a printer that 3D prints "skin", a wheelchair that lets disabled people stand upright and a bee prober are among the latest winners of the James Dyson Awards.

The inventions are among those picked to represent various nations in the engineering prize.

Their makers were challenged to "design something that solves a problem".

More than 600 entries from 18 countries were entered into this year's competition.

It was open to university level students and recent graduates.

The contest is run by the James Dyson Foundation, a charity created by the vacuum cleaner creator to help young people develop engineering skills.

In an age when crowdfunding sites, such as Kickstarter and Indiegogo, exist to champion inventions that have yet to go on the market, such competitions still serve a valuable purpose, said one expert.

"The James Dyson Award provides a platform to showcase some of the very best new innovations in science, engineering and technology," Dr William Webb, deputy president of the Institution of Engineering and Technology, told the BBC.

"Whilst some of the entries might not make it beyond the prototype stage, the award provides a crucial role in encouraging new engineering talent, which the UK and other countries around the world so desperately need."

Below is a selection of the winners, which along with some of the runners-up will compete for a cash prize to be announced on 6 November.

Bump Mark (UK):
Bumpy labels

WATCH: Solveiga Pakstaite shows off Bump Mark to BBC's Spencer Kelly

Food labels filled with gelatine become bumpy to signal if the food inside has spoiled.

Current expiration dates are not always accurate - for example they do not take account of the fact that the meat, juice or vegetables inside might not have been refrigerated properly.

Bump Mark tackles the problem by allowing the producer to set the gelatine to decay at the same rate as the package's contents - the higher the concentration, the longer it takes to turn from a solid into a liquid.

Once the gelatine has changed state, bumps built into the plastic underneath can be felt, providing a tactile safety check.

Mima (Germany):

Kit to inspect a beehive without having to open it up.

The measuring instrument is inserted into the hive, and then a pneumatic system allows the apiarist to select a single bee, which can be examined in isolation at length.

The idea is that this minimises disruption to the hive's climate, reducing the risk that the other insects will stop work.

The creators suggest Mima could be used to understand the increase in bee colony collapses.

PrintAlive BioPrinter (Canada):

A device to 3D print complex structures that mimic the epidermal and dermal layers of human skin.

These can be used to close the wounds of severe burn victims in order to help them recover.

The machine works by placing two types of human cell - keratinocytes and fibroblasts - layer-by-layer into a hydrogel to create the desired patterns.

The designers say early tests suggest that the resulting 3D-printed "skin" can be used to reduce the amount of time doctors need to wait before attempting to graft on real skin taken from a different part of the victim's body.

Miito (Netherlands):

A device that heats liquid in a glass or other container, helping reduce wastage and cleaning.

The product consists of an induction base that plugs into the mains, which heats a rod placed inside the vessel.

Miito does not have an on/off button - instead it powers down when the base detects that the rod is not present or that the liquid has boiled.

Caturix (Switzerland):

A new fastening mechanism for backpacks that is designed to be safer than existing alternatives for mountaineers.

The system places the straps of the bag into a cross, with a buckle at the centre that can be split to allow the bag to be taken off with just one hand.

The idea is to minimise the risk involved in unpacking food, drink and emergency equipment when the climber is at a precarious spot.

Solari (Italy):

Offering an alternative to barbeque and camping stoves, Solari promises to be an eco-friendly way to cook food outdoors.

The portable device is designed to use solar power to heat meals for between four to six people within a few hours.

It works by letting in light through its transparent lid, which then passes through a lens that directs it around an aluminium shell.

The design also incorporates a temperature gauge that transmits information about the food's progress to a smartphone app.

Qolo (Japan):

A vehicle for people with disabled lower limbs that allows them to move while both sitting down and standing up, and to move between the two positions.

Rather than rely on expensive and heavy motors, the machine uses the person's upper body motion to transfer them from one position to the other.

Qolo also uses a similar mechanism to help them move location: by tilting their upper-body forward they start travelling forward, and if they twist to one side the chair turns that way.

