hacked
Latest
SparkFun intros IOIO for Android, a hack-free breakout box to get your mind spinning
Meet any seasoned techie, and they'll likely spin whimsical tales of computing's early days, and the challenge of finding a practical use for a device with seemingly limitless potential (you know, like feeding your cat while you sleep). A new product from SparkFun promises to bring this old-school awesomeness into the smartphone age: introducing IOIO (pronounced yo-yo), a breakout box that enables any Android 1.5+ device to control electronic circuits from within Android's applications. Designed in collaboration with Google, Spark's PCB connects to your phone over USB, working its magic through a Java library that hooks into your apps. This DIY paradise will begin shipping in a few weeks, and can be yours for $49.95 on pre-order. We've already witnessed some clever mods with IOIO, and when it sent a real alarm clock ringing, we couldn't help but smile. Crack one yourself after the break.
Epsilon breach exposes TiVo, Best Buy email addresses, spambots stir into action
If you're subscribed to any of TiVo's email-based communiqués, now would be a good time to make sure your spam filters are up to scratch. Epsilon, TiVo's email service provider, has reported the discovery of a security breach that has compromised the privacy of some customers' names and / or email addresses. A rigorous investigation has concluded that no other personal data was exposed, however it's not just TiVo that's affected -- other big names, such as JPMorgan Chase, Citi, US Bank, Kroger, and Walgreens have also seen their users' deets dished out to the unidentified intruder. As we say, no credit card numbers or any other truly sensitive data has escaped, so the only thing you really have to fear is fear itself... and an onslaught of spam. Update: Best Buy and the US College Board have also joined the extremely broad list of affected organizations now, judging by the warning emails they've been sending off to our readers. Valued Best Buy customers should expect an email similar to the scawl posted after the break. Update 2: You can also count Chase Bank customers among those also affected -- not their bank accounts, mind, but their e-mail addresses. [Thanks to everyone who sent this in]
HTC Thunderbolt rooted for real, locked files nearly soured the deal
They thought it would be easy, but they were wrong -- AndIRC developers reportedly spent the last 72 hours readying the new HTC Thunderbolt for custom ROMs. Today, they emerge victorious, but that victory is bittersweet, because it may signify the end of a generally hacker-friendly era from the folks at HTC. While devices from the Taiwanese manufacturer have traditionally been easy to modify, the hacker community found Verizon's LTE flagship fully locked down, with a signed kernel, signed recovery image and a signed bootloader. FOF. Of course, if you're just looking for a way to overclock your Thunderbolt, you probably don't care about all that. You'll find all the (exceptionally lengthy) instructions you need at Android Police. Just be careful out there! [Thanks to everyone who sent this in]
Player identifies "huge security hole" in RIFT's authentication system, Trion seals it
Hacking and account hijacking have been severe issues for RIFT ever since launch, even though Trion Worlds anticipated the onslaught from the beginning. Yesterday we saw Trion implement the so-called Coin Lock patch to prevent hackers from selling other players' items in-game, which some see as a novel (partial) solution to the problem. However, this may not be enough to stop the truly malicious invaders from getting into RIFT accounts. One player, identified as "ManWitDaPlan" on the forums, claims to have circumvented the account login completely, leaving a "huge security hole" for hackers to exploit: "I have verified the authentication system can be bypassed by successfully logging into another account without needing its credentials. Worse, all it took was about thirty seconds of time once I got all of the details locked down. I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream. I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system." Later in the thread, a Trion representative added: "We have some things in the works right now and have been passing on your feedback, concerns, and thoughts throughout the day (no matter how radical or unlikely). Sharing sensitive information about our actions (no matter how broad) naturally also informs those carrying out these attacks. This puts us in a tight spot with how much information we can provide, and the questions we can answer." And it looks as though the problem may be fixed, as ManWitDaPlan posted late last night: "Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed."
