TIME Security

Apple, Android Browsers Vulnerable to ‘FREAK Attack’

Roman Vondrous—AP Apple iPhone 6

Millions of people may have suffered a "FREAK" attack

(SAN FRANCISCO) — Millions of people may have been left vulnerable to hackers while surfing the web on Apple and Google devices, thanks to a newly discovered security flaw known as “FREAK attack.”

There’s no evidence so far that any hackers have exploited the weakness, which companies are now moving to repair. Researchers blame the problem on an old government policy, abandoned over a decade ago, which required U.S. software makers to use weaker security in encryption programs sold overseas due to national security concerns.

Many popular websites and some Internet browsers continued to accept the weaker software, or can be tricked into using it, according to experts at several research institutions who reported their findings Tuesday. They said that could make it easier for hackers to break the encryption that’s supposed to prevent digital eavesdropping when a visitor types sensitive information into a website.

About a third of all encrypted websites were vulnerable as of Tuesday, including sites operated by American Express, Groupon, Kohl’s, Marriott and some government agencies, the researchers said. University of Michigan computer scientist Zakir Durumeric said the vulnerability affects Apple web browsers and the browser built into Google’s Android software, but not Google’s Chrome browser or current browsers from Microsoft or Firefox-maker Mozilla.

Apple Inc. and Google Inc. both said Tuesday they have created software updates to fix the “FREAK attack” flaw, which derives its name from an acronym of technical terms. Apple said its fix will be available next week and Google said it has provided an update to device makers and wireless carriers.

A number of commercial website operators are also taking corrective action after being notified privately in recent weeks, said Matthew Green, a computer security researcher at Johns Hopkins University.

But some experts said the problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security. They warned those policies could inadvertently provide access to hackers.

“This was a policy decision made 20 years ago and it’s now coming back to bite us,” said Edward Felten, a professor of computer science and public affairs at Princeton, referring to the old restrictions on exporting encryption code.

TIME Automotives

Here’s Why the Apple Car Is Making Auto Executives Nervous

Apple Unveils iPhone 6
Justin Sullivan—Getty Images Apple CEO Tim Cook shows off the new iPhone 6 and the Apple Watch during an Apple special event at the Flint Center for the Performing Arts on September 9, 2014 in Cupertino, California.

Apple and Google’s automotive projects are keeping longtime carmakers on their toes, with the two tech companies set to put their significant capital and technological savvy behind electric or driverless vehicles. Google has already made a driverless car, while Apple is rumored to be working on an electric vehicle of its own.

“If these two companies intend to solely produce electric vehicles, it could go fast,” Volkswagen AG Chief Executive Officer Martin Winterkorn said at the Geneva International Motor Show, Bloomberg reports.

Apple plans to push an electric car into production as early as 2020, and Google said in January that it aims to have a self-driving car on the road within five years. Automakers usually need at least five to seven years to develop a car, sometimes longer.

Automakers Tesla Motors and General Motors are working against the tech companies on a tight timeframe to produce an electric vehicle that can go more than 200 miles on a single charge and cost less than $40,000. “The competition certainly needs to be taken seriously,” Stefan Bratzel, director of the Center of Automotive Management at the University of Applied Sciences in Bergisch Gladbach, Germany, told Bloomberg.

Traditional automakers are hoping to work with Apple and Google, perhaps by assisting with their supply chains or production, Bloomberg reports. Those two areas could be weaknesses for non-automotive companies looking to enter the field.

[Bloomberg]

TIME Virtual Reality

Here’s How Valve Cracked Virtual Reality’s Biggest Problem

This is shaping up to be the most important year in the tumultuous, not-quite-there-yet history of virtual reality.

A number of companies, from Facebook and Samsung to Google and Microsoft, are making significant pushes into the technology, which has been a mainstay of science fiction for decades but has largely failed to materialize as a viable consumer product. The latest piece of kit, the HTC Vive announced this weekend, is the product of a collaboration between the Taiwanese phone giant and Valve, the purveyor of the most important software distribution platform on the PC, Steam.

Virtual reality, or VR, has a long, tortured history. Until three years ago, the technology was more or less moribund. Then Palmer Luckey (now 22) reignited interest with a series of prototypes for a new device called the Oculus Rift, which improved significantly on the old technology by taking advantage of advances in components for phones. His company, Oculus VR, was acquired by Facebook last year for $2 billion.

Most of Oculus’ advances, which are now being adopted or emulated by the likes of Sony and Samsung, are in how images are displayed to users wearing the headset. Long story short, a VR system has to display two sets of images—one for each eye—at very fast rates or the viewer will get nauseous.