TipTapTop (France):

A tap gadget designed to encourage children to wash their hands, which also saves water in the process.

TipTapTop contains an infrared sensor that starts the water flow when it detects a hand underneath and also triggers a "jolly" music jingle.

When the child removes their hands to add soap, the water stops but the music continues playing to remind them they need to follow up the initial rinse.

Only after they have returned their hands, wiped off the soap and removed them again to dry their skin will the music and water switch off, ending the cycle.

Oralux (Austria):

A device that combines a doctor's tongue stick with a light source.

The light is automatically switched on by attaching a disposable, sterile stick to the handle, and is deactivated when the stick is subsequently discarded.

The idea is that Oralux frees up one of the doctor's hands and allows them to avoid touching the stick while it is in use.

Uplift (US):

A personal shopping trolley that can be collapsed and loaded into a car's boot without having to remove the goods carried inside.

Uplift's aluminium frame helps it remain lightweight, while its bright silicone handles both protect the kit and make the owner more visible.

The designer says it would be targeted at aging adults.

Vax ID (Belgium):

A device intended to make it easier to administer vaccinations to a specific layer of skin.

The designers say medical staff often struggle to find the right depth and angle when using existing syringes to carry out intradermal vaccinations, which are less painful and can obtain an improved immune response when compared to intramuscular or subcutaneous injections.

After Vax ID's plunger is used to deliver a dose of antigens, the needle returns to the body of the device and cannot be reused.

This reduces the risk of needlestick injuries to staff, and prevents medics transmitting diseases from one patient to another.

Remora (Spain):

A biodegradable fishing net system.

An additive added to the net causes it to start breaking apart after four years, to address the problem of abandoned "ghost nets" that pose a threat to the marine environment.

Remora also incorporates RFID (radio-frequency identification) tags. These are scanned when the net is retrieved so that the fishermen can get an instant report from an associated app about whether parts have ripped off.

This tells them if they need to search the surrounding sea to find the lost parts.

Home Hydroponic System (Russia):

Five levels of LED-lit, water-and-nutrient-fed containers that provide a way to grow vegetables and fruits in the home or at schools.

The wires and hoses are hidden inside the apparatus, which is intended to be visually pleasing so that it can be left out in view.

The owner can opt to combine different parts of the Home Hydroponic System to suit how much space they have and the amount of produce they want to grow.

The designers suggest that tomatoes, peppers, strawberries and herbs are some of the fresh produce that could be grown up to three times faster than in soil outdoors.

Nutria (Ireland):

A system to connect a feeding tube to a patient's face without using tape, which can become an irritant.

Nutria also makes use of a terahertz radiation microchip to display the exact position of the tube inside the person's body on a smartphone app.

If the nurse or doctor who fits the patient with the apparatus takes a scan each time, software can then be used to highlight if any of the medics commonly fit the tube incorrectly.


23.52 | 0 comments | Read More

US military contractors hit by hacks

18 September 2014 Last updated at 13:54

Hackers associated with the Chinese government broke into the computers of airlines and military contractors over 20 times in a single year, according to the US Senate.

The attacks were allegedly targeted at systems that move troops and equipment.

They included breaking into computers on a commercial ship and uploading malicious software on to an airline's computers, the Senate report alleged.

Chinese officials denied the allegations.

A year-long investigation was concluded in March, but the findings have only just been made public.

In a 12-month period from June 2012, it found evidence of about 50 cyber-attacks on military contractors.

Of those, 20 were attributed to "an advanced persistent threat", a term associated with attacks on governments. All were attributed to China.

The report did not disclose the names of the affected contractors.

"These peacetime intrusions into the networks of key defence contractors are more evidence of China's aggressive actions in cyberspace," senator Carl Levin, chairman of the committee, said.

Chinese embassy officials in Washington questioned the report, calling the accusations "groundless".

The row between China and the US over cyber-attacks has been a long-running one.

