Developages - Development and Technology Blog

If your New Year’s resolution is to spend less money, let us help. Check out Gearlog’s deals for Wednesday:

1. Quicken is taking $20 off of its line of personal finance CDs and downloads. Choose from the Deluxe package to help maximize your savings, Quicken Premiere to optimize your investments, Home and Business for personal and business in one, or Rental Property Manager for personal and rental property in one package. The discs range from $39.99 to $129.99.

2. Whoops, almost missed this one! Circuit City’s New Year’s Resolutions Event ends today, so hurry over to the site for a variety of deals. Save 15 percent off of select HDTVs, 25 percent off select games, 25 percent off digital cameras, and up to 50 percent off of computer accessories. Also, Netbooks, MP3s, fitness DVDs, and Wii Fit games and accessories are also on sale.

3. Good ‘ol Woot. Today’s deal brings us the Philips HTS6600/37B DVD Home Theater System (above) for $199.99. The system has a list price of $499.99, meaning you won’t find a better deal anywhere else.

Original post by Jennifer Bergen

For the podcaster-on-the-go, there’s always a need for a portable microphone to get through less-than-ideal situations. Clearly, Samson Technologies is lookin′ out, as the simply titled Go Mic provides all that and a bag of chips. The “pocket-sized″ USB microphone comes with a built-in mount for siting atop one’s laptop display and can be used to record audio in a variety of scenarios (Skype, lectures, etc.). It’s supposedly plug-and-play with both Macs and PCs, and it features a 20Hz to 18 kHz frequency response, selectable cardioid / omni directional polar recording pattern and a condenser transducer with pressure gradient. Speak up in one (available in black or white) right now for $49; full release is after the break.

Continue reading Samson introduces highly portable $49 USB Go Mic

Filed under: Peripherals, Portable Audio

Samson introduces highly portable $49 USB Go Mic originally appeared on Engadget on Thu, 18 Dec 2008 15:51:00 EST. Please see our terms for use of feeds.

Permalink | Email this | Comments

Original post by Darren Murph

A few days ago the FBI’s Internet Crimes Complaint Center (IC3) issued an unclear warning that says versions of Asterisk software are vulnerable to vhishing (voice phishing) attacks, but didn′t say which versions, but causing a flurry of news activity on VoIP news sites, tech sites, and blogs.

It all started with this warning from the IC3:

New Technique Utilizing Private Branch Exchange (PBX) Systems To Conduct Vishing Attacks

The FBI has received information concerning a new technique used to conduct vishing attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software.

My esteemed colleagues Rich Tehrani and Greg Galitzine did some research to find out what the story was, including contacting Digium’s John Todd.

Here′s Rich’s take:

Before commenting I waited to hear back from Digium’s John Todd who explained that there were some methodology and editorial process issues in this alert - basically no one checked with Digium before going public. As it turns out, after checking with Digium, the FBI quickly revised their statement and everything is fine.

The details are that there was a bug which Digium found in March of 2008 and subsequently patched in version 1.2 and 1.4. Version 1.6 is not affected. Besides, according to Todd, the security issue would arise if system administrators basically disregarded logical security measures like using numerals in passwords.

Read more…

Greg Galitzine also writes about the FBI’s warning about Asterisk in an article titled Digium Defends Asterisk Against Fed Warning: “Tempest in a Teapot”

In it, Greg writes:

Todd writes in a blog entry titled SIP Security and Asterisk:

That bug allowed in some cases unauthorized callers to make calls through an unprotected “context” in Asterisk. Due to the nature of the bug there was fairly limited exposure - it would have required a fairly unusual set of configurations to permit fraud, and there was both a simple config file change that would provide protection, as well as an actual patch to the code which we have every reason to believe has been widely implemented by the very proactive Open-Source community using Asterisk in production environments. The bug didn’t allow arbitrary setting of caller ID, and would only work in a limited set of circumstances that personally I think would be unusual, though possible.

Early on, Todd had a sense that this might just be a misunderstanding: Sorry for the fuss, and I suspect this is just a tempest in a teapot. Use good passwords, keep your packet filters up, and I’ll update things here as we hear more.

Digium’s John Todd wrote an excellent blog post describing what happened after he was able to contact the FBI in charge of the security warning. While there was indeed a security vulnerability in Asterisk, it was patched in 1.2 and 1.4 and doesn′t exist in 1.6. Thus, someone would have to be using a very old version of Asterisk. And as for the security vulnerability itself which seemed to enable vhishing attacks, John indicates that it was a relatively obscure exploit and “an administrator would have to consciously configure their system in what I believe to be an extremely unusual way in order to be victimized by this particular vulnerability.” So indeed in John’s own words, it seems to be a tempest in a teapot after all.