RSA hacked, data exposed that could 'reduce the effectiveness' of SecurID tokens
If you've ever wondered whether two-factor authentication systems actually boost security, things that spit out pseudorandom numbers you have to enter in addition to a password, the answer is yes, yes they do. But, their effectiveness is of course dependent on the security of the systems that actually generate those funny numbers, and as of this morning those are looking a little less reliable. RSA, the security division of EMC and producer of the SecurID systems used by countless corporations (and the Department of Defense), has been hacked. Yesterday it sent out messages to its clients and posted an open letter stating that it's been the victim of an "advanced" attack that "resulted in certain information being extracted from RSA's systems" -- information "specifically related to RSA's SecurID two-factor authentication products." Yeah, yikes. The company assures that the system hasn't been totally compromised, but the information retrieved "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." RSA is recommending its customers beef up security in other ways, including a suggestion that RSA's customers "enforce strong password and pin policies." Of course, if security admins wanted to rely on those they wouldn't have made everyone carry around SecurID tokens in the first place. [Thanks to everyone who sent this in]
iPad 2 jailbroken, no ETA on public release
You knew this was coming -- it was only a matter of time -- and here it is, Apple's latest creation sans the iOS 4.3 chains. The development community credits @comex with installing Cydia on this white iPad 2, and he's apparently already hard at work on a public jailbreak. According to his Twitter feed, the hack required a brand new exploit, as previous bugs were squashed in iOS 4.3. We'll keep you posted on when the hack's ready for you to use, too. [Thanks, Henrique and Vassilis]
Safari and IE8 get shamed at Pwn2Own, Chrome still safe... for now
Ahead of the most recent Pwn2Own, Google made a rather proud challenge: it'd pay $20,000 to any team or individual who could successfully hack Chrome. Two takers signed up for that challenge -- and then both backed down. One individual didn't show up and a second entry, known as Team Anon, decided to focus their efforts elsewhere. There's still time left for someone to come out of the woodwork and scrape off that polish, but as of now no brave souls have registered intent. Meanwhile, IE8 was taken down by Stephen Fewer, who used three separate vulnerabilities to get out of Protected Mode and crack that browser's best locks. Safari running on a MacBook Air got shamed again, cracked in just five seconds. Not exactly an improvement compared to how it fared in 2008.
Motorola Atrix docks literally and figuratively torn apart, hack enables Webtop over HDMI port
Motorola's got a fine smartphone in the Atrix 4G, but a mildly unsatisfactory pair of modular docks. Good thing, then, that you can gain the most intriguing functionality they add without buying one! Fenny of xda-developers reportedly figured out a way to modify the phone's APK files to activate Webtop mode over a standard HDMI cable -- with no dock needed as a go-between -- allowing you to experience the Atrix's PC-like functionality when connected to any HDMI-ready computer monitor or TV. Of course, you'll need a rooted and deodexed phone to give it a try, but we hear those aren't monumentally difficult to come by. While Fenny's hack could potentially make the desktop dock obsolete -- assuming you've got a Bluetooth mouse and keyboard handy -- Motorola's LapDock is still something else. It's razor-thin, it doesn't require a separate monitor, and it charges your phone. So, before you write it off entirely, you might at least want to indulge your morbid curiosity about what's inside, and thus there's a complete teardown video after the break to show you what the guts look like. Enjoy! [Thanks to everyone who sent this in]
Turbine upgrades LotRO's compromised account reimbursement policy
Account security is a worrysome topic in Lord of the Rings Online these days, especially following a reported rise in hacks and thefts among the playerbase. A couple months ago Codemasters implemented a stronger policy to help players recover lost property, a direction that Turbine followed yesterday when it revised its compromised account reimbursement policy. Sapience announced on the LotRO forums that this policy is significantly updated and expanded from the old one. Now when a player's account is hacked, Turbine gives a seven-day window to report the issue, during which the company can restore "most" of the lost items and compensate players for items that cannot be replaced. This, however, is not a true rollback and does not cover accounts compromised before February 24th. Turbine also reassured players that the studio is making it much tougher for unauthorized intruders to delete or sell rare items like raid gear, which should add another layer of protection from losing one's goods.
Motorola Atrix root found to be signed, hacking might not be so easy
That the Atrix got itself rooted before it was even available made us wonder just how... receptive it would be to the caresses of the hacker community at large. Sadly we're finding it's perhaps a bit more frigid than its friendly demeanor might have lead us to believe. User adlx.xda over at the xda-developers forums has found that the phone's system files are not encrypted, but they are signed. This will make the process of replacing them and loading custom builds and the like rather more complicated -- but surely not impossible. [Thanks, chaoslimits]
PlayStation hackers reportedly able to unban selves, ban others, turn tables
Just last week Sony said that those found to have hacked their PlayStation 3 consoles would have their PlayStation Network access "terminated permanently." Harsh words that, unsurprisingly, weren't too warmly received by the hacking community. Destructoid is now reporting that not only have those tinkerers found a way to unban themselves, but that they can in turn ban any other console they want. There's apparently a catch, though, with the hackers having to know the unique ID assigned to the other console that they'll be banning, which makes this sound like perhaps the hack is simply swapping a "good" ID onto a "bad" console, but at this point we have no details on the supposed procedure here. Regardless, if some random girl with a cute avatar hits you up on IM and, after a few minutes of casual conversation, asks you for the serial number on your PS3, think twice before handing over those digits. Update: We were a little leery about this given Destructoid's lack of a source, and thanks to a note from reader Omega we now have what looks to be the actual source -- indeed this all is sounding rather theoretical.