The Chinese government has previously accused US spies of infiltrating its computer networks.

In May the US government accused five Chinese military members of hacking into and stealing trade secrets from the computers of several large US companies.

Clearinghouse

The latest report revealed that officials had only been told about two of these incidents. It also found that US government agencies had failed to share the information about the attacks among themselves.

This lack of transparency from contractors has raised questions and prompted calls for new procedures about how such hacks are reported.

Senator Jim Inhofe, who sits on the committee, called for a central clearinghouse to make it easier for contractors to report suspicious cyber-activity.

According to the report, contractors are only required to report network-level cyber-intrusions.

Paul Dignan, from security firm F5 Networks, said: "A lot of attacks target end-users with malware so that they can piggyback on legitimate access to the network.

"Firms use lots of security vendors but there are also lots of gaps and, without adequate integration, it is these gaps that will be exploited."



eBay attack puts its buyers at risk

17 September 2014 Last updated at 15:32 By Leo Kelion Technology desk editor

EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials.

The spoof site had been set up to look like the online marketplace's welcome page.

The US firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later.

One security expert said he was surprised by the length of time taken.

"EBay is a large company and it should have a 24/7 response team to deal with this - and this case is unambiguously bad," said Dr Steven Murdoch from University College London's Information Security Research Group.

The security researcher was able to analyse the listing involved before eBay removed it.

He said that the technique used was known as a cross-site scripting (XSS) attack.

It involved the attackers placing malicious JavaScript code within product listing pages. This code in turn automatically redirected affected users through a series of other websites, so that they ended up at the page asking for their eBay log-in and password.

Users only had to click the original listing to have their browser hijacked.

"The websites the user is being redirected to are almost certainly compromised by the attacker to hide his or her traces," Dr Murdoch explained.

He added that the fake page the users were ultimately delivered to contained code that had the potential to carry out further malicious actions.

"EBay is pretty competent, but obviously it has been caught out here," he said.

"Cross-site scripting is well within the top 10 vulnerabilities that website owners should be concerned about."

A spokesman for eBay played down the scope of the attack.

"This report relates only to a 'single item listing' on eBay.co.uk whereby the user has included a link which redirects users away from the listing page," he said.

"We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links."

However, the BBC identified that a total of three listings had been posted by the same account involved.

At least two of them produced the same redirect behaviour. The third was removed by eBay, along with the other two, before it could be checked.

Delayed reaction

The issue was originally identified by Paul Kerr, an IT worker from Alloa in Clackmannanshire who is also an "eBay PowerSeller".

He called the firm shortly after he had clicked on a listing for an iPhone and been redirected.

"The advert had been up for 35 minutes," he told the BBC.

"When I spoke to the lassie on the phone, she said: 'I'm going to report that to the highest level of security to get it looked into.' And she did emphasise that.

"They should have nailed that straight away, and they didn't."

Mr Kerr identified the problem because the web address of the page he was sent to was unusual. He screen-grabbed a video of the attack, which he uploaded to YouTube as evidence.

He added that other less tech-aware users might not have realised the danger they were in.

"It's guaranteed - you can bet your bottom dollar that somebody's going to click on that and be redirected to a third-party site and they're going to enter their details and be compromised," he said.

"You don't know how many of the hundreds of thousands of people who use eBay will have done that."

This is not the first technical setback eBay has suffered in recent months.

The site has experienced several periods when members have been unable to sign into their accounts and have received incorrect password alerts.

In May, the firm made users change their passwords after revealing that a database containing encrypted passwords and other non-financial data had been compromised.

In addition, it announced in July that 1,600 accounts on its StubHub ticket resale site had been broken into, resulting in a scam that defrauded the service of about $1m (£600,000).



'Artificial eye' to detect particles

19 September 2014 Last updated at 01:12 By Melissa Hogenboom Science reporter, BBC Radio Science

The human eye has inspired physicists to create a processor that can analyse sub-atomic particle collisions 400 times faster than currently possible.