But the HTC Vive, which the companies say will be available later this year, solves the next most vexing problems: once a viewer is seeing 3D space, how do they maneuver and manipulate the environment around them? Aside from content that is compatible with VR, these are the biggest outstanding questions. Once you’re there, what can you do and how do you do it?

Early development kits for the Oculus employ a standard console controller to move around, but that can be disorienting. Sony’s Morpheus prototype for the PlayStation 4 uses a set of controllers that look like ice cream cones with lightbulbs on top, with similar results. And Microsoft’s recently unveiled HoloLens, which projects images onto the real world, uses hand gestures and arm motions. It’s still unclear which approach will win out.

HTC says its system will come with a base station that can track a user’s movements in 3D space. The company also hinted at a specific controller, perhaps a set of gloves, to enable users to manipulate virtual objects. Details are still scant, but this could solve the problems of mobility in a simulated 3D environment.

If Valve and HTC have indeed managed to do that, virtual reality may finally be ready for prime time.

TIME Google

See Google’s Absolutely Stunning New Headquarters Design

Google wants to build a new Mountain View campus with sweeping glass structures

Google has unveiled its ambitious new plans for a sprawling, modern Googleplex. The new facility, being developed by architect Bjarke Ingels, features a series of glass canopies the size of city blocks, new biking and walking paths and an emphasis on green space. Renowned designer Thomas Heatherwick is also involved in the project. Google hopes to complete the first stage of development by 2020, but the company will first have to win approval from Mountain View’s city council amid growing concern over Google’s control over the development of the community.

TIME Companies

Google Isn’t Banning Porn Blogging After All

Justin Sullivan—Getty Images A sign is posted on the exterior of Google headquarters on Jan. 30, 2014 in Mountain View, California.

Blogger users can keep posting nude photos

Google is backing down from its new porn policy four days after announcing a plan to block sexually explicit images from its blogging service.

The company said on its Blogger help forum Friday that it will keep its old policies in place and instead work harder to crack down on commercial porn using the previous rules.

“We’ve had a ton of feedback, in particular about the introduction of a retroactive change (some people have had accounts for 10+ years), but also about the negative impact on individuals who post sexually explicit content to express their identities,” wrote Jessica Pelegio, a Google social product support manager.

Under the new rules, Blogger users would have been banned from posting graphic nudity except in specific circumstances deemed appropriate by Google. Old blogs with sexual imagery would have retroactively been made private.

TIME Web

Google Just Made It Easier to Search for Flights Online

And you don't even have to know where you want to go

Google has updated its flight-search tool and included an array of cool features.

Much like most flight-comparison sites, Google offers a range of fares and available flight options.


But for undecided travelers, the newest feature lets users plug in countries or whole regions. For example, enter “flights to Europe” and a map will appear showing varying prices for different European destinations.

And if you really have no idea where to travel, you can even hit the “I’m Feeling Lucky” button to generate a completely random location.

Flexible-date search options are also available so users can compare prices across multiple months, and the search engine will even suggest tips for how you can bag a cheaper deal.

Google Flights was launched in 2011, but the latest version of the site was announced on Wednesday.


TIME Companies

Do This 1 Thing For a Better Google Ranking

Google Mobile Search
JEWEL SAMAD—AFP/Getty Images Google's lead designer for "Inbox by Gmail" Jason Cornwell shows the app's functionalities on a Nexus 6 Android phone during a media preview in New York on October 29, 2014.

Mobile-friendly sites will do better in search results next month

Google is once again tweaking its search algorithm with a new change that should have some benefits for users.

The company announced in a Thursday blog post that it will rank mobile-optimized sites higher in search results starting April 21. Sites that work well on a smartphone will get a “significant” boost over other sites, the company says.

The change should ensure that people conducting Google searches on their phone typically arrive on easily-readable sites rather than messy desktop-based layouts that are hard to navigate on a small screen. Google offers a form where developers can input a URL to see whether it is mobile-friendly or not.

In addition to the algorithm change, Google said starting Thursday it will begin surfacing content hidden within apps more prominently in search results. If a developer has enabled App Indexing, Google’s search bots can crawl the contents of an app just like a Web page. Information from the app can show up along with regular search results on Google.

It makes sense that Google would want to incentivize App Indexing. The search giant doesn’t have the stranglehold on information queries on phones as it does on the desktop because people often boot up more narrowly-focused apps (Amazon for shopping, Yelp for food) instead of using Google to trawl the entire World Wide Web. More indexing means more valuable information that Google can present to users and serve ads against.

TIME energy

Google Is Paying Millions to Help You Switch to Solar Power

Andy Cross—Denver Post via Getty Images Solar installer, Justin Woodbury secures solar panels for a photovoltaic solar array system on the roof of a house in the Sorrel Ranch area, near e-470 and Smoky hill Road in Aurora Friday afternoon in record temperatures.

