AWS Official Blog: New – Access Resources in a VPC from Your Lambda Functions

This post was syndicated from: AWS Official Blog and was written by: Jeff Barr. Original post: at AWS Official Blog

A few months ago I announced that you would soon be able to access resources in a VPC from your AWS Lambda functions. I am happy to announce that this much-wanted feature is now available and that you can start using it today!

Your Lambda functions can now access Amazon Redshift data warehouses, Amazon ElastiCache clusters, Amazon Relational Database Service (RDS) instances, and service endpoints that are accessible only from within a particular VPC. In order to do this, you simply select one of your VPCs and identify the relevant subnets and security groups. Lambda uses this information to set up elastic network interfaces (ENIs) and private IP addresses (drawn from the subnet or subnets that you specified) so that your Lambda function has access to resources in the VPC.

Accessing Resources in a VPC
You can set this up when you create a new function. You can also update an existing function so that it has VPC access. You can configure this feature from the Lambda Console or from the CLI. Here’s how you set it up from the Console:

That’s all you need to do! Be sure to read Configuring a Lambda Function to Access Resources in an Amazon VPC in the Lambda documentation if you have any questions.

Things to Know
Here are a couple of things that you should know about this new feature:

ENI & IP Address Resources – Because Lambda automatically scales based on the number of events that it needs to process, your VPC must have an adequate supply of free IP addresses on the designated subnets.

Internet Access – As soon as you enable this functionality for a particular function, the function no longer has access to the Internet by default. If your function requires this type of access, you will need to set up a Managed NAT Gateway in your VPC (see New – Managed NAT (Network Address Translation) Gateway for AWS for more information) or run your own NAT (see NAT Instances).

Security Groups – The security groups that you choose for a function will control the function’s access to the resources in the subnets and on the Internet.

S3 Endpoints – You can also use this feature to access S3 endpoints within a VPC (consult New – VPC Endpoint for Amazon S3 to learn more).

Webinar – To learn more about this new feature, join our upcoming webinar, Essentials: Introducing AWS VPC Support for AWS Lambda.


AWS Official Blog: Amazon RDS Update – Share Encrypted Snapshots, Encrypt Existing Instances

This post was syndicated from: AWS Official Blog and was written by: Jeff Barr. Original post: at AWS Official Blog

We want to make it as easy as possible for you to secure your AWS environment. Some of our more recent announcements in this area include encrypted EBS boot volumes, encryption at rest for Amazon Aurora, and support for AWS Key Management Service (KMS) across several different services.

Today we are giving you some additional options for data stored in Amazon Relational Database Service (RDS). You can now share encrypted database snapshots with other AWS accounts. You can also add encryption to a previously unencrypted database instance.

Sharing Encrypted Snapshots
When you are using encryption at rest for a database instance, automatic and manual database snapshots of the instance are also encrypted. Up until now, encrypted snapshots were private to a single AWS account and could not be shared. Today we are giving you the ability to share encrypted snapshots with up to 20 other AWS accounts. You can do this from the AWS Management Console, AWS Command Line Interface (CLI), or via the RDS API. You can share encrypted snapshots within an AWS region, but you cannot share them publicly. As is the case with the existing sharing feature, today’s release applies to manual snapshots.

To share an encrypted snapshot, select it and click on Share Snapshot. This will open up the Manage Snapshot Permissions page. Enter one or more account IDs (click on Add after each one) and click on Save when you have entered them all:

The accounts could be owned by your organization (perhaps you have separate accounts for dev, test, staging, and production) or by your business partners. Backing up your mission-critical databases to a separate AWS account is a best practice, and one that you can implement using this new feature while also gaining the benefit of encryption at rest.

After you click on Save, the other accounts have access to the shared snapshots. The easiest way to locate them is to visit the RDS Console and filter the list using Shared with Me:

The snapshot can be used to create a new RDS database instance. To learn more, read about Sharing a Database Snapshot.

Adding Encryption to Existing Database Instances
You can now add encryption at rest using KMS keys to a previously unencrypted database instance. This is a simple, multi-step process:

  1. Create a snapshot of the unencrypted database instance.
  2. Copy the snapshot to a new, encrypted snapshot. Enable encryption and specify the desired KMS key as you do so:
  3. Restore the encrypted snapshot to a new database instance:
  4. Update your application to refer to the endpoint of the new database instance:

And that’s all you need to do! You can use a similar procedure to change encryption keys for existing database instances. To learn more, read about Copying a Database Snapshot.



Lauren Weinstein's Blog: Does Google Hate Old People?

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

No. Google doesn’t hate old people. I know Google well enough to be pretty damned sure about that. Is Google “indifferent” to old people? Does Google simply not appreciate, or somehow devalue, the needs of older users? Those are much tougher calls. I’ve written a lot in the past about accessibility and user interfaces. And today I’m feeling pretty frustrated…

AWS Compute Blog: Introducing custom authorizers in Amazon API Gateway

This post was syndicated from: AWS Compute Blog and was written by: Stefano Buliani. Original post: at AWS Compute Blog

Today Amazon API Gateway is launching custom request authorizers. With custom request authorizers, developers can authorize their APIs using bearer token authorization strategies, such as OAuth, using an AWS Lambda function. For each incoming request, API Gateway verifies whether a custom authorizer is configured, and if so, API Gateway calls the Lambda function with the authorization token. You can use Lambda to implement various authorization strategies (e.g., JWT verification, OAuth provider callout). Custom authorizers must return AWS Identity and Access Management (IAM) policies. These policies are used to authorize the request. If the policy returned by the authorizer is valid, API Gateway caches the returned policy associated with the incoming token for up to 1 hour so that your Lambda function doesn’t need to be invoked again.

Configuring custom authorizers

You can configure custom authorizers from the API Gateway console or using the APIs. In the console, we have added a new section called custom authorizers inside your API.

An API can have multiple custom authorizers and each method within your API can use a different authorizer. For example, the POST method for the /login resource can use a different authorizer than the GET method for the /pets resource.

To configure an authorizer you must specify a unique name and select a Lambda function to act as the authorizer. You also need to indicate which field of the incoming request contains your bearer token. API Gateway will pass the value of the field to your Lambda authorizer. For example, in most cases your bearer token will be in the Authorization header; you can select this field using the method.request.header.Authorization mapping expression. Optionally, you can specify a regular expression to validate the incoming token before your authorizer is triggered and you can also specify a TTL for the policy cache.

Once you have configured a custom authorizer, you can simply select it from the authorization dropdown in the method request page.

The authorizer function in AWS Lambda

API Gateway invokes the Lambda authorizer by passing in the Lambda event. The Lambda event includes the bearer token from the request and full ARN of the API method being invoked. The authorizer Lambda event looks like this:

    {
        "authorizationToken":"<Incoming bearer token>",
        "methodArn":"arn:aws:execute-api:<Region id>:<Account id>:<API id>/<Stage>/<Method>/<Resource path>"
    }

Your Lambda function must return a valid IAM policy. API Gateway uses this policy to make authorization decisions for the token. For example, if you use JWT tokens, you can use the Lambda function to open the token and then generate a policy based on the scopes included in the token. Later today we will publish authorizer Lambda blueprints for Node.js and Python that include a policy generator object. This sample function uses AWS Key Management Service (AWS KMS) to decrypt the signing key for the token, the nJwt library for Node.js to validate a token, and then the policy generator object included in the Lambda blueprint to generate and return a valid policy to Amazon API Gateway.

var nJwt = require('njwt');
var AWS = require('aws-sdk');
// KMS-encrypted signing key, stored base64 encoded; KMS decrypts it at run time
var signingKey = "CiCnRmG+t+ BASE 64 ENCODED ENCRYPTED SIGNING KEY Mk=";
// AuthPolicy is the policy generator object defined in the Lambda blueprint (not shown here)

exports.handler = function(event, context) {
  console.log('Client token: ' + event.authorizationToken);
  console.log('Method ARN: ' + event.methodArn);
  var kms = new AWS.KMS();

  var decryptionParams = {
    CiphertextBlob : new Buffer(signingKey, 'base64')
  };

  kms.decrypt(decryptionParams, function(err, data) {
    if (err) {
      console.log(err, err.stack);
      context.fail("Unable to load encryption key");
    } else {
      var key = data.Plaintext;

      try {
        // throws if the signature is invalid or the token has expired
        var verifiedJwt = nJwt.verify(event.authorizationToken, key);

        // parse the ARN from the incoming event
        var apiOptions = {};
        var tmp = event.methodArn.split(':');
        var apiGatewayArnTmp = tmp[5].split('/');
        var awsAccountId = tmp[4];
        apiOptions.region = tmp[3];
        apiOptions.restApiId = apiGatewayArnTmp[0];
        apiOptions.stage = apiGatewayArnTmp[1];
        var policy = new AuthPolicy(verifiedJwt.body.sub, awsAccountId, apiOptions);

        // grant access based on the scopes carried in the token
        if (verifiedJwt.body.scope.indexOf("admins") > -1) {
          policy.allowAllMethods();
        } else {
          policy.allowMethod(AuthPolicy.HttpVerb.GET, "*");
          policy.allowMethod(AuthPolicy.HttpVerb.POST, "/users/" + verifiedJwt.body.sub);
        }

        // return the generated IAM policy to API Gateway
        context.succeed(policy.build());
      } catch (ex) {
        console.log(ex, ex.stack);
        context.fail("Unauthorized");
      }
    }
  });
};

You can also generate a policy in your code instead of using the provided AuthPolicy object. Valid policies include the principal identifier associated with the token and a named IAM policy that can be cached and used to authorize future API calls with the same token. The principalId will be accessible in the mapping template.

{
  "principalId": "xxxxxxx", // the principal user identification associated with the token sent by the client
  "policyDocument": { // example policy shown below, but this value is any valid policy
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "execute-api:Invoke"
        ],
        "Resource": [
          "arn:aws:execute-api:<Region id>:<Account id>:<API id>/<Stage>/<Method>/<Resource path>"
        ]
      }
    ]
  }
}

To learn more about the possible options in a policy, see the public access permissions reference for API Gateway. All of the variables that are normally available in IAM policies are also available to custom authorizer policies. For example, you could restrict access using the ${aws:sourceIp} variable. To learn more, see the policy variables reference.

Because policies are cached for a configured TTL, API Gateway only invokes your Lambda function the first time it sees a token; all of the calls that follow during the TTL period are authorized by API Gateway using the cached policy.


You can use custom authorizers in API Gateway to support any bearer token. This allows you to authorize access to your APIs using tokens from an OAuth flow or SAML assertions. Further, you can leverage all of the variables available to IAM policies without setting up your API to use IAM authorization.

Custom authorizers are available in the API Gateway console and APIs now, and authorizer Lambda blueprints will follow later today. Get in touch through the API Gateway forum if you have questions or feedback about custom authorizers.

AWS Official Blog: Congratulations to the Winners of the Hackster AWS IoT Mega Contest

This post was syndicated from: AWS Official Blog and was written by: Jeff Barr. Original post: at AWS Official Blog

Earlier this year I told you about the AWS IoT Mega Contest. The contest closed at the end of January, the judges retired to our secret lair deep in the heart of Seattle, and we have chosen the winners. There were an impressive number of equally impressive projects and it was not easy to evaluate them against our criteria and to pick our favorites. After extended deliberation, we managed to choose ten projects. With no further fanfare, here we go!

First Prize
The following two entrants will receive the first prize, a Kindle Fire HD 10:

Second Prize
The following three entrants will receive the second prize, an Amazon Echo:

Third Prize
The following five entrants will receive the third prize, Amazon Fire TV Gaming Edition:

What I Learned
After spending time examining the entries in detail, I came away impressed by a couple of things. To wit:

  1. There are lots of creative people out there! The initial ideas and the resulting projects were literally all over the map.
  2. IoT is here now. People are building devices, sites, and applications that are sophisticated and useful.
  3. Connecting to and working within the real world is a lot harder than running within the clean, abstract confines of a virtual machine. A successful IoT application must be prepared to deal with erroneous or missing data, intermittent connections, and more.
  4. Building these applications requires and exercises a diverse set of skills. In addition to creativity, a successful IoT project can require theoretical & practical electronics skills (both analog and digital), 3D modeling & printing, along with the ability to write code that runs on small devices and in the cloud, generally using multiple languages, frameworks, and cloud services! If you currently have a subset of these skills, jumping in to IoT is a great way to put them to use.

Congratulations & Thanks
Congratulations to all of the winners, and thank you to everyone who entered! Also, a big thank-you to our device partners and to the team at Hackster.

Jeff;

Security advisories for Thursday

This post was syndicated from: and was written by: jake. Original post: at

Arch Linux has updated botan (three vulnerabilities).

Fedora has updated firebird (F23: denial of service), firefox (F23: denial of service), gsi-openssh (F23: privilege escalation), and php-PHPMailer (F23; F22: header injection).

openSUSE has updated flash-player (13.2; 13.1: multiple vulnerabilities), jasper (13.1: denial of service), and tiff (13.1: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities).

SUSE has updated java-1_6_0-ibm (SLE12; SLE11SP2: multiple vulnerabilities) and java-1_7_0-ibm (SLE11SP2: multiple vulnerabilities).

Schneier on Security: Worldwide Encryption Products Survey

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Today I released my worldwide survey of encryption products.

The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the U.S., calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access. It also showed that anyone who wants to avoid US surveillance has over 567 competing products to choose from. These foreign products offer a wide variety of secure applications — voice encryption, text message encryption, file encryption, network-traffic encryption, anonymous currency — providing the same levels of security as US products do today.


  • There are at least 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total.
  • The most common non-US country for encryption products is Germany, with 112 products. This is followed by the United Kingdom, Canada, France, and Sweden, in that order.
  • The five most common countries for encryption products — including the US — account for two-thirds of the total. But smaller countries like Algeria, Argentina, Belize, the British Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, St. Kitts and Nevis, Tanzania, and Thailand each produce at least one encryption product.
  • Of the 546 foreign encryption products we found, 56% are available for sale and 44% are free. 66% are proprietary, and 34% are open source. Some for-sale products also have a free version.
  • At least 587 entities — primarily companies — either sell or give away encryption products. Of those, 374, or about two-thirds, are outside the US.
  • Of the 546 foreign encryption products, 47 are file encryption products, 68 e-mail encryption products, 104 message encryption products, 35 voice encryption products, and 61 virtual private networking products.

The report is here, here, and here. The data, in Excel form, is here.

Press articles are starting to come in. (Here are the previous blog posts on the effort.)

I know the database is incomplete, and I know there are errors. I welcome both additions and corrections, and will be releasing a 1.1 version of this survey in a few weeks.

Krebs on Security: Fraudsters Tap Kohl’s Cash for Cold Cash

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Scam artists have been using hacked accounts from retailer Kohl’s to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards.

KrebsOnSecurity reader Suzanne Perry, a self-professed “shopaholic” from Gilbert, Penn., said she recently received an email from Kohl’s stating that the email address on her account had been changed. Recognizing this as a common indicator of a compromised account, Perry said she immediately went to the Kohl’s site — which confirmed her fears that her password had been changed.

On a whim, Perry said she attempted to log in with the “updated” email address (the one the thief used) along with her existing password. Happily, the thieves had been too lazy to change it.

“Once I was logged in, I checked my order history to determine if any fraudulent orders were placed in the 20 minutes since I received the notification,” she said. “I wasn’t that surprised to see two online orders, totaling almost $700 each, but I was very surprised to see they were being shipped to my house and not some address I never heard of.”

Perry said she then contacted Kohl’s and gave them the two order numbers and the fraudulent email address.

“I explained what happened, and they were very helpful in canceling the orders, updating my email address, and resetting my password,” she said. “I told them I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address. I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”

Turns out, the criminal wasn’t after the merchandise at all. Rather, the purpose of changing her email address was to drain the account’s stored Kohl’s cash, a form of rebate that Kohl’s offers customers — currently $10 for every $50 spent at the store. The two fraudulent orders yielded $220 in Kohl’s cash total, which is emailed once the order is confirmed (hence the need to change the victim’s email address).

“Since the orders were being shipped to me, even though they were above the threshold for what my typical online spending behavior is, no red flags were raised on their end,” Perry said.

More interestingly, virtually all of the merchandise the thieves ordered to build up the account’s Kohl’s cash balance were bulky items: Three baby cribs, a stroller system and car seat, and a baby bath tub, among other items. Perry said Kohl’s told her that the thieves do this because they know bulky items usually take longer to return, and since Kohl’s revokes Kohl’s cash credits earned on items that are later returned, the thieves can spend the stolen Kohl’s credits as long as the owner of the hijacked account doesn’t return the fraudulently ordered items.

“The representative told me when these types of fraudulent transactions occur, the victim usually is unaware of it until the items arrive at their house,” Perry said of her conversation with the Kohl’s representative. “Since the items ordered tend to be large, it generally takes longer for a customer to be able to bring them back for a refund. Had I not questioned the email address change, the items would have shipped to me and the $220 in Kohl’s cash would have been long spent by the criminal before I had the opportunity to take the items back and rectify the situation.”

Perry said she was shocked by the scam’s complexity and sheer gumption.

“The people behind this are clearly making every effort to not only defraud an account, but also to inconvenience the affected customer as much as possible,” she said. “I think Kohl’s handled the situation well over all; the email notification of an account change is more than I get from some other online shopping sites, and they were able to cancel the Kohl’s cash. Still, I’m a bit surprised they aren’t doing anything to promote awareness among their customer base.”

Reached for comment about the apparent fraud trend, Kohl’s spokesperson Jen Johnson said the company “is aware of a limited number of cases where fraudsters have obtained login information from outside sources to make purchases to earn Kohl’s Cash.”

“We are always working to protect our customer shopping experience and will continue to look at ways to make it more difficult for fraudsters in the future,” Johnson wrote in an emailed statement. “Customer service is a top priority for Kohl’s and, as always, we will work with any customer who has had a less than optimal experience. As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”

This type of fraud usually stems from customers picking weak passwords, or re-using the same password at multiple sites. However, Perry said she’s still mystified how the thieves were able to get hold of her password, which she said was an 11-character, three-word phrase that she didn’t use on any other site.

It’s unclear how much is lost annually to points and rewards fraud, but the industry is ripe for the picking: Loyalty program experts at estimated in 2011 that some 2.6 billion loyalty memberships generated $48 billion in rewarded points and miles.

Have you experienced similar fraud at merchants that offer rewards points or cash? Sound off in the comments below.

TorrentFreak: U.S. Copyright Law Forces Wikimedia to Remove “Public Domain” Anne Frank Diary

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Diary of Anne Frank is one of the best known literary works in history, written by a young Dutch girl hiding from the Nazis during World War II.

Anne Frank died in 1945 which means that the book was elevated into the public domain in the Netherlands on January 1, 2016, 70 years after her death.

Despite some dispute over its copyright status, several copies of the book have been published online. Also at Wikisource, a digital library of free texts maintained by the Wikimedia Foundation, which also operates Wikipedia.

However, since this week Anne Frank’s diary is no longer available, as U.S. copyright law dictates that works are protected for 95 years from date of publication.

Jacob Rogers, Legal Counsel for the Wikimedia Foundation, labels the removal as an overreach of U.S. copyright law but believes that they have no other option than to comply.

“Today, in an unfortunate example of the overreach of the United States’ current copyright law, the Wikimedia Foundation removed the Dutch-language text of The Diary of a Young Girl,” Rogers notes.

“We took this action to comply with the United States’ Digital Millennium Copyright Act (DMCA), as we believe the diary is still under US copyright protection under the law as it is currently written,” he adds.

The Wikimedia Foundation did not receive a takedown request for the book. Instead, it responded to email discussions that were sent to the organization. Based on these emails the foundation has either “actual” or “red flag” knowledge that the book was hosted on its servers.

Since the servers fall under the U.S. jurisdiction local copyright law applied, meaning that the book remains in copyright for 95 years after publication.

As a result Wikimedia is not allowed to host a copy of the book before 2042. While the organization has complied with U.S. law it’s not happy with the decision and calls for shorter copyright terms.

“Nevertheless, our removal serves as an excellent example of why the law should be changed to prevent repeated extensions of copyright terms, an issue that has plagued our communities for years,” Rogers writes.

Despite the voluntary removal by the Wikimedia Foundation, the Dutch version of Anne Frank’s diary remains widely available elsewhere. The Internet Archive still hosts a copy, as does pretty much every torrent site.


Beyond Bandwidth: Twenty Years of Progress: Reflecting on the Telecommunications Act of 1996

This post was syndicated from: Beyond Bandwidth and was written by: Nick Alexander. Original post: at Beyond Bandwidth

This week we’re marking the twentieth anniversary of the signing of the Telecommunications Act of 1996 into law. It’s a nice reminder that our elected officials can work together in a bipartisan fashion to pass legislation that genuinely advances the public interest. The ’96 Act, passed by an overwhelming vote in both the House and…


Linux How-Tos and Linux Tutorials: Linux Foundation Certified System Administrator: Jorge Tudela Gonzalez de Riancho

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

The Linux Foundation offers many resources for developers, users, and administrators of Linux systems, including its Linux Certification Program, which is designed to give you a way to differentiate yourself in a competitive job market.

To illustrate how well the certification prepares you for the real world, the Linux Foundation is featuring some of those who have recently passed the certification examinations. These testimonials should help you decide if either the Linux Foundation Certified System Administrator or the Linux Foundation Certified Engineer certification is right for you. In this installment, we talk with Jorge Tudela Gonzalez de Riancho.

How did you become interested in Linux and open source?

My first contact with Linux took place at the University, where we used it in some labs, but I didn’t become interested till my first job as a Unix/Linux system administrator.

Regarding Open Source: Along with my current job as a Cloud Solution Engineer, I have started to use many open source tools and technologies, and I have become a true Open source believer!

What Linux Foundation course did you achieve certification in? Why did you select that particular course?

I got the Linux Foundation Certified System Administrator (LFCS). I chose it because I was already familiar with all the domains and competencies of the exam; I just wanted to test my Linux knowledge.

What other hobbies or projects are you involved in? Do you participate in any open source projects at this time?

I don’t participate actively in any open source project at the moment, but that is one of my 2016 year resolutions! I’m a sports lover (especially triathlons)…it is not all about technology and work. But sometimes I spend time at home getting my hands dirty with my raspberry-pi :)

Do you plan to take future Linux Foundation courses? If so, which ones?

Yes, I would like to take the Linux Foundation Certified Engineer (LFCE) and also any other LF courses related to OpenStack or SDN/NFV.

In what ways do you think the certification will help you as a systems administrator in today’s market?

It’s important to prove your knowledge and skills, so I guess the certification makes the difference when it comes to finding a new job.

What Linux distribution do you prefer and why?

Although I have experience working with Debian & derivatives, I prefer RHEL & derivatives.

There’s not really a strong reason behind that, just that at my first job, all of our Linux boxes were RHEL :)

Are you currently working as a Linux systems administrator? If so, what role does Linux play?

I work with Linux every day, but not as a typical System Administrator. I’m a Cloud Solution Engineer, so I work with many different technologies like Docker and OpenStack. But Linux is key; it is the base where most of our software stack runs.

Where do you see the Linux job market growing the most in the coming years?

The future of Linux is exciting! I believe IoT platforms of any kind and Automotive Grade Linux industry will enjoy an exponential growth in the coming years.

What advice would you give those considering certification for their preparation?

For experienced professionals, I recommend that they prepare the environment for the exam and follow the instructions. It’s not a difficult exam if you work daily with Linux.

On the other hand, for newcomers, apart from having a look at open/free resources, I just encourage them to set up a Linux environment at home and get their hands dirty!!

Read more profiles:

Linux Foundation Certified Engineer: Francisco Tsao

Linux Foundation Certified System Administrator: Gabriel Canepa

Linux Foundation Certified Engineer: Michael Zamot

Linux Foundation Certified System Administrator: Ariel Jolo

Linux Foundation Certified System Administrator: Nam Pho

Linux Foundation Certified System Administrator: Steve Sharpe

Linux Foundation Certified Engineer: Diego Xirinachs

Schneier on Security: Make Privacy a 2016 Election Issue

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

EPIC has just launched “Data Protection 2016” to try to make privacy an issue in this year’s elections.

You can buy swag.

Raspberry Pi: Fran Scott’s explosions-based computing

This post was syndicated from: Raspberry Pi and was written by: Helen Lynn. Original post: at Raspberry Pi

We were wowed by this at Bett 2015, so we were delighted when we saw that Bett had published a video of it. Top science explainer Fran Scott uses Raspberry Pis with fruity inputs and explosive outputs to introduce key computer science concepts to kids, teens, and people who love pyrotechnics (which is all of us, and especially Clive). Her show is called #Error404: The Explosions-based Computing Show.

BETT Arena 2015: #Error404: Fran Scott

Error404: The Explosions-based Computing Show Fuelled by the recent change in the curriculum, Fran has turned her skills to producing a stage show all about Computer Science. “#Error 404” is a high-octane coding stage show ideal for KS2-3.

Fancy doing something similar yourself? Fran’s a trained pyrotechnician and a member of the Association of Stage Pyrotechnicians, and even Clive admits that we should leave the explosions to her, but you can safely use your Raspberry Pi to make a balloon go bang with our Balloon Pi-tay Popper resource.


Monty says: Foundation report for 2015

This post was syndicated from: Monty says and was written by: Michael "Monty" Widenius. Original post: at Monty says

This is a repost of Otto Kekäläinen’s blog of the MariaDB foundations work in 2015.

The website had over one million page views in 2015, a growth of about 9% since 2014. Good growth has been visible all over the MariaDB ecosystem and we can conclude that 2015 was a successful year for MariaDB.

Increased adoption

MariaDB was included for the first time in an official Debian release (version 8.0 “Jessie”) and there has been strong adoption of MariaDB 10.0 in Linux distributions that already shipped 5.5. MariaDB is now available from all major Linux distributions including SUSE, RedHat, Debian and Ubuntu. Adoption of MariaDB in other platforms also increased, and MariaDB is now available as a database option on, among others, Amazon RDS, 1&1, Azure and Juju Charm Store (Ubuntu).

Active maintenance and active development

In 2015 there were 6 releases of the 5.5 series, 8 releases of the 10.0 series and 8 releases of the 10.1 series. The 10.1 series was announced for general availability in October 2015 with the release of 10.1.8. In addition, there were also multiple releases of MariaDB Galera Cluster, and the C, Java and ODBC connectors as well as many other MariaDB tools. The announcements for each release can be read on the blog archives with further details in the Knowledge Base. Some of the notable new features in 10.1 include:

We are also proud that the release remains backwards compatible and it is easy to upgrade to 10.1 from any previous MariaDB or MySQL release. 10.1 was also a success in terms of collaboration and included major contributions from multiple companies and developers.

MariaDB events and talks

The main event organized by the MariaDB Foundation in the year was the MariaDB Developer Meetup in Amsterdam in October, at the offices. It was a success with over 60 attendees. In addition, there were about a dozen events in 2015 at which MariaDB Foundation staff spoke.

We are planning a new MariaDB developer event in early April 2016 in Berlin. We will make a proper announcement of this as soon as we have the date and place fixed.

Staff, board and members

In 2015 the staff included:

  • Otto Kekäläinen, CEO
  • Michael “Monty” Widenius, Founder and core developer
  • Andrea Spåre-Strachan, personal assistant to Mr Widenius
  • Sergey Vojtovich, core developer
  • Alexander Barkov, core developer
  • Vicențiu Ciorbaru, developer
  • Ian Gilfillan, documentation writer and webmaster

Our staffing will increase slightly as Vicențiu starts working full time for the Foundation in 2016. Our developers worked a lot on performance and scalability issues, ported the best features from new MySQL releases, improved MariaDB portability for platforms like ARM, AIX, IBM s390 and Power8, and fixed security issues and other bugs. A lot of time was also invested in cleaning up the code base, as the current 2.2 million lines of code include quite a lot of legacy code. Version control and issue tracker statistics show that the foundation staff made 528 commits, reported 373 bugs or issues and closed 424 bugs or other issues. In total there were 2400 commits made by 91 contributors in 2015.

The Board of Directors in 2015 consisted of:

  • Chairman Rasmus Johansson, VP Engineering at MariaDB Corporation
  • Michael “Monty” Widenius, Founder and CTO of MariaDB Corporation
  • Jeremy Zawodny, Software Engineer at Craigslist
  • Sergei Golubchik, Chief Architect at MariaDB Corporation
  • Espen Håkonsen, CIO of Visma and Managing Director of Visma IT & Communications
  • Eric Herman, Principal Developer at

MariaDB Foundation CEO Otto Kekäläinen served as the secretary of the board. In 2015 we welcomed new major sponsors, Visma among them, and Acronis has just joined as a member for 2016. Please check out the full list of supporters. If you want to help the MariaDB Foundation in its mission to guarantee continuity and open collaboration, please support us with an individual or corporate sponsorship.

What will 2016 bring?

We expect steady growth in the adoption of MariaDB in 2016. There are many migrations from legacy database solutions underway, and as the world becomes increasingly digital, there are a ton of new software projects starting that use MariaDB for their SQL and NoSQL data needs. In 2016 many will upgrade to 10.1 and the quickest ones will start using MariaDB 10.2, which is scheduled to be released some time during 2016. MariaDB also has a lot of plugins and storage engines that are getting more and more attention, and we expect more buzz around them when software developers figure out new ways to manage data in fast, secure and scalable ways.

TorrentFreak: Hang on…..3DM Now Suggest They’ve Cracked Denuvo

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Hundreds of thousands, perhaps millions of video games players around the world obtain their fix from pirate sources. It’s been that way for more than 30 years, only the numbers have grown over time.

However, in the ‘old days’ people could do most of their copying at home, with a couple of cassette decks or software to shift data between 5.25″ floppy disks. But times have changed and although piracy still exists, people now largely rely on a tiny number of so-called ‘cracking’ experts to break copy protection for them.

One of those groups is Chinese outfit 3DM who in recent years have delighted pirate gamers with free copies of some of the world’s greatest titles. Technology companies have always done their best to thwart groups like 3DM and earlier this year came the most promising news to date.

Out of the blue, 3DM announced that the latest iteration of the infamous Denuvo anti-tamper technology had proven so resistant that in a couple of years PC games piracy might become non-existent.

Then, just a couple of weeks later, 3DM put the icing on the cake when they announced that in order to let the official games market breathe, they would be taking a year off from cracking games.

With games producers everywhere super excited at the prospect of a market free from the nuisance of 3DM, optimism of a boosted-revenue future was high. However, while it seems 3DM can deliver surprise gifts with one hand, apparently they can just as easily take them away with the other.

According to a new announcement by the group’s almost rock-star-famous leader, 3DM have decided they are not quite done. Apparently, growing speculation that the group aren’t up to the job of cracking Denuvo has provided them with new inspiration to prove the masses wrong.

“3DM will soon announce that we have a solution to the latest Denuvo encryption used on games including ‘FIFA 16’, ‘Just Cause 3’, and ‘Tomb Raider: The Rise’,” 3DM leader Bird Sister just announced.

Bird Sister

“We [made this announcement] because a lot of players believe we have abandoned cracking due to technical problems, but we will prove it is not the case,” Bird Sister continues.

“We have not yet been stumped [by protection measures].”

Although this announcement flies in the face of some of 3DM’s earlier comments, the news will be received with disappointment by games developers and publishers, not to mention the team at Denuvo. 3DM had been leading the charge on Denuvo-protected titles so a break could’ve given valuable breathing space.

But that said, the proof of the pudding is in the eating and until pirates have tasted the joys of a fully cracked Just Cause 3, their appetites will remain in full force. In other words they’ll believe this game has been cracked when they actually play it at home – thus far there is no sign of a release.

Interestingly, should cracked copies eventually arrive at the hands of 3DM, the group won’t be taking the credit. A somewhat counter-productive comment by Bird Sister indicates that 3DM will not take the usual path on release since they don’t want to attract too much attention.

“Of course, this will not be a high-profile or official 3DM release,” she concludes.

[$] Weekly Edition for February 11, 2016

This post was syndicated from: and was written by: corbet. Original post: at

The Weekly Edition for February 11, 2016 is available.

Gravitational Waves

This post was syndicated from: and was written by: Original post: at

"That last LinkedIn request set a new record for the most energetic physical event ever observed. Maybe we should respond." "Nah."

Errata Security: Hackers aren’t smart — people are stupid

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The cliche is that hackers are geniuses. That’s not true, hackers are generally stupid.

The top three hacking problems for the last 10 years are “phishing”, “password reuse”, and “SQL injection”. These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept.


Phishing happens because the hacker forges email from someone you know and trust, such as your bank. It appears nearly indistinguishable from real email that your bank might send. To be fair, good phishing attacks can fool even the experts.

But when you read advice from “experts”, it’s often phrased as “Don’t open emails from people you don’t know”. No, no, no. The problem is that emails appear to come from people you do trust. This advice demonstrates a lack of understanding of the core concept.

What’s going on here is human instinct. We naturally distrust strangers, and we teach our children to distrust strangers. Therefore, this advice is wired into our brains. Whatever advice we hear from experts, we are likely to translate it into “don’t trust strangers” anyway.

We have a second instinct of giving advice. We want to tell people “just do this one thing”, wrapping up the problem in one nice package.

But these instincts war with the core concept, “phishing emails appear to come from those you trust”. Thus, average users continue to open emails with reckless abandon, because the core concept never gets through.

Password reuse

Similarly there is today’s gem from the Sydney Morning Herald:

When you create accounts on major websites, they frequently require you to “choose 8 letters with upper case, number, and symbol”. Therefore, you assume this is some sort of general security advice to protect your account. It’s not, not really. Instead, it’s a technical detail related to a second layer of defense. In the unlikely event that hackers break into the website, they’ll be able to get the hashed version of everyone’s password. They use password crackers to guess passwords at a rate of a billion per second. Easily guessed passwords will get cracked in a fraction of a second, but hard-to-guess passwords are essentially uncrackable. But it’s a detail that only matters once the website has already been hacked.

The real problem with passwords is password reuse. People use the same password for unimportant websites, like, as they use for important sites, like or their email. Simple hobbyist sites are easily hacked, allowing hackers to download all the email addresses and passwords. Hackers then run tools to automate trying out that combination on sites like Amazon, Gmail, and banks, hoping for a match.

Therefore, the correct advice is “don’t reuse passwords on important accounts”, such as your business accounts and email account (remember: your email account can reset any other password). In other words, the correct advice is the very opposite of what the Sydney Morning Herald suggested.

The problem here is human nature. We see this requirement (“upper-case and number/symbol”) a lot, so we gravitate toward that. It also appeals to our sense of justice, as if people deserve to get hacked for the moral weakness of choosing simple passwords. Thus, we gravitate toward this issue. At the same time, we ignore password reuse, because it’s more subtle.

Thus we get bad advice from “experts” like the Sydney Morning Herald, advising people to do the very opposite of what they should be doing. This article was passed around a lot today in the cybersec community. We all had a good laugh.

SQL injection

SQL injection is not an issue for users, but for programmers. However, it shares the same problem that it’s extremely simple, yet human nature prevents it from being solved.

Most websites are built the same way, with a web server front-end, and a database back-end. The web server takes user interactions with the site and converts them into a database query. What you do with a website is data, but the database query is code. Normally, data and code are unrelated and never get mixed up. However, since the website generates code based on data, it’s easy to confuse the two.

SQL injection is when the user (the hacker) sends data to a website front end that actually contains code, and that code causes the back end to do something. That something can be to dump all the credit card numbers, or to create an account that allows the hacker to break in.

In other words, SQL injection is when websites fail to understand the differences between these two sentences:

  • Susie said “you owe me $10”.
  • Susie said you owe me $10.

It’s best illustrated in the following comic:

The core concept is rather easy: don’t mix code with data, or as the comic phrases it, “sanitize your database inputs”. In practice the reliable fix is parameterized (prepared) queries, which keep the query text fixed and pass user input as separate arguments; trying to sanitize strings before splicing them into the query is fragile. Yet the problem persists because programmers fail to grasp the core concept.
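The code-versus-data confusion described above, as an added example that is not part of the original post. It uses an in-memory SQLite database with constructed, hypothetical users, and shows the same login and search queries written the vulnerable way (user data spliced into the SQL text) and the correct way (parameterized queries). The payloads `BYPASS_NAME` and `DUMP_FRAGMENT` are the “Susie said you owe me $10” trick: a quote character that closes the programmer’s string literal, followed by a `--` comment that discards the rest of the statement.

```python
import sqlite3


def make_db():
    """Constructed sample database (hypothetical users, not from the post).

    Passwords are stored in plaintext only to keep the demonstration short;
    a real site would store hashes, as the password section above explains.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            name     TEXT    NOT NULL,
            password TEXT    NOT NULL,
            is_admin INTEGER NOT NULL
        );
        INSERT INTO users (name, password, is_admin) VALUES
            ('susie', 'correct-horse', 0),
            ('admin', 'hunter2',       1);
    """)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by splicing user data into the SQL text.

    The engine receives one string and cannot tell which parts the programmer
    wrote and which parts the user typed: data has become code.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized query: the SQL text is fixed, the values travel separately.

    Whatever the user types is compared as a literal string; quotes and
    comment markers in it never change the shape of the statement.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, fragment):
    """Name search with the same mistake; a UNION payload turns it into a dump."""
    sql = "SELECT name FROM users WHERE name LIKE '%%%s%%'" % fragment
    return {r[0] for r in conn.execute(sql)}


def search_safe(conn, fragment):
    """Same search with the LIKE pattern passed as a parameter."""
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return {r[0] for r in conn.execute(sql, ("%" + fragment + "%",))}


# Attacker-supplied "data". The quote closes the programmer's string literal
# and "--" comments out the rest of the statement (e.g. the password check).
BYPASS_NAME = "admin' --"
DUMP_FRAGMENT = "' UNION SELECT password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_NAME, "wrong"))   # logs in as admin, no password
    print(login_safe(db, BYPASS_NAME, "wrong"))         # None: treated as a weird name
    print(search_vulnerable(db, DUMP_FRAGMENT))         # every name AND every password
    print(search_safe(db, DUMP_FRAGMENT))               # empty set
```

The vulnerable login returns `admin` for any password because the statement the database actually runs is `... WHERE name = 'admin' --' AND password = 'wrong'`, with the password check commented away; the parameterized version looks for a user literally named `admin' --` and finds nothing. Note that the safe version does no escaping or “sanitizing” at all: the separation is enforced by the driver passing the values out of band, which is why it does not break when a new quoting trick comes along.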

The reason is largely that professors fail to understand the core concept. SQL injection has been the most popular hacker attack for more than a decade, but most professors are even older than that. Thus, they continue to teach website design ignoring this problem. The textbooks they use don’t even mention it.


These are the three most common hacker exploits on the Internet. Teenagers interested in hacking learn how to exploit them within a few hours. Yet they continue to be unsolved because if you aren’t interested in the issues, you fail to grasp the core concept. The concept “phishing comes from people you know” becomes “don’t trust emails from strangers”. The core concept of hackers exploiting password reuse becomes “choose strong passwords”. The core concept of mixing code with data simply gets ignored by programmers.

And the problem here isn’t just the average person unwilling or unable to grasp the core concept. Instead, confusion is aided by people who are supposed to be trustworthy, like the Sydney Morning Herald, or your college professor.

I know it’s condescending and rude to point out that “hacking happens because people are stupid”, but that’s really the problem. I don’t know how to point this out in a less rude manner. That’s why most hacking persists.

Krebs on Security: Criticial Fixes Issued for Windows, Java, Flash

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.

One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws in Microsoft Edge, including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goetti at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).

Patch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

Finally, Oracle pushed out an emergency security update (Java SE 8, Update 73) this week for the Java JRE, the second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes and avoid having to rely on convincing users to double-click and execute the malicious file.

This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).

If you have a specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

Errata Security: Nothing says "establishment" as Vox’s attack on Trump

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

I keep seeing this Ezra Klein Vox article attacking Donald Trump. It’s wrong in every way something can be wrong. Trump is an easy target, but the Vox piece has almost no substance.

Yes, it’s true that Trump proposes several unreasonable policies, such as banning Muslims from coming into this country. I’ll be the first to chime in and call Trump a racist, Nazi bastard for these things.

But I’m not sure the other candidates are any better. Sure, they aren’t Nazis, but their politics are just as full of hate and impracticality. For example, Hillary wants to force Silicon Valley into censoring content, brushing aside complaints from those people overly concerned with “freedom of speech”. No candidate, not even Trump, is as radical as Bernie Sanders, who would dramatically reshape the economy. Trump hates Mexican workers inside our country; Bernie hates Mexican workers in their own countries, championing punishing trade restrictions.

Most of the substantive criticisms Vox makes of Trump also apply to Bernie. For example, Vox says:

His view of the economy is entirely zero-sum — for Americans to win, others must lose. … His message isn’t so much that he’ll help you as he’ll hurt them… 

That’s Bernie’s view of the economy as well. He imagines that economy is a zero-sum game, and that for the 1% rich to prosper, they must take from the 99% of everyone else. Bernie’s entire message rests on punishing the 1% for the sin of being rich.

It’s the basis of all demagoguery that you find some enemy to blame. Trump’s enemies are foreigners, whereas Bernie’s enemies are those of the wrong class. Trump is one step in the direction of the horrors of the Nazi Holocaust. Bernie is one step in the direction of the horrors of old-style Soviet and Red Chinese totalitarian states.

About Trump’s dishonesty, Vox says:

He lies so constantly and so fluently that it’s hard to know if he even realizes he’s lying.

Not true. Trump just lies badly. He’s not the standard slick politician, who lies so fluently that we don’t even realize they are lying. Whether we find a politician’s lying to be objectionable isn’t based on any principle except whether that politician is on our side.

I gave $10 to all 23 presidential candidates, and get a constant stream of emails from the candidates pumping for more money. They all sound the same, regardless of political party, as if they all read the same book “How To Run A Presidential Campaign”. For example, before New Years, they all sent essentially the same message “Help us meet this important deadline!”, as if the end of the year is some important fund-raising deadline that must be met. It isn’t, that’s a lie, but such a fluent one that you can’t precisely identify it as a lie. If I were to judge candidate honesty, based on donor e-mails, Bernie would be near the top on honesty, and Hillary would be near the bottom, with Trump unexceptionally in the middle.

Vox’s biggest problem is that their attack focuses on Trump’s style more than substance. It’s a well-known logical fallacy that serious people avoid. Style is irrelevant. Trump’s substance provides us enough fodder to attack him; we don’t need to stoop to this low level. The Vox piece is great creative fiction about how nasty Trump is, missing only the standard dig about his hair, but there are no details as to exactly why Trump’s policies are bad, such as the impractical cost of building a 2000 mile long wall between us and Mexico, or the necessity of suspending the Fifth Amendment right to “due process” when deporting 20 million immigrants.

Vox’s complaint about Trump’s style is mostly that he doesn’t obey the mainstream media. All politicians misspeak. There’s no way to spend that many hours a day talking to the public without making the most egregious of mistakes. The mainstream media has a way of dealing with this, forcing the politician to grovel. They resent how Trump just ignores the problem and barrels on to the next thing. That the press can’t make his mistakes stick makes them very upset.

Imagine a situation where more than half the country believes in an idea, but nobody stands up and publicly acknowledges this. That’s a symptom of repressed speech. You’d think that the only suppressor of speech is the government, but that’s not true. The mainstream media is part of the establishment, and they regularly suppress speech they don’t like.

I point this out because half the country, both Democrats and Republicans, support Trump’s idea of preventing Muslims from coming into our country. Sure, it’s both logically stupid and evilly racist, but that doesn’t matter, half the country supports it. Yet, nobody admits supporting the idea publicly, because as soon as they do, they’ll be punished by the mass media.

Thus, the idea continues to fester, because it can’t openly be debated. People continue to believe in this bad idea because they are unpersuaded by the ad hominem that “you are such a racist”. The bedrock principle of journalism is that there are two sides to every debate. When half the country believes in a wrong idea, we have to accept that they are all probably reasonable people, and that we can change their minds if we honestly engage them in debate.

This sounds like I’m repeating the “media bias” trope, which politicians like Trump use to deflect even fair media coverage they happen not to like. But it’s not left-wing bias that is the problem here.

Instead, it’s that the media has become part of the establishment, with their own seat of power. Ezra Klein’s biggest achievement before Vox was JournoList, designed to help the established press wield their power at the top of the media hierarchy. Ezra Klein is the quintessential press insider. His post attacking Trump is just a typical example of how insiders attack outsiders who don’t conform. Yes, Trump deserves criticism, but based upon substance — not because he challenges how the press establishment has defined how politics should work in America.

Lauren Weinstein's Blog: Call for Participation: Internet Political Trolls Collection Project 2016

This post was syndicated from: Lauren Weinstein&#039;s Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

It’s no secret that vile political trolls remain massively at large in the social media landscape during this USA 2016 presidential election season. But who are they? Who are their targets? Who do they support? What are the specific aspects of their attacks in social media comments and their other postings? I’ve begun a survey to collect some detailed data…

Schneier on Security: AT&T Does Not Care about Your Privacy

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

AT&T’s CEO believes that the company should not offer robust security to its customers:

But tech company leaders aren’t all joining the fight against the deliberate weakening of encryption. AT&T CEO Randall Stephenson said this week that AT&T, Apple, and other tech companies shouldn’t have any say in the debate.

“I don’t think it is Silicon Valley’s decision to make about whether encryption is the right thing to do,” Stephenson said in an interview with The Wall Street Journal. “I understand [Apple CEO] Tim Cook’s decision, but I don’t think it’s his decision to make.”

His position is extreme in its disregard for the privacy of his customers. If he doesn’t believe that companies should have any say in what levels of privacy they offer their customers, you can be sure that AT&T won’t offer any robust privacy or security to you.

Does he have any clue what an anti-market position this is? He says that it is not the business of Silicon Valley companies to offer product features that might annoy the government. The “debate” about what features commercial products should have should happen elsewhere — presumably within the government. I thought we all agreed that state-controlled economies just don’t work.

My guess is that he doesn’t realize what an extreme position he’s taking by saying that product design isn’t the decision of companies to make. My guess is that AT&T is so deep in bed with the NSA and FBI that he’s just saying things he believes justify his position.

Here’s the original, behind a paywall.

[$] A Linux-powered microwave oven

This post was syndicated from: and was written by: jake. Original post: at

Scratching an itch is a recurring theme in presentations at As the open-hardware movement gains strength, more and more of these itches relate to the physical world, not just the digital. David Tulloh used his presentation [WebM] on the “Linux Driven Microwave” to discuss how annoying microwave ovens can be and to describe his project to build something less irritating.

Click below (subscribers only) for the full report from Neil Brown.

TorrentFreak: Inside MPAA’s Piracy Deal With the Donuts Domain Registry

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Domain name registry Donuts describes itself as “the largest operator of new domain name extensions” and it certainly has some interesting ones under its belt.

In addition to future classics such as .EMAIL, .COMPANY and .GURU, Donuts also has more light-hearted options available including .FAIL and .WTF.

However, with a current registration volume that has just surpassed 900 domains, the gTLD of most interest to Hollywood (except .TAX, perhaps) is .MOVIE.

With this in mind it will come as no surprise that the MPAA has been building bridges with Donuts in order to keep .MOVIE clean while avoiding the nightmare scenario of ThePirateBay.MOVIE gaining traction with millions of Internet pirates.

Still available……at a price


To that end, the MPAA and Donuts have just announced a voluntary agreement to ensure that domains under the control of the registry aren’t engaged in Internet piracy.

Under the agreement the MPAA will be granted “Trusted Notifier” status, i.e. it will become the definitive authority on what is considered a large-scale piracy website. Sites that are subsequently found to be breaching Donuts’ terms and conditions will either have their domains suspended or put on hold.

“This is a groundbreaking partnership and one we’re proud to undertake,” says Donuts Co-Founder and Executive Vice President Jon Nevett.

“Donuts, as the operator of .MOVIE, .THEATER, .COMPANY and almost 200 other domain extensions, is committed to a healthy domain name environment and this is another step toward a safe and secure namespace.”

While praising Donuts for its cooperation, MPAA chief Chris Dodd took the opportunity to show that it’s indeed possible for Hollywood and technology companies to reach voluntary agreement on piracy-related matters, without intervention from the law.

“This agreement demonstrates that the tech community and content creators can work together on voluntary initiatives to help ensure vibrant, legal digital marketplaces that benefit all members of the online ecosystem,” Dodd said.

So how will the deal work in practice? TF obtained a copy of the plan which begins with the assumption that the MPAA will act with integrity.

The agreement

“Donuts will treat referrals from the MPAA expeditiously and with a presumption of credibility,” it begins.

From there the MPAA is required to fulfill several criteria, including that any complaint filed with Donuts is authorized by its members. The movie industry group is then expected to provide evidence of “clear and pervasive copyright infringement” on the domain in question while indicating which laws have been violated.

However, before contacting Donuts the MPAA will have to do additional preparatory work, including alerting both the site’s registrar and hosting provider to the alleged problems. While providing Donuts with the details of the discussions, the MPAA will be required to indicate why these failed to stop the alleged infringement.

Human-only complaints

Perhaps wary of the carpet-bombing approach employed by many DMCA complaint companies around the world today, Donuts is insisting that any reports of infringement filed by the MPAA are not based on machine-generated complaints.

“[The MPAA’s referral will contain] confirmation that the referral was subject to careful human review and not submitted solely based on automated Internet scanning or scraping services,” the plan reads.

It is extremely common for ‘pirate’ sites to operate with falsified WHOIS information – after all, who wants to guide a lawyer to their front door? To that end Donuts will accept complaints from the MPAA when the group feels a domain’s records contain “false or misleading information”.

In addition to dealing with the MPAA’s complaints “on an expedited basis” (while determining a course of action within 10 business days), Donuts says it will coordinate with applicable registrars and/or registrants and set deadlines for them to respond to the allegations.

However, if Donuts has any “concerns or questions” regarding the scope or nature of the alleged infringement (or has received alternative instructions from law enforcement), the registry will give the MPAA the opportunity to “supplement or amend” its referral.

Once Donuts is happy that the MPAA has a valid complaint, it will move onto the next and final stage.

“If Donuts is satisfied that the domain clearly is devoted to clear and pervasive copyright infringement, Donuts may, in its discretion and as permitted under its Acceptable Use and Anti-Abuse Policy, suspend, terminate, or place the domain on registry lock, hold, or similar status as it determines necessary to mitigate the infringement,” the company notes.

The future

In his statement, the MPAA’s Chris Dodd praised Donuts for “their leadership”, and his timing could hardly be better.

The Domain Name Association will hold its first Healthy Domains Initiative summit in Seattle today and the MPAA will be hoping that other registries will see the Donuts agreement as something to aspire to. It certainly ticks all the right boxes and could prove a potent weapon in the fight against piracy.

Source: TF.

Darknet – The Darkside: Darknet Moving Servers & Upgrades Etc

This post was syndicated from: Darknet – The Darkside and was written by: Darknet. Original post: at Darknet – The Darkside

So way back, this was the site 10 years ago when it launched in 2006 – not ALL that much different from today to be honest. The current theme you see here has been in use since April 2010, so almost 6 years as of February 2016 – and it’s come time to change. Which […]
