TorrentFreak: Minister: Sue Mums, Dads, Students To Send Anti-Piracy Message

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

When countries and major rightsholders have announced their new anti-piracy strategies in recent times, several approaches have become apparent.

Instead of pure head-on attacks against websites, their finances are being undermined through deals with advertisers and their sites blocked online. Rather than attempting to batter ISPs into submission through the courts, partnerships are sought instead. And when it comes to the end user, it’s largely education and more education.

In Australia the debate is familiar. On top of a legal framework to have websites blocked at network level, rightsholders are now seeking friendly cooperation from ISPs in order to deliver a message to subscribers that content should be purchased, not pirated.

The debate is well underway with the government seeking input from interested parties. Communications Minister Malcolm Turnbull has been putting pressure on rightsholders to ramp up their game in respect of pricing and availability too, which is definitely a step in the right direction.

But yesterday, during a televised interview with Rupert Murdoch’s Sky News, Turnbull made comments that transport the debate back many years, raising the specter of tough punitive action to send an anti-piracy message.

At first things started as expected, with the Minister telling Sky that people need to be educated. He raised the usual shoplifting and stealing analogies, noting that taking content from supermarkets is no different from downloading content online.

Then, after outlining New Zealand’s “three strikes” system, he noted that if content owners are suffering losses, then it should be them who foot the bill for any introduced anti-piracy measures. Content owners aside, few would disagree there.

Turnbull also noted that disconnections for persistently pirating Internet users would be met with a lot of resistance so were probably off the table, but then the bombshell.

“Rightsholders are not keen on taking people to court, because it doesn’t look good, because it’s bad publicity. What happens if the person you sue is a single mother, what happens if it’s a teenager, what happens if it’s a retiree on a low income?” Turnbull said.

“The bottom line is though, rightsholders are going to have to be tactical about who they take to court, who they want to sue.”

Education, it seems, only goes so far in Turnbull’s eyes. In addition there will need to be punishments for those who don’t get the message and that in turn will help to solve the problem.

“What you do is that when you raise awareness of this, and as people recognize that there is a risk that they will be sued, and have to pay for what they have stolen, then the level of infringement and theft will decline,” the Minister said.

So who should the rightsholders “strategically” target?

“It is absolutely critical that rightsholders…are prepared to actually roll their sleeves up and take on individuals. They have got to be prepared to sue people. Sue moms and dads and students who are stealing their content. They can’t expect everybody else to do that for them,” Turnbull said.

This kind of aggression from a key Minister in this debate is bound to raise alarm bells. As rightholders head down the cooperation and education route, here is a clear sign that the government thinks that yet more legal action against the public will solve the problem.

It won’t, and ISPs such as iiNet almost certainly won’t like the sound of this either. Whether this will hurt cooperation moving forward remains to be seen, but it’s likely to paint a picture of a government and an industry holding up new carrots, but keeping the same old tired stick in reserve, just in case.

The whole interview can be seen here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Microsoft’s Enhanced Mitigation Experience Toolkit 5.0 is out: http://www.microsoft.com/en-us/download/details.aspx?id=43714, (Fri, Aug 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Chris Mohan — Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Hacker Factor Blog: Training Day

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I rarely write about my upcoming appearances. But this time, I’m just too excited.

Typically I try to make Blackhat and Defcon. However, this year I’ll have to forgo the Vegas trip and return to Dallas; I’ve been invited back to CACC: the Crimes Against Children Conference. (This is my second year presenting at CACC.) Unlike Blackhat and Defcon, CACC is a closed conference and even the talks are invite-only. Attendees are restricted to law enforcement and people involved in processing crimes against children (public defenders, child advocates, investigators, and the like). Honestly, it’s a horrible topic, but these people are extremely professional, very passionate about their work, and the presentations are fascinating. I feel that anything I can offer them is not enough.

Last year at CACC, I gave a presentation that included Filename Ballistics. This year, I’ve been asked to give a training session on digital photo analysis. (Actually, I’m giving four training sessions!)

Screening Pictures

I typically stress for months over the presentation material. However, this year the hardest issue to resolve was a technical problem. A few years ago I changed my laptop to a tiny netbook. This is a great travel computer, but the screen is too small for giving presentations. The biggest issue is the screen resolution: the projection display is usually much larger than my little screen. This really gives me only a few presentation options:

  1. Mirror laptop. Force both screens (my display and the projector) to show the exact same small content that I see on my display. This is great for me, but not very nice for the audience.

  2. Mirror projector. Force both screens to show the same resolution as the projector. This gives a great, large image for the audience, but forces me to scroll my little display.

  3. PowerPoint. PowerPoint (and OpenOffice’s Impress) includes a mode where it will scale the content to fit on each display. The problem here is that the speaker’s slide always shows those dreaded speaker notes, timer, and other content. This may be nice on a big monitor, but it’s a lot of visual real estate on a netbook. I end up barely able to see my own slides. What’s worse is that I cannot use PowerPoint/Impress for this presentation since I’m actually training people on software that uses a web browser.

There is another option, but it’s not standard and only available under Linux. (Fortunately for me, my netbook uses Linux.) I wrote a script that will auto-detect the two monitor sizes (local display and projector) and then scales the big display so it fits on the small display without scrolling. As long as the big projector resolution is less than 150% larger than my tiny netbook display (and text is large enough to be visible on the projector), I will still be able to see and read all of the text. (In other words, a projector that shows 1280×960 will display well when scaled to fit on my 1024×600 netbook.)

Sadly for most techies, I wrote the script in PHP. (Why PHP? Why not!)

If you run this script with two monitors, it will set the smaller monitor to display everything on the bigger monitor, but scaled down to fit on the smaller screen. Running it with only one monitor will unset the scaling.
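The post describes the script but does not include it. The following is an added example, not the author's PHP script: it parses the connected outputs from `xrandr --query` text, computes the per-axis scale factor that makes the larger display's framebuffer fit on the smaller panel, and builds the command to apply it (or to reset the scale when only one monitor is present). It assumes the scaling is done with xrandr's `--scale` option under X11; the sample xrandr output and the output names LVDS1 and VGA1 are constructed for the example.

```python
"""Plan xrandr scaling so a large projector image fits a small laptop panel.

Added example (not the author's PHP script, which the post does not show).
It assumes the scaling is done with xrandr's --scale option under X11; the
xrandr output below is constructed for the example, and output names such
as LVDS1 / VGA1 are assumptions.
"""
import re

# Constructed sample of `xrandr --query` output: a 1024x600 netbook panel
# plus a 1280x960 projector, the case described in the post.
SAMPLE_XRANDR = """\
Screen 0: minimum 8 x 8, current 1024 x 600, maximum 32767 x 32767
LVDS1 connected primary 1024x600+0+0 (normal left inverted right x axis y axis) 220mm x 129mm
   1024x600      60.00*+
VGA1 connected 1280x960+0+0 (normal left inverted right x axis y axis) 400mm x 300mm
   1280x960      60.00*
   1024x768      60.00
HDMI1 disconnected (normal left inverted right x axis y axis)
"""

# Matches "<name> connected [primary] <W>x<H>+<X>+<Y>" lines only.
_OUTPUT_RE = re.compile(r"^(\S+) connected(?: primary)? (\d+)x(\d+)\+\d+\+\d+")


def connected_outputs(xrandr_text):
    """Return [(name, width, height)] for every connected output with an active mode."""
    found = []
    for line in xrandr_text.splitlines():
        m = _OUTPUT_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def plan_scaling(outputs):
    """Build the xrandr command for the current monitor set.

    Two outputs: scale the smaller panel so it shows the larger display's
    whole framebuffer, and clone the larger output onto it.
    One output: reset the scale to 1x1 (what the post calls unsetting it).
    Returns (scale_x, scale_y, command).
    """
    if len(outputs) == 1:
        name = outputs[0][0]
        return 1.0, 1.0, f"xrandr --output {name} --scale 1x1"
    if len(outputs) != 2:
        raise ValueError("this example handles one or two connected outputs")
    # Smallest pixel area is the local panel, the other is the projector.
    small, big = sorted(outputs, key=lambda o: o[1] * o[2])
    sx = big[1] / small[1]
    sy = big[2] / small[2]
    cmd = (f"xrandr --fb {big[1]}x{big[2]} "
           f"--output {small[0]} --scale {sx:.4f}x{sy:.4f} "
           f"--output {big[0]} --mode {big[1]}x{big[2]} --same-as {small[0]}")
    return sx, sy, cmd


if __name__ == "__main__":
    # Live use would read the real output, e.g.
    # subprocess.run(["xrandr", "--query"], capture_output=True, text=True).stdout
    print(plan_scaling(connected_outputs(SAMPLE_XRANDR))[2])
```

For the 1280×960 projector and 1024×600 panel from the post, the computed factors are 1.25 horizontally and 1.6 vertically; text on the scaled panel is correspondingly smaller, which is why the author notes the projector resolution must stay close to the netbook's for the result to remain readable.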

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Friday, August 1st 2014 http://isc.sans.edu/podcastdetail.html?id=4087, (Fri, Aug 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green


SANS Internet Storm Center, InfoCON: green: WireShark 1.10.9 and 1.12.0 has been released, (Fri, Aug 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Chris Mohan — Internet Storm Center Handler on Duty


LWN.net: Stable kernel updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Stable kernels 3.15.8, 3.14.15, 3.10.51, and 3.4.101 have been released. All contain important fixes.

Errata Security: No, the CIA didn’t spy on other computers

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The computers the CIA spied on were owned and operated by the CIA.

I thought I’d mention this detail that is usually missing from today’s news about the CIA spying on Senate staffers. The Senate staffers were investigating the CIA’s torture program, reviewing classified documents. The CIA didn’t trust the staffers, so they set up a special computer network just for the staffers to use — a network secured and run by the CIA itself.

The CIA, though, spied on what the staffers did on the system. This allowed the CIA to manipulate the investigation. When the staffers found some particularly juicy bit of information, the CIA was able to yank it from the system and re-classify it so that the staffers couldn’t use it. Before the final report was ready, the CIA was already able to set the political machine in motion to defend itself from the report.

Thus, what the CIA did was clearly corrupt and wrong. It’s just that it isn’t what most people understand when they read today’s headlines. It wasn’t a case of the CIA hacking into other people’s computers.

Many stories quote CIA director Brennan who said earlier this year:

I think a lot of people who are claiming that there has been this tremendous sort of spying and monitoring and hacking will be proved wrong

Many stories (like this one) claim that it’s Brennan who was proven wrong, but instead, he was proven right. The investigation showed that at no time did the CIA hack anybody else’s computer.

In pointing out the truth many people assume that I’m defending the CIA. I’m not. The torture program was morally wrong and beneath us as a country. Surreptitiously spying on the investigators into the program is clearly corrupt, and all involved need to be fired — even if it turns out no law was broken (since it was the CIA’s own computers).

I’m outraged, but believe we should be outraged by the right things, not the distorted story in the news. Seriously, I can’t be more outraged at how the CIA revoked the declassification of things the staffers found useful to their investigation. It’s not the spying (of their own computer) that angers me so much as their corrupt actions the spying enabled.


Update: @grayrisk points to this Lawfare blogpost with specifics: http://www.lawfareblog.com/2014/03/ssci-v-cia-three-key-questions/ As you can see, CIA sysadmins had access to the system to administer it, but otherwise the system was supposed to be segregated from the rest of the CIA.

TorrentFreak: Punish Music Pirates With Finger Amputations, Artist Says

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

If there was a guaranteed and cost-effective way for the creative industries to clamp down on piracy, rest assured they would take it. Unfortunately, there is no silver bullet in today’s arsenal.

Ordering ISPs to block ‘pirate’ sites is one approach, but at least in the first instance the process is both expensive and drawn out, often taking a number of years to come to fruition.

Another method is to hit Internet users who dare to download and share copyrighted material. Some frameworks, such as those in the United States and United Kingdom, envision a situation where people can be persuaded to do the right thing after receiving warning letters. More aggressive schemes, such as those in South Korea and New Zealand, foresee potential disconnections for persistent pirates.

But one musician in Nigeria believes she has a quick and easy solution to stop people illegally pirating her work. Her version of the so-called “graduated response” is controversial, but might just work.

“Cutting their fingers off will stop them, by the time you cut off two people’s fingers others will stop,” popular singer Stella Monye told the News Agency of Nigeria.

Amputations, the singer says, are doubly effective. Not only do they act as a deterrent, but already-punished pirates will not be able to re-offend either.

“If their fingers are cut, they won’t [be able to use the hands] in pirating the works,” Monye said. “They will learn and it will be faster in stopping them; without a drastic measure they won’t stop.”

Web blockades have been previously described as a potential abuse of human rights, but Monye’s anti-piracy solution pushes new boundaries.


Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: The Fundamental Insecurity of USB

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is pretty impressive:

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.

These are exactly the sorts of attacks the NSA favors.

LWN.net: This thumbdrive hacks computers. (Ars Technica)

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Ars Technica takes a look at an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms. “Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week’s Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.”

Krebs on Security: Sandwich Chain Jimmy John’s Investigating Breach Claims

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.

Multiple financial institutions tell KrebsOnSecurity that they are seeing fraud on cards that have all recently been used at Jimmy John’s locations.

Champaign, Ill.-based Jimmy John’s initially did not return calls seeking comment for two days. Today, however, a spokesperson for the company said in a short emailed statement that “Jimmy John’s is currently working with the proper authorities and investigating the situation. We will provide an update as soon as we have additional information.”

The unauthorized card activity witnessed by various financial institutions contacted by this author is tied to so-called “card-present” fraud, where the fraudsters are able to create counterfeit copies of stolen credit cards.

Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software. This was the case with mass compromises at previous nationwide retailers including Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and Goodwill Industries (all breaches first reported on this blog).

According to the company’s Wikipedia page, there are more than 1,900 Jimmy John’s stores in at least 43 states. Nearly all Jimmy John’s locations (~98 percent) are franchisee-owned, meaning they are independently operated and may not depend on common information technology infrastructure.

However, multiple stores contacted by this author said they ran point-of-sale systems made by Signature Systems Inc. The company’s PDQ QSR point-of-sale product is apparently recommended as the standard payment solution for new Jimmy John’s franchise owners nationwide. Signature Systems did not immediately return calls for comment.

Reports of a possible card compromise at Jimmy John’s come amid news that the Delaware Restaurant Association is warning its members about a new remote-access breach that appears to have been the result of compromised point-of-sale software.

Update: An earlier version of this story incorrectly stated that Jimmy John’s was based in Charleston, Ill.; rather, it was founded there. The copy above has been corrected.

Backblaze Blog: Lisa Forgets Her ID, Backblaze to the Rescue!

This post was syndicated from: Backblaze Blog and was written by: Yev. Original post: at Backblaze Blog

In May, our intern Lisa joined me (her brother) at Backblaze for a month-long internship. Lisa goes to school at McGill University in Montreal, so we don’t get to see each other very often, and what better way to do some sibling bonding than to order her around the office. One of the brother-sister activities […]

LWN.net: Thursday’s security updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated nss (multiple vulnerabilities) and tor (traffic confirmation attack).

Fedora has updated cups (F20: privilege escalation).

Mandriva has updated dbus (BS1.0: two denial of service flaws), file (BS1.0: denial of service), live (BS1.0: code execution), php-ZendFramework (BS1.0: SQL injection), and sendmail (BS1.0: denial of service).

openSUSE has updated apache2-mod_wsgi (13.1: off-by-one error), firefox (13.1, 12.3: multiple vulnerabilities), gpg2 (11.4: denial of service), memcached (11.4: multiple vulnerabilities), Mozilla (11.4: multiple vulnerabilities), ntp (13.1, 12.3: denial of service), php5 (13.1, 12.3: multiple vulnerabilities), ppc64-diag (13.1; 12.3: two vulnerabilities), pulseaudio (13.1, 12.3: denial of service), samba (11.4: two vulnerabilities), php5 (11.4: code execution), and xalan-j2 (11.4: information disclosure/code execution).

Red Hat has updated openstack-keystone (RHELOS3&4: privilege escalation).

Ubuntu has updated kde4libs (14.04 LTS, 12.04 LTS: ), tomcat6, tomcat7 (14.04 LTS, 12.04 LTS, 10.04 LTS: multiple vulnerabilities), and unity (14.04 LTS: command execution).

Beyond Bandwidth: In Today’s Internet Marketplace, Good Content is not Enough

This post was syndicated from: Beyond Bandwidth and was written by: Alejandro Girardotti. Original post: at Beyond Bandwidth

For quite some time we have considered it normal to use the Internet as a channel to download content, though in recent years, the Internet has become a channel through which to watch content live. In this increasingly interactive and collaborative environment, in which a matter of seconds may make the difference for consumers in…

The post In Today’s Internet Marketplace, Good Content is not Enough appeared first on Beyond Bandwidth.

SANS Internet Storm Center, InfoCON: green: A Honeypot for home: Raspberry Pi, (Thu, Jul 31st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In numerous previous Diaries, my fellow Internet Storm Center Handlers have talked about honeypots, the value of full packet capture and the value of sharing any attack data. In this Diary I’m going to highlight a fairly simple and cost effective way of rolling those together.

If you have an always-on internet connection, having a honeypot listening to what is being sent your way is never a bad idea. There are plenty of ways to set up a honeypot, but an inexpensive way to set one up at home is with a Raspberry Pi [1]. The Raspberry Pi is a credit-card sized computer, which can be hidden away out of sight easily, has a very low power consumption and is silent, but works very well for a home honeypot.

There are plenty of install guides to install the OS (I like using Raspbian), secure it, then drop your pick, or mix, of honeypot such as Kippo [2], Glastopf [3] or Dionaea [4] on it. Again, guides on how to set these up litter the intertubes, so take your pick. As an additional step, I like to install tcpdump and plug a Linux-formatted 4GB USB drive into the Pi, and then do full packet capture of any traffic directed to the Pi’s interface to the USB drive. Aside from the fact that everyone likes sifting through packet captures during downtime, there are times when capturing the full stream provides insights and additional options (like running it through your IDS of choice) on the connections being made to you.

Once you have it all set up, secured, tested and running, don’t forget to share the data with us, especially if you install Kippo [5].

From my observations, don’t expect a massive amount of interaction with your home honeypot, but you will see plenty of scanning activity. It’s a fairly interesting insight, especially if you pick a number of ports to forward on from your router/modem for the honeypot to listen on. If you do set up tcpdump to capture any traffic hitting the Raspberry Pi network interface (and haven’t set up a firewall to drop all non-specified traffic), it’ll also pick up any chatty, confused or possibly malicious connections within your home network if they are broadcasting or scanning the subnet. With the Internet of Things being plugged in to home networks now, it’s always handy to have a little bit of notification if your fridge starts port scanning every device on your network…

As one of my fellow Handlers, Mark Hofman, sagely mentioned:

“if you are going to set one up, make sure you fully understand what you are about to do.  You are placing a deliberately vulnerable device on the internet.  Depending on your location you may be held liable for stuff that happens (IANAL).  If it gets compromised, make sure it is somewhere where it can’t hurt you or others.”
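Sifting through the tcpdump capture for the two patterns mentioned above (Internet hosts sweeping the honeypot's forwarded ports, and a LAN device scanning the home subnet) is something a practitioner will want to script. The following is an added example and not ISC code: it reads a classic little-endian pcap with Ethernet/IPv4/TCP records (the format `tcpdump -w` writes by default on most Linux systems) and flags sources whose pure SYNs hit many distinct ports or many neighbouring hosts. The capture it analyses is constructed in code so the script runs offline; the home subnet, the IP addresses and the thresholds are assumptions.

```python
"""Summarise TCP SYN activity in a tcpdump capture (pcap) from a home honeypot.

Added example for this diary; it is not ISC code. Reads classic little-endian
pcap with Ethernet/IPv4/TCP records and flags port sweeps and subnet scans.
The sample capture is constructed below so the script runs offline; subnet,
addresses and thresholds are assumptions.
"""
import struct
import ipaddress
from collections import defaultdict

HOME_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic pcap, little-endian, microsecond timestamps
TCP_SYN = 0x02
TCP_ACK = 0x10


def _tcp_syn_frame(src_ip, dst_ip, sport, dport):
    """Build one Ethernet/IPv4/TCP SYN frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | TCP_SYN, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one Internet host sweeping 10 ports on the Pi (192.168.1.50),
    one LAN device probing four neighbours on port 23, and two ordinary connections."""
    frames = []
    for port in (21, 22, 23, 80, 443, 445, 1433, 3306, 3389, 8080):
        frames.append(_tcp_syn_frame("203.0.113.5", "192.168.1.50", 40000 + port, port))
    for host in range(10, 14):
        frames.append(_tcp_syn_frame("192.168.1.77", f"192.168.1.{host}", 5000 + host, 23))
    frames.append(_tcp_syn_frame("198.51.100.9", "192.168.1.50", 51000, 22))
    frames.append(_tcp_syn_frame("192.168.1.20", "192.168.1.50", 52000, 80))
    # Global header: version 2.4, zone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet).
    out = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_400_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src_ip, dst_ip, dst_port, tcp_flags) for every IPv4/TCP record in the capture."""
    if data[:4] != PCAP_MAGIC_LE:
        raise ValueError("only classic little-endian pcap is handled in this example")
    if struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6 or len(frame) < 14 + ihl + 14:
            continue  # not TCP, or too short to hold the TCP header fields we read
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        _, dport, _, _, off_flags = struct.unpack_from("!HHIIH", frame, 14 + ihl)
        yield src, dst, dport, off_flags & 0x1FF


def find_scanners(records, port_threshold=5, host_threshold=3):
    """Return {src_ip: reason} for sources whose connection attempts look like scanning."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for src, dst, dport, flags in records:
        if flags & TCP_SYN and not flags & TCP_ACK:  # SYN without ACK: a new connection attempt
            ports[src].add(dport)
            hosts[src].add(dst)
    findings = {}
    for src in ports:
        where = "LAN" if ipaddress.ip_address(src) in HOME_SUBNET else "Internet"
        if len(ports[src]) >= port_threshold:
            findings[src] = f"{where} host probed {len(ports[src])} ports"
        elif len(hosts[src]) >= host_threshold:
            findings[src] = f"{where} host probed {len(hosts[src])} neighbours on port(s) {sorted(ports[src])}"
    return findings


if __name__ == "__main__":
    # Real use: data = open("/mnt/usb/honeypot.pcap", "rb").read()  (path is an assumption)
    for src, why in find_scanners(parse_pcap(build_sample_pcap())).items():
        print(src, "->", why)
```

Counting only SYNs without ACK keeps the honeypot's own replies and established sessions out of the tally, and the LAN/Internet split is what separates the expected noise from the Internet from the "fridge port scanning the network" case the diary warns about. Captures written with `tcpdump -w` on a big-endian host, or with the newer pcapng format, would need a different reader.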

So keep an eye on your Pi!

Happy honeypotting!


[1] http://www.raspberrypi.org/
[2] https://github.com/desaster/kippo
[3] http://glastopf.org/
[4] http://dionaea.carnivore.it/
[5] https://isc.sans.edu/diary/New+Feature%3A+%22Live%22+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433


Chris Mohan — Internet Storm Center Handler on Duty


TorrentFreak: Microsoft Gets GitHub to Remove “Infringing” Xbox Music App

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

A few weeks ago Microsoft extended its Xbox Music API, allowing third-party developers to link their apps to the music service.

This resulted in a range of new apps that provide access to Xbox Music tracks, but Microsoft is not happy with all of them.

Earlier this week the company contacted developer platform GitHub, asking the company to remove all code related to the Audiotica download tool, which they did.

In its takedown notice Microsoft explains that the app in question provides users with DRM-free music, something it is not allowed to do. Specifically, the app is said to violate the circumvention clause of the DMCA.

“This code violates [...] the DMCA in that it allows users to circumvent a technological measure that effectively controls access to copyrighted works by facilitating the unauthorized conversion of songs streamed via Xbox Music into DRM-free MP3s that can be easily shared online,” Microsoft writes.

Microsoft explains that the application puts its licensing agreements with the major music labels in jeopardy. Under these agreements the company has to protect music tracks from being shared online without restrictions.

“As part of Microsoft’s agreements with the copyright owners of the songs included in the service, Microsoft has both authorization from and an obligation to those copyright owners to control access to their works by employing an effective DRM system,” Microsoft notes.

An interesting argument, since the tracks provided by Xbox’s Music service appear to be free of DRM.

[Image: Xbox Music API]

TorrentFreak contacted Audiotica developer Harry who was unpleasantly surprised by Microsoft’s takedown notice. He notes that Microsoft itself is the one making it easy to access DRM-free music through the Xbox Music API.

“Audiotica is programmed so users with an Xbox Subscription can download directly from Xbox Music. This is what surprised me about the takedown. Microsoft claims we can’t allow users to obtain DRM free music from their service, while they’re the one providing it,” Harry says.

Microsoft most likely took offense to the fact that the application allowed users to download and store tracks. Although this might not technically be a form of “circumvention,” it does violate the API’s terms of service.

The Audiotica developer says he will ask GitHub to reinstate his project, without the Xbox Music feature. The application will still be able to access music from other sources including YouTube, VK and Soundcloud.

“Right now I will be filing a counter notice to bring it back. To avoid further problems with Microsoft I will be removing Xbox Music from the MP3 crawler engine and the downloader.”

Microsoft’s takedown request follows a new trend in which copyright holders are targeting GitHub projects. Previously the MPAA successfully requested the takedown of two popular Popcorn Time forks. While both the MPAA and Microsoft don’t own any of the code, the alleged indirect infringements were sufficient to take the code down.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: Debit Card Override Hack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Clever:

Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn’t really calling his bank.

So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.

Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I’ll bet that fixing the infrastructure will be expensive.

Raspberry Pi: Introducing Raspberry Pi HATs

This post was syndicated from: Raspberry Pi and was written by: James Adams. Original post: at Raspberry Pi

Just over two weeks ago, we announced the new Raspberry Pi B+ with immediate availability. We’ve been very pleased at the response from the community and press about the B+, and most people seem to appreciate why we decided to evolve the Model B in the way we did – lots of you have been in touch to tell us how much you’re enjoying your new B+.

There are many great new features built into the B+, but today we want to talk about one new feature we are particularly excited about.

One of the brilliant things about the Raspberry Pi has always been the ability to attach physical hardware to the Raspberry Pi’s GPIO (General Purpose Input/Output) connector. There are so many third party add-on boards that attach to the Raspberry Pi and extend its functionality: motor controllers, LEDs, buttons, sensors, microcontrollers, LCDs, ADCs and DACs; you name it, someone has almost certainly created an add-on board that makes it usable with the Raspberry Pi.

[Image: Model B’s 26W vs Model B+’s 40W GPIO connectors]

On the Raspberry Pi models A and B, the GPIO connector has 26 pins. Users attaching an add-board to the model A or B Pi usually have to work out which drivers are required for their specific board, and then edit the relevant Linux files to make them load at boot time before the board is usable (or load them by hand from the command line). The Raspberry Pi has no knowledge of whether it has a board attached or not, and the various drivers, when loaded, will simply assume that they can make exclusive use of the GPIO interface. Most of the time this all works OK, but it can be a bit challenging for new users. Linux drivers blindly assuming GPIO pins are available can also occasionally cause confusion.

The Raspberry Pi B+ has been designed specifically with add-on boards in mind and today we are introducing ‘HATs’ (Hardware Attached on Top). A HAT is an add-on board for B+ that conforms to a specific set of rules that will make life easier for users. A significant feature of HATs is the inclusion of a system that allows the B+ to identify a connected HAT and automatically configure the GPIOs and drivers for the board, making life for the end user much easier!

Before we go any further, it is worth noting that there are obviously a lot of add-on boards designed for the original model A and B boards (which interface to the original 26 way GPIO header). The first 26 pins of the B+ GPIO header are identical to those of the original models, so most existing boards will still work. We are not breaking compatibility for existing boards; we’re creating a specification that B+ add-on board designers can follow (if they so wish), which is designed to make end users’ lives much easier.

So what is a HAT?

[Image: B+ sporting a (mechanical sample of a) HAT and showing camera and display connections]

In a nutshell a HAT is a rectangular board (65x56mm) that has four mounting holes in the (nicely rounded) corners that align with the mounting holes on the B+, has a 40W GPIO header and supports the special autoconfiguration system that allows automatic GPIO setup and driver setup. The automatic configuration is achieved using 2 dedicated pins (ID_SD and ID_SC) on the 40W B+ GPIO header that are reserved for an I2C EEPROM. The EEPROM holds the board manufacturer information, GPIO setup and a thing called a ‘device tree‘ fragment – basically a description of the attached hardware that allows Linux to automatically load the required drivers.

What we are not doing with HATs is forcing people to adopt our specification. But you can only call something a HAT if it follows the spec.

So why are we bothering with all this? Basically, we want to ensure consistency and compatibility with future add-on boards, and to allow a much better end-user experience, especially for less technically aware users.

The HAT specification is available on GitHub for those wishing to design add-on boards for the B+. As previously explained, there is no requirement to follow the HAT specification, but we encourage people to think about following it if possible, as it will make the world a better place for end users.

One final bit of good news: we have used a surface mount connector on our internal prototype HAT which works very nicely. As you can see from the pictures it solders to the top of the board and then fits over an extension header (the extension header pins push through the HAT from underneath). As the extension headers push through like this it is possible to either use a short, flush mounting extension or a version with longer pins that poke out above the HAT and allow further access to the GPIO pins for debugging.


HAT using extender with longer pins

For HAT designers wanting to use these connectors, we have secured discounted pricing through Toby Electronics. The connector part numbers are:

Toby tell us they are getting stock in now, which should arrive for the 5th August.

Please post technical questions about the specification to the forum.

TorrentFreak: Piracy Fight Needs Content Available at a Fair Price, Minister Says

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For close to a decade Australia has been struggling with what the content industries see as a serious online piracy problem but today the country seems closer than ever to a legislative tipping point.

A paper leaked last week revealed that the government is looking towards a range of piracy mitigation measures, from holding ISPs more responsible for their users’ actions to the ISP-level blocking of so-called ‘pirate’ sites.

To coincide with the paper’s official release yesterday, the Australian Subscription Television and Radio Association (ASTRA), the trade body representing subscription television platforms, published (PDF) the results of a survey in which 60% of respondents agreed that people who facilitate piracy should face prosecution.

Whether the respondents understood that those “facilitators” include those who download TV shows and movies using BitTorrent isn’t clear, but the reality on the ground is that a large section of the Australian public has grown weary of being treated as second class consumers. Content not only arrives months adrift on a slow boat from the United States, but also at vastly elevated rates that defy reasonable explanation. This has led many to download TV shows instead, something which has led into today’s debate.

But while some of the Government’s proposals are causing unease due to a perceived reliance on a Big Media “wishlist”, there are signs that ministers understand that the piracy problem doesn’t exist in a vacuum.

In an interview with ABC’s Chris Uhlmann, Communications Minister Malcolm Turnbull was put on the spot over what some view as the exploitation of Australian consumers by international entertainment companies. So why do Aussies pay 40% more than those in the US to download movies from iTunes?

“That is, that is a very powerful argument,” Turnbull conceded.

“If I can just say so, there is an obligation on the content owners, if their concerns are to be taken seriously and they are by government, and if governments are to take action to help them prevent piracy, then they’ve got to play their part which is to make their content available universally and affordably.”

The argument that content has to be made widely available at a fair price before progress can be made cannot be overstated, and it will be extremely interesting to see whether the Minister’s acknowledgment of the problem becomes a sticking point in negotiations as potential legislation draws closer.

But in the meantime, why are content producers “ripping off” Aussies with inflated prices? Profit, apparently.

“Well, I assume it’s because they feel they can make money out of it,” Turnbull said.

Of course, commercial decisions like this get made every day, but as Uhlmann pointed out to the Minister, for Internet content the justification isn’t strong – from a technical standpoint it doesn’t cost any more to make content available for download in Australia than in the United States.

The entertainment companies’ “right” to charge whatever they like is their business, Turnbull reiterated, but that approach may come at a price.

“If you want to discourage piracy, the best thing you can do, and the music industry is a very good example of this, the way they’ve responded, the best thing you can do is to make your content available globally, universally and affordably. In other words, you just keep on reducing and reducing and reducing the incentive for people to do the wrong thing,” he said.

Turnbull also noted that following the publication of the discussion paper, content owners are going to have to justify why they are charging Australians more than their overseas counterparts. That might prove a very interesting discussion.

Finally, the government is now inviting submissions from the public on the issue of online copyright infringement. There is no specific mention of offering content widely at a fair price, however, something which has drawn the ire of the Pirate Party.

“Instead of addressing the reality that Australians are paying more money for less content than other countries, the Discussion Paper is biased towards turning Internet service providers into ‘Internet police’ and censorship in the form of website blocking, neither of which have proven effective overseas,” Pirate Party President-elect Brendan Molloy said in a statement.

Those interested have until September 1 to make their opinions heard – question 9 might prove an opportunity to talk about a fair deal for Australians.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Thursday, July 31st 2014 http://isc.sans.edu/podcastdetail.html?id=4085, (Thu, Jul 31st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: [$] LWN.net Weekly Edition for July 31, 2014

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The LWN.net Weekly Edition for July 31, 2014 is available.

SANS Internet Storm Center, InfoCON: green: Symantec Endpoint Protection Privilege Escalation Zero Day, (Wed, Jul 30th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

The people at Offensive Security have announced that in the course of a penetration test for one of their customers they have found several vulnerabilities in the Symantec Endpoint Protection product. While details are limited, the vulnerabilities appear to permit privilege escalation to the SYSTEM user which would give virtually unimpeded access to the system. Offensive Security has posted a video showing the exploitation of one of the vulnerabilities.

Symantec has indicated they are aware of the vulnerabilities and are investigating.

There is some irony in the fact that there are Zero Day vulnerabilities in the software that a large portion of users count on to protect their computer from malware and software vulnerabilities. The fact is that software development is hard and even security software is not immune from exploitable vulnerabilities. If there is a bright side, it appears that there are no exploits in the wild yet and that local access to the machine is required to exploit these vulnerabilities.

– Rick Wanner – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Bleep… BitTorrent Unveils Serverless & Encrypted Chat Client

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Encrypted Internet traffic surged worldwide after the Snowden revelations, with several developers releasing new tools to enable people to better protect their privacy.

Today BitTorrent Inc. contributes with the release of BitTorrent Bleep, a communication tool that allows people to exchange information without the need for any central servers. Combined with state of the art end-to-end encryption, the company sees Bleep as the ideal tool to evade government snooping.

Bleep’s main advantage over some other encrypted messaging applications is the absence of central servers. This means that there are no logs stored centrally; all metadata goes through other peers in the network.

“Many messaging apps are advertising privacy and security by offering end-to-end encryption for messages. But when it comes to handling metadata, they are still leaving their users exposed,” BitTorrent’s Farid Fadaie explains.

“We reimagined how modern messaging should work. Our platform enables us to offer features in Bleep that are unique and meaningfully different from what is currently available.”


The application’s development is still in the early stages and the current release only works on Windows 7 and 8. Support for other operating systems including popular mobile platforms will follow in the future.

Aspiring Bleep users can create an account via an email or mobile phone number, but an incognito mode without the need to provide any personal details is also supported.

The new messaging app is not the only ‘breach safe’ tool the company is currently working on. Last year BitTorrent launched its Sync application which provides a secure alternative to centralized cloud backup solutions such as Dropbox and Google Drive.

BitTorrent Inc. is inviting people to test the new Bleep application, but warns there are still some bugs.

Those who want to give BitTorrent Bleep a try can head over to BitTorrent’s experiments section to sign up for the pre-Alpha release.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

LWN.net: Akademy 2014 Keynotes: Sascha Meinrath and Cornelius Schumacher

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

KDE.News looks at Akademy keynote speakers Sascha Meinrath and Cornelius Schumacher. “Akademy 2014 will kick off on September 6 in Brno, Czech Republic; our keynote speakers will be opening the first two days. Continuing a tradition, the first keynote speaker is from outside the KDE community, while the second is somebody you all know. On Saturday, Sascha Meinrath will speak about the dangerous waters he sees our society sailing into, and what is being done to help us steer clear of the cliffs. Outgoing KDE e.V. Board President, Cornelius Schumacher, will open Sunday’s sessions with a talk about what it is to be KDE and why it matters.”

LWN.net: [$] Wayland in GNOME: two progress reports

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

The X11 replacement protocol Wayland has been in development since 2010. Compared to X11 itself, it is still a relatively new project, but the enthusiasm with which distributions and large software projects announced their intent to support Wayland makes it at least understandable that users would ask how much longer they need to wait before Wayland is made available to them. At GUADEC 2014 in Strasbourg, France, a pair of talks presented the latest status of Wayland support in various GNOME desktop components.