Како Сийке, не съм от тях!: On Russia, Without Love

This post was syndicated from: Како Сийке, не съм от тях! and was written by: Longanlon. Original post: at Како Сийке, не съм от тях!

Russophilia and Russophobia are traditional hobbies in this country, and not a day goes by without my stumbling on a heated online argument on the subject. Russia does indeed bear the imprint of its heavy past and is trying to survive in the modern world, and it is a bit silly to label it the source of all evil – which is why, some time ago, I wrote about it with love. Given the mood among many Bulgarians, however, I think it is time for a few words about Russia without any love whatsoever…

(Read more…) (781 words)


© Петър Стойков

Raspberry Pi: Gameboy Halloween costume

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

The good people at Adafruit pointed us at this video. Besides the fact that the costume is driven by a Raspberry Pi, we don’t know much about the build (or the guy who made it – he goes by MikeHandidate on YouTube, but we suspect that’s not actually his name) – good though, isn’t it?

More Halloween goodies to come tomorrow. Are you using a Pi in your costume or house decorations this year?

TorrentFreak: Gottfrid Svartholm Found Guilty in Hacking Trial

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After being arrested in his Cambodian apartment in September 2012 it took two years before Gottfrid Svartholm went on trial in Denmark.

The Swede and his 21-year-old co-defendant stood accused of hacking computer mainframes operated by US IT giant CSC. It developed into the largest case of its kind ever seen in the Scandinavian country.

The case broadly took shape along two lines. The prosecution insisted that Gottfrid and his Danish accomplice, both experts in computer security, had launched hacker attacks against CSC back in April 2012 and maintained access to those systems until August that same year.

The defense claimed it was a case of mistaken identity and that others had carried out the crimes, remotely accessing Gottfrid’s computer after compromising its security.

Evidence was produced by the prosecution which showed discussion taking place between hackers with the names “Advanced Persistent Terrorist Threat” and “My Evil Twin”. The topic in hand was the security and setup of CSC’s databases and systems. These people were Gottfrid and his IT consultant co-defendant, the prosecution said.

From the beginning, Gottfrid’s position was that his computer, from where the attacks had taken place, had been compromised. This version of events was supported by respected security expert Jacob Appelbaum who gave evidence for the defense not only in this case, but also in Gottfrid’s Swedish trial, a case in which he was partly acquitted.

Speaking with Denmark’s TV2 earlier today, Gottfrid’s lawyer Luise Høj said that her client should be found not guilty since it had been established that third parties had carried out the crimes.

“My recommendation has always been that the investigation has focused on finding clues that point to my client, even though the tracks have also pointed in another direction,” Høj said.

“I have recommended that the court dismiss the case based on the remote access argument. It is clear that my client’s computer has been the subject of remote control, and therefore he is not responsible.”

But it wasn’t to be. This morning the Court of Frederiksberg found both Gottfrid and his accomplice guilty of hacking into the systems of CSC. Both unlawfully accessed confidential information including police drivers’ license records, social security information plus criminal records.

Dismissing the remote control defense, Judge Ulla Otken said the hacking of CSC had been both “systematic and comprehensive.”

All three judges and four of six jurors returned guilty verdicts. Two jurors voted to acquit after concluding that the remote access defense could not be ruled out.

Following his extradition from Sweden, Gottfrid has spent 11 months behind bars in Denmark. His Danish accomplice, who refused to give evidence to the police and maintained silence right up until his trial in September, has spent 17 months in jail.

Breaking news, article will be updated.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Source Code in TV and Films: When the Ninja Turtles hack April’s computer this wall of code is…

This post was syndicated from: Source Code in TV and Films and was written by: Source Code in TV and Films. Original post: at Source Code in TV and Films

When the Ninja Turtles hack April’s computer, this wall of code is displayed on her laptop. It is in fact a testing script that shows how Linux error codes work, and it can be found here:

http://www.thegeekstuff.com/2010/10/linux-error-codes/

In that text the author’s name, Sasikala, is displayed.

On closer examination of the video, you can see a Nuke7 template script in the background:

http://www.chimuru.com/nuketools/NukeParticlesFireTemplate.nk

SANS Internet Storm Center, InfoCON: green: Hacking with the Oldies!, (Thu, Oct 30th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Recently we seem to have a theme of new bugs in old code – first (and very publicly) openssl and bash. This past week we’ve had a bunch more, less public but still neat bugs.

First, a nifty bug in strings - CVE-2014-8485, with more details here: http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
a problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
and now the ftp client (found first in BSD) – http://cxsecurity.com/issue/WLB-2014100174

These all share some common ground: data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system. The other common thing across these is that these utilities are part of our standard, trusted toolkit – we all use these every day.

Who knew? Coders who wrote stuff in C back in the day didn’t always write code that knew how much was too much of a good thing. Now that we’re all looking at problems with bounds checking on input data, expect to see at least a couple more of these!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: [$] LWN.net Weekly Edition for October 30, 2014

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The LWN.net Weekly Edition for October 30, 2014 is available.

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Thursday, October 30th 2014 http://isc.sans.edu/podcastdetail.html?id=4215, (Thu, Oct 30th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Matthew Garrett: On joining the FSF board

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

I joined the board of directors of the Free Software Foundation a couple of weeks ago. I’ve been travelling a bunch since then, so haven’t really had time to write about it. But since I’m currently waiting for a test job to finish, why not?

It’s impossible to overstate how important free software is. A movement that began with a quest to work around a faulty printer is now our greatest defence against a world full of hostile actors. Without the ability to examine software, we can have no real faith that we haven’t been put at risk by backdoors introduced through incompetence or malice. Without the freedom to modify software, we have no chance of updating it to deal with the new challenges that we face on a daily basis. Without the freedom to pass that modified software on to others, we are unable to help people who don’t have the technical skills to protect themselves.

Free software isn’t sufficient for building a trustworthy computing environment, one that not merely protects the user but respects the user. But it is necessary for that, and that’s why I continue to evangelise on its behalf at every opportunity.

However.

Free software has a problem. It’s natural to write software to satisfy our own needs, but in doing so we write software that doesn’t provide as much benefit to people who have different needs. We need to listen to others, improve our knowledge of their requirements and ensure that they are in a position to benefit from the freedoms we espouse. And that means building diverse communities, communities that are inclusive regardless of people’s race, gender, sexuality or economic background. Free software that ends up designed primarily to meet the needs of well-off white men is a failure. We do not improve the world by ignoring the majority of people in it. To do that, we need to listen to others. And to do that, we need to ensure that our community is accessible to everybody.

That’s not the case right now. We are a community that is disproportionately male, disproportionately white, disproportionately rich. This is made strikingly obvious by looking at the composition of the FSF board, a body made up entirely of white men. In joining the board, I have perpetuated this. I do not bring new experiences. I do not bring an understanding of an entirely different set of problems. I do not serve as an inspiration to groups currently under-represented in our communities. I am, in short, a hypocrite.

So why did I do it? Why have I joined an organisation whose founder I publicly criticised for making sexist jokes in a conference presentation? I’m afraid that my answer may not seem convincing, but in the end it boils down to feeling that I can make more of a difference from within than from outside. I am now in a position to ensure that the board never forgets to consider diversity when making decisions. I am in a position to advocate for programs that build us stronger, more representative communities. I am in a position to take responsibility for our failings and try to do better in future.

People can justifiably conclude that I’m making excuses, and I can make no argument against that other than to be asked to be judged by my actions. I hope to be able to look back at my time with the FSF and believe that I helped make a positive difference. But maybe this is hubris. Maybe I am just perpetuating the status quo. If so, I absolutely deserve criticism for my choices. We’ll find out in a few years.


TorrentFreak: Google Glass Now Banned in US Movie Theaters Over Piracy Fears

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Google Glass poses a significant threat to the movie industry, Hollywood believes. The advent of the wearable technology has sparked fears that it could be used for piracy.

This January the FBI dragged a man from a movie theater in Columbus, Ohio, after theater staff presumed his wearing of Google Glass was a sign that he was engaged in camcorder piracy.

At the time the MPAA shrugged off the incident as an unfortunate mistake, claiming that it had seen “no proof that it is currently a significant threat that could result in content theft.” This has now changed.

Starting today Google Glass is no longer welcome in movie theaters. The new ban applies to all US movie theaters and doesn’t include an exception for prescription glasses.

The MPAA and the National Association of Theatre Owners (NATO) stress that they welcome technological innovations and recognize the importance of wearables for consumers. However, the piracy enabling capabilities of these devices can’t be ignored.

“As part of our continued efforts to ensure movies are not recorded in theaters, however, we maintain a zero-tolerance policy toward using any recording device while movies are being shown,” MPAA and NATO state.

“As has been our long-standing policy, all phones must be silenced and other recording devices, including wearable devices, must be turned off and put away at show time. Individuals who fail or refuse to put the recording devices away may be asked to leave,” they add.

Cautioning potential pirates, the movie groups emphasize that theater employees will take immediate action when they spot someone with wearable recording devices. Even when in doubt, the local police will be swiftly notified.

“If theater managers have indications that illegal recording activity is taking place, they will alert law enforcement authorities when appropriate, who will determine what further action should be taken.”

The wearable ban is now part of the MPAA’s strict set of anti-piracy practices. These instruct movie theater owners to be on the lookout for suspicious individuals who may have bad intentions.

Aside from the wearables threat, the best practices note that all possible hidden camera locations in the theater should be considered, including cup holders. In addition, employees should be alert for possible concealed recording equipment, as often seen in the movies.

“Movie thieves are very ingenious when it comes to concealing cameras. It may be as simple as placing a coat or hat over the camera, or as innovative as a specially designed concealment device,” it warns.

To increase vigilance among movie theater employees, a $500 bounty is being placed on the heads of those who illegally camcord a movie.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: The Wonderful World of CMS strikes again, (Wed, Oct 29th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

I think that I will start this Diary with the following statement:

If you use an open source CMS and you do not update it frequently, there is a very high chance that your website is not only compromised but also part of a botnet.

You have probably already seen several of our diaries mentioning vulnerabilities in very well-known CMS systems like WordPress and Joomla, which are quite powerful and easy to use/install, but also full of vulnerabilities and in need of frequent updates.

The third one in this list is Drupal. We mentioned last week, on our podcast, a critical vulnerability fixed by the developers, and today they released a Public Service Announcement (PSA) in regards to that vulnerability. And it is scary (yes, Halloween pun intended…).

The PSA mentions that within hours of the patch announcement, there were already several automated attacks looking for the SQL injection vulnerability in Drupal installations.

As our reader Gebhard noted, there is a very interesting quote in the PSA:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement

This means that by now, even if you have updated your server, there is a very high chance that your server is part of a botnet… so, if you have a website running Drupal, I would highly recommend the Recovery section of the PSA document.

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: A “highly critical public service announcement” from Drupal

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The Drupal project has put out an advisory that if you haven’t already patched the recent SQL injection vulnerability, it’s probably too late. “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”

Raspberry Pi: Pi Talks at PyConUK

This post was syndicated from: Raspberry Pi and was written by: Ben Nuttall. Original post: at Raspberry Pi

You may remember our Education team attended PyConUK in Coventry last month. We ran the Education Track, which involved giving workshops to teachers and running a Raspberry Jam day for kids at the weekend. We also gave talks on the main developer track of the conference.

Carrie Anne gave a fantastic keynote entitled Miss Adventures in Raspberry Pi wherein she spoke of her journey through teaching the new computing curriculum with Raspberry Pi, attending PyConUK the last two years, being hired by the Foundation, and everything she’s done in her role as Education Pioneer.

See the keynote slides here

I also gave my talk PyPi (not that one) – Python on the Raspberry Pi showing interesting Pi projects that use Python and demonstrating what you can do with a Pi that you can’t on other computers.

See the talk slides here

Alex gave his talk Teaching children to program Python with the Pyland game - a project Alex led over the summer with a group of interns at the Computer Lab.

See the talk slides here

The conference ended with a sprint day where Alex led a team building and testing Pyland and adding challenges, and I worked with a group of developers porting Minecraft Pi to Python 3.

If you missed it last week, we posted Annabel’s Goblin Detector, a Father-daughter project the 8 year old demonstrated at PyConUK while enjoying the Raspberry Jam day.

Darknet - The Darkside: Serious Linux/UNIX FTP Flaw Allows Command Execution

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

A lot of old bugs have been biting us on the butt lately, and here’s another to add to the list. This week it was discovered that a fairly nasty FTP flaw allows command execution when using the old but still fairly widely used tnftp client. It’s a fairly unlikely set of circumstances however, and it [...]

The post Serious Linux/UNIX FTP…

Read the full post at darknet.org.uk

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated kernel (C7: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities).

Fedora has updated file (F20: out-of-bounds read flaw), seamonkey (F20: multiple vulnerabilities), webkitgtk3 (F20: disable SSLv3 to address POODLE), and wpa_supplicant (F20: command execution).

Mageia has updated kde4 (MG4: multiple vulnerabilities), konversation (information disclosure), mythtv (SSDP reflection attacks), php-ZendFramework (multiple vulnerabilities), quassel (information disclosure), and zabbix (local file inclusion).

Mandriva has updated wget (symlink attack) and wpa_supplicant (command execution).

openSUSE has updated openssl (13.1, 12.3: multiple vulnerabilities) and libxml2 (13.1, 12.3: denial of service).

Oracle has updated kernel (OL7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL7: multiple vulnerabilities).

Krebs on Security: How to Tell Data Leaks from Publicity Stunts

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In an era when new consumer data breaches are disclosed daily, fake claims about data leaks are sadly becoming more common. These claims typically come from fame-seeking youngsters who enjoy trolling journalists and corporations, and otherwise wasting everyone’s time. Fortunately, a new analysis of recent bogus breach claims provides some simple tools that anyone can use to quickly identify fake data leak claims.

The following scenario plays out far too often. E-fame seekers post a fake database dump to a site like Pastebin and begin messaging journalists on Twitter and other social networks, claiming that the dump is “proof” that a particular company has been hacked. Inevitably, some media outlets will post stories questioning whether the company was indeed hacked, and the damage has been done.

Fortunately, there are some basic steps that companies, journalists and regular folk can take to quickly test whether a claimed data leak is at all valid, while reducing unwarranted damage to reputation caused by media frenzy and public concern. The fact-checking tips come in a paper from Allison Nixon, a researcher with Deloitte who — for nearly the past two years — has been my go-to person for vetting public data breach claims.

According to Nixon, the easiest way to check a leak claim is to run a simple online search for several of its components. As Nixon explains, seeking out unique-looking artifacts — such as odd passwords or email addresses — very often reveals that the supposed leak is in fact little more than a recycled leak from months or years prior. While this may seem like an obvious tip, it’s appalling at how often reporters fail to take even this basic step in fact-checking a breach claim.

A somewhat more advanced test seeks to measure how many of the “leaked” accounts are already registered at the supposedly breached organization. Most online services do not allow two different user accounts to have the same email address, so attempting to sign up for an account using an email address in the claimed leak data is an effective way to test leak claims. If several of the email addresses in the claimed leak list do not already have accounts associated with them at the allegedly breached Web site, the claim is almost certainly bogus.


To determine whether the alleged victim site requires email uniqueness for user accounts, the following test should work: create two different accounts at the service, each using a unique email address. Then attempt to change one account’s email address to the other’s. If the site disallows that change, no duplicate emails are allowed, and the analysis can proceed.

Importantly, Nixon notes that these techniques only demonstrate a leak is fake — not that a compromise has or hasn’t occurred. One of the sneakier ways that ne’er-do-wells produce convincing data leak claims is through the use of what’s called a “combolist.” With combolists, miscreants will try to build lists of legitimate credentials from a specific site using public lists of credentials from previous leaks at other sites.

This technique works because a fair percentage of users re-use passwords at multiple sites. Armed with various account-checking programs, e-fame seekers can quickly build a list of working credential pairs for any number of sites, and use that information to back up claims that the site has been hacked.

Account checking tools sold on the cybercriminal underground by one vendor.

But according to Nixon, there are some basic patterns that appear in lists of credentials that are essentially culled from combolists.

“Very often, you can tell a list of credentials is from a combolist because the list will be nothing more than username and password pairs, instead of password hashes and a whole bunch of other database information,” Nixon said.

A great example of this came earlier this month when multiple media outlets repeated a hacker’s claim that he’d stolen a database of almost seven million Dropbox login credentials. The author of that hoax claimed he would release on Pastebin more snippets of Dropbox account credentials as he received additional donations to his Bitcoin account. Dropbox later put up a blog post stating that the usernames and passwords posted in that “leak” were likely stolen from other services.
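The two checks the post attributes to Nixon, as a small triage script: pull distinctive artifacts out of a pasted dump and see whether they already appear in earlier dumps, and decide whether the dump has the shape of a combolist (bare username:password pairs) or of a real database export (hashes plus other columns). This is an added example, not code from the post or from the Deloitte paper; the sample dumps and the prior-leak index are constructed, and the live account-existence test from the post is not reproduced.

```python
"""Triage of a claimed data leak: artifact recycling + dump shape.

Added example. SAMPLE_CLAIM, SAMPLE_DB and PRIOR_LEAK_INDEX are constructed;
a real index would be a search engine or a local corpus of earlier dumps.
"""
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
USERNAME_RE = re.compile(r"^[\w.-]{3,}$")
# Hash shapes commonly seen in genuine database exports.
HASH_SHAPES = {
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"),
    "phpass": re.compile(r"^\$[PH]\$[./A-Za-z0-9]{31}$"),  # WordPress/Drupal style
}
# Passwords so common they say nothing about where a dump came from.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111", "hunter2"}

# Constructed "claimed leak" pasted under a manifesto-style header.
SAMPLE_CLAIM = """\
#OpExample - we own their users. more when BTC donations arrive
alice@example.com:Tr0ub4dor&3
bob@example.org:123456
carol.w@example.net:correcthorsebattery
dave@example.com:hunter2
"""
# Constructed fragment with the shape of a real database export.
SAMPLE_DB = """\
id,email,pass_hash,created
1,alice@example.com,5f4dcc3b5aa765d6d61d8327deb882cf,2013-02-01
2,erin@example.org,$P$Babcdefgh0123456789abcdefghijkl,2014-01-09
"""
# Constructed stand-in for an index of artifacts seen in earlier public dumps.
PRIOR_LEAK_INDEX = {"Tr0ub4dor&3", "correcthorsebattery",
                    "5f4dcc3b5aa765d6d61d8327deb882cf"}

def split_fields(line):
    return [f.strip() for f in re.split(r"[:;|,\t]", line) if f.strip()]

def hash_kind(token):
    """Name of the hash format the token looks like, or None."""
    for name, rx in HASH_SHAPES.items():
        if rx.match(token):
            return name
    return None

def classify_line(line):
    """'hashrow': contains a password hash (database-export shape);
    'pair': exactly user/email + secret (combolist shape);
    'other': headers, prose, manifesto text."""
    fields = split_fields(line)
    if any(hash_kind(f) for f in fields):
        return "hashrow"
    if (len(fields) == 2 and " " not in fields[1]
            and (EMAIL_RE.match(fields[0]) or USERNAME_RE.match(fields[0]))):
        return "pair"
    return "other"

def assess_dump(text):
    """Return (verdict, per-class line counts) for a pasted dump."""
    counts = Counter(classify_line(l) for l in text.splitlines() if l.strip())
    total = sum(counts.values())
    if counts["hashrow"] and counts["hashrow"] >= counts["pair"]:
        verdict = "database-like"
    elif total and counts["pair"] / total >= 0.8:
        verdict = "combolist-like"
    else:
        verdict = "inconclusive"
    return verdict, dict(counts)

def search_artifacts(text, limit=5):
    """Distinctive tokens (hashes, long uncommon passwords) worth searching
    for in earlier dumps; hits there point to a recycled leak."""
    found = []
    for line in text.splitlines():
        if classify_line(line) == "other":
            continue
        for f in split_fields(line):
            distinctive = hash_kind(f) is not None or (
                len(f) >= 10 and re.search(r"[A-Za-z]", f)
                and not EMAIL_RE.match(f) and f.lower() not in COMMON_PASSWORDS)
            if distinctive and f not in found:
                found.append(f)
    return found[:limit]

def recycled_fraction(artifacts, prior_index):
    """Share of the distinctive artifacts already present in earlier dumps."""
    if not artifacts:
        return 0.0
    return sum(a in prior_index for a in artifacts) / len(artifacts)

def triage(text, prior_index=PRIOR_LEAK_INDEX):
    verdict, counts = assess_dump(text)
    artifacts = search_artifacts(text)
    return {"shape": verdict, "counts": counts, "artifacts": artifacts,
            "recycled": recycled_fraction(artifacts, prior_index)}

if __name__ == "__main__":
    for name, dump in (("claim", SAMPLE_CLAIM), ("db", SAMPLE_DB)):
        print(name, triage(dump))
```

A combolist-shaped dump whose distinctive artifacts all turn up in older dumps is the recycled-leak pattern the post describes; as the post notes, this shows the claim is weak, not that the site was never compromised.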

Other ways of vetting a claimed leak involve more detailed and time-intensive research, such as researching the online history of the hacker who’s making the leak claims.

“If you look at the motivation, it’s mostly ego-driven,” Nixon said. “They want to be a famous hacker. If they have a handle attached to the claim — a name they’ve used before — that tells me that they want a reputation, but that also means I can check their history to see if they have posted fake leaks in the past. If I see a political manifesto at the top of a list of credentials, that tells me that the suspected leak is more about the message and the ego than any sort of breach disclosure.”

Nixon said while attackers can use the techniques contained in her paper to produce higher quality fake leaks, the awareness provided by the document will provide a greater overall benefit to the public than to the attackers alone.

“For the most part, there are a few fake breaches that get posted over and over again on Pastebin,” she said. “There is just a ton of background noise, and I would say only a tiny percentage of these breach claims are legitimate.”

A full copy of the Deloitte report is available here (PDF).

LWN.net: [$] A Debian init system GR flurry

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

One might have hoped that the Debian systemd debate would have wound down several months ago, after the technical committee decided the default init system question and especially after Matthew Vernon’s general resolution on init system choice was withdrawn due to a lack of seconds. The Debian community, it seemed, was tired of this discussion and ready to move on. Given a few months to rest, though, even old, tiresome subjects can once again seem worthy of discussion. So now we have a return of the init system choice resolution — along with three alternatives of varying scope.

TorrentFreak: Joker is Cool But Not the New Popcorn Time

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While BitTorrent’s underlying technology has remained mostly unchanged over the past decade, innovators have found new ways to make it more presentable. Torrent clients have developed greatly and private tracker systems such as What.cd’s Gazelle have shown that content can be enhanced with superior cataloging and indexing tools.

This is where Popcorn Time excelled when it debuted earlier this year. While it was the same old torrent content underneath, the presentation was streets ahead of anything seen before. With appetites whetted, enthused BitTorrent fans have been waiting for the next big thing ever since.

Recently news circulated of a new service which in several headlines yesterday was heralded as the new Popcorn Time. Joker.org is a web-based video service with super-clean presentation. Its premise is straightforward – paste in a magnet link or upload a torrent file from your computer, then sit back and enjoy the show.


Not only does Joker work, it does so with elegance. The interface is uncluttered and intuitive and the in-browser window can be expanded to full screen. Joker also provides options for automatically downloading subtitles or uploading your own, plus options for skipping around the video at will.

While these features are enough to please many visitors to the site, the big questions relate to what is going on under the hood.

Popcorn Time, if we’re forced to conduct a comparison, pulls its content from BitTorrent swarms in a way that any torrent client does. This means that the user’s IP address is visible both to the tracker and all related peers. So, has Joker successfully incorporated a torrent client into a web browser to enable live video streaming?

Last evening TF put that question to the people behind Joker who said they would answer “soon”. Hours later though and we’re still waiting so we’ll venture that the short answer is “no”.

Decentralized or centralized? That is the question.

The most obvious clues become evident when comparing the performance of popular and less popular torrents after they’ve been added to the Joker interface. The best seeded torrents not only tend to start immediately but also allow the user to quickly skip to later or earlier parts of the video. This suggests that the video content has been cached already and isn’t being pulled live and direct from peers in a torrent swarm.

Secondly, torrents with fewer seeds do not start instantly. We selected a relatively poorly seeded torrent of TPB AFK and had to wait for the Joker progress bar to wind its way to 100% before we could view the video. That took several minutes, but the video then played super-smoothly, another indication that content is probably being cached.


To be absolutely sure we’d already hooked up Wireshark to our test PC in advance of initiating the TPB AFK download. If we were pulling content from a swarm we might expect to see the IP addresses of our fellow peers sending us data. However, in their place were recurring IP addresses from blocks operated by the same UK ISP hosting the Joker website.
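The Wireshark check described above, as an added example that is not TorrentFreak’s own tooling: aggregate the source addresses of inbound video bytes and measure how much arrives from the site’s own hosting blocks versus from a spread of unrelated peers. The capture rows are constructed in the shape of a tshark/Wireshark conversation export, the client address is assumed, and the hosting prefixes (which in practice come from WHOIS/RIR data for the site) are constructed from RFC 5737 documentation ranges.

```python
"""Does a 'streaming torrent' site relay cached video from its own hosting,
or does the browser pull from swarm peers? Added example; all data constructed.
"""
import ipaddress
from collections import Counter

# Assumed hosting blocks of the site (constructed, RFC 5737 ranges).
HOSTING_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("203.0.113.0/24", "198.51.100.0/25")]
CLIENT_IP = "10.0.0.5"  # the test PC in the constructed captures

# Constructed capture: almost all bytes from two recurring hosting addresses.
CACHED_CAPTURE = """\
ip.src,ip.dst,bytes
203.0.113.10,10.0.0.5,5200000
203.0.113.11,10.0.0.5,4800000
203.0.113.10,10.0.0.5,6100000
192.0.2.77,10.0.0.5,1500
10.0.0.5,203.0.113.10,90000
"""
# Constructed capture: bytes spread over unrelated peers, little from hosting.
SWARM_CAPTURE = """\
ip.src,ip.dst,bytes
203.0.113.10,10.0.0.5,42000
192.0.2.17,10.0.0.5,900000
192.0.2.44,10.0.0.5,1200000
198.51.100.201,10.0.0.5,700000
192.0.2.120,10.0.0.5,1100000
192.0.2.9,10.0.0.5,650000
198.51.100.230,10.0.0.5,800000
"""

def parse_capture(text, client_ip):
    """Return [(source address, bytes)] for flows arriving at client_ip."""
    flows = []
    for line in text.splitlines()[1:]:          # skip the header row
        src, dst, nbytes = line.split(",")
        if dst == client_ip:                    # inbound traffic only
            flows.append((ipaddress.ip_address(src), int(nbytes)))
    return flows

def in_hosting(addr, prefixes):
    return any(addr in p for p in prefixes)

def analyse(flows, prefixes, min_peers=5):
    """Split inbound bytes into 'from the site's hosting' vs 'from peers'
    and give a verdict on where the video really came from."""
    per_src = Counter()
    for src, nbytes in flows:
        per_src[src] += nbytes
    hosted = {s: b for s, b in per_src.items() if in_hosting(s, prefixes)}
    peers = {s: b for s, b in per_src.items() if s not in hosted}
    hosted_bytes, peer_bytes = sum(hosted.values()), sum(peers.values())
    total = hosted_bytes + peer_bytes
    frac = hosted_bytes / total if total else 0.0
    if frac >= 0.9:
        verdict = "cached-by-site"       # few recurring hosting addresses
    elif frac <= 0.1 and len(peers) >= min_peers:
        verdict = "swarm-peers"          # many unrelated peer addresses
    else:
        verdict = "mixed"
    return {"hosted_bytes": hosted_bytes, "peer_bytes": peer_bytes,
            "hosted_fraction": round(frac, 4),
            "distinct_hosting_sources": len(hosted),
            "distinct_peer_sources": len(peers), "verdict": verdict}

if __name__ == "__main__":
    for name, cap in (("cached", CACHED_CAPTURE), ("swarm", SWARM_CAPTURE)):
        print(name, analyse(parse_capture(cap, CLIENT_IP), HOSTING_PREFIXES))
```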

Conclusion

Joker is a nice website that does what it promises extremely well and to be fair to its creators they weren’t the ones making the Popcorn Time analogies. However, as a free service Joker faces a dilemma.

By caching video itself the site is bound by the usual bandwidth costs associated with functionally similar sites such as YouTube. While Joker provides greater flexibility (users can order it to fetch whichever content they like) it still has to pump video directly to users after grabbing it from torrent swarms. This costs money and at some point someone is going to have to pay.

In contrast, other than running the software download portal and operating the APIs, Popcorn Time has no direct video-related bandwidth costs since the user’s connection is being utilized for transfers. The downside is that users’ IP addresses are visible to the outside world, a problem Joker users do not have.

Finally and to address the excited headlines, comparing Joker to Popcorn Time is premature. The site carries no colorful and easy to access indexes of movies which definitely makes it a lot less attractive to newcomers. That being said, this lack of content curation enhances Joker’s legal footing.

Overall, demand is reportedly high. The developers told TF last evening that they were “overloaded” and were working hard to fix issues. Currently the service appears stable. Only time will tell how that situation develops.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Dotcom Tries To Reclaim Millions Seized in Hong Kong

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For many months the New Zealand courts have been dealing with the thorny issue of Kim Dotcom. The entrepreneur’s case has traversed the legal system, with claim and counterclaim, decision followed by appeal.

The key topic of Dotcom’s possible extradition to the United States aside, much of the courtroom action has centered around the Megaupload founder’s assets. On the one hand Dotcom has been trying to reclaim his property, and on the other United States-based entertainment companies have been trying to lock it down in preparation for any future damages payout.

But as the fight simmers in New Zealand and largely stalls in the U.S., Dotcom’s legal representatives are fighting to reestablish control of his wealth in a third territory.

Over in Hong Kong, lawyers for Dotcom are attempting to take back HK$330 million (US$42.55m) in assets that were seized by local authorities when Megaupload was shut down in January 2012.

While Dotcom’s servers were being sealed off in the United States and his mansion raided in New Zealand, the Megaupload chief’s Hong Kong offices were being raided by 100 customs officers following allegations of copyright infringement and money laundering.

The seized assets are being held under a restraining order but Dotcom’s legal team are arguing that it should be set aside. In April 2014, Megaupload initiated legal action against the government and now its legal team is accusing the secretary for justice of failing to provide a “full and frank disclosure” of the facts when the application for seizure was made.

“We are applying for [the order] to be set aside because the court has misrepresented the true position,” Dotcom lawyer Gerard McCoy SC told SCMP yesterday.

In a feature that has become a hallmark of the pre-shutdown activity surrounding Megaupload, the Hong Kong restraining order was made ex parte, meaning that the defendants in the case were not allowed to put their side of the story. Dotcom’s lawyers say that in such circumstances the prosecution is under an obligation to exercise additional caution.

“Did the secretary for justice put his cards on the table face up? This application is a clear example of the duty either being ignored or simply misunderstood,” McCoy said.

According to the lawyer the prosecution deliberately withheld crucial information from the court when applying for the restraining order, not least the fact that Megaupload could not be served with a criminal complaint in the United States as it did not have a US mailing address.

“None of this was ever brought to the attention of the judge. It was all put to one side and never raised,” McCoy said.

In an interview with TorrentFreak in December 2011 before the raid, Dotcom spoke warmly of Hong Kong. “I should write a book about doing business in Hong Kong, that’s how good it is,” he said. “People there leave you alone and they are happy for your success.”

But according to McCoy, one month later the fate of Dotcom, his co-defendants, and his Megaupload empire was sealed in a matter of minutes.

“In about six or seven minutes, the applicant has dealt with the position of nine defendants and managed to freeze a massive amount of money. There is not one word about Megaupload, not a jot, not a tittle,” he told the court.

If the case goes in Dotcom’s favor there could be big implications for the entrepreneur. Not only could he regain tens of millions of dollars in wealth, but he could also be in a position to file a multi-billion dollar civil claim for damages. Before its shutdown, Megaupload was valued at a cool two billion dollars.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: We Know You’re A Dog

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Usually when I read about “new” findings in computer security, they are things that I’ve known about for years. Car hacking, parasitic file attachments, and even changes in phishing and spamming. If you’re active in the computer security community, then most of the public announcements are probably not new to you. But Wired just reported on something that I had only learned about a few months ago.

I had previously mentioned that I was looking for alternate ways to ban users who violate the FotoForensics terms of service. Specifically, I’m looking at HTTP headers for clues to identify if the web client is using a proxy.

One of the things I discovered a few months ago was the “X-UIDH” header that some web clients send. As Wired and Web Policy mentioned, Verizon is adding this header to HTTP requests that go over their network and it can be used to track users.

Miswired

As is typical for Wired, they didn’t get all of the details correct.

  • Wired says that the strings are “about 50 letters, numbers, and characters”. I’ve only seen 56 and 60 character sequences. The data appears to be a base64-encoded binary set. If you base64 decode the sequence, then you’ll see that it begins with a text number, like “379612345”, and it is null-terminated. I don’t know what this is, but it is unique per account. It could be the user’s account number. After that comes a bunch of binary data that I have not yet decoded.
  • Wired says that the string follows the user. This is a half-truth. If you change network addresses, then only the first part of the base64 X-UIDH value stays the same. The rest changes. If services only store the X-UIDH string, then they will not be tracking you. But if they decode the string and use the decoded number, then services can track you regardless of your Verizon-assigned network address.
  • Wired makes it sound like Verizon adds the header to most Verizon clients. However, it isn’t added by every Verizon service. I’ve only seen this on some Verizon Wireless networks. Users with FiOS or other Verizon services do not get exposed by this added header. And even people who use Verizon Wireless may not have it added, depending on their location. If your dynamically assigned hostname says “myvzw.com”, then you might be tagged. But if it isn’t, then you’re not.
  • The X-UIDH header is only added when the web request uses HTTP. I have not seen it added to any HTTPS headers. However, most web services use HTTP. And even services like eBay and PayPal load some images with HTTP even when you use HTTPS to connect to the service. So this information will be leaked.

The Wired article focused on how this can be used by advertisers. However, it can also be used by banks as part of a two-part authentication: something you know (your username and password) and something you are (your Verizon account number).

Personally, I’ve been planning to use it for a much more explicit purpose. I’ve mentioned that I am legally required to report people who upload child porn to my server. And while I am usually pro-privacy, I don’t mind reporting these people because there is a nearly one-to-one relationship between people who have child porn and people who abuse children. So… wouldn’t it be wonderful if I could also provide their Verizon account number along with my required report? (Let’s make it extremely easy for the police to make an arrest.)

Unique, and yet…

One other thing that Wired and other outlets failed to mention is that Verizon isn’t the only service that does this kind of tracking. Verizon adds in an “X-UIDH” header. But they are not alone. Two other examples are Vodafone and AT&T. Vodafone inserts an X-VF-ACR header and AT&T Mobility LLC (network AS20057) adds in an “x-acr” header. These headers can be used for the same type of user-specific tracking and identification.
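The post describes the X-UIDH value as base64 that decodes to a null-terminated text number followed by binary data, and names two more carrier-inserted headers (X-VF-ACR and x-acr). The following is an added example, not code from the post or from FotoForensics, showing how a site operator or an outbound proxy can detect these headers in a request, recover the stable leading token from X-UIDH (the part the post says survives a network-address change), and strip the headers before they reach third parties. The header names come from the post; the sample request is constructed, and its X-UIDH value is built in the code to match the described shape rather than copied from any real network.

```python
"""Detect carrier-inserted tracking headers in an HTTP request and pull
the leading account-style token out of an X-UIDH value.

Added example, not code from the original post or from FotoForensics.
The header names (X-UIDH, X-VF-ACR, x-acr) come from the post; the
request below is constructed, and its X-UIDH value is built here to
match the shape the post describes (base64 of a null-terminated ASCII
number followed by opaque binary data). Real values will differ.
"""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Header names the post attributes to specific carriers. HTTP header
# names are case-insensitive, so everything is compared lower-cased.
TRACKING_HEADERS: Dict[str, str] = {
    "x-uidh": "Verizon Wireless",
    "x-vf-acr": "Vodafone",
    "x-acr": "AT&T Mobility",
}

# Constructed X-UIDH value: the post's example number "379612345", a NUL
# terminator, then 32 bytes of stand-in binary data. 42 bytes encode to
# 56 base64 characters, one of the two lengths the post reports.
SAMPLE_UIDH = base64.b64encode(
    b"379612345\x00" + bytes(range(0x80, 0xA0))
).decode("ascii")

# Constructed plaintext HTTP/1.1 request carrying two of the headers.
SAMPLE_REQUEST = (
    "GET /image.jpg HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    f"X-UIDH: {SAMPLE_UIDH}\r\n"
    "x-acr: constructed-opaque-token\r\n"
    "\r\n"
)


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP/1.1 request as a dict keyed
    by lower-cased header name. The request line is skipped and parsing
    stops at the blank line that ends the headers."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_uidh_prefix(value: str) -> Optional[str]:
    """Return the leading NUL-terminated ASCII digits of a decoded X-UIDH
    value, or None when the value is not base64 or lacks that shape."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    prefix, terminator, _rest = raw.partition(b"\x00")
    if not terminator or not prefix or not prefix.isdigit():
        return None
    return prefix.decode("ascii")


def audit_request(raw: str) -> List[Tuple[str, str, Optional[str]]]:
    """List (header, carrier, decoded prefix) for every tracking header
    present, sorted by header name. Only X-UIDH is decoded, since that is
    the only format the post describes."""
    headers = parse_request_headers(raw)
    findings: List[Tuple[str, str, Optional[str]]] = []
    for name in sorted(headers):
        if name in TRACKING_HEADERS:
            prefix = decode_uidh_prefix(headers[name]) if name == "x-uidh" else None
            findings.append((name, TRACKING_HEADERS[name], prefix))
    return findings


def strip_tracking_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the parsed headers with the tracking headers
    removed, the step an outbound proxy would take to keep the identifier
    from reaching the sites its users visit."""
    return {k: v for k, v in headers.items() if k not in TRACKING_HEADERS}


if __name__ == "__main__":
    for name, carrier, prefix in audit_request(SAMPLE_REQUEST):
        print(f"{name}: inserted by {carrier}; stable account token: {prefix}")
```

The decoder is deliberately strict: it rejects anything that is not valid base64 and anything whose decoded form does not start with digits and a NUL, so an unrelated header value is reported as present but not decoded rather than producing a spurious "account number". Note also the post's point that the header is only seen on plain HTTP; a proxy that strips it protects only the requests it actually sees in the clear.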

And it isn’t just service providers. If your web antivirus software performs real-time network scanning, then there’s a good chance that it is adding in unique headers that can be used to track you. I’ve even identified a few headers that are inserted by specific nation-states. If I see the presence of certain HTTP headers, then I immediately know the country of origin. (I’m not making this info public yet because I don’t want Syria to change the headers. Oops…)

Business as usual

For over a decade, it has been widely known in the security field that users can be tracked based on their HTTP headers. In fact, the EFF has an online test that determines how unique your HTTP header is. (The EFF also links to a paper on this topic.) According to them, my combination of operating system, time zone, web browser, and browser settings makes my system “unique among the 4,645,400 tested so far.” Adding in yet-another header doesn’t make me more unique.

When I drive my car, I am in public. People can see my car and they can see me. While I believe that the entire world isn’t watching me, I am still in public. My car’s make and model is certainly not unique, but the various scratches and dents are. When I drive to my favorite restaurant, they know it is me before I get out of the car. By the same means, my HTTP header is distinct. For some uses, it is even unique. When I visit my favorite web sites, they can identify me by my browser’s HTTP header.

Continuing with this analogy, my car has a license plate. Anyone around me can see it and it is unique. With the right software, someone can even identify “me” from my license plate. Repainting my car doesn’t change the license plate. These unique tracking IDs that are added by various ISPs are no different from a license plate. The entire world may not be able to see it, but anywhere you go, it goes with you and it is not private.

The entire argument that these IDs violate online privacy is flawed. You never had privacy to begin with. Moreover, these unique tags do not make you any more exposed or any more difficult to track. And just as you can take specific steps to reduce your traceability in public, you still have options to reduce your traceability online.

Errata Security: No evidence feds hacked Attkisson

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Former CBS journalist Sharyl Attkisson is coming out with a book claiming the government hacked her computer in order to suppress reporting on Benghazi. None of her “evidence” is credible. Instead, it’s bizarre technobabble. Maybe her book is better, but those with advance copies quoting excerpts make it sound like the worst “ninjas are after me” conspiracy theory.

Your electronics are not possessed by demons

Technology doesn’t work by magic. Each symptom has a specific cause.

Attkisson says “My television is misbehaving. It spontaneously jitters, mutes, and freeze-frames”. This is not a symptom of hackers. Instead, it’s a common consumer complaint caused by the fact that cables leading to homes (and inside the home) are often bad. My TV behaves like this on certain channels.

She says “I call home from my mobile phone and it rings on my end, but not at the house”, implying that her phone call is being redirected elsewhere. This is a common problem with VoIP technologies. Old analog phones echoed back the ring signal, so the other side had to actually ring for you to hear it. New VoIP technologies can’t do that. The ringing is therefore simulated and has nothing to do with whether it’s ringing on the other end. This is a common consumer complaint with VoIP systems, and is not a symptom of hacking.

She says that her alarm triggers at odd hours in the night. Alarms work over phone lines and will trigger when power is lost on the lines (such as when an intruder cuts them). She implies that the alarm system goes over the VoIP system on the FiOS box. The FiOS box losing power or rebooting in the middle of the night can cause this. This is a symptom of hardware troubles on the FiOS box, or Verizon maintenance updating the box, not hackers.

She says that her computer made odd “Reeeeee” noises at 3:14am. That’s common. For one thing, when computers crash, they’ll make this sound. I woke two nights ago to my computer doing this, because the WiMax driver crashed, causing the CPU to peg at 100%, causing the computer to overheat and the fan to whir at max speed. Other causes could be the nightly Time Machine backup system. This is a common symptom of bugs in the system, but not a symptom of hackers.

It’s not that hackers can’t cause these problems, it’s that they usually don’t. Even if hackers have thoroughly infested your electronics, these symptoms are still more likely to be caused by normal failure than by the hackers themselves. Moreover, even if a hacker caused any one of these symptoms, it’s insane to think they caused them all.

Hacking is not sophisticated

There’s really no such thing as a “sophisticated hack”. That’s a fictional trope, used by people who don’t understand hacking. It’s like how people who don’t know crypto use phrases like “military grade encryption” — no such thing exists, the military’s encryption is usually worse than what you have on your laptop or iPhone.

Hacking is rarely sophisticated because the simplest techniques work. Once I get a virus onto your machine, even the least sophisticated one, I have full control. I can view/delete all your files, view the contents of your screen, control your mouse/keyboard, turn on your camera/microphone, and so on. Also, it’s trivially easy to evade anti-virus protection. There’s no need for me to do anything particularly sophisticated.

We experts are jaded and unimpressed. Sure, we have experience with what’s normal hacking, and might describe something as abnormal. But here’s the thing: every hack I’ve seen has had something abnormal about it. Something strange that I’ve never seen before doesn’t make a hack “sophisticated”.

Attkisson quotes an “expert” using the pseudonym “Jerry Patel” saying that the hack is “far beyond the abilities of even the best nongovernment hackers”. Government hackers are no better than nongovernment ones — they are usually a lot worse. Hackers can earn a lot more working outside government. Government hackers spend most of their time on paperwork, whereas nongovernment hackers spend most of their time hacking. Government hacker skills atrophy, while nongovernment hackers get better and better.

That’s not to say government hackers are crap. Some are willing to forgo the larger paycheck for a more stable job. Some are willing to put up with the nonsense in government in order to be able to tackle interesting (and secret) problems. There are indeed very good hackers in government. It’s just that it’s foolish to assume that they are inherently better than nongovernmental ones. Anybody who says so, like “Jerry Patel”, is not an expert.

Contradictory evidence

Attkisson quotes one expert as saying intrusions of this caliber are “far beyond the abilities of even the best nongovernment hackers”, while at the same time quoting another expert saying the “ISP address” is a smoking gun pointing to a government computer.

Both can’t be true. Hiding one’s IP address is the first step in any hack. You can’t simultaneously believe that these are the most expert hackers ever for deleting log files, but that they make the rookie mistake of using their own IP address rather than anonymizing it through Tor or a VPN. It’s almost always the other way around: everyone (except those like the Chinese who don’t care) hides their IP address first, and some forget to delete the log files.

Attkisson quotes experts saying non-expert things. Patel’s claims about logfiles and government hackers are false. Don Allison’s claim about IP addresses being a smoking gun is false. It may be that the people she’s quoting aren’t experts, or that her ignorance causes her to misquote them.

Technobabble

Attkisson quotes an expert as identifying an “ISP address” of a government computer. That’s not a term that has any meaning. He probably meant “IP address” and she’s misquoting him.

Attkisson says “Suddenly data in my computer file begins wiping at hyperspeed before my very eyes. Deleted line by line in a split second”. This doesn’t even make sense. She claims to have videotaped it, but if this is actually a thing, it sounds more like something kids do to scare people, not what real “sophisticated” hackers do.

So far, none of the quotes I’ve read from the book use any technical terminology that I, as an expert, feel comfortable with.

Lack of technical details

We don’t need her quoting (often unnamed) experts to support her conclusion. Instead, she could just report the technical details.

For example, instead of quoting what an expert says about the government IP address, she could simply report the IP address. If it’s “75.748.86.91”, then we can judge for ourselves whether it’s the address of a government computer. That’s important because nobody I know believes that this would be a smoking gun — maybe if we knew more technical details she could change our minds.

Maybe that’s in her book, along with pictures of the offending cable attached to the FiOS ONT, or the pictures of her screen deleting at “hyperspeed”. So far, though, none of those with advance copies have released these details.

Lastly, she’s muzzled the one computer security “expert” that she named in the story so he can’t reveal any technical details, or even defend himself against charges that he’s a quack.

Conclusion

Attkisson’s book isn’t out yet. The source material for this post is from those with advance copies quoting her [1][2]. But everything quoted so far is garbled technobabble from fiction rather than hard technical facts.

Disclosure: Some might believe this post is from political bias instead of technical expertise. The opposite is true. I’m a right-winger. I believe her accusations that CBS put a left-wing slant on the news. I believe the current administration is suppressing information about the Benghazi incident. I believe journalists with details about Benghazi have been both hacked and suppressed. It’s just that in her case, her technical details sound like a paranoid conspiracy theory.

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Wednesday, October 29th 2014 http://isc.sans.edu/podcastdetail.html?id=4213, (Wed, Oct 29th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

xkcd.com: Geese

This post was syndicated from: xkcd.com and was written by: xkcd.com. Original post: at xkcd.com

Anyway, that's a common misconception. Geese live for a long time; all the ones we can see will probably keep flying around for billions of years before they explode.

Monty says: MariaDB foundation trademark agreement

This post was syndicated from: Monty says and was written by: Michael "Monty" Widenius. Original post: at Monty says

We have now published the trademark agreement between the MariaDB Corporation (formerly SkySQL) and the MariaDB Foundation. This agreement guarantees that MariaDB Foundation has the rights needed to protect the MariaDB server project!

With this protection, I mean to ensure that the MariaDB Foundation in turn ensures that anyone can be part of MariaDB development on equal terms (like with any other open source project).

I have received some emails and read some blog posts from people who are confusing trademarks with the rights and possibilities for community developers to be part of an open source project.

The MariaDB foundation was never created to protect the MariaDB trademark. It was created to ensure that what happened to MySQL would never happen to MariaDB: That people from the community could not be part of driving and developing MySQL on equal terms as other companies.

I have personally never seen a conflict with having one company own the trademark of an open source product, as long as anyone can participate in the development of the product! Having a strong driver for an open source project usually ensures that there are more full-time developers working on a project than would otherwise be possible. This makes the product better and makes it useful for more people. In most cases, people are participating in an open source project because they are using it, not because they directly make money on the project.

This is certainly the case with MySQL and MariaDB, but also with other projects. If the MySQL or the MariaDB trademark would have been fully owned by a foundation from a start, I think that neither project would have been as successful as they are! More about this later.

Some examples of open source projects that have the trademark used or owned by a commercial parent company are WordPress (wordpress.com and WordPress.org) and Mozilla.

Even when it comes to projects like Linux that are developed by many companies, the trademark is not owned by the Linux Foundation.

There has been some concern that MariaDB Corporation has more developers and Maria captains (people with write access to the MariaDB repositories) on the MariaDB project than anyone else. This means that the MariaDB Corporation has more say about the MariaDB roadmap than anyone else.

This is right and actually how things should be; the biggest contributors to a project are usually the ones that drive the project forward.

This doesn’t, however, mean that no one else can join the development of the MariaDB project and be part of driving the road map.

The MariaDB Foundation was created exactly to guarantee this.

It’s the MariaDB Foundation that governs the rules of how the project is developed, under what criteria one can become a Maria captain, the rights of the Maria captains, and how conflicts in the project are resolved.

Those rules are not yet fully defined, as we have had very few conflicts when it comes to accepting patches. The work on these rules has been initiated and I hope that we’ll have nice and equal rules in place soon. In all cases the rules will be what you would expect from an open source project. Any company that wants to ensure that MariaDB will continue to be a free project and wants to be part of defining the rules of the project can join the MariaDB Foundation and be part of this process!

Some of the things that I think went wrong with MySQL and would not have happened if we had created a foundation similar to the MariaDB Foundation for MySQL early on:

  • Claims that companies like Google and eBay can’t get their patches into MySQL if they don’t pay (this was before MySQL was bought by Sun).
  • Closed source components in MySQL, developed by the company that owns the trademark to MySQL (almost happened to MySQL in Sun and has happened in MySQL Enterprise from Oracle).
  • Not giving community access to the roadmap.
  • Not giving community developers write access to the official repositories of MySQL.
  • Hiding code and critical test cases from the community.
  • No guarantee that a patch will ever be reviewed.

The MariaDB Foundation guarantees that the above things will never happen to MariaDB. In addition, the MariaDB Foundation employs people to perform reviews, provide documentation, and work actively to incorporate external contributions into the MariaDB project.

This doesn’t mean that anyone can push anything into MariaDB. Any changes need to follow project guidelines and need to be reviewed and approved by at least one Maria captain. Also no MariaDB captain can object to the inclusion of a given patch except on technical merits. If things can’t be resolved among the captains and/or the user community, the MariaDB Foundation has the final word.

I claimed earlier that MariaDB would never have been successful if the trademark had been fully owned by a foundation. The reason I can claim this is that we tried to do it this way and it failed! If we had continued on this route MariaDB would probably be a dead project today!

To be able to understand this, you will need a little background in MariaDB history. The main points are:

  • Some parts of the MariaDB team and I left Sun in February 2009 to work on the Maria storage engine (now renamed to Aria).
  • Oracle started to acquire Sun in April 2009.
  • Monty Program Ab then hired the rest of the MariaDB engineers and started to focus on MariaDB.
  • I was part of founding SkySQL in July 2010, as a home for MySQL support, consultants, trainers, and sales people.
  • The MariaDB Foundation was announced in November 2012.
  • Monty Program Ab and SkySQL Ab joined forces in April 2013.
  • SkySQL Ab renamed itself to MariaDB Corporation in October 2014.

During the 4 years before the MariaDB foundation was formed, I had contacted most of the big companies that had MySQL to thank them for their success and to ask them to be part of MariaDB development. The answers were almost all the same:

“We are very interested in you succeeding, but we can’t help you with money or resources until we are using MariaDB ourselves. This is only going to happen when you have proved that MariaDB will take over MySQL.”

It didn’t help that most of the companies that used to pay for MySQL support had gotten scared of MySQL being sold to Oracle and had purchased 2-4 year support contracts to protect themselves against sudden price increases in MySQL support.

In May 2012, after 4 years and spending close to 4 million Euros of my own money to make MariaDB possible, I realized that something would have to change.

I contacted some of the big technology companies in Silicon Valley and asked if they would be interested in being part of creating a MariaDB Foundation, where they could play bigger roles. The idea was that all the MariaDB developers from Monty Program Ab, the MariaDB trademark and other resources would move to the foundation. For this to happen, I needed guarantees that the foundation would have resources to pay salaries to the MariaDB developers for at least the next 5 years.

In the end two companies showed interest in doing this, but after months of discussions they both said that “now was not yet the right time to do this”.

In the end I created the MariaDB Foundation with a smaller role, just to protect the MariaDB server, and got some great companies to support our work:

  • Booking.com
  • SkySQL (2 years!)
  • Parallels (2 years!)
  • Automattic
  • Zenimax

There were also some smaller donations from a variety of companies.

See the whole list at https://mariadb.org/en/supporters.

During this time, SkySQL had become the biggest supporter of MariaDB and also the biggest customer of Monty Program Ab. SkySQL provided front line support for MySQL and MariaDB and Monty Program Ab did the “level 3” support (bug fixes and enhancements for MariaDB).

In the end there were only two ways to go forward to secure the financing of the MariaDB project:

a) Get investors for Monty Program Ab
b) Sell Monty Program Ab.

Note that neither of the above options would have been possible if Monty Program Ab had not owned the MariaDB trademark!

Selling to SkySQL was in the end the right and logical thing to do:

  • They have good investors who are committed to SkySQL and MariaDB.
  • Most of the people in the two companies already know each other as most come from the old MySQL team.
  • The MariaDB trademark was much better known than SkySQL, and owning it would make it much easier for SkySQL to expand their business.
  • As SkySQL was the biggest supporter of the MariaDB project this felt like the right thing to do.

However, to ensure the future of the MariaDB project, SkySQL and Monty Program Ab both agreed that the MariaDB Foundation was critically needed and that we had to put a formal trademark agreement in place. Until now there was just a verbal promise of the MariaDB trademarks to the foundation, and we had to do this legally right.

This took, because of a lot of reasons too boring to bring up here, much longer than expected. You can find the trademark agreement publicly available here.

However, now this is finally done and I am happy to say that the future of MariaDB, as an open source project, is protected and there will never again be a reason for me to fork it!

So feel free to join the MariaDB project, either as a developer or community contributor or as a member of the MariaDB Foundation!

Errata Security: The deal with the FTDI driver scandal

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The FTDI driver scandal is in the news, so I thought I’d write up some background, and show what a big deal this is.

Devices are connected to your computer using a serial port. Such devices include keyboards, mice, flash drives, printers, your iPhone, and so on. The original serial port standard called RS232 was created in 1962. It got faster over the years (75-bps to 115-kbps), but ultimately, the technology became obsolete.

In 1998, the RS232 standard was replaced by the new USB standard. Not only is USB faster (a million times so), it’s more complex and smarter. The initials stand for “Universal Serial Bus”, and it truly is universal. Not only does your laptop have USB ports on the outside for connecting to things like flash drives, it interconnects many of the things on the inside of your computer, such as your keyboard, Bluetooth, SD card reader, and camera.

What FTDI sells is a chip that converts between the old RS232 and the new USB. It allows old devices to be connected to modern computers. Even new devices come with RS232 instead of USB simply because it’s simple and reliable.

The FTDI chip is a simple device that goes for about $2. While there are competitors (such as Silicon Labs), FTDI is by far the most popular vendor of RS232-to-USB converters. This $2 may sound cheap, but it is relatively expensive for small devices which cost less than $50. That $2 is often greater than the profit margin on the entire device. Therefore, device manufacturers have a strong incentive to find cheaper alternatives.

That’s where clones come in. While FTDI sells them for $2, the raw chips cost only pennies to manufacture. Clone chips are similarly cheap to manufacture, and can be sold for a fraction of FTDI’s price. On Alibaba, people are advertising “real” FTDI chips for between $0.10 and $1 apiece, with the FTDI logo on the outside and everything. They are, of course, counterfeits.

FTDI is understandably upset about this. They have to sell millions of chips to make back development and support costs, which they can’t do with clones undercutting them.

FTDI’s strategy was to release a driver update that intentionally disabled the clone chips. Hardware devices in a computer need software drivers to operate. Clone chips use the same drivers from FTDI. Therefore, FTDI put code in their software that attacked the clones, disabling them. The latest FTDI driver through Windows Update contains this exploit. If your computer automatically updates itself, it may have downloaded this new driver.

Every USB device comes with a vendor identifier (VID) and a product identifier (PID). It’s these two numbers that tell operating systems like Windows or Linux which driver to load. What FTDI did was reprogram these numbers to zero. This, in effect, ruined the devices. From that point on, they can no longer be recognized, either by FTDI’s driver or any other. In theory, somebody could write software that reprogrammed them back to the original settings, but for the moment, they are bricked (meaning, the hardware is no more useful than a brick).

This can have a devastating effect. One place that uses RS232 heavily is industrial control systems, the sort of thing that controls the power grid. This means installing the latest Windows update on one of these computers could mean blacking out an entire city.

FTDI’s actions are unprecedented. Never before has a company released a driver that deliberately damages hardware. Bad driver updates are common. Counterfeits aren’t perfect clones, therefore a new driver may fail to work properly, either intentionally or unintentionally. In such cases, users can simply go back to the older, working driver. But when FTDI changes the hardware, the old drivers won’t work either. Because the VID/PIDs have been reprogrammed, the operating system can no longer figure out which drivers to load for the device.
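The post's argument rests on one mechanism: the operating system binds a driver purely by VID:PID, so a device whose identifiers have been rewritten to zero matches no driver at all, old or new. The following is an added example, not FTDI's code or the post's, that models that binding step over an inventory of devices and shows the check an operator of a serial-heavy fleet (the industrial control setting the post mentions) would run before and after applying a driver update: snapshot the VID:PID of every attached device, re-snapshot afterwards, and flag anything that has gone to 0000:0000. The sample inventories are constructed in the format of Linux `lsusb` output; the `1234:xxxx` vendor and product IDs and the driver table are placeholders invented for the example, not FTDI's or any real vendor's values (the root-hub line is the one Linux itself prints).

```python
"""Inventory USB VID:PID pairs from lsusb-style output and flag devices
whose identifiers have been zeroed, the state the post describes for
clone chips after the driver rewrote them.

Added example, not code from the original post or from FTDI. The sample
inventories are constructed in the format of Linux `lsusb` output. The
1234:xxxx IDs and the driver table are placeholders for this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class UsbDevice(NamedTuple):
    bus: int
    device: int
    vid: int
    pid: int
    description: str

    @property
    def location(self) -> str:
        return f"Bus {self.bus:03d} Device {self.device:03d}"

    @property
    def ids(self) -> str:
        return f"{self.vid:04x}:{self.pid:04x}"


# One lsusb line: "Bus 001 Device 004: ID 1234:0001 <description>"
LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

# Constructed inventory before a driver update. Device 005 stands in for
# a converter built around a counterfeit chip.
BEFORE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 1234:0001 Example Vendor USB-Serial (constructed)
Bus 001 Device 005: ID 1234:0002 Example Vendor USB-Serial (constructed)
"""

# Constructed inventory after the update: device 005 now reports 0000:0000.
AFTER = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 1234:0001 Example Vendor USB-Serial (constructed)
Bus 001 Device 005: ID 0000:0000
"""

# Illustrative driver table keyed by (VID, PID); placeholder values.
DRIVER_TABLE: Dict[Tuple[int, int], str] = {
    (0x1D6B, 0x0002): "hub",
    (0x1234, 0x0001): "example_usbserial",
    (0x1234, 0x0002): "example_usbserial",
}


def parse_lsusb(output: str) -> List[UsbDevice]:
    """Parse lsusb-style lines into UsbDevice records, skipping anything
    that does not match the expected format."""
    devices: List[UsbDevice] = []
    for line in output.splitlines():
        match = LSUSB_LINE.match(line.strip())
        if not match:
            continue
        bus, dev, vid, pid, desc = match.groups()
        devices.append(
            UsbDevice(int(bus), int(dev), int(vid, 16), int(pid, 16), desc.strip())
        )
    return devices


def select_driver(dev: UsbDevice, table: Dict[Tuple[int, int], str] = DRIVER_TABLE) -> Optional[str]:
    """Model the OS binding step: the driver is chosen by VID:PID alone.
    IDs that appear in no table get no driver, which is why a zeroed
    device cannot be rescued by rolling back to an older driver."""
    return table.get((dev.vid, dev.pid))


def is_bricked(dev: UsbDevice) -> bool:
    """Zeroed VID and PID is the post-update state the post describes."""
    return dev.vid == 0 and dev.pid == 0


def audit(output: str, table: Dict[Tuple[int, int], str] = DRIVER_TABLE) -> Dict[str, List[str]]:
    """Classify every device in an inventory as bricked, driverless, or ok."""
    report: Dict[str, List[str]] = {"bricked": [], "no_driver": [], "ok": []}
    for dev in parse_lsusb(output):
        if is_bricked(dev):
            report["bricked"].append(dev.location)
        elif select_driver(dev, table) is None:
            report["no_driver"].append(dev.location)
        else:
            report["ok"].append(dev.location)
    return report


def changed_ids(before: str, after: str) -> List[Tuple[str, str, str]]:
    """Compare two inventories taken at the same bus positions, such as
    before and after a driver update, and list devices whose VID:PID
    changed as (location, old ids, new ids)."""
    earlier = {d.location: d for d in parse_lsusb(before)}
    changes: List[Tuple[str, str, str]] = []
    for dev in parse_lsusb(after):
        old = earlier.get(dev.location)
        if old is not None and old.ids != dev.ids:
            changes.append((dev.location, old.ids, dev.ids))
    return changes


if __name__ == "__main__":
    print("after update:", audit(AFTER))
    for location, old, new in changed_ids(BEFORE, AFTER):
        print(f"{location}: VID:PID changed {old} -> {new}")
```

Two caveats for anyone turning this into a real pre-update check. First, `lsusb` device numbers are reassigned whenever a device re-enumerates, so a production inventory should key on something stable such as the physical port path rather than the Device number; the constructed samples assume nothing was unplugged between snapshots. Second, the check only detects damage after the fact; the preventive control the post implies is to stage driver updates on a test host that carries the same converters before letting them reach machines whose serial links matter.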

Many people have gotten upset over this, but it’s a complex debate.

One might think that the evil buyers of counterfeits are getting what they deserve. After all, satellite TV providers have been known to brick counterfeit access cards. But there is a difference. Buyers of satellite cards know they are breaking the rules, whereas buyers of devices containing counterfeit chips don’t. Most don’t know what chips are inside a device. Indeed, many times even the manufacturers don’t know the chips are counterfeit.

On the other hand, ignorance of the law is no excuse. Customers buying devices with clone chips harm FTDI whether they know it or not. They have the responsibility to buy from reputable vendors. It’s not FTDI’s fault that the eventual end customer chose poorly.

It rankles that FTDI would charge $2 for a chip that costs maybe $0.02 to manufacture, but it costs money to develop such chips. It likewise costs money to maintain software drivers for over 20 operating systems, ranging from Windows to Linux to VxWorks. It can easily cost $2 million for all this work, while selling only one million chips. If companies like FTDI cannot get a return on their investment in RND, then there will be a lot less RND — and that will hurt all of us.

One way to protect RND investment is draconian intellectual-property laws. Right now, such laws are a cure that’s worse than the disease. The alternative to bad laws is to encourage companies like FTDI to protect themselves. What FTDI did is bad, but at least nobody held a gun to anybody’s head.

Counterfeits have another problem: they are dangerous. From nuclear control systems to airplane navigation systems to medical equipment, electronics are used in places where failure costs human lives. These systems are validated using the real chips. Replacing them with counterfeits can lead to human lives lost. However, counterfeit chips have been widespread for decades with no documented loss of life, so this danger is so far purely theoretical.

Separate from the counterfeit issue is the software update issue. In the last decade we’ve learned that software is dynamic. It must be updated on a regular basis. You can’t deploy a device and expect it to run unmodified for years. That’s because hackers regularly find flaws in software, even simple drivers, so they must be patched to prevent hacker intrusions. Many industries, such as medical devices and industrial control systems, are struggling with this concept, putting lives at risk due to hackers because they are unwilling to put lives at (lesser) risk when changing software. They need more trust in the software update process. However, this action by FTDI has threatened that trust.

Conclusion

As a typical Libertarian, I simultaneously appreciate the value of protecting RND investments while hating the current draconian government regime of intellectual property protection. Therefore, I support FTDI’s actions. On the other hand, this isn’t full support — there are problems with their actions.


Update: As Jose Nazario points out, when Microsoft used Windows Update to disable pirated copies of WinXP, pirates stopped updating to fix security flaws. This resulted in hackers breaking into desktops all over the Internet, endangering the rest of us. Trust in updates is a big thing.

LWN.net: Release for CentOS-6.6 i386 and x86_64

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS 6.6 has been released. “There are many fundamental changes in
this release, compared with the past CentOS-6 releases, and we highly
recommend everyone study the upstream Release Notes as well as the upstream
Technical Notes about the changes and how they might impact your
installation. (See the ‘Further Reading’ section of the [CentOS release notes]).