In these collisions, protons - ordinary matter - are smashed together at close to light speeds.

These powerful smash-ups could yield new particles and help scientists understand matter's mirror, antimatter.

The experimental processor could speed up the analysis of data from the collisions.

Published on the pre-print server arXiv, the algorithm has been proposed for possible use in Large Hadron Collider (LHC) experiments at Cern in 2020. It could also be useful in any field where fast, efficient pattern recognition capabilities are needed.

The processor works in a similar way to the retina's incredible ability to recognise patterns extremely quickly.

Snapshots in time

That is, individual neurons in our retinas are specialised to respond to particular shapes or orientations, which they do automatically before our brain is even consciously aware of what we are processing.

Cern physicist Diego Tonelli, one of the team of collaborators on the work, explained that the "artificial retina" detects a snapshot of the trajectory of each collision which is then immediately analysed.

These snapshots are then mapped into an algorithm that can run on a computer, automatically scanning and analysing the charged particle trajectories, or tracks. Exposing the detector to future collisions will then allow teams to sift out the interesting events.

Data crunching

Speed is of the essence here. There are roughly 40 million collisions per second and each can result in hundreds of charged particles.

The scientists then have to plough through an incredible amount of data. It's spotting the deviations from the norm that may give hints of new physics.

An algorithm like this could therefore provide a useful way of crunching through this vast amount of data, in real time.

"It's 400 times faster than anything existing or foreseen for high energy physics applications. If implemented in a real experiment it will allow us to collect more interesting data more quickly," Dr Tonelli told the BBC.

Flavour physics

The LHC has been switched off since February 2013 but is due to begin its hunt for new physics in 2015 when the giant machine will once again begin smashing together protons.

As this happens, they break down and free up huge amounts of energy that form many neutral and charged particles. It's the trajectories of the charged ones that can be observed.

The new algorithm is not aimed at the type of physics used to find the famous Higgs boson, instead it's intended to be used for "flavour physics" which deals with the interaction of the basic components of matter, the quarks.

Commenting on the work, Tara Shears, a Cern particle physicist from the University of Liverpool, said it could be extremely useful to automatically "give us most information about what we want to study - Higgs, dark matter, antimatter and so on. The artificial retina algorithm looks like it does this brilliantly".

"When our detectors take these snapshots of the collisions - to us that's like the picture that your eye sees and when your brain is scanning that picture and making sense of it, well we try and codify those rules into an algorithm that we run on computers that do the job for us automatically," Prof Shears told the BBC's Inside Science programme.

"When the LHC continues... we will start to operate with a more intense beam of protons getting a much higher data rate, and then this problem of sifting out what you really want to study becomes really really pressing," she added.

"This artificial retinal algorithm is one of the latest steps in our mission to [understand the Universe], and it's really good, it does the job vast banks of computers normally do."

The algorithm has been developed with the 2020 upgrade of the LHC in mind, which will have even more powerful collisions.


  • The LHC Beauty (LHCb) detector is designed to answer a specific question: where did all the antimatter go?
  • Antimatter is a mirror image of the matter that makes up the world we are familiar with. "Normal" matter consists of particles, while antimatter is made up of antiparticles, identical in mass but with opposite electric charge
  • The theory goes that equal amounts were forged during the intense heat of the Big Bang but today we find no evidence of, for example, antimatter galaxies or stars
  • LHCb investigates the slight differences between matter and antimatter by studying a type of particle called the "beauty (b) quarks"
  • 'b' and 'anti-b' quarks are unstable and short-lived, they rapidly decay into a range of other particles. Physicists believe that by comparing these decays, they may be able to gain useful clues as to why the Universe is dominated by matter rather than antimatter
  • To do this LHCb produces many different types of quark when the particle beams collide
  • In order to catch the beauty quarks, LHCb has developed sophisticated movable tracking detectors close to the path of the beams circling in the Large Hadron Collider


Users frustrated by Apple iOS update

18 September 2014 Last updated at 16:27

Apple iPhone and iPad users have taken to social media to express their frustration over installing the company's latest software update.

