Darknet - The Darkside: LinEnum – Linux Enumeration & Privilege Escalation Tool

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

LinEnum automates many of the local Linux enumeration and privilege escalation checks documented in this cheat sheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/SGID files, sudo/rhosts misconfigurations and more. An…

Read the full post at darknet.org.uk
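A few of the checks a script like LinEnum automates, as an added example that is not LinEnum’s own code: POSIX shell functions that each take a root path, so they can be pointed at “/” on a target or at a small test tree. The `run` argument and the section headings are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not LinEnum's own code): a handful of the local checks a
# script like LinEnum automates, as functions that take a root path so they
# can be pointed at "/" on a target or at a small test tree.
set -u

# SUID/SGID binaries under $1. A setuid-root binary that can spawn a shell,
# read arbitrary files or load user-controlled libraries is the classic
# escalation point, so every entry here deserves a look.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable regular files under $1. A root-owned cron script, init
# script or config file that anyone can edit is effectively root.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# .rhosts / hosts.equiv files with an entry that starts with "+":
# "+ +" trusts every host and every user for the r-services.
find_rhosts_wildcards() {
    find "$1" -xdev -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null |
    while IFS= read -r f; do
        grep -q '^+' "$f" 2>/dev/null && echo "$f"
    done
}

# Sudo rules for the current user. -n never prompts, so this is safe to run
# blind; the lines worth reading are NOPASSWD entries and "(ALL)" rules.
list_sudo_rules() {
    sudo -n -l 2>/dev/null | grep -E 'NOPASSWD|\(ALL' || true
}

# Kernel and distribution, to match against known local exploits.
system_info() {
    uname -a
    head -n 2 /etc/os-release 2>/dev/null
}

# Usage: sh enum.sh run [ROOT]   (ROOT defaults to /)
if [ "${1:-}" = run ]; then
    root=${2:-/}
    echo "== system ==";            system_info
    echo "== suid/sgid ==";         find_suid_sgid "$root"
    echo "== world-writable ==";    find_world_writable "$root"
    echo "== rhosts wildcards ==";  find_rhosts_wildcards "$root"
    echo "== sudo ==";              list_sudo_rules
fi
```

Each function prints only paths, so the output can be diffed against a known-good baseline of the same host; a SUID binary that appears after a package update is the first thing to investigate.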

Raspberry Pi: ramanPi: an open source 3D-printable Raman spectrometer

This post was syndicated from: Raspberry Pi and was written by: Helen Lynn. Original post: at Raspberry Pi

The 2014 Hackaday Prize offered fabulous prizes for the best exemplars of an open, clearly documented device involving connected electronics. Committed hardware hacker fl@c@ (we understand that’s pronounced “flatcat”) wasn’t in the habit of opening up their work, but had been thinking that perhaps they should, and this seemed the perfect opportunity to give it a go. They decided to make an entry of one of their current works-in-progress, a DIY Raman spectrometer based on a Raspberry Pi. The project, named ramanPi, made it to the final of the contest, and was declared fifth prize winner at the prize announcement in Munich a couple of weeks ago.

ramanPi optics overview

Raman spectroscopy is a molecular identification technique that, like other spectroscopic techniques, works by detecting and analysing the characteristic ways in which substances absorb and emit radiation in various regions of the electromagnetic spectrum. It relies on the phenomenon of Raman scattering, in which a tiny proportion of the light falling on a sample is absorbed and then re-emitted at a different frequency; the shift in frequency is characteristic of the structure of the material, and can be used to identify it.

The ideal molecular identification technique is sensitive (requiring only small quantities of sample), non-destructive of the sample, unambiguous, fast, and cheap; spectroscopic methods perform pretty well against all but the final criterion. This means that fl@c@’s Raman spectrometer, which uses a Raspberry Pi and 3D-printed parts together with readily available off-the-shelf components, removes an obstacle to using a very valuable technique for individuals and organisations lacking a large equipment budget.

The ramanPi uses a remote interface so that it can be viewed and controlled from anywhere. Like conventional Raman spectrometers, it uses a laser as a powerful monochromatic light source; uniquely, however, its design:

[…] is based on an open source concept that side steps the expensive optics normally required for raman spectroscopy. Ordinarily, an expensive notch filter would be used which is cost prohibitive for most average people. My system avoids this cost by using two less expensive edge filters which when combined in the correct manner provide the same benefit as the notch filter…at the minimal cost of a little extra computing time.

Once a cuvette containing the sample to be tested is loaded into the ramanPi, the laser is powered up behind a shutter and the first filter is selected while the cuvette’s temperature is stabilised. Then the shutter is disengaged and the sample exposed to laser light, and scattered light is collected, filtered and passed to a Raspberry Pi camera module for capturing and then analysis. The laser shutter is re-engaged and the process is repeated with the second filter. The Raspberry Pi combines multiple exposures into a single image and carries out further image processing to derive the sample’s Raman spectrum. Finally, the spectrum is compared with spectra in online databases, and any match found is displayed.

fl@c@ says,

I’ve been trying to build up the courage to share my work and ideas with the world because I think it benefits everyone. This project is my first to share, and for it to be featured here [in a Hackaday Prize Hacker bio] […] is really amazing. I appreciate this whole community, I’ve learned a lot from it over the years and I hope to be able to give back and contribute more soon!

We’re very glad fl@c@ did decide to share this – ramanPi is an astonishing first contribution to the open source movement, and something that’s likely to be of interest to schools, chemists, biologists, home brew enthusiasts, people who want to know what’s in their water, businesses, ecologists and the simply curious.

You can read about ramanPi in much more detail, with further videos, diagrams, discussion and build instructions, on its Hackaday project page. We hope that this is far from the last we’ll hear of this project, or of fl@c@!

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Fedora has updated clamav (F20: denial of service), facter (F20: privilege escalation), libreoffice (F20: code execution), libvirt (F20: multiple vulnerabilities), libxml2 (F19: denial of service), owncloud (F19: security restriction bypass), php-sabredav-Sabre_CalDAV, php-sabredav-Sabre_CardDAV, php-sabredav-Sabre_DAV, php-sabredav-Sabre_DAVACL, php-sabredav-Sabre_HTTP and php-sabredav-Sabre_VObject (all F19: security restriction bypass), polarssl (F20; F19: two vulnerabilities), python (F19: script execution), python-pillow (F20; F19: multiple vulnerabilities), and wget (F20: symlink attack).

Gentoo has updated aircrack-ng (multiple vulnerabilities), ansible (code execution), asterisk (multiple vulnerabilities), and openswan (denial of service).

Mageia has updated imagemagick (multiple vulnerabilities), moodle (multiple vulnerabilities), and polarssl (two vulnerabilities).

Mandriva has updated krb5 (ticket forgery), libvirt (information disclosure), php-smarty (two vulnerabilities), qemu (multiple vulnerabilities), srtp (denial of service), and wireshark (multiple vulnerabilities).

openSUSE has updated openssl (TLS handshake problem).

SUSE has updated firefox (SLES11 SP2: multiple vulnerabilities).

TorrentFreak: Pirate Bay Founder Preps Appeal, Puts the Press Straight

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After being arrested in Cambodia during September 2012 it soon became clear that two Scandinavian countries wanted to get their hands on Gottfrid Svartholm.

Sweden had a long-standing interest in their countryman for his infamous work on The Pirate Bay, but once that was out of the way a pair of hacking cases had to be dealt with.

The first, in Sweden, resulted in partial successes for both sides. While Gottfrid was found guilty of hacking into IT company Logica, following testimony from Jacob Appelbaum he was later cleared by the Appeal Court (Svea Hovrätt) of hacking into Nordea Bank.

But despite this significant result and a repeat appearance from Appelbaum, the trial that concluded in Denmark last month went all one way, with Gottfrid picking up a three-and-a-half year sentence.

With his mother Kristina acting as go-between, TorrentFreak recently fired off some questions to Gottfrid to find out how he’s been bearing up following October’s verdict and to discover his plans for the future.

Firstly, TF asked about his opinion on the decision. Gottfrid declined to answer directly but indicated we should look to the fact that he has already filed an appeal against the verdict. That should be enough of an answer, he said.

As it stands and considering time served, Gottfrid could be released as early as August 2015, but that clearly isn’t deterring him from the possibility of leaving sooner. Gottfrid has always shown that he’s both stubborn and a fighter, so sitting out his sentence in silence was probably never an option.

Moving on, TF pressed Gottfrid on what he feels were the points of failure during the court process and how these will play out alongside his appeal.

“Can’t discuss defense strategy at this point,” he responded. Fair enough.

Even considering the preparations for an appeal, there are a lot of hours in the coming months that will prove hard to fill. However, Gottfrid’s comments suggest that his access to books has improved since his days in solitary confinement and he’s putting that to use.

“I study neurobiology and related subjects to pass the time,” he says, with mother Kristina noting that this education is self-motivated.

“The ‘arrest house’ can of course not provide him with opportunities for higher studies,” she says.

Although he’s been thrust into the public eye on many occasions, Gottfrid’s appearances at court in Sweden (documented in TPB AFK) and later in his Danish trial reveal a man with an eye for detail and accuracy. It perhaps comes as little surprise then that he also took the opportunity to put the record straight on something he knows a lot about – the history of The Pirate Bay.

If one searches for “founders of The Pirate Bay” using Google, it’s very clear from many thousands of reports that they are Gottfrid Svartholm, Fredrik Neij and Peter Sunde. According to Gottfrid, however, that simply isn’t true.

“TPB was founded by me and two people who haven’t been involved since 2004,” Gottfrid says. “Fredrik came into the picture when the site moved from Mexico to Sweden, probably early 2004.”

While acknowledging Fredrik’s work as important for the growth of the site, Gottfrid noted that Peter’s arrival came sometime later. He didn’t specify who the other two founders were but it’s likely they’re to be found among the early members of Piratbyrån as detailed here.

With Peter Sunde already released from his sentence and Fredrik Neij close to beginning his, it’s possible that the founders trio could all be free men by the end of 2015. So does Gottfrid have anything exciting up his sleeve for then?

“Yes, I have plans, but I’m not sharing them,” he concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Linux How-Tos and Linux Tutorials: Encrypt Everything: How to Encrypt the Disk to Protect the Data

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

Recently, at BrowserStack.com, some of our services got compromised. We use Amazon Web Services extensively. The person (or group) who attacked us mounted one of our backups and managed to steal some of the data. We could have prevented this simply by using encrypted disks, which would have made the stolen backup useless. Learning from our mistakes, we have recently started encrypting everything, and I am going to show you how to do that.

One point worth noting here is that AWS does provide encryption for EBS volumes, but that encryption is transparent to anyone who can attach the volume: an attacker who controls the account can mount the snapshot and read it just as we could, so it does nothing against account compromise. I am going to use dm-crypt, which is built into the Linux kernel, so the steps are generic and work on any kind of disk in any kind of environment, including Amazon AWS, Google Compute Engine, or physical disks in your datacenter.
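The dm-crypt setup the post goes on to describe, as an added example that is not the BrowserStack post’s own commands: a POSIX shell script that creates a key file, formats a data volume with LUKS through cryptsetup, opens and mounts it, reopens it after a reboot, and closes it again. The device /dev/xvdf, the mapping name, the mount point and the key path are hypothetical; cryptsetup and mkfs.ext4 are assumed to be installed and the script is expected to run as root.

```shell
#!/bin/sh
# Added example (not the BrowserStack post's own commands): put a data
# volume under LUKS/dm-crypt. Device, mapping name, mount point and key
# path are hypothetical; cryptsetup and mkfs.ext4 are assumed present and
# the script is expected to run as root.
set -eu

# Create a random 4096-byte key file that only its owner can read.
# The subshell keeps the restrictive umask from leaking into the caller.
make_keyfile() {
    ( umask 077; head -c 4096 /dev/urandom > "$1" )
    chmod 0400 "$1"
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 4096 ]
}

# Format DEV with LUKS, open it as /dev/mapper/NAME, put a filesystem on
# the plaintext mapping (never on DEV itself) and mount it.
encrypt_and_mount() {
    dev=$1 name=$2 mnt=$3 key=$4
    cryptsetup luksFormat --batch-mode --key-file "$key" "$dev"
    cryptsetup luksOpen --key-file "$key" "$dev" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# Reopen an existing volume (for example after a reboot): no luksFormat,
# which would destroy the data.
open_and_mount() {
    dev=$1 name=$2 mnt=$3 key=$4
    cryptsetup luksOpen --key-file "$key" "$dev" "$name"
    mount "/dev/mapper/$name" "$mnt"
}

# Unmount and close, so the plaintext is no longer reachable through the
# instance. The underlying device, and any snapshot of it, holds only
# ciphertext either way.
close_volume() {
    umount "$2"
    cryptsetup luksClose "$1"
}

# Usage: sh encrypt_volume.sh init  /dev/xvdf data /mnt/data /root/data.key
#        sh encrypt_volume.sh open  /dev/xvdf data /mnt/data /root/data.key
#        sh encrypt_volume.sh close data /mnt/data
case "${1:-}" in
    init)  make_keyfile "$5"; encrypt_and_mount "$2" "$3" "$4" "$5" ;;
    open)  open_and_mount "$2" "$3" "$4" "$5" ;;
    close) close_volume "$2" "$3" ;;
esac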
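The key file is the part the disk cannot solve for you. If it sits on the instance’s root volume and gets baked into the AMI, an attacker who can mount your backups can mount the root volume too and is back where they started; the key has to come from somewhere the account compromise does not reach (an operator at boot, a separate secrets service, or a key store outside the affected account), and the volume should be closed whenever the data is not in use.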

SANS Internet Storm Center, InfoCON: green: Someone is using this? PoS: Compressor, (Mon, Nov 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Hello Dear Readers,

This diary comes to you by way of the real world and was taken very recently. Has anyone seen anything like this before? This handler was stunned into silence before the years of cynicism took over and I started breathing again. I was about to leave the convenience store, as I had passengers and they were in a hurry, but instead got out and took this picture. There were no cameras monitoring it; the position, as you can tell, was around the side of the store. The placement in the area was convenient for drivers to use but terrible for monitoring. I could see someone driving up to use this and then perhaps making a modification to it for, say, skimming, or, repeat after me boys and girls, can we say “pivot”?

Quick poll for the comments: I would never use this (Agree/Disagree) This is risky (Agree/Disagree)

===

Richard Porter

@packetalien

rporter at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Kernel prepatch 3.18-rc6

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The 3.18-rc6 prepatch is out, right on schedule. Linus says: “Steady progress towards final release, although we still have a big unknown worry in a regression that Dave Jones reported and that we haven’t solved yet. In the process of chasing that one down, there’s been a fair amount of looking at various low-level details, and that found some dubious issues, but no smoking gun yet.”

Дни: Breakfast at Tiffany’s

This post was syndicated from: Дни and was written by: Антония. Original post: at Дни

Just like at home:

[His] breakfast consisted of six strips of bacon, sausage, a bloody steak, scrambled eggs, and three pancakes, which I watched him devour with a fascination I used to reserve for Shark Week.

A croissant and coffee for me, please. And a few cups of tea.

Schneier on Security: New Kryptos Clue

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Jim Sanborn has given the world another clue to the fourth ciphertext in his Kryptos sculpture at CIA headquarters.

Older posts on Kryptos.

TorrentFreak: Piracy Monetization Firm Rightscorp Sued for Harassment and Abuse

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Copyright holders have been sending DMCA takedown notices to ISPs for over a decade, but in recent years these warnings have turned into revenue opportunities.

Companies such as Rightscorp ask U.S. ISPs to forward DMCA notices to subscribers, with a settlement offer tagged on to the end. On behalf of Warner Bros, BMG and others, Rightscorp asks subscribers to pay $20 per pirated file or risk a potential $150,000 in court.

In recent months there have been various complaints from people who were aggressively approached by Rightscorp, which has now resulted in a class-action complaint against the piracy monetization firm.

The lawsuit was filed at a California federal court on behalf of Karen Reif, Isaac Nesmith and others who were approached by Rightscorp. In the complaint, Rightscorp is accused of violating the Telephone Consumer Protection Act, violating debt collection laws, and abuse of process.

One of the allegations describes the repeated use of robo-calls to alleged infringers. A summary of what happened to Karen Reif shows that once Rightscorp knows who you are, they don’t give up easily.

“By late September of 2014, Ms. Reif was receiving on average about one robo-call per day, and sometimes one robo-call and one live call in the same day. These calls came in from a variety of different numbers, from different area codes all over the country,” the complaint alleges.

This bombardment of harassing robo-calls is a violation of the Telephone Consumer Protection Act, the lawyers argue.

The class-action further includes a long list of violations regarding Rightscorp’s debt collection practices, violating both the FDCPA and the Rosenthal Act.

“Among other wrongful conduct: Rightscorp has engaged in telephone harassment and abuse; made various false and misleading representations; engaged in unfair collections practices; failed to provide validation and required notices relating to the debts..,” the complaint reads.

In addition to the above Rightscorp allegedly made false representations that ISPs were participating in the debt collection. For example, the warning letter stated that ISPs would disconnect repeat infringers, something that rarely happened.

Finally, the complaint raises the issue of Rightscorp’s controversial DMCA subpoenas which demand that smaller ISPs should hand over personal details of their subscribers. Thus far most ISPs have complied, but according to the complaint these requests are a “sham and abuse” of the legal process.

“To identify potential consumers to target, Rightscorp has willfully misused this Court’s subpoena power by issuing at least 142 special DMCA subpoenas, per [the DMCA], to various Internet Service Providers.”

“These subpoenas, which were issued on this Court’s authority, but procured outside of an adversarial proceeding and without any judicial review, are so clearly legally invalid as to be a sham and abuse of the legal process,” the complaint reads.

The above is just a summary of the long list of complaints being brought against Rightscorp. With these settlement practices becoming more common, the case will definitely be one to watch.

Attorney Morgan Pietz is confident that they have a strong case and told TF that other Rightscorp victims are invited to get in touch.

“We would still be very interested to talking to anyone who was being contacted by Rightscorp or who paid settlements, particularly anyone who was getting the pre-recorded robo-calls,” Pietz said.

For Rightscorp the lawsuit is yet another setback. Earlier this month the piracy monetization firm reported that it continues to turn a loss, which may eventually drive the company towards bankruptcy.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Top 10 Most Pirated Movies of The Week – 11/24/14

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

This week we have four newcomers in our chart.

Guardians of the Galaxy is the most downloaded movie for the second week in a row.

The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are BD/DVDrips unless stated otherwise.

RSS feed for the weekly movie download chart.

Ranking (last week)  Movie                            IMDb rating / trailer
 1 (1)               Guardians of the Galaxy          8.5 / trailer
 2 (…)               Lucy                             6.5 / trailer
 3 (2)               Dawn of the Planet of the Apes   8.0 / trailer
 4 (…)               Predestination                   7.6 / trailer
 5 (3)               Dracula Untold                   6.3 / trailer
 6 (…)               Falcon Rising                    5.7 / trailer
 7 (4)               If I Stay                        7.0 / trailer
 8 (…)               Interstellar (TS)                9.0 / trailer
 9 (6)               Let’s Be Cops                    6.7 / trailer
10 (5)               The November Man                 6.3 / trailer

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Craigslist Outage, (Mon, Nov 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

We were notified this evening by Matt H. that Craigslist is suffering an outage of some sort. Briefly checking the site from the west coast, I am finding web access basically unavailable and access via their app intermittent. The website downdetector.com shows outage reports increasing over the last 5 hours. We will continue to monitor, and if anybody has information on what is happening, we’d appreciate getting the word out.

tony d0t carothers –gmail

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Monday, November 24th 2014 http://isc.sans.edu/podcastdetail.html?id=4249, (Mon, Nov 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: More Trouble For Hikvision DVRs, (Mon, Nov 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

The Internet of Things is turning against us once more. Rapid7 is reporting that Hikvision DVRs are vulnerable to at least three different remote code execution vulnerabilities. Metasploit modules are available to take advantage of them; a patch is not available.

All three vulnerabilities were found in the code dealing with RTSP requests. The vulnerabilities are simple buffer overflows.

Hikvision DVRs were already in the news earlier this year, when we found many of them being exploited by The Moon worm, bitcoin miners, and code scanning for Synology disk stations. Back then, the main exploit vector was the default root password of 12345 which never got changed.

At this point, device manufacturers just don’t get it. The vulnerabilities found in devices like the Hikvision DVRs are reminiscent of 90s operating system and server vulnerabilities. Note that many devices are sold under various brand names, and Hikvision may not be the only vulnerable brand.

[1] https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices–multiple-vulnerabilities
[2] https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633/


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

xkcd.com: Background Screens

This post was syndicated from: xkcd.com and was written by: xkcd.com. Original post: at xkcd.com

No way, we gotta rewind and cross-reference this map with the list of coordinates we saw on the other screen. This Greenland thing could be big.

TorrentFreak: Google Refuses MPAA Request to Blacklist ‘Pirate Site’ Homepages

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Every week copyright holders send millions of DMCA takedown notices to Google, hoping to make pirated movies and music harder to find.

The music industry groups RIAA and BPI are among the most active senders. Together they have targeted more than 170 million URLs in recent years.

The MPAA’s statistics are more modest. Thus far the Hollywood group has asked Google to remove only 19,288 links from search results. The most recent request is one worth highlighting though, as it shows a clear difference of opinion between Hollywood and Google.

Last week the MPAA sent a DMCA request listing 81 allegedly infringing pages, mostly torrent and streaming sites.

Unlike most other copyright holders, the MPAA doesn’t list the URLs where the pirated movies are linked from, but the site’s homepages instead. This is a deliberate strategy, one that previously worked against KickassTorrents.

However, this time around Google was less receptive. As can be seen below most of the MPAA’s takedown requests were denied. In total, Google took “no action” for 60 of the 81 submitted URLs, including casa-cinema.net, freemoviestorrents.com and solarmovie.is.

Part of the MPAA’s takedown request

It’s unclear why Google refused to take action, but it seems likely that the company views the MPAA’s request as too broad. While the sites’ homepages may indirectly link to pirated movies, for most this required more than one click from the homepage.

We previously asked Google under what circumstances a homepage might be removed from search results. A spokesperson couldn’t go into detail but noted that “it’s more complex than simply counting how many clicks one page is from another.”

“We’ve designed a variety of policies to comply with the requirements of the law, while weeding out false positives and material that’s too remote from infringing activity,” a Google spokesperson told us.

In this case Google appears to see most reported homepages as not infringing, at least not for the works the MPAA specified.

The MPAA previously said that it would like to move towards blocking pirate sites from search engines entirely, however Google’s recent actions suggest that the company doesn’t want to go this far just yet.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: Lowering The Bar

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

The Electronic Frontier Foundation (EFF) is one of my favorite non-profit organizations. They have a huge number of attorneys who are ready to help people with issues related to online privacy, copyright, and security. If you’re about to make an 0-day exploit public and receive a legal threat from the software provider, then the EFF should be the first place you go.

The EFF actually provides multiple services. Some are top-notch, but others are not as high quality as they should be. These services include:

Legal Representation
If you need an attorney for an online issue, such as privacy or security, then they can give you direction. When I received a copyright extortion letter from Getty Images, the EFF rounded up four different attorneys who were interested in helping me fight Getty. (Getty Images backed down before I could use these attorneys.) Legal assistance is one of the EFF’s biggest and best offerings.

Legal News
The EFF continually releases news blurbs and whitepapers that discuss current events and their impact on security and privacy. Did you know that U.S. companies supply eavesdropping gear to Central Asian autocrats or that Feds proposed the secret phone database used by local Virginia cops? If you follow the EFF’s news feed, then you saw these reports. As a news aggregation service, their reports are very timely, but also very biased. The EFF’s reporting is biased toward a desire for absolute privacy online, even though nobody’s anonymous online.

Technical Services
The EFF occasionally promotes or releases software designed to assist with online privacy. While these efforts have good intentions, they are typically poorly thought out and can lead to significant problems. For example:

  • HTTPS Everywhere. This browser extension forces your web browser to use HTTPS whenever possible. It has a long set of configuration files that specify which sites should use HTTPS. Earlier this year, I wrote about some of the problems created by this application in “EFF’ing Up”. Specifically: (1) some sites return different content if you use HTTPS instead of HTTP, (2) they do not appear to test their configuration files prior to releasing them, and (3) they do not fix bad configuration files.

  • TOR. The EFF is a strong supporter of the TOR Project, which consists of a network of servers that help anonymize network connections. The problem is that the EFF wants everyone to run a TOR relay. For a legal organization, the EFF seems to forget that many ISPs forbid end consumers from running public network services — running a TOR relay may violate your ISP’s terms of service. The TOR relay will also slow down your network connection as other people use your bandwidth. (Having other people use your bandwidth is why most consumer-level ISPs forbid users from hosting network services.) And if someone else uses your TOR relay to view child porn, then you are the person that the police will interrogate. In effect, the EFF tells people to run a network service without revealing any of the legal risks.

Free SSL

The EFF recently began promoting a new technical endeavor called Let’s Encrypt. This free CA server should help web sites move to HTTPS. News outlets like Boing Boing, The Register, and ExtremeTech all reported on this news announcement.

A Little Background

Let’s back up a moment… On the web, you connect to sites using either HTTP or HTTPS. The former (HTTP) is unencrypted: anyone watching the network traffic can see what you are doing. The latter (HTTPS) is HTTP over SSL/TLS, and SSL/TLS provides a framework for encrypting network traffic.

But notice how I say “framework”. SSL does not encrypt anything by itself. Instead, it provides a way for a client (like your web browser) and a server (like a web site) to negotiate how they want to transfer data: the handshake agrees on a protocol version and cipher suite and exchanges keys. Only if both sides agree on a cryptographic setting is the data that follows encrypted, and pushing that negotiation toward a weak setting is exactly what downgrade attacks on the handshake aim for.

HTTPS is not a perfect solution. In many cases it acts as a security placebo: a user sees that HTTPS is in use but may not be aware that they are still vulnerable. The connection can be intercepted by a man-in-the-middle, silently if the attacker holds a certificate the browser trusts (and fraudulent certificates have been issued to phishing servers), and otherwise with a warning that many users click through. Even when the network connection is encrypted, that does nothing to stop the web server from tracking users or serving malware, and nothing to stop vandals from attacking the web server itself. And all of this is before SSL/TLS flaws like Heartbleed (an OpenSSL implementation bug that leaks server memory) and POODLE (a weakness in SSL 3.0 that an attacker reaches by forcing a downgrade). In general, HTTPS should be considered a “better than nothing” solution, but it is far from perfect.

Entry Requirements

Even with all of the problems associated with SSL and HTTPS, for most uses it is still better than nothing. So why don’t more sites use HTTPS? There are really a few barriers to entry. The EFF’s “Let’s Encrypt” project is a great solution to one of these problems and a partial solution to another. However, it doesn’t address all of the issues, and it is likely to create some new problems that the EFF has not disclosed.

Problem #1: Pay to Play
When an HTTPS client connects to an HTTPS server, the server transmits its certificate (and usually the intermediate certificates that chain it to a root) as part of the handshake. The client does not contact the certificate authority (CA) to ask whether the certificate is legitimate; it checks the signature chain locally, verifying that each certificate was signed by the next one up, until it reaches a root certificate it already trusts. (Contacting the CA only happens for revocation checks, via CRLs or OCSP, and browsers often skip or soft-fail that step.) This chain check, together with a check that the name in the certificate matches the host, is what lets the client know that the server is actually the correct server.

The certificate names its issuer, but that alone proves nothing: anyone can set up a CA and issue a certificate for any name they like. (Yes, fake-bank.com can look like your bank, and its SSL certificate may be perfectly valid according to fake-ca.com.) For this reason, every web browser ships with a list of known-trusted root CAs. A certificate that does not chain to a root on that list is not trusted by default, whatever the certificate itself claims.

If there are any problems with the server’s certificate, then the web browser issues an alert to the user. The problems include outdated/expired certificates, a certificate issued for the wrong domain, and certificates from untrusted CAs.

And this is where the first barrier toward wide-spread use comes in… All of those known-trusted CA servers charge a fee. If you want your web server to run with an SSL certificate that won’t generate any user warnings, then you need to pay one of these known-trusted CA servers to issue an SSL certificate for your online service. And if you run multiple services, then you need to pay them multiple times.

The problems should be obvious. Some people don’t have money to pay for the trusted certificate, or they don’t want to spend the money. You can register a domain name for $10 a year, but the SSL certificate will likely run $150 or more. If your site doesn’t need SSL, then you’re not going to pay $150 to require it.

And then there are people like me, who cannot justify paying for a security solution (SSL) that isn’t secure. I cannot justify paying $150 or more, just so web browsers won’t see a certificate warning when they connect to my HTTPS services. (I use self-signed certificates. By themselves, they are untrusted and not secure, but I offer client-side certificates. Virtually no sites use client-side certificates. But client-side certs are what actually makes SSL secure.)

The EFF’s “Let’s Encrypt” project is a free SSL CA server. With this solution, cost is no longer an entry barrier. When their site goes live, I hope to use it for my SSL needs.

Of course, other CA services, like Entrust, Thawte, and GoDaddy, may lower their prices or offer similar free services. (You cannot data-mine users unless they use your service. Even with a “free” pricing model, these CA issuers can still make a hefty profit from collected user data.) As far as the EFF’s offerings go, this is a very disruptive technology for the SSL industry.

Problem #2: Server Installation
Let’s assume that you acquired an SSL certificate from a certificate authority (Thawte, GoDaddy, Let’s Encrypt, etc.). The next step is to install the certificate on your web server.

HTTPS has never been known for its simplicity. Installing the SSL server-side certificate is a nightmare of configuration files and application-specific complexity. Unless you are a hard-core system administrator, you probably cannot do it. Even GUI interfaces like cPanel have multiple complex steps that are not for non-techies. You, as a user with a web browser, have no idea how much aggravation the system administrator went through in order to provide you with HTTPS and that little lock icon on the address bar. If they are good, then they spent hours. If it was new to them, then it could have been days.

In effect, lots of sites do not run HTTPS because it is overly complicated to install and configure. (And let’s hope that you don’t have to change certificates anytime soon…) Also, HTTPS certificates include an expiration date. This means that there is an ongoing maintenance cost that includes time and effort.

The EFF’s “Let’s Encrypt” solution says that it will include automated management software to help mitigate the installation and maintenance effort. This will probably work if you run one of their supported platforms and have a simple configuration file. But if you’re running a complex system with multiple domains, custom configuration files, and strict maintenance/update procedures, then no script from the EFF will assist you.

Of course, all of this is speculation since the EFF has not announced the supported platforms yet… So far, they have only mentioned a python script for Apache servers. I assume that they mean “Apache2” and not “Apache”. And even then, the configuration at FotoForensics has been customized for my own needs, so I suspect that their solution won’t work out-of-the-box for my needs.

Problem #3: Client Installation
So… let’s assume that it is past Summer 2015, when Let’s Encrypt becomes available. Let’s also assume that you got the server-side certificate and their automated maintenance script running. You’ve got SSL on your server, HTTPS working, and you’re ready for users. Now everything is about to work without any problems, right? Actually, no.

As pointed out in problem #1, unknown CA servers are not in the user’s list of trusted CA servers. So every browser connecting to one of these web servers will see that ugly alert about an untrusted certificate.

Every user will need to add the new Let’s Encrypt CA servers to their trusted list. And every browser (and almost every version of every browser) does this differently. Making matters worse, lots of mobile devices do not have a way to add new CA servers. It will take years or even decades to fully resolve this problem.

Windows XP reached its “end of life” (again), yet nearly 30% of Windows computers still run XP. IPv6 has been around for nearly 20 years, yet deployment is still at less than 10% for most countries. Getting everyone in the world to update/upgrade is a massive task. It is easier to release a new system than it is to update a deployed product.

The EFF may dream of everyone updating their web browsers, but that’s not the reality. The reality is that users will be quickly trained to ignore any certificate alerts from the web browsers. This opens the door for even more phishing and malware sites. (If the EFF really wanted to solve this problem, then they would phase out the use of SSL and introduce something new.)

There is one other possibility… Along with the EFF, IdenTrust is sponsoring Let’s Encrypt. IdenTrust runs a trusted CA service that issues SSL certificates. (The cost varies from $40 per year for personal use to over $200 per year, depending on various options.) Let’s Encrypt could piggy-back off of IdenTrust. This would get past the “untrusted CA service” problem.

But if they did rely on the known-trusted IdenTrust that is already listed in every web browser… then why would anyone buy an SSL certificate from IdenTrust when they can get it for free via Let’s Encrypt? There has to be some catch here. Are they collecting user data? Every browser must verify every server, so whoever runs this free CA server knows when you connected to specific online services — that’s a lot of personal information. Or perhaps they hope to drive sales to their other products. Or maybe there will be a license agreement that prohibits the free service from commercial use. All of this would undermine the entire purpose of trying to protect users’ traffic.

Problem #4: Fake Domains
Phishing web sites, where bad guys impersonate your bank or other online service, have been using SSL certificates for years. They will register a domain like “bankofamerica.fjewahuif.com” and hope that users won’t notice the “fjewahuif” in the hostname. Then they register a real SSL certificate for their “fjewahuif.com” domain. At this point, victims see the “bankofamerica” text in the hostname and they see the valid HTTPS connection and they assume that this is legitimate.

The problem gets even more complicated when they use DNS hijacking. On rare occasions, bad guys have temporarily stolen domains and used them to capture customer information. For example, they could steal the “bankofamerica.com” domain and register a certificate for it at any of the dozens of legitimate CA servers. (If the real Bank of America uses VeriSign, then the fake Bank of America can use Thawte and nobody will notice.) With domain hijacking, it looks completely real but can actually be completely fake.
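Both impersonation patterns described in the two paragraphs above (a brand name buried in a subdomain of an unrelated registrable domain, and a genuine domain whose certificate suddenly comes from a CA the brand never used) can be caught by a small defender-side check, of the kind a proxy log review or browser extension would run. This is an added example, not code from the original post; the brand profile table and the short public-suffix list are constructed assumptions, and a real deployment would consult the public suffix list and the site's published CAA or pinning policy instead.

```python
"""Flag lookalike hostnames and unexpected certificate issuers.
Added example; BRAND_PROFILES and MULTI_LABEL_SUFFIXES are constructed."""

# Constructed: brand keyword -> the registrable domains it really owns and the
# CA organisation(s) it is known to use (the post's VeriSign example).
BRAND_PROFILES = {
    "bankofamerica": {"domains": {"bankofamerica.com"}, "issuers": {"VeriSign"}},
}

# Constructed stand-in for the public suffix list: suffixes that span two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname):
    """Return the part of the host a CA actually validates ownership of.

    'bankofamerica.fjewahuif.com' -> 'fjewahuif.com'
    'login.bank.co.uk'            -> 'bank.co.uk'
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brands(hostname, profiles):
    """Brands whose name appears in the host while the registrable domain is not theirs."""
    reg = registrable_domain(hostname)
    host = hostname.lower()
    return [brand for brand, p in profiles.items()
            if brand in host and reg not in p["domains"]]


def unexpected_issuer(hostname, issuer_org, profiles):
    """For a genuine brand domain, return the brand if the issuer is not one it uses.

    This is the hijacked-domain case: a valid certificate for the real domain,
    but from a CA the brand has never used.
    """
    reg = registrable_domain(hostname)
    for brand, p in profiles.items():
        if reg in p["domains"] and issuer_org not in p["issuers"]:
            return brand
    return None


def assess(hostname, issuer_org, profiles=BRAND_PROFILES):
    """Combine both checks into a list of findings; [] means nothing suspicious."""
    findings = ["lookalike:" + b for b in lookalike_brands(hostname, profiles)]
    brand = unexpected_issuer(hostname, issuer_org, profiles)
    if brand:
        findings.append("unexpected-issuer:" + brand)
    return findings


if __name__ == "__main__":
    # Constructed observations: (hostname, issuer organisation on the cert).
    for host, issuer in (("bankofamerica.fjewahuif.com", "Thawte"),
                         ("www.bankofamerica.com", "VeriSign"),
                         ("www.bankofamerica.com", "Thawte")):
        print(host, issuer, assess(host, issuer))
```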

The price for an SSL certificate used to be a little deterrent. (Most scammers don’t mind paying $10 for a domain and $150 for a legitimate certificate, when the first victim will bring in a few thousand dollars in stolen money.) But a free SSL CA server? Now there’s no reason not to run this scam. I honestly expect the volume of SSL certificate requests at the EFF’s Let’s Encrypt servers to quickly grow to 50%-80% scam requests. (A non-profit with a legal emphasis that helps scammers? As M. Night Shyamalan says in Robot Chicken: “What a twist!”)

“Free” as in “Still has a lot of work to do before it’s really ready”

The biggest concern that I have with this EFF announcement is that the technology does not exist yet. Their web site says “Arriving Summer 2015” — it’s nearly a year away. While they do have some test code available, their proposed standard is still a draft and they explicitly say to not run the code on any production systems. Until this solidifies into a public release, this is vaporware.

But I do expect this to eventually become a reality. The EFF is not doing this project alone. Let’s Encrypt is also sponsored by Mozilla, Akamai, Cisco, and IdenTrust. These are companies that know browsers, network traffic, and SSL. These are some of the biggest names and they are addressing one of the big problems on today’s Internet. I have no doubt that they are aware of these problems; I just dislike how they failed to disclose these issues when they had their Pollyannaish press release. Just because it is “free” doesn’t mean it won’t have costs for implementation, deployment, maintenance, and customer service. In the open source world, “free” does not mean “without cost”.

Overall, I do like the concept. Let’s Encrypt is intended to make it easier for web services to implement SSL. They will be removing the cost barrier and, in some cases, simplifying maintenance. However, they still face an uphill battle. Users may need to update their web browsers (or replace their old cellphones), steps need to be taken to mitigate scams, users must not be trained to habitually accept invalid certificates, and none of this helps the core issue that HTTPS is a security placebo and not a trustworthy solution. With all of these issues still needing to be addressed, I think that their service announcement a few days ago was a little premature.

Grigor Gatchev - A Weblog: Warranties

This post was syndicated from: Grigor Gatchev - A Weblog and was written by: Григор. Original post: at Grigor Gatchev - A Weblog

A few months ago I bought an ASUS Fonepad. Though unpretentious and cheap, the gadget turned out to be surprisingly versatile. Quite a few of its features are not perfect, but they are usually good enough, and useful. All in all, I turned out to be very pleased.

Until one day I found that its charger no longer charged it. It comes apart: a plug with a USB socket that the cable connects to, essentially a USB / microUSB adapter, so I tried just the cable. From my computer's USB ports it charged fine. Obviously the problem was in the plug. Under warranty? Great!

For almost a month I had no time. Finally, on Friday, I showed up at the service centre of Most Computers, where I had made the purchase. They greeted me with a smile. One of the sentences, however, startled me.

– You will have to leave the device too. It has to be tested.

– There is absolutely nothing wrong with it – with the cable from a computer, or with other chargers, it has charged fine for a month now.

– I'm sorry. If you don't leave it, I can't accept the order as a warranty repair.

Excuse me?

– But I use it as a phone, constantly. If I didn't need it, I wouldn't have bought it.

What kind of thoughtless requirement is that? Surely the girl had some error in her instructions.

– I'm sorry, sir. If you like, I can open an out-of-warranty repair order for you.

Obviously a conversation at this level was pointless. I went around the building and over to my dealer – a decent, serious guy, a pleasure to work with. He immediately phoned the service centre, talked for a bit and looked at me guiltily:

– I'm sorry. The requirement isn't ours, it's ASUS's. They want every phone handed in for warranty repair, even if it is only for a charger, to be connected to a computer with their program and registered on their site.

– Probably so that distributors don't over-bill them for warranty repairs. – What could Most have done to deserve such a requirement? I find it hard to believe that ASUS would impose it on any larger Western distributor. Customers would consider it unacceptable, and competition between manufacturers is fierce at the moment, so they would instantly be shown the door… – But I suppose quite a few such devices won't work when brought in for repair, so connecting them would be pointless. How do you handle that?

He blushed slightly.

– I don't know. It's simply a requirement for us. – He obviously understood very well how stupid it was, and didn't enjoy at all having to bear the shame in front of customers.

– Couldn't I hand it over now and wait for them to connect it, so I can take it back? It would hardly take more than ten minutes or so. After all, without a phone a person today is like without eyes; my business runs through it. Otherwise why would I buy it? I'd understand if it were broken, I'd have no choice… – And you wouldn't be able to connect it and report it either, I added to myself.

The young man negotiated with the service centre by phone again. Then he looked at me with slight embarrassment:

– If you bring it in now, they'll try to have it ready within a working day or two…

It was written clearly on his face that he understood very well what nonsense he was proposing, but that was simply all he could do. I thanked him from the heart for taking the trouble on my behalf – he earned it. The problem is with his company, not with him.

Such a charger costs a few leva, and I can easily do without it – wherever I look, I'll find a USB port to plug a cable into. But I was put off by the way Most operate. Formally they don't refuse to honour the warranty – they just set you an impossible condition…

That's why I want to warn anyone planning to buy something like this from them, or from anywhere else that uses them as a service centre: think it over once more. It may turn out that in case of a fault they will honour the warranty only if you don't actually need the gadget. And if that's the case, better not buy it. :-)

TorrentFreak: Luxury Watchmakers Target Pirate Smartwatch Faces

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While digital watches have been becoming more complex in recent years, the advent of a new generation of smartwatches is changing the market significantly. Manufacturers such as Samsung, Sony, Pebble, Motorola and LG all have an interest in the game, with Apple set to show its hand in the early part of 2015.

Currently Android Wear compatible devices such as Motorola’s Moto360 are proving popular, not least due to their ability to display custom watch faces. Fancy Tag Heuer’s latest offering on your wrist? No problem. Rolex? Omega? Cartier? Patek Philippe? All just a click or two away.

Of course, having a digital copy of a watch on one’s wrist is a much cheaper option than the real deal. See that Devon watch fourth from left in the image below? A real-world version will set you back a cool $17,500. The copy? Absolutely free.

[image: watches]

While it’s been fun and games for a while, makers of some of the world’s most expensive and well known watches are now targeting sites offering ‘pirate’ smartwatch faces in order to have digital likenesses of their products removed from the market.

TorrentFreak has learned that IWC, Panerai, Omega, Fossil, Armani, Michael Kors, Tissot, Certina, Swatch, Flik Flak and Mondaine are sending cease and desist notices to sites and individuals thought to be offering faces without permission.

Richemont, a company behind several big brands including Cartier, IWC and Panerai, appears to be one of the frontrunners. The company is no stranger to legal action and recently made the headlines after obtaining court orders to have domains selling counterfeit watches blocked at the ISP level in the UK.

Notices seen by TorrentFreak reveal that the company, which made 2.75 billion euros from its watch division during 2012/2013, is lodging notices against watch face sites citing breaches of its trademark rights. Owners are being given 24 hours to remove infringing content.

We discussed the issue with Richemont’s PR representatives but were informed that on this occasion the company could not be reached for comment.

Earlier this week a source informed TF that Swatch-owned Omega had also been busy, targeting a forum with demands that all Omega faces should be removed on “registered trademark, copyright and design rights” grounds. Although the forum would not talk on the record, its operator revealed that the content in question had been removed. Omega did not respond to our requests for comment.

While watchmakers are hardly a traditional foe for those offering digital content, history shows us that they are prepared to act aggressively in the right circumstances.

Mondaine, a Swiss-based company also involved in the latest takedowns, famously found itself in a huge spat with Apple after the company included one of its designs in iOS6. That ended up costing Apple a reported $21 million in licensing fees. The same design is readily available for the Moto360 on various watch face sites.

So how are sites handling the claims of the watchmakers? TorrentFreak spoke with Luke, the operator of leading user-uploaded watch face site FaceRepo. He told us that the site had indeed received takedown notices from brand owners but made it very clear that uploading infringing content is discouraged and steps are being taken to keep it off the site.

“Although some of the replica faces we’ve received take downs for are very cool looking and represent significant artistic talent on the part of the designer, we believe that owners of copyrights or trademarks have the right to defend their brand,” Luke explained.

“If a copyright or trademark owner contacts us, we will promptly remove infringing material. To date, all requests for removal of infringing material have been satisfied within a matter of hours.”

Learning very quickly from other user generated content sites, FaceRepo notifies its users that their content has been flagged as infringing and also deactivates accounts of repeat infringers. A keyword filter has also been introduced which targets well known brands.

“If these [brand names] are found in the face name, description or tags, this will cause the upload to be rejected with a message stating that sharing of copyrighted or trademarked material is prohibited,” FaceRepo’s owner notes.

The development of a new front in the war to keep copyrighted and trademarked content off the Internet is hardly a surprise, and considering their power it comes as no shock that the watchmakers have responded in the way they have. We may be some time from an actual lawsuit targeting digital reproductions of physical content, but as the wearables market develops, one cannot rule them out.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Чорба от греховете на dzver: Cine Grand @ Sofia Ring

This post was syndicated from: Чорба от греховете на dzver and was written by: dzver. Original post: at Чорба от греховете на dzver

I'm happy that there is finally competition for Arena and Cinema City. In the new mall they have "discovered" a cinema with a pleasant concept – halls with 50 armchairs each, at a decent distance from one another, which let you lie down and sleep during the more boring films.

Advantages:
– The ads before the film take 6 minutes instead of 25!
– Privacy. The risk that someone sits next to you and won't shut up is drastically smaller. The same goes for the foot of the armchair next to you, centimetres from your head.
– Comfort. You can control the armchair with buttons.

Disadvantages:
– The cinema is unfinished, as is the whole mall. Two halls are operating.
– The popcorn is at the far end, not at the entrance.
– Inexperienced staff. They showed us the wrong film.

There is no longer any logic in Arena charging 9/12/15; they are no longer the best cinema.

Sprites mods: Snake on a Keyboard

This post was syndicated from: Sprites mods and was written by: Sprites mods. Original post: at Sprites mods

So I got a nice mechanical keyboard with per-keycap backlights. I should be able to do something more than just type on it.

TorrentFreak: Fail: MPAA Makes Legal Content Unfindable In Google

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The entertainment industries have gone head to head with Google in recent months, demanding tougher anti-piracy measures from the search engine.

According to the MPAA and others, Google makes it too easy for its users to find pirated content. Instead, they would prefer Google to downrank sites such as The Pirate Bay from its search results or remove them entirely.

A few weeks ago Google took additional steps to decrease the visibility of pirated content, but the major movie studios haven’t been sitting still either.

Last week MPAA announced the launch of WhereToWatch.com, a website that lists where movies and TV-shows can be watched legally.

“WheretoWatch.com offers a simple, streamlined, comprehensive search of legitimate platforms – all in one place. It gives you the high-quality, easy viewing experience you deserve while supporting the hard work and creativity that go into making films and shows,” the MPAA’s Chris Dodd commented.

At first glance WhereToWatch offers a rather impressive database of entertainment content. It even features TorrentFreak TV, although this is listed as “not available” since the MPAA’s service doesn’t index The Pirate Bay.

Overall, however, it’s a decent service. WhereToWatch could also be an ideal platform to beat pirate sites in search results, something the MPAA desperately wants to achieve.

Sadly for the MPAA that is only a “could” since Google and other search engines currently have a hard time indexing the site. As it turns out, the MPAA’s legal platform isn’t designed with even the most basic SEO principles in mind.

For example, if Google visits the movie overview page all links to individual pages are hidden by Javascript, and the search engine only sees this. As a result, movie and TV-show pages in the MPAA’s legal platform are invisible to Google.

Google currently indexes only one movie page, which was most likely indexed through an external link. With Bing the problem is just as bad.

[image: wtw-google]

It’s worth noting that WhereToWatch doesn’t block search engines from spidering its content through the robots.txt file. It’s just the coding that makes it impossible for search engines to navigate and index the site.

This is a pretty big mistake, considering that the MPAA repeatedly hammered on Google to feature more legal content. With some proper search engine optimization (SEO) advice they can probably fix the problem in the near future.

Previously Google already offered SEO tips to copyright holders, but it’s obvious that the search engine wasn’t consulted in this project.

To help the MPAA on its way we asked isoHunt founder Gary Fung for some input. Last year Fung lost his case to the MPAA, forcing him to shut down the site, but he was glad to offer assistance nonetheless.

“I suggest MPAA optimize for search engine keywords such as ‘download ‘ and ‘torrent ‘. For some reason when people google for movies, that’s what they actually search for,” Fung tells us.

A pretty clever idea indeed, as the MPAA’s own research shows that pirate-related search terms are often used to “breed” new pirates.

Perhaps it’s an idea for the MPAA to hire Fung or other “industry” experts for some more advice. Or better still, just look at how the popular pirate sites have optimized their sites to do well in search engines, and steal their work.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Swedes Prepare Record File-Sharing Prosecution

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Following a lengthy investigation by anti-piracy group Antipiratbyrån, in 2010 police raided a “warez scene” topsite known as Devil. Dozens of servers were seized containing an estimated 250 terabytes of pirate content.

One man was arrested and earlier this year was eventually charged with unlawfully making content available “intentionally or by gross negligence.”

Police say that the man acted “in consultation or concert with other persons, supplied, installed, programmed, maintained, funded and otherwise administered and managed” the file-sharing network from where the infringements were carried out. It’s claimed that the Devil topsite had around 200 members.

All told the man is accused of illegally making available 2,250 mainly Hollywood movies, a record amount according to the prosecutor.

“We have not prosecuted for this many movies in the past. There are many movies and large data set,” says prosecutor Fredrik Ingblad. “It is also the largest analysis of computers ever made in an individual case.”

Few details have been made available on the case but it’s now been revealed that Antipiratbyrån managed to trace the main Devil server back to the data center of a Stockholm-based electronics company. The site’s alleged operator, a man from Väsbybo in his 50s and employee of the company, reportedly admitted being in control of the server.

While it would likely have been the intention of Devil’s operator for the content on the site to remain private, leaks inevitably occurred. Predictably some of that material ended up on public torrent sites, an aggravating factor according to Antipiratbyrån lawyer Henrik Pontén.

“This is a very big issue and it is this type of crime that is the basis for all illegal file sharing. The films available on Pirate Bay circulate from these smaller networks,” Pontén says.

The big question now concerns potential damages. Pontén says that the six main studios behind the case could demand between $673,400 and $2.69m per movie. Multiply that by 2,250 and that’s an astonishing amount, but the lawyer says that in order not to burden the justice system, a few titles could be selected.

Henrik Olsson Lilja, a lawyer representing the defendant, declined to comment in detail but criticized the potential for high damages.

“I want to wait for the trial, but there was no intent in the sense that the prosecutor is looking for,” Lilja told Mitte.se. “In practice, these are American-style punitive damages.”

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

трънки и блогинки: Conversations with deputy commanders of “Donbas”

This post was syndicated from: трънки и блогинки and was written by: Пейо. Original post: at трънки и блогинки

Besides the volunteers of “Golden Gate”, I also met two of the deputy commanders of the “Donbas” volunteer battalion: the deputies for “Logistics” and “Personnel” of commander Semyon Semenchenko, one of the most respected field commanders, and now also an elected deputy in the new parliament.

[image: Emblem of the Donbas Battalion]

The call sign of the deputy for “Logistics” is “Kapitan”. A lawyer by education, in civilian life he is a military prosecutor. My main interest in him was the formal, legal qualification of the situation. Unfortunately “Kapitan” did not wish to be recorded, and below I retell from notes and memory.

“Kapitan”, as a lawyer, defines what is happening in the Donetsk and Luhansk regions as “separatism”, which is a form of anti-state, terrorist activity. The army does not deal with terrorists, and for that reason the operations are called an Anti-Terrorist Operation (ATO). More importantly, this qualification determines the leading role of the Security Service of Ukraine (SBU), the equivalent of our DANS, which heads the ATO staff and also influences the actions of the Ukrainian army. (My note: police commanding soldiers; you can imagine part of the reasons for the messes.)

For the lawyers, the precise term that qualifies Russia for Ukraine is “unfriendly state” (недружественное государство). One of the reasons Ukraine does not want to call what is happening “war”, and Russia an “aggressor”, is the fear that this would remove the last formal obstacles to Russia opening a front along the entire length of the border. The leaders of the ATO consider that in the current state they can control the limited zone of the conflict.

“Kapitan” also gave the official position on the hierarchical place and purpose of the volunteer battalions. The actions of the volunteer battalions are directed by the ATO staff. Their tactical tasks are supposed to be connected with police functions for establishing civil authority in the territories where the Ukrainian militia has deserted or is unreliable. This type of task is also the reason the volunteers are not automatically provided with automatic and heavy weapons, which would be used on the front line of the fighting. (My note: he admits this is only so in theory. The actual participation of the volunteers differs significantly from this purpose. At the time, the current events around Ilovaisk were a vivid example.)

The story of the deputy commander for “Personnel”, call sign “Shturman”, is tied to Donetsk. He was born there and lived in Donetsk until the start of the conflict. His wife and brother were there too, while he was fighting against the separatists who controlled the city. For fear of being recognised and his relatives being targeted in revenge, he went about practically constantly in a mask. By the time of our conversation all of his relatives had left the area of military operations and he was not worried about talking, but when I asked him for a photo he gave me this one, taken at a checkpoint near Donetsk recaptured by the battalion:

[photo: Sturman]

“Shturman” agreed to my recording and publishing our conversation, which you can read below:

- What are your relations with Russia in the current situation?

I don't know whether I can answer that question correctly. So I'll tell you how I see things. My personal attitude towards Russia is complicated. I have a son who was born there. I have relatives and family who live there. I am closely tied to Russia and I don't blame the Russian people, because they have been deceived. As countries, Ukraine and Russia are in very difficult relations. For me personally Russia is an occupier of our country, but not the Russian people. That is exactly what I want to emphasise – the Russian people have been deceived.

- Who is your enemy? Putin?

Putin's regime. I have personally shaken hands with Vladimir Vladimirovich and for me he was an authority. I consider him a brilliant man. And he really was a brilliant man. After the collapse of the Soviet Union I lived in Russia for 12 years. When the Soviet Union collapsed, new states began to form, which were in a very bad state, just like Russia. It was in a terrible state in the 90s. And in 2004 this man came and everything started to develop very well. And now something has changed. I don't know what. It changed for the worse. And now Putin's regime… it is a lie.

- What are the right words for what is happening between you?

This is war. It is war, and I explained a moment ago why. Because… but how can one put it… facing us are Russian soldiers. When we take Russian soldiers prisoner, what is that? Simply, when they arrive on our, Ukrainian, territory, that is war.

- What do you call the people standing over there – terrorists, separatists, soldiers, militia, bandits?

I was born in Donetsk, I grew up there, and I think that many of the region's residents have been deceived – by propaganda, by pro-Russian sentiments. And indeed the Donetsk and Luhansk regions are linked by very close family and friendship ties, but these are deceived people. I would call them deceived people.

- What is the status of this territory?

As a resident of Donetsk I declare that no special status is needed for the Donetsk-Luhansk region. We are citizens of Ukraine. I was born in the Ukrainian Soviet Socialist Republic – that is the former Soviet Union. After its collapse Ukraine became Ukraine. That's it. There is nothing to divide. People need to be told how western Ukraine lives and how we live. We live very badly.

Regarding Crimea everything was very convenient. People claim that 60 years ago it was handed over to Ukraine. But why does nobody say that the Ukrainians gave the Russian Federation an equivalent territory – the Belgorod region. An exchange was made. It was an administrative decision and it was absolutely correct for that time. And now one fact is brought to light and another is kept quiet, including by the Ukrainian authorities. And people don't know about it. Ask them: “Do you know why Crimea was handed over?”

- You work in the “Personnel” department. Tell me your impressions: what kind of people sign up with you, what is their motivation?

I'll answer as a soldier who already has combat experience, not as a personnel officer. The motivation for everyone is the same: for Ukraine to be as it is. I'll give you an example. In a family, when husband and wife or father and son quarrel, they quarrel, but that doesn't make them enemies. And in Ukraine it's the same. There is a territorial conflict and an artificially imposed language conflict. But that doesn't make us enemies. We quarrelled, we separated, now we have to settle on some solution. The husband and wife in a family come up with some solution. And that's it. And we go on living. Now we have been divided very strongly. And then some neighbour came along and began setting conditions that made us fall out completely.

- What, in your view, is Putin's strategic goal? What do you think he wants to achieve?

Putin occupied Crimea. The Kaliningrad region is too little for him, and it is also a very problematic region. After it, the Crimean region appeared, which is also problematic. And he has made promises to the people in Crimea, and those promises have to be kept.

- Why do they have to be?

Well, because when you say something, you have to do it. You've given your word. That's how I live. That's my principle. Besides, how do the people in that region get everything – heat, food? From Ukraine. Ukraine considers that territory its own, but it is occupied. And with occupied territories you shouldn't have any great economic ties. If it is the Russian Federation, then Putin and the Russian government are obliged to take care of that. He seized the Luhansk-Donetsk region, then the Zaporizhzhia region, and then he will reach Crimea. Freely.

- Казахте, че за вас Путин е гениален?

Беше. Сега си мисля, че е полудял. Шизофрения. В миналото Путин имаше авторитет – и в страната си и извън нея. Как се постига този авторитет? Затова го уважавам. Но да се поставим на неговото място. Все едно сме в казино. Той залага – печели, залага – печели. Има непрекъснат успех. В подобна ситуация аз навярно ще се побъркам. И ето сега той има имперски планове. Един вид „Защо да не заложа всичко”, разбирате ли? Ние като нормални хора не можем да разберем това. Но хората, които играят на рулетка, ги наричат болни.

Ето преди години в Русия излезе програма за заздравяване на семейството. И Путин се разведе с жена си, т. е. той обявява някаква програма и прави точно обратното на нея. И сега казва, че не е изпращал войска в Крим, но там има войска. Само в Севастопол, но имаше.

- Какво ще се случи до изборите? Какво смятате, че ще се случи след 1 година? А след 5? Какви са перспективите? Реалистичен, оптимистичен, песимистичен сценарий.

Ще започна с песимистичния. Вече съм извел семейството си от Донецк. Жена ми беше там до последно, а аз воюювах. Децата ми не бяха там. И двамата са пълнолетни. Синът ми е в Молдова. С него е по-сложно, той е роден в Русия и е доста проруски настроен. Дъщеря ми е в Лвов и не иска да го напуска, защото вижда как могат хората да се държат един с друг. Аз не искам да налагам своята гледна точка на сина си, но искам да му покажа някои ценности. Ето, дъщеря ми разбра. А цял живот в Донецк е говорила на руски. Аз вече ще живея в Киев. Това е песимистичният сценарий. Защото искам да живея в този дом, в който съм се родил и да посещавам гробовете на родителите си, което сега не мога да направя.

Реалистичният сценарий: все пак се надявам, че на нашето правителство ще му стигне воля да приключи всичко това. Всичко това може да приключи.

- Как?

За съжаление само с военни действия.

- Юристите се опасяват, че ако правителството каже думата „война”…

Знаете ли, през 1939 година, Втората Световна война, Хитлер също не е произнесъл думата „война”. Той просто е нападнал без предупреждение. Сега се получи в общи линии същото. Ние проверяваме за руски войници, влезли на наша територия без разрешение и ги взимаме в плен с оръжие в ръка. На наша територия има артилерия. Това не е ли война? Война е. Така го виждам аз. Ние имаме ресурси. И най-главния ресурс – воюваме за себе си. Може да нямаме финанси, може да не живеем много добре, но ние не сме дошли да грабим от някого, а да воюваме за себе си. Затова и ще победим.

- Малко завиждам, докато ви слушам. Хората ви са горди, уверени в правотата си…

О, аз мисля, че и в Русия хората са уверени в правотата си. Ще ви дам пример. Мой чичо ми дойде на гости от Русия. Където и да отидехме навсякъде си говореше с хората на руски, навсякъде чуваше руска реч и се разбираше с всички. Една година по-късно той ми се обади, пита как съм и ми каза, че по телевизията съобщили, че всеки, който говори на руски в Донцек го застрелват. И аз го питам: „Ти нали видя със собствените си очи?” „Да – отговаря той – но по телевизията казаха…” „Защо вярваш на телевизията, а не на собствените си очи?” Ето, информационната война е такава… А това е моят роден чичо със здрав разум. Информационната пропаганда там е много силна.

- Какво искате да се случи с Украйна след 5 години?

Уверен съм в това, че украинците са най-миролюбивия народ в света. Затова и когато се разпадна Съветския съюз, ние се отказахме от ядреното си оръжие. Това ни успокои. Всичките ни съседи са добри. И в това беше златото на Украйна. Отказахме се от ядреното оръжие. А после се оказа, че не всичко е толкова добре. Всяка държава може да смаже всяка. Затова и НАТО се оказа не толкова лошо.

- Не толкова лошо или необходимо?

Сега е необходимо.

- Как можем да ви помогнем?

Голяма поддръжка ще бъде, ако България признае, че това е война.

- Но вие не искате да признаете, че това е война.

Да, но аз говоря от свое име. Друго, което е реална помощ, да се осигури медицинска помощ за нашите пострадали бойци. Да се ускорят някак процедурите или… Защото те нямат време да минат през всички юридически процедури, да си извадят виза и задграничен паспорт, за да получат медицинска помощ в чужбина.

- Има ли проблем с бежанците от Донбас? Къде живеят, кой ги храни?

Помагат доброволци. Разселват ги. Но това не е за дълго време, а не е ясно кога ще могат да се върнат по родните си места. И какво ще намерят там. Нужна е помощ от държавата.

Backblaze Blog | The Life of a Cloud Backup Company: Backblaze + Time Machine = ♥

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

“Why do I need online backup if I have Time Machine already?” We get that question a lot. Our answer: use both. Backblaze strongly believes in a 3-2-1 backup policy. What’s 3-2-1? Three copies of your data, on two different media, with one copy off-site. If you have that baseline, you’re in good shape. The on-site portions of your backup strategy are typically the original copy of the data and an external hard drive of some sort. Most of our Mac customers use Time Machine, so that’s the one we’ll focus on here.

Raising Awareness
Apple did a great job with Time Machine, and with building awareness of backups. When you plugged in your first external hard drive, your Mac would ask if you wanted to use that drive as a Time Machine backup drive, which was instrumental in teaching users about the importance and potential ease of backups. It also dramatically simplified data backup by making it automatic and continuous. Apple knew that having people manually drag and drop files into folders and drives to back them up was not a reliable backup strategy. Because it was automatic, many people used Time Machine for their local backup, but this still left a hole in their backup strategy: they had nothing off-site.

Why Bother
Having an off-site backup comes in handy when your computer and your local backup (Time Machine in this case) are both lost. That can happen because of fire, theft, flood, forgetfulness, or a wide variety of other unfortunate reasons. Stories of people neglecting to replace a failed Time Machine drive and then having their computer crash are well known. A current off-site backup, such as an automatic online backup, can also augment the local Time Machine backup, especially when traveling. For example, the hard drive in your laptop crashes while you’re on vacation. Time Machine can restore everything up to the point where you left for your trip, and your online backup can fill in the rest.

Some Limitations
One thing about Time Machine is that, being a single hard drive, it doesn’t scale with the amount of data you have. When you purchase a 500GB drive, that’s all the space you have for your backup. For example, if you have a Mac Pro or MacBook with a Time Machine drive connected to it, it will back up the data that’s on the computer. If you add another hard drive to the mix as a storage drive, the Time Machine drive may not be large enough to hold both data sets, the Mac’s and the additional storage drive’s. So the more data you accumulate, the larger the Time Machine drive you have to use.

Additionally, if you store data on your Time Machine drive itself, those files are not actually included in the Time Machine backup, so be wary! Apple and Backblaze strongly recommend using a separate, dedicated drive for your Time Machine backup and not keeping any original data on that drive. That way, if the drive fails, you lose only one copy instead of potentially losing both. Backblaze works along the same lines: because it is an off-site backup, it adds another layer of protection against data loss.
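The 3-2-1 rule above and the warning about keeping original files on the Time Machine drive can both be checked mechanically against an inventory of where your copies live. The script below is an added example, not Backblaze's or Apple's code; the sample inventories and the `Copy`/`evaluate_321` names are constructed for illustration.

```python
"""3-2-1 backup inventory check: three copies, two media, one off-site."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str      # label for the copy ("original", "time-machine", ...)
    device: str    # physical volume or service that holds the copy
    offsite: bool  # True if the copy is stored away from the machine


def evaluate_321(copies):
    """Return (compliant, findings) for an inventory of data copies.

    Copies on the same device share one failure domain (the post's warning
    about original files kept on the Time Machine drive), so they are
    reported and counted as a single medium.
    """
    findings = []
    by_device = defaultdict(list)
    for c in copies:
        by_device[c.device].append(c.name)
    for device, names in by_device.items():
        if len(names) > 1:
            findings.append(f"{' and '.join(names)} both live on {device}; "
                            "one drive failure loses both")
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len(by_device) < 2:
        findings.append("all copies on one medium, need 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    return (not findings, findings)


# Constructed sample inventories (not from the original post).
MAC_TM_CLOUD = [
    Copy("original", "macbook-ssd", False),
    Copy("time-machine", "external-hdd", False),
    Copy("online-backup", "cloud", True),
]
MAC_TM_ONLY = MAC_TM_CLOUD[:2]          # local backup, nothing off-site
DATA_ON_TM_DRIVE = [
    Copy("original", "external-hdd", False),  # files kept on the TM drive
    Copy("time-machine", "external-hdd", False),
    Copy("online-backup", "cloud", True),
]
```

Running `evaluate_321` on each inventory reports the first as compliant, the second as missing a third copy and an off-site copy, and the third as having its original and its Time Machine backup in one failure domain.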

Diversification
So use both! And if you’re on a PC, use an external hard drive as your second media type (most come with their own local-backup software). There’s no such thing as too many backups. Backing up is like a retirement or stock portfolio: the more diversification you have, the less vulnerability you have!

Author information

Yev

Social Marketing Manager at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.

The post Backblaze + Time Machine = ♥ appeared first on Backblaze Blog | The Life of a Cloud Backup Company.