John Todd wrote:

As we had surmised, the warning from the IC3/FBI on Friday was just a re-hash of a bug that was fixed back in March of this year.  I was in touch with the agent in charge of this release this morning (after contact attempts on Friday failed) and he understood quickly that the wording was lacking in ways that created questions in the minds of readers, and this was being amplified by bloggers who more clearly outlined the set of questions raised by the advisory/release.  To his credit, the IC3 agent quickly pushed through a set of changes today to the posting which more specifically describes the issue, which indeed is the AST-2008-003 SIP guest permissions problem.

John Todd also wrote:

This bug was discovered and patched for 1.2 and 1.4 versions of the software, and 1.6 releases were not vulnerable.  Simple changes to site-specific configurations typically would be all that would be required even on systems that did not get patched or upgraded.  The bug that is described is relatively obscure, and was found by Jason Parker here at Digium.  We didn’t know of any “in the wild” exploits back then, though of course there may be some now.  I’m still somewhat surprised that anyone has been able to use this bug to the extent that they were able to mount “vishing” attacks.  While I won’t get into the details of configuration specifics, I would say that an administrator would have to consciously configure their system in what I believe to be an extremely unusual way in order to be victimized by this particular vulnerability.

John Todd complains about the “vagueness” of the warning but in an update after speaking to the IC3 agemt, John Todd says “To his credit, the IC3 agent quickly pushed through a set of changes today to the posting which more specifically describes the issue, which indeed is the AST-2008-003 SIP guest permissions problem.” (an old issue)

So my Asterisk-loving friends. If you are indeed running patcheϩ.2/1.4 Asterisk or v1.6 you have nothing to worry about. And if you aren’t running these versions, what the heck is wrong with you? And you call yourself an Asterisk fan. Per shame!

P.S. As Rich said, “I am sure by the time Asterisk World rolls around in a few months in Miami, we will all be laughing about this incident and marveling at the opportunity that is open source communications.”

Tags: Asterisk, digium, FBI, IC3, Internet Crimes Complaint Center, John Todd, security, vhishing

Related Entries
• Digium Headquarters Tour - Aug 26, 2008
  
• Skype for Asterisk Launches - Sep 25, 2008
  
• ITEXPO West 2008 a Resounding Success - Sep 18, 2008
  
• Packet8 675xi VoIP for the SMB - Jul 24, 2008
  
• Leslie Conway Joins Digium - Jul 11, 2008
  
• Awesome Adtran & Digium article - Jul 08, 2008
  
• Interview With Asterisk Founder, Mark Spencer - Jun 26, 2008
• Rev B of Astfin’s BRI (ISDN) Asterisk Appliance Arrives - Apr 29, 2008
• Podcast Interview with Digium CEO Danny Windham - Apr 17, 2008
• Hulk Smash Asterisk 1.6! - Apr 16, 2008

TrackBacks
| Comments | Tag with del.icio.us | VoIP & Gadgets Blog Home | Permalink: Digium Responds to FBI Vhishing Security Warning about Asterisk

Copyright VoIP & Gadgets Blog

Original post by nafiz

I’ve seen the Apple iPhone. You, T-Mobile’s G1 Android phone, are no iPhone.

Based upon an informal survey of about a dozen stores scattered about Sacramento, San Jose, and San Francisco in Northern California, the G1 doesn’t have the buzz of the iPhone. That said, however, stores reported some small lines and generally brisk sales, and salespeople were hopeful that foot traffic would pick up later today.

For some reason, however, T-Mobile seriously shorted Silicon Valley, at least where supplies of the G1 were concerned.

The G1 is the first phone to use the “Android” operating system developed by Google, which is paired with familiar G1 applications like Gmail, as well as the now-familiar apps store where users can download free and for-pay applications written by third-party developers.

It might be fair to say that, while the ˇ has attracted a bit less hype than the iPhone and the iPhone 3G, most of that attention has been focused on the Android operating system, and not the ˇ itself. If that’s true, than others feel the same way: the longest line any T-Mobile storefront reported to me was about ten, with several reporting no lines at all.

Meanwhile, the available stock on hand of G1 phones varied dramatically.

Two stores polled by Gearlog in San Jose, for example, reported twenty or so; a third store, we were told, received a supply of fifty. And, since T-Mobile opened its retail stores at 8 AM to meet the expected demand, the available phones had sold briskly by 8:30 or so. At the El Camino store in Cupertino, for example, the helpful salesman said that all the brown models were out of stock, and he only had five or six of the black models in stock.