Many have resorted to deleting photos, videos and other files in order to free up space for the new version of Apple's mobile operating system, iOS8, which requires up to 5.8GB of storage.

Apple has also removed apps for its new health software because of a bug.

One expert said Apple's updates were often prone to "teething problems".

Some vexed Apple users took to Twitter to express their annoyance, at one point causing the subject to be trending above the Scottish referendum.

David Roberts tweeted: "This update would be great... If you didn't have to delete half of the stuff on your phone just to install it."

Daniel Zennon took a more humorous approach, tweeting: "So Apple put the #U2 album on everybody's phone and then tell them they don't have enough space for the #iOS8 upgrade".

This is not the first time Apple users have had trouble with iOS updates.

In 2012, the iOS6 update caused some users to lose their apps, and others lost photos and messages when updating to iOS7 last year.

As well as requiring a lot of storage, the latest version, iOS8, does not include apps that run with Apple's new HealthKit service, which is designed to work with third-party wearable health devices.

The software was originally scheduled for release in iOS8, but has been pulled while Apple works on fixing a bug.

David Price, online editor at Macworld UK, told the BBC the issues were not "really a surprise".

"There's always a rush on the servers on launch day, some delays, and usually some teething problems," he said.

"That's why we always recommend that people wait a day or two before updating."

Apple users can avoid the need to free up storage space for the latest update by upgrading their software via iTunes on a Mac or PC, instead of through the phone or tablet itself.

Additionally, much of the free space required by the update is made available again once the installation process has completed.

Privacy pledge

In a separate development, Apple has taken steps to reassure users that it takes privacy seriously, by vowing that it would not hand over data to government authorities.

In an open letter, the firm's chief executive, Tim Cook, underlined that Apple's philosophy was "great customer experience shouldn't come at the expense of your privacy".

The message came as Apple's iCloud storage service continued to come under intense scrutiny following the leaks of private pictures belonging to celebrities such as Jennifer Lawrence.

"I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services," said Tim Cook.

"We have also never allowed access to our servers. And we never will."

The firm also emphasised that protected data stored on devices running iOS8 cannot be handed over to law enforcement agencies, as Apple does not have the option of overriding a user's own passcode.



Microsoft cuts more than 2,000 jobs

18 September 2014 Last updated at 20:52

Microsoft has confirmed another 2,100 redundancies as part of a plan to cut 18,000 jobs, some 14% of its workforce.

The software giant said 747 jobs will go in the Seattle area, with the rest spread across its global operations.

Microsoft had already cut 13,000 jobs, with the bulk at the Nokia phone division bought by the US company.

In July, chief executive Satya Nadella announced radical plans to move Microsoft away from software to online services, apps and devices.

Microsoft, which has about 127,000 people on its payroll, will take a charge of between $1.1bn (£672m) and $1.6bn for costs related to the cuts.

Microsoft said in a statement that the latest cuts "are spread across many different business units, and many different countries".

In an email to staff in July, Mr Nadella said that the "difficult but necessary" cuts are part of a plan to bring a new direction to the technology company.

"The first step to building the right organisation for our ambitions is to realign our workforce," he said.

Microsoft completed its takeover of Nokia's phone division in April in a move that strengthened its position in mobile devices. The cost was around $7.5bn.



Oracle boss Larry Ellison steps down

19 September 2014 Last updated at 00:14

Oracle boss Larry Ellison is stepping aside as chief executive after 37 years at the helm of the software giant.

Mr Ellison, estimated to be the world's fifth wealthiest man, becomes chairman and chief technology officer, remaining an influential presence at the company.

Mark Hurd and Safra Catz have been named as successors, and become co-chief executives.

Mr Ellison, 70, co-founded what would become Oracle with Bob Miner and Ed Oates in 1977.

In a statement, Oracle board president Michael Boskin said: "Larry has made it very clear that he wants to keep working full time and focus his energy on product engineering, technology development and strategy.