You are the navigator: China developing motion-sensing MMO
MMO players are always looking for games that provide deeper, more immersive experiences to draw us into the game world and keep us there. China, one of the world's largest MMORPG markets, is attempting to forge ahead with the next evolution of immersive gameplay by combining online games with motion-sensing controls. Jin Gang Network is developing Land of Lords Online, an MMO that promises to allow players to explore the world and control their characters via a Kinect-like device. Without touching a physical controller or keyboard, a person can instruct his avatar to move, kill and cast spells in the game. Although details on the project are scant at this point, the company says that it will be releasing a video next month to show how the game's technology works. Whether motion-sensing controls are the next true gaming interface or just an odd fad, China isn't the only place where a marriage between MMOs and such devices is being explored. Students from the University of Southern California hacked a Kinect to interface with World of Warcraft while South Korea's GamePrix is bringing the Kinect-compatible Divine Souls to Xbox.
CUPP crams ARM inside of a MacBook Pro, makes it run Android with a button press (video)
CUPP's original prototype wasn't exactly gorgeous, but the premise was sound -- couple an ARM platform with an x86 CPU in order to give consumers the ability to run a desktop OS and a low-power OS such as Chrome OS or Android. It's a tactic that has far-reaching potential. Imagine this: you're on a flight attempting to finish up a document, but you only have ten percent of your battery remaining. On a standard desktop OS (like Window 7 or OS X), that'll get you around 15 to 20 minutes of life; if you were instantly able to sleep that OS after saving your most recent copy on the hard drive, boot up Chrome OS and finish it there, you'd magically have at least an hour of usage time remaining. The fact is that ARM platforms require a fraction of the power that standard x86 systems do, with a demo unit here at MWC proving that a sleeping Windows 7 machine actually consumed more power than a typical ARM system that's running. The company has shown off a beast of a machine before in order to prove that it's concept was legit, but here at Barcelona's mobile extravaganza, it brought something special: a modified MacBook Pro with a TI OMAP-based daughter-board module sitting in place of the optical drive. In theory, a battery similar to that found in the machine above could power an instance of Chrome OS or Android for 20 to 30 hours, just to give you some numbers to nibble on. Care to see how it all panned out? Hop on past the break for a few impressions along with a video. %Gallery-116639%
HTC Thunderbolt exclusively hits Best Buy for $250 at launch, rooted prototype provides hope for easy unlock
Though hard facts on the HTC Thunderbolt's availability were hard to come by, conflicting rumors were flying fast and strong -- now, a Best Buy ad seems to clear most everything up. Like we'd originally heard, the 4.3-inch LTE smartphone will launch for $250 on a two-year contract -- or a wallet-crushing $750 without -- but the key ingredients here are three words at the very top. The Thunderbolt is apparently a "national retail exclusive" for Best Buy, which explains how the device could simultaneously face Verizon delays and yet come in for a Valentine's Day landing at the big box store. You'll also note that the ad mentions Skype video and 4G mobile hotspot functionality, so we'd be surprised if the phone came without, though it's also possible that the whole kit and kaboodle has been delayed to match -- Droid-Life says this ad comes from a February 20th circular, so we might not see anything until then. In case you needed an additional reason to be excited about the Thunderbolt, the developers at AndIRC have some related news -- they've already rooted a prototype version (which just so happens to have the familiar codename Mecha) and believe the same technique will work on retail devices. Wouldn't it be nice to have root on day one... whenever that is? [Thanks to everyone who sent this in]
Elaborate Arduino tutorial explains the nuts and bolts of communicating over GSM
If you're looking to make yourself somewhat more productive on this lazy weekend, and you've got an Arduino or two collecting dust, we've got just the thing to add line after line to your dwindling to-do list. Tronixstuff has a borderline insane tutorial series going, and as of now, 27 chapters have been published. It's essentially the Arduino Bible, but the two most recent additions in particular have piqued our interest. With the explosion in mobile broadband, even hackers are looking to get their creations online. If you've mastered the art of Arduino, but haven't yet been brave enough to toss in a bit of GSM communication, the how-to guides linked below definitely deserve your attention. Just be careful how you write that code -- one wrong line with a SIM card installed could lead to text overages that'll take two lifetimes to pay off.