The search giant is investing $350 million in a fund to cover home solar panel installations

Google is investing $300 million in a fund designed to help people install solar panels on their houses.

The fund is being created by SolarCity, a fast-growing solar energy startup that boasts SpaceX CEO Elon Musk as its chairman. SolarCity has attracted $750 million overall for the fund, which will finance solar panel installations for homeowners in 15 states. Homeowners who install the panels will then pay SolarCity for the electricity they generate.

SolarCity claims its customers “usually” pay less for electricity than people who use traditional fossil fuels — and it says its energy is cleaner, too.

“It’s good for the environment, good for families and also makes good business sense,” Sidd Mundra, Renewable Energy Principal at Google, said in a statement.

The investment is Google’s largest in renewable energy projects.

 

TIME Media

Google’s Music Service Just Got Way More Useful

AFP—AFP/Getty Images Chris Yerga, engineering director of Google, introduces some features of Google Play during Google's annual developer conference, Google I/O, at Moscone Center in San Francisco on June 27, 2012.

Google Play Music users will now be able to store up to 50,000 of their own songs for free

Google is expanding the size of its celestial jukebox.

The company announced Wednesday that users will now be able to store up to 50,000 of their own songs for free using Google Play Music, up from the previous limit of 20,000 songs. The songs, which can be uploaded directly from a user’s iTunes collection or other local music folders, can be played on iOS devices, Android devices and the web.

This service shouldn’t be confused with Google Play Music All Access, Google’s Spotify competitor that lets users stream more than 30 million songs from the cloud for $10 per month. However, the two services can work in tandem, so a user can mix songs from the All Access library with tracks they’ve uploaded directly from their own files.

MONEY privacy

Your Embarrassing Online Searches About Health Problems Aren’t Private

camera aimed at laptop
Thomas Jackson—Getty Images

A new study found that 91% of health-related web pages reveal potentially sensitive information to third parties like data brokers and online advertisers.

Hypochondriacs beware: That Google search for “STD symptoms” could go into your digital dossier.

A new study has found that health-related web pages often leak information about you and the information you access to third parties, raising concerns about online privacy.

To conduct the study, University of Pennsylvania PhD student Timothy Libert analyzed the top 50 search results for 1,986 common diseases, some 80,000 web pages. He found that on 91% of the pages, third parties like social networks, advertisers, and data brokers could access information about who was viewing the page, like the user’s IP address. On 70% of the pages, those third parties could see information about specific “conditions, treatments and diseases” viewed.

Altogether, 78% of the health-related web pages sent information about you to Google, 31% sent information to Facebook, and 5% sent information to Experian, a credit bureau and data broker.

What’s the big deal? Libert has two major concerns about these practices. The first is that the third parties could match you with your medical search results, a problem he calls “personal identification.” This isn’t a totally imaginary scenario—data brokers routinely collect information about you from your online activity, shopping habits, and public records, then turn around and sell that information to advertisers. That already includes sensitive medical information: One data broker was caught hawking lists of “rape sufferers,” “domestic abuse victims” and “HIV/AIDS patients.”

Second, advertisers could discriminate against you based on your medical searches, regardless of whether your search results are ever connected to you personally. That’s called “blind discrimination.” In other words, advertisers could serve you certain ads and offer you certain promotions based on the websites you read. Again, this practice can be innocuous, but it can also have a dark side. “It’s like any other form of discrimination,” Libert says. “If you’re going to extend a favorable offer to somebody, your best client probably isn’t somebody with terminal cancer.”

The tech-savvy might think their searches are private because they delete cookies or use a private browser, like Google Chrome’s “incognito mode.” Sorry, but no.

That’s because of the way websites work. Libert explains that a web page is like a recipe. The code says, “display an image from this file” or “play this video from YouTube.” To pull in content from another website’s server—like a video from YouTube—your server makes a “request” to that third-party server, and reveals information about you in the process. For example, the third party can see the name of the webpage you’re visiting, which may sound harmless, but can reveal a lot. You might not, for example, want advertisers and data brokers to know that you recently read “www.cdc.gov/hiv”.

“Even if you’re using incognito mode or something, the HTTP requests, at the very basic level, are still being made,” Libert says.

And you usually don’t even know it’s happening. While you can see evidence of some third-party requests, like YouTube videos and Facebook “like” buttons, Libert says most requests are bits of code invisible to the non-programmer’s eye.

Legally, this is all aboveboard. The HIPAA law protecting medical privacy only applies to medical services like insurance claims, not other businesses.

So while Libert wants lawmakers to beef up online privacy protections, he says in the meantime, your best bet is to install a browser extension like Ghostery or Adblock Plus.

“They don’t catch everything, but they catch a lot,” Libert says.