"Safra and Mark are exceptional executives who have repeatedly demonstrated their ability to lead, manage and grow the company. The directors are thrilled that the best senior executive team in the industry will continue to move the company forward into a bright future."

Ms Catz will run the manufacturing, legal and finance operations at Oracle, while Mr Hurd will be in charge of the sales, service and business units.

The software and hardware engineering teams will continue to report to Mr Ellison.

Fortune

"The three of us have been working well together for the last several years, and we plan to continue working together for the foreseeable future," said Mr Ellison.

The shake-up comes at a critical time for Oracle, which is trying to adapt to technological upheaval in the business software market.

Many corporate customers are shifting to cloud computing instead of paying licensing fees to install programs on machines kept in their own offices.

FBR Capital Markets analyst Daniel Ives said: "While there was some speculation Larry could step down, the timing is a bit of a head scratcher in our opinion."

Forbes magazine has put Mr Ellison's fortune at $51.3bn, with much of it tied up in Oracle, where he owns about 25% of the company. He co-founded the firm with $1,200 of his own money.

A close friend of the late Apple co-founder Steve Jobs, Mr Ellison's antics away from Oracle kept him in the news. This included his personal financing of the winning team in last year's dramatic America's Cup yacht race in San Francisco.



3D printer telescope snaps moon pics

19 September 2014 Last updated at 09:21

A university has shown the first photographs taken by a £100 telescope built from parts made by a 3D printer.

The University of Sheffield researchers behind the project claim the image quality from the PiKon telescope compares to models costing 10 times as much.

Plans are available online allowing anyone to download and print the components needed to build the device.

The telescope's images were unveiled as part of a science festival in the city.

It captured numerous pictures of the moon's surface during its first use.

One of the PiKon's developers, physicist Mark Wrigley, said he hoped the new telescope would be a "game changer".

'Democratising technology'

"We hope that one day this will be seen on a par with the famous Dobsonian 'pavement' telescopes, which allowed hobbyists to see into the night skies for the first time," he said.

"This is all about democratising technology, making it cheap and readily available to the general public."

At the heart of the telescope is the camera module of a Raspberry Pi, the cheap, barebones, British built computer.

Based on Isaac Newton's reflecting telescope design, a concave mirror focuses an image directly onto the Pi camera sensor, which is mounted onto components created by 3D printing.

Other parts such as the lens and the mirror can be bought from online suppliers.

Because of the small size of the Raspberry Pi camera, it is possible to mount it directly in front of the mirror.

The PiKon telescope has a magnification of times 160, which means that on a cloudless night it will allow detailed views of the moon's surface, as well as galaxies, star clusters and some planets.

Mr Wrigley said that the designers would use public feedback to improve the telescope and develop new products.

Other events in the university's Festival of the Mind include a live musical performance by 150 musicians of Gustav Holst's symphony The Planets in a pop-up planetarium and an interactive video game art gallery.



Google, Apple to encrypt by default

19 September 2014 Last updated at 12:55 By Joe Miller Technology Reporter

Google has announced that its next mobile operating system, Android L, will encrypt users' data by default.

The measure will make it more difficult for private information to be hacked or handed to law enforcement agencies.

On Thursday, Apple said that devices running its new iOS8 software would be encrypted by default, with even the company itself unable to gain access.

Both firms have offered encryption for some time, but many users were unaware of its existence or had not enabled it.

Earlier this week, Apple's boss Tim Cook posted an online message assuring users the company's philosophy was that a "great customer experience shouldn't come at the expense of your privacy".

Swipe

As well as announcing default encryption for all devices running the new iOS8 software, Mr Cook took a thinly veiled swipe at Google, saying that Apple would not use its customers' information to sell things to them.

"We don't 'monetise' the information you store on your iPhone or in iCloud," he wrote, "and we don't read your email or your messages to get information to market to you."

He added that although Apple does have an advertising business, called iAd, the function can be disabled by users.