An hour’s drive north in San Francisco, and the message was quite different. At the Market & 3rd store in San Francisco, store representatives reported “over 100″ phones in stock at the time that I called. And the store on Battery St., in the heart of the Financial District, never receives much foot traffic, a representative said, and that wasn’t expected to change today.

In Sacramento, by contrast, Gearlog polled three stores. Only one would divulge the number of phones, but that store said it had 128 phones in stock as of about 8:30 AM, “more than enough for the day,” according to a salesman.

Granted, some of the stores saw their stocks deplete because of preorders, which sold out. However, the limited supplies might also be a bid to generate a press release later today that claims that the G1 has already sold out at some stores. The message: buy now or lose out!

And what color is the most popular? That’s hard to say. At the two T-Mobile stores that are closest to Apple’s Cupertino campus, one had already sold out of the black model when I called; the other had no browns.

All in all, however, I think we can say that anyone trying to sell their pre-ordered G1 on eBay or on Craigslist for an obscene profit is going to take a bath.

Original post by Mark Hachman

Filed under: Laptops, Wireless

A new variant of Asus’ M50Vm-A1 laptop — the M50Vm-A1WM — just showed up on Newegg and Amazon. Soulcrushingly long (mostly) alphanumeric string aside, it’s a decent 15.4” machine for its $1,399 price point, with desktop replacement specs: Intel Core 2 Duo P8400, 4GB of RAM, a GeForce 9600M with a satisfying 1GB of dedicated graphics memory, and even a numpad. What’s new here is onboard WiMAX, which puts Asus on the post-XOHM launch bandwagon with Toshiba, Acer and other laptop manufacturers. This is good news for some lucky early adopters, but if you’re not in one of the testing locales, you might as well continue twiddling your thumbs.

[Via ComputerMonger]

Read | Permalink | Email this | Comments

Original post by Samuel Axon

Filed under: Cellphones

Welcome to Incrudo country, gentlemen. Out here, we grow chest hair as bushy as the tumbleweed, and we like our phones built thick. We’re not talkin′ no ordinary thick, either, no sir — give us 2 to 3mm of solid titanium casing here. We like our phones heavy, too; a half pound sounds about right. We didn′t get these burly muscles wrasslin′ cattle just to tote around a Samsung 𕫴, if you know what we′re saying. Make it look like a brick, because it’s built like a brick. Just like us, because we′re men. Incrudo men.

[Via Unwired View]

Read | Permalink | Email this | Comments

Original post by Chris Ziegler

Filed under: Cellphones

Not even two full months after Sagem fell into the obviously capable hands of Sofinnova, out pops the company’s return to the red carpet. Picking right up (numerically speaking, at least) where the P′9521 left off is the well-endowed P’9522, which was reportedly built with a little help from Porsche Design. The candybar features an aluminum chassis, 2.8-inch display, 5-megapixel camera, GPS, WiFi, fingerprint reader and a microSD card slot. Unfortunately, the fun and games end there, as there’s no 3G radio anywhere to be found; plus, you’ll be asked to lay down about €600 ($875) to acquire one when it ships next month. Loyalty has its price, we guess.

Read | Permalink | Email this | Comments

Original post by Darren Murph

Filed under: Laptops

HP has always been confident that the 2133 Mini-Note would sell quickly, to the point where the company planned to build some two million units this year, and it sounds like that bet’s paying off — China’s Apply Daily is citing sources at HP Taiwan quoting worldwide sales growing 50 percent monthly. That’s pretty good for one of the more expensive small laptops on the market — we’ll see if that rumored cheaper edition moves even more.

[Via Brighthand]

Read | Permalink | Email this | Comments

Original post by Nilay Patel

Filed under: Laptops

HP’s touting the DreamColor display in its new Centrino 2 / NVIDIA Quadro FX 3700-powered EliteBook 8730w as being one of the best displays on the market, and if the crew at Maximum PC is to be believed, the $400 option lives up to the hype. Other notable bits included the Durakey keyboard coating, which should protect against wear and tear for three years, and the semi-rugged chassis that can withstand short falls. Sadly, all these features bump the starting price from a reasonable $1,700 to over five large, but you get what you pay for, it seems — check out tons more pics at the read link.