Google's Cr-48 netbook now surfing on AT&T's GSM network (after a gentle hack)
Oh, sure -- Google's being all-too-kind by handing out a few free megabytes of Verizon data with each of its Cr-48 netbooks, but if you're both lucky enough to have one and more inclined to use that dust-collecting AT&T SIM of yours, there's hardly a better day for you to pay attention to a hack. After noticing that a recent update to Chrome OS added GSM support for Qualcomm's Gobi 3G chip, Hexxeh dug in a little to see what it'd take to get the Cr-48 operational with a data SIM from Ma Bell. Turns out there's shockingly little needed from you; simply flip the Developer switch beneath the battery and follow the shell commands listed in the source link. It should be noted that there's no data counter here, so watch those gigabytes if you're working with a data cap. There, we solved your Saturday. You're welcome.
Codemasters unveils Lord of the Rings Online hacked account program
With great playerbase numbers comes great security responsibility. Wait, no. That's not the movie metaphor we're looking for. How about keep it secret, keep it safe! That's more like it, but unfortunately for some Lord of the Rings Online fans, the secret (and the safe) parts are being compromised as the free-to-play title sees a rise in hacked accounts to go along with its expanding user numbers. All hope is not lost, however, as Codemasters (LotRO's European publisher) has introduced a new Hacked Account Restart Program designed to assist victims and speed them back onto the road to Mordor. The program has a few prerequisites, among them player support eligibility and GM verification of the actual account owner. Claims must also be filed within seven days of the security breach, and reimbursement methods will vary at Codemasters' discretion. You can read the official announcement on the Codemasters website, and you'll also want to check out Customer Service Manager Sincilbanks' blog entry on the subject.
Apple hacker digs up Qualcomm baseband proof by decompiling iTunes?
We're a little short-staffed on Qualcomm chipset engineers at the moment, so forgive us if we can't immediately confirm this tale, but we're hearing iPhone hacker Zibri has discovered proof of the Apple / Qualcomm collaboration in his very own build of iTunes. Zibri claims that by tearing apart the latest version, he found the chunk of code above, which contains files that are allegedly the exclusive "building blocks" of Qualcomm radio firmware. That doesn't tell us anything about a supposed iPhone 5 or iPad 2, unfortunately, as it's probably just referring to that CDMA chipset in the Verizon iPhone 4... but with the right building blocks, one can craft any number of wonders.
The Road to Mordor: Hacked!
"My kinship had just finished an instance run about a week-and-a-half ago and was in the process of reloading back into the world when I got the message that I was being disconnected because I had just logged into the Brandywine server. Huh? Suspecting the worst, I immediately hit up the Turbine Account page and changed my password then re-logged back into the game, which would boot the hacker offline just like I had been booted minutes earlier. "I was lucky and did that before the hacker had time to switch servers to where my active characters are. Other kinmates have not been so lucky." So goes the frightening tale of Pumping Irony's Scott, who shares this in the hopes that others may avoid a similar scare. Unfortunately, it seems as though stories such as these are becoming more and more common in Lord of the Rings Online, where the worst threat to your quest may not be the eye of Sauron but the malicious intent of hackers gutting your account while you're offline. Today we're going to step off the path for a temporary side trail into the gloomy undergrowth of account security and an MMO under siege.
How to keep your unlocked HTC WP7 device from re-locking after every sync
Okay, so the WP7 hacking community may not be quite as active as that working tirelessly to keep every facet of Android devices splayed to the breeze, but that's not to say there isn't a skilled group of tinkerers doing their best on Microsoft's best. ChevronWP7 is a clear example of that, and though it's been officially pulled it is still quite certainly being used. Now its functionality has been extended with a second hack that enables you to use Zune to sync your HTC handset without it getting all locked up tight again. You can find all the details on the other end of the source link below, but we'll go ahead and warn you that as soon as the next WP7 version drops this particular unlock will be disabled. Then it'll be on to the next one.