Shortly after, Google announced its stance on privacy, also embracing default encryption. A spokesman said: "For over three years, Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement.

"As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on."

Both Apple and Google follow in the footsteps of the now somewhat beleaguered Blackberry, which has encrypted data by default for some time.

The firms' focus on privacy comes after nude photos of celebrities were leaked online earlier this month.

The breach, which affected actress Jennifer Lawrence, among others, was linked by some security experts to vulnerabilities in Apple's iCloud storage service.

Law enforcement

The introduction of default encryption also protects US firms from having to hand over data to law enforcement agencies.

As the companies themselves do not have access to users' passwords, which unlock the encryption, they are not actually in possession of the data concerned.

Several of the largest US tech firms have been fighting government requests for their users' private data, including Microsoft, Google, Twitter, Facebook and Dropbox.

David Emm, a senior researcher at security firm Kaspersky Lab, told the BBC that automatic encryption was "probably more about privacy than about protection".

"Customers will find some reassurance in the fact that their data can't routinely fall into third-party hands," he said.

However, he added that the measure only "applies to stuff on an [Apple or Android] device, but not necessarily to stuff you put in the cloud, which could still be accessible to law enforcement agencies".



eBay flaw has existed for months

19 September 2014 Last updated at 15:38 By Dave Lee Technology reporter, BBC News

A flaw that has exposed eBay customers to malicious websites has been affecting the site since at least February, the BBC has found.

Earlier this week it was revealed how clicking on some listings automatically redirected users to the harmful sites.

EBay removed several posts, but said it was an isolated incident.

But the BBC has since found multiple listings, from multiple users, exploiting the same vulnerability.

Furthermore, several readers contacted the BBC detailing complaints they had made to the site.

In a statement, eBay said it had a dedicated team working on security, but that criminals "intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems".

'Big problem'

A transcript from February this year showed user Paul Castle explaining the issue, in detail, to eBay support staff.

"I was just browsing in Digital Cameras and came across a password-harvesting scam," wrote Mr Castle during the online chat with eBay support staff.

Clicking on the listing link, Mr Castle explained, "transfers immediately to a password harvest scam page".

"This is potentially a big security problem for eBay users," he said, adding: "There could be hundreds."

EBay staff told Mr Castle that the problem had been escalated to "higher authorities".

Other users got in touch with the BBC to outline how they too had found listings that, when clicked on, behaved in the same way.

'Abusive ways'

EBay's search function allows users to find only completed auctions that are no more than 15 days old.

However, a brief search by the BBC uncovered 64 listings from the past 15 days that posed a danger to users.

In each case, it appears cross-site scripting (XSS) has been used to hijack the user's browsing, with the malicious code placed in the listings page using JavaScript.

In a statement on Friday, a spokeswoman for eBay said: "This is not a new type of vulnerability on sites such as eBay.

"This is related to the fact that we allow sellers to use active content like JavaScript and Flash on our site.

"Many of our sellers use active content like JavaScript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways."

She added: "Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."

'A bad thing'

EBay has been criticised by security experts for not responding to the vulnerability quickly enough.

While some listings were removed after being reported, the underlying issue has yet to be fixed.

Ilia Kolochenko, XSS expert and chief executive of security firm High-Tech Bridge, said it was difficult for "large complicated sites to be completely free of XSS vulnerabilities".

But he said that once a particular XSS exploit was being used for malicious purposes - as demonstrated by the redirects to harmful websites - companies must act quickly to not just remove offending content, but to prevent the flaw being exploited again.

He said: "If someone has reported an issue to eBay, and the vulnerability was not fixed promptly, this is a bad thing."

Dr Steven Murdoch, from University College London's Information Security Research Group, agreed.

He told the BBC: "EBay should as a matter of priority have looked for all the other links which exploited the same vulnerability and removed these too, as well as closing off the vulnerability from future attackers.

"It's clear they need to be more careful about what they allow - particularly when it comes to JavaScript."