Read | Permalink | Email this | Comments

Original post by Nilay Patel

Filed under: Laptops

So now that HP’s joined Dell in releasing information on which laptops have those defective NVIDIA GPUs, we can sort of piece together which chips are faulty — and just as had been rumored, it looks like basically every Geforce 8600M and 8400M chip is affected. That’s not good news for NVIDIA, which has been saying that only “previous-generation” chips were problematic — unless the chipmaker is planning on updating the hugely popular 8⻠ series sometime, say, now, that’s not exactly true, now is it? Other affected chips appear to be in the GeForce Go 7000 and 6000 lines, as well as the Quadro NVS 135M and the Quadro FX 360M, but that’s just looking at model numbers, and we can’t be exactly sure. We’d say that if you′ve got a machine with any one of these GPUs, it might be wise to call in and see what your laptop maker is going to do — and it would be smart for NVIDIA to come right out and say exactly how big and how bad this problem really is.

Read - Dell list of machines and patch
Read - HP list of machines, extended warranty info

Permalink | Email this | Comments

Original post by Nilay Patel

Filed under: Misc. Gadgets

Sure, it’s all well and cute to think of “cloud computing” as being a magical data-fairy, but storing and processing all your fancy new CalDAV-enabled Google Calendar entries and MobileMe emails costs money, kid — and that means it’s hard for researchers to accurately simulate and build cloud research projects, since they don’t have the resources to build large enough data centers. HP, Intel, and Yahoo are teaming up to alleviate that problem, though — the three behemoths are going to build six cloud-computer research data centers around the world, stocked with anywhere from 1,000 to 4,000 nodes each, with the goal of bringing them online later this year for pre-selected researchers to work on scaling, security, management, and new applications for the cloud. Three of the data centers will be hosted at HP, Intel, and Yahoo, and the other three will be at the the University of Illinois, the Infocomm Development Authority of Singapore, and the Steinbuch Centre for Computing in Germany.

Read | Permalink | Email this | Comments

Original post by Nilay Patel

Filed under: Desktops, Laptops

Just weeks after “reinventing” Voodoo with the Envy 133 laptop and Omen gaming desktop, it looks like HP’s had enough — it’s decided to straight-up merge the specialty PC shop with its core consumer business, and sell its products alongside the Compaq Presario and HP Pavilion lines. Yeah, that’ll make Voodoo seem totally hardcore. For it’s part, HP says it’s always been planning on this kind of merger, and that the move will make Voodoo product easier to buy worldwide and faster to get with no change in service for existing customers, but it’s also oddly ambiguous on whether the Voodoo name will live on — saying only that it’s “likely,” but that a decision hasn’t been reached. All this means that it’s even weirder that HP has both the Voodoo and Blackbird gaming lines, of course — any bets on which one gets axed first?

Read - PC World article
Read - HP CTO Raul Sood’s blog entry on the merger

Permalink | Email this | Comments

Original post by Nilay Patel

Filed under: Wearables

Good thing Halloween is months away. You’ll need that time to hone your sewing skills in the noble quest to create a Daft Punk suit of your very own. Instructables has everything you need (except the electroluminescent wire, soldering iron, heat gun, and pleather tracksuit) to build an EL suit worthy of electronic celebration. Best of all, your tutor for the course is none other than the suits’ creator for the duo’s 2007 tour. Now get moving humans, it’s time to let the robots rock the party.

[Via Hack n Mod]

Read | Permalink | Email this | Comments

Original post by Thomas Ricker

Filed under: Wearables

Good thing Halloween is months away. You’ll need that time to hone your sewing skills in the noble quest to create a Daft Punk suit of your very own. Instructables has everything you need (except the electroluminescent wire, soldering iron, heat gun, and pleather tracksuit) to build an EL suit worthy of electronic celebration. Best of all, your tutor for the course is none other than the suits’ creator for the duo’s 2007 tour. Now get moving humans, it’s time to let the robots rock the party.

[Via Hack n Mod]

Read | Permalink | Email this | Comments

Original post by Thomas Ricker

Filed under: Cellphones

We briefly mentioned using junk data to overwrite the the iPhone’s flash as a last-ditch method of securely clearing off your user data yesterday, and although we were half-joking, that’s pretty much your only option until Apple provides a proper secure erase feature. Security researcher Rich Mogull has helpfully laid out the steps for you, and they’re pretty much what you′d expect: restore your iPhone, don’t sync any personal data to it, and then manually transfer three different playlists large enough to fill the flash. Essentially you′re doing a manual three-pass overwrite, which is pretty much exactly the long and tedious process it sounds like — but we wouldn’t dream of selling or giving away our iPhones (or any other phone with personal data on it) without struggling through it.

[Via Hack A Day]

Read&nbsp|&nbspPermalink | Email this | Comments

Original post by Nilay Patel