SANS Internet Storm Center, InfoCON: green: ISC StormCast for Monday, April 27th 2015 http://isc.sans.edu/podcastdetail.html?id=4457, (Mon, Apr 27th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Farmers Unable to Repair Tractors Because Copyright: Never a Side Effect, But Core Intention of Law

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

This week, there have been stories about farmers who can’t legally repair their John Deere tractors, as copyright monopoly legislation prohibits tampering with computer code in something you own. This has been described as an “unexpected side effect” of the copyright monopoly legislation in general and the DMCA/EUCD in particular.

That’s wrong. It’s not a side effect and it’s not unexpected. That is exactly what those laws intended to accomplish. Being locked out of your own possessions is not a side effect – it was the central point of the legislation and its core purpose.

As usual, the geeks who understood the deeper repercussions of this cried murder over the legislation at the time, and were summarily ignored by policymakers. Perhaps only now, when it becomes clear that it’s not just geek toys that are affected but everything in our everyday life, will more people become aware of how the copyright monopoly limits property rights.

This development, eroding property rights of everything, has been driven by the cartoon industry – by which I mean the copyright industry in general and Disney Corporation in particular.

It started with DRM, Digital Restriction Measures. Somebody thought it was both possible and a good idea to control how playback of video and audio could take place at people’s homes after they bought music and movies. (Imagine that translated to books, by the way, that publishers thought it possible to control how a book would be read – where, when and how.)

Digital Restriction Measures (DRM) were never about preventing copying, even though they were frequently presented as “copy protection”, mostly for PR purposes. They did absolutely nothing to prevent copying. They prevented playback. They controlled playback. They permitted or didn’t permit playback.

However, the technology didn’t work. The technology couldn’t work. It wasn’t broken at the technical level or in need of a little improvement: it was broken at the conceptual level. It relied on the cartoon industry’s ability to prevent the owner of an object from tinkering with their own property. (This is where tractors and cars come in.)

Obviously, if a computer is able to decode and decrypt a cartoon, then the owner of that computer is also able to instruct their own computer to decode and decrypt it (presumably a copy they bought and therefore also own), even against the cartoon industry’s wishes.

This is why DRM is broken at the conceptual level.

In this respect, there is no difference between a copy of a car or tractor – one of many identical sold objects off a production line – and a CD or DVD. You hold the receipt, you own it. The manufacturer doesn’t get to say what you do with your own property.

Or didn’t, at least.

The cartoon industry – copyright industry – realized that they needed to attack the core concept of the ability to hold property in order to prop up their crumbling copyright monopoly, and pushed for legislation that turned out as something called the DMCA in the US and the EUCD/InfoSoc in Europe. It “fixes” the conceptual problem with DRM by simply making it illegal to tinker with your own property when the original manufacturer, who sold the object to you, doesn’t want it tinkered with even after it’s been sold to you.

Yes, that’s a blatant intrusion into the very core concept of property rights. It also illustrates how the copyright monopoly, a governmentally-granted private monopoly, was always firmly in opposition to property rights (despite the copyright industry’s insistent attempts to reframe it as “property” for PR purposes, which is one of many lies from that cartoon industry).

As computers are spreading through society, into every aspect of our lives, so are the effects of the law that the copyright industry rammed through legislative corridors fifteen years ago.

John Deere claiming that farmers aren’t allowed to tinker with their tractors and other farming equipment is not an “unfortunate side effect” of copyright monopoly legislation. It was the core idea, all along, to prevent owners of property from exercising their normal property rights. That was the only possible way the copyright monopoly was even slightly maintainable in a digital environment.

One has to ask whether it was, and continues to be, worth that price.

In any case, now that it’s not just geeks and nerds being affected by the cartoon industry’s wholesale slaughter of civil liberties but car owners and farmers and most ordinary people, one can hope that understanding of the fundamental idiocy of these laws can start to surface a little wider.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.

Book Falkvinge as speaker?

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Lauren Weinstein's Blog: While the World Burns, the Washington and Media Elite Party Through the Night

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

In Nepal, thousands lay dead and dying in a horrendous earthquake and its aftermath. In Baltimore, righteous anger over the crushed spine and death of a young black man in police custody was triggering violence and arrests. And last night while those events raged, the Washington political and media elite were hypocritically and drunkenly joking and partying in their formal…

SANS Internet Storm Center, InfoCON: green: Quantum Insert Attack, (Sun, Apr 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

The Dutch company Fox-IT has published detailed information about the Quantum Insert attack: an HTML redirection attack that injects malicious content into a specific TCP session. A session is selected for injection based on selectors, such as a persistent tracking cookie that identifies a user over a long period of time.

The attack is carried out by sniffing an HTTP request and then spoofing a crafted HTTP response. To craft the spoofed HTTP response, the attacker needs to know the following:

  • Source and Destination IP address
  • Source and Destination TCP port
  • Sequence and Acknowledgment Number

Once the spoofed packet is sent, a race condition occurs: if the attacker wins the race, the victim receives the malicious content instead of the legitimate response.

Performing a Quantum Insert attack requires that the attacker can monitor the traffic and has a very fast infrastructure to win the race condition.

To detect Quantum Insert we should look for the following:

  1. Duplicate sequence numbers with two different payloads: because the attacker spoofs the response, the victim sees two packets with the same sequence number but different payloads.
  2. TTL anomalies: the spoofed packets show a different time-to-live value than the real packets. TTL differences can be legitimate given the nature of Internet traffic, but because the attacker must be closer to the target to win the race, the TTL of the spoofed packets is likely to differ noticeably from that of the legitimate ones.
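The two indicators above can be checked offline against captured segments. The following Python is an added example written for this page; it is not Fox-IT’s or the ISC’s code. It runs over a constructed list of server-to-client TCP segment records (addresses, ports, sequence numbers, TTLs and payloads are all made up) and flags (1) a second, different payload at a sequence number already seen in the same flow, while ignoring plain retransmissions, and (2) a TTL that deviates from the flow’s median by more than a tolerance. The tolerance of 3 hops and the minimum of three segments for a baseline are assumptions.

```python
"""Offline check for the two Quantum Insert indicators: a second, different
payload at an already-seen TCP sequence number, and a TTL that deviates from
the rest of the flow. Added example for this page, not Fox-IT or ISC code."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)

# Constructed payloads (not from a real capture).
LEGIT_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body>welcome</body></html>")
SPOOFED_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                    b"Location: http://injector.invalid/\r\n\r\n")


def seg(seq: int, ttl: int, payload: bytes, sport: int = 80,
        dport: int = 50231) -> dict:
    """Build one constructed server->client segment record; the addresses
    are documentation ranges chosen for the example."""
    return {"src": "203.0.113.10", "sport": sport, "dst": "192.0.2.7",
            "dport": dport, "seq": seq, "ttl": ttl, "payload": payload}


SAMPLE_SEGMENTS = [
    seg(1000, 61, SPOOFED_RESPONSE),   # injected segment wins the race; other TTL
    seg(1000, 52, LEGIT_RESPONSE),     # real response: same seq, different bytes
    seg(1000, 52, LEGIT_RESPONSE),     # plain retransmission: must not alert
    seg(1000 + len(LEGIT_RESPONSE), 52, b"<!-- trailer -->"),
    seg(2000, 52, b"HTTP/1.1 200 OK\r\n\r\nother", sport=443, dport=50240),
]


def flow_key(s: dict) -> FlowKey:
    return (s["src"], s["sport"], s["dst"], s["dport"])


def find_duplicate_seq(segments: List[dict]) -> List[dict]:
    """Indicator 1: same flow and sequence number, but a payload not seen
    before at that offset. Retransmissions repeat bytes and are ignored."""
    seen: Dict[Tuple[FlowKey, int], Set[bytes]] = defaultdict(set)
    alerts = []
    for s in segments:
        key = (flow_key(s), s["seq"])
        if seen[key] and s["payload"] not in seen[key]:
            alerts.append({"kind": "duplicate_seq", "flow": key[0],
                           "seq": s["seq"]})
        seen[key].add(s["payload"])
    return alerts


def find_ttl_anomalies(segments: List[dict], tolerance: int = 3,
                       min_samples: int = 3) -> List[dict]:
    """Indicator 2: TTL further than `tolerance` hops from the flow's median.
    Both thresholds are assumptions; tune them to the monitored path."""
    by_flow: Dict[FlowKey, List[dict]] = defaultdict(list)
    for s in segments:
        by_flow[flow_key(s)].append(s)
    alerts = []
    for fk, segs in by_flow.items():
        if len(segs) < min_samples:
            continue  # not enough segments to establish a baseline
        baseline = median(s["ttl"] for s in segs)
        for s in segs:
            if abs(s["ttl"] - baseline) > tolerance:
                alerts.append({"kind": "ttl_anomaly", "flow": fk,
                               "seq": s["seq"], "ttl": s["ttl"],
                               "baseline": baseline})
    return alerts


def detect_quantum_insert(segments: List[dict],
                          ttl_tolerance: int = 3) -> List[dict]:
    """Run both indicators and return the combined alert list."""
    return (find_duplicate_seq(segments)
            + find_ttl_anomalies(segments, ttl_tolerance))


if __name__ == "__main__":
    for alert in detect_quantum_insert(SAMPLE_SEGMENTS):
        print(alert)
```

Using the median of the whole flow rather than the first segment’s TTL matters here: in the sample the injected segment arrives first, so a “first packet is the baseline” rule would flag the real server instead. On real captures, feed the functions the server-to-client segments of each HTTP session, and expect the duplicate-sequence check to be the stronger signal, since TTL variation also occurs on legitimate multi-path routes.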

==========================================

http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Experts Urge Canada to Stop Threatening Piracy Notices

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Due to a recent change in Canada’s copyright law, ISPs are now required to forward copyright infringement notices to their customers.

As a result, hundreds of thousands of Internet subscribers have received warnings in their mailboxes since the start of the year, with some asking for cash settlements.

The so-called notice-and-notice system aims to reduce local piracy rates but this hasn’t been without controversy. From the start, copyright holders have taken advantage of the system to send subscribers settlement offers, or threaten them with inaccurate legal penalties.

Hoping to fix these ‘abuses’ copyright experts and advocacy groups have this week written a letter to Canada’s Minister of Industry, James Moore.

Signed by the University of Ottawa, OpenMedia, Project Gutenberg Canada, Consumers Council of Canada, Electronic Frontier Foundation and many others, the letter warns over abuse while proposing several changes.

“As we feared, copyright trolls have in fact taken advantage of the Notice and Notice system to ramp up their abusive practices in Canada,” the groups write to the Minister.

“We have seen notices claiming infringement of foreign law, misrepresenting the scope of damages recipients potentially face, omitting mention of defenses, and failing to identify the notice as a mere allegation of infringement.”

In the short-term the Minister should use his regulatory powers to correct abuses, the groups suggest. For example, notices should make clear that they represent an allegation, not a clear determination of infringement.

The popular settlement demands or offers, which can amount to hundreds of dollars per notice, should also be banned. In addition, notices should include a mention of copyright exceptions such as fair use.

The groups further propose various penalties for copyright holders. For example, senders of notices with false or misleading information should be held liable and punished appropriately.

In the long-term the letter recommends that the Government should adopt new legislation to tackle copyright trolls and various other forms of abuse.

“Canada requires a legislative response to the abusive and deceitful tactics of a minority of copyright owners and their agents. The emergence of a cottage industry of copyright trolls and their migration to Canada is just one example of how copyright can be abused,” the groups write.

“The next round of copyright reform must include a copyright misuse provision to curb such wrong-doing,” they add.

The full letter, which includes more recommendations, is available here.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Leaked Piracy Report Details Fascinating Camcording Investigations

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

This week the UK’s Federation Against Copyright Theft (FACT) released its latest report detailing the rewards presented to cinema workers who disrupt so-called movie “cammers”. FACT is the main group to release this kind of report, and no equivalent is regularly made available in any other English-speaking country.

While the insight is useful to build a picture of “anti-camming” activity in the UK, FACT is obviously selective about the information it releases. While big successes receive maximum publicity, relative failures tend to be brushed under the carpet. Something else the group would like to keep a secret are presentations made to Sony Pictures in 2010, but thanks to a trove of leaked emails that is no longer possible.

The presentation begins with FACT stating that it’s the “best known and most respected industry enforcement body of its kind in the UK” and one that has forged “excellent relationships with public enforcement agencies and within the criminal justice system”.


FACT goes on to give Sony several examples of situations in which it has been involved in information-sharing exercises with the authorities. The exact details aren’t provided, but somewhat surprisingly FACT says they include murder, kidnap and large-scale missing persons investigations.

But perhaps of most interest are the details of how the group pursues those who illegally ‘cam’ and then distribute movies online. The presentation focuses on the “proven” leak of five movies in 2010, the total from UK cinemas for that year.

Vue Cinemas, North London

First up are ‘cams’ of Alice in Wonderland and Green Zone that originated from a Vue Cinema in North London. Noting that both movies had been recorded on their first day using an iPhone (one during a quiet showing, the other much more busy), the presentation offers infra-red photographic evidence of the suspect recording the movies.

Alice in Wonderland camming


Green Zone camming


Cineworld – Glasgow

The documentation behind this Scotland-based investigation is nothing short of fascinating. FACT determined that their suspect was the holder of a Cineworld Unlimited pass which at the time he had used 14 times.

On three occasions the suspect had viewed the movie Kick-Ass, including on the opening day. The ‘cammed’ copy that leaked online came from that viewing. The suspect also viewed Clash of the Titans, with a camcorded version later appearing online from that session. The man also attended three Iron Man 2 viewings at times which coincided with watermarks present on the online ‘cammed’ copies.

Working in collaboration with the cinema, FACT then obtained CCTV footage of the man approaching a cash desk.


Putting it all together

The most interesting document in the entire presentation is without doubt FACT’s investigative chart. It places the holder of the Cineworld Unlimited pass together with a woman found as a friend on his Facebook page. Described as IC1 (police code for white/caucasian), FACT notes that the pair attended the Cineworld Cinema together on at least one occasion.

The unnamed female is listed at a property in Glasgow and from there things begin to unravel. An IP address connected with that residence uploaded a copy of Kick-Ass which was later made available by an online release group. The leader of that group was found to have communicated with the then-unidentified cammer of the movie, whom FACT strongly suspected to be the man in the images taken at the cinema. He was later arrested and confessed to his crimes.


The full document provides a fascinating insight into FACT’s operations, not only in camming mitigation but also in bringing down websites. Another notable chart shows the operations of an unnamed “video streaming” site.


While no names are mentioned, a later edition of the same presentation blanks out key details, suggesting a level of sensitivity. However, after examining the chart it appears likely that it refers to Surf the Channel, the site previously run by Anton Vickerman.

Considering the depth and presentation of the above investigations it will come as no surprise to most that many FACT investigators are former police officers. For the curious, the full document can be found here on Wikileaks.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

LWN.net: Debian 8 “Jessie” released

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian 8, codenamed “Jessie”, has been released. It comes with a wide array of upgraded packages including GNOME 3.14, KDE Plasma Workspaces and KDE Applications 4.11.13, Python 2.7.9 and 3.4.2, Perl 5.20.2, PHP 5.6.7, PostgreSQL 9.4.1, MariaDB 10.0.16 and MySQL 5.5.42, Linux 3.16.7-ctk9, and lots more. “With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being the universal operating system. It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, or storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian’s archive ensure that “Jessie” fulfills the high expectations that users have of a stable Debian release.”

Чорба от греховете на dzver: Unexpected Intermission at Cinegrand

This post was syndicated from: Чорба от греховете на dzver and was written by: dzver. Original post: at Чорба от греховете на dzver

We went to see Age of Ultron at Cinegrand Ring Mall. At some point the sound disappeared. We went to find someone to turn it back on, and instead of resuming the film they played us an evacuation announcement: “Leave the building immediately and without panic, use the stairs, do not go to your cars, immediately and without panic.”

We evacuated, but something was a little too normal: outside the cinema people were eating in the food court without a care, and there was no evacuation there at all. We went out onto the terrace to calm our nerves, sat there for 5-10 minutes, and at some point people started heading back into the cinema. The alarm had gone off because of a blown fuse. We went back into the hall, where the film was still running; about 10 minutes had passed. Oh well, we decided we hadn’t missed much, the film is slow anyway. After another 10 minutes they rewound it 20 minutes back, so that we wouldn’t miss anything.

I can’t say I’m thrilled. These are practically the most expensive cinema tickets in Sofia; one expects to sit down, put their feet up next to their date and watch a film, not to be told where to go without panic and have the film skipped back and forth. There was no apology of any kind.

Чорба от греховете на dzver: Jetpack 3.5 and updated Tiled Gallery

This post was syndicated from: Чорба от греховете на dzver and was written by: dzver. Original post: at Чорба от греховете на dzver

About a month ago I submitted a PR to Jetpack for improving the Tiled Gallery algorithm. It’s finally merged and you can enjoy less repetitive mosaic tiles in your gallery :-)


With the new update, there is also a new way of arrangements called Tiled Columns, that looks like this:


TorrentFreak: BitTorrent Inc. Lays Off Close to a Third of its Workforce

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During the past few years BitTorrent Inc. has grown at a surprising rate, taking on increasing numbers of employees to fill various roles at the expanding company.

On Thursday, however, things took a turn for the worse. Rumors began to spread that BitTorrent Inc. had laid off dozens of staff in its biggest shake up since 2008, yet no official statement was forthcoming from the company.

Then on Friday two separate sources, at least one of whom was a former employee at the San Francisco-based company, revealed the scale of the layoffs.

“About 40-45 people in their US office just got laid off which represents a large percentage of the US workforce,” one of the sources revealed. Another described the cutting of “around a third” of an estimated 150 U.S.-based employees.

“The Ads team has been gutted as have several other groups – more development work is being sent to the BitTorrent team in Minsk. Only one person from senior management was let go, as is often the case in these types of things,” an insider told TF.

In comments to Buzzfeed, BitTorrent Inc. put a positive spin on events, describing the layoffs as a “realignment” of the business.

“We’ve recently realigned resources based on a regular evaluation of the business,” a spokesperson said. “Regrettably, this did include some employee departures. The business however, remains healthy, profitable and growing.”

A source close to the company painted a slightly different picture, however.

“The whole point is to save money and to try and return the company to profitability since it expanded its headcount way too fast and based on very unrealistic revenue projections. The morale, as you can imagine, is pretty low just now,” the source said.

One person presumed to be safe is Christian Averill, who was promoted to Vice President, Communications & Brand last month.

“My efforts will be focused on having our brands such as Bundle and Sync stand on their own and have a strong mind share in the market,” he said.

Averill’s promotion suggests that BitTorrent intends to continue efforts to put Sync and its content distribution deals front and center of its business. Meanwhile, its uTorrent and BitTorrent clients will continue to generate most of the company’s revenues.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Scammers Take Over New EZTV Domain Name

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

EZTV, the go-to place for many torrenting TV fans, has suffered its fair share of troubles in recent months.

In January the group lost its .it domain name, which was then taken over by impostors in March.

The torrent distribution group meanwhile continued to operate from the new EZTV.ch domain name, but during the past few hours this new home also became compromised.

Instead of hosting official EZTV torrents the .CH domain now links to the same content as the ‘hijacked’ EZTV.it site. While there are plenty of TV-torrents available, these are sourced externally from RARBG.

And there are more signs pointing to a hostile takeover. Users are not able to log in, for example, and the scam warning that was previously listed on the .ch domain is gone as well. In addition the site now serves various ads including popunders.

TF reached out to EZTV’s Novaking to find out more about the apparent takeover, but we have yet to receive a reply.

Upon close inspection it appears that the domain name was taken over at the registrar level. The WHOIS information was updated and now lists the UK-based “EZCLOUD LIMITED” as owner, which is the same company that registered the .it domain.

Novaking informed TF a few weeks ago that the same happened to one of his other domains.


The scammers who’ve taken over EZTV are looking to cash in from the site. EZCLOUD director Hernandez Dominguez Emmanuel previously said that he offered to partner with EZTV or sell the domain for a profit.

“The business proposal to Novaking was straightforward: he pays us a slightly bigger amount than we have paid at the auction or we somehow partnership by uniting both entities: eztv.it and eztv.ch and we will earn in the course of the next months by percentage of the ads revenues,” Emmanuel told TF.

Novaking rejected this proposal and blocked the .it domain from using official EZTV torrents. EZCLOUD did not give up, however, and now appears to have taken complete control of EZTV’s new domain as well.

Breaking news, more updates may follow

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: A Malicious Word Document Inside a PDF Document, (Sat, Apr 25th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Yesterday Steve Basford informed us of yet another type of malicious document (Sales Invoice 519658.pdf, MD5 bfe397fb9b7907ab34ba83f0f086336d). It is a PDF document containing an embedded file, with JavaScript to extract the embedded file to a temporary folder and then open it. The embedded file is a malicious Word document like we

You can analyze such PDFs without using Adobe Reader or Microsoft Word, but with my tools pdfid, pdf-parser and oledump.

If you want to know in detail how to do this, I have a video.
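As an added illustration of the pdfid-style triage the post refers to (this is example code written for this page, not the post author’s pdfid, pdf-parser or oledump), the script below counts the PDF name objects that matter for a sample like this one (/EmbeddedFile, /JavaScript, /JS, /OpenAction, /AA, /Launch, /ObjStm) after undoing #xx hex escapes in names, and applies a simple triage rule. The PDF bytes are a constructed, deliberately minimal stand-in for the described document with a placeholder where the JavaScript body would be; the indicator list and the triage rules are assumptions.

```python
"""pdfid-style indicator count for a PDF carrying an embedded file plus
JavaScript. Added example for this page, not the post author's pdfid or
pdf-parser."""
import re
from typing import Dict

# Name objects worth counting for this kind of sample. The list is an
# assumption made for the example, not an exhaustive one.
INDICATORS = ("/EmbeddedFile", "/JavaScript", "/JS", "/OpenAction",
              "/AA", "/Launch", "/ObjStm")

# Constructed stand-in for the described document: a catalog with an
# OpenAction, a JavaScript action whose body is a placeholder, and a
# Filespec pointing at an embedded file. The name /JavaScript is written
# with a #xx hex escape to show why normalisation is needed.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
    b"/Names << /EmbeddedFiles << /Names [(invoice.doc) 4 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (invoice.doc) /EF << /F 6 0 R >> >> endobj\n"
    b"5 0 obj << /S /J#61vaScript /JS (JS_BODY_PLACEHOLDER) >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\nWORD\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign document for comparison.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript),
    a common trick for hiding keywords from naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_indicators(data: bytes) -> Dict[str, int]:
    """Count each indicator name, requiring a non-name character after it so
    that /EmbeddedFile does not also count /EmbeddedFiles."""
    text = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return counts


def triage(counts: Dict[str, int]) -> str:
    """Simple verdict rules; the combinations are assumptions for the example."""
    has_js = counts["/JavaScript"] or counts["/JS"]
    if counts["/EmbeddedFile"] and has_js:
        return "suspicious: embedded file plus JavaScript (extract-and-open pattern)"
    if counts["/OpenAction"] and (has_js or counts["/Launch"]):
        return "suspicious: automatic action on document open"
    if has_js or counts["/Launch"]:
        return "review: active content present"
    return "no active-content indicators"


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        c = scan_pdf_indicators(blob)
        print(label, c, "->", triage(c))
```

Keyword counting like this only sees names that appear in plaintext. Names inside compressed object streams (a non-zero /ObjStm count is the hint) or inside filtered streams need the streams decompressed first, which is what a parser such as pdf-parser does; the embedded Word document itself then goes to an OLE-level tool for macro analysis.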

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: New Russian Anti-Piracy Law Could Block Sites “Forever”

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Following massive pressure from both local and international rightsholders, 21 months ago Russia took steps to improve its reputation of going soft on piracy.

On August 1, 2013, the country introduced a brand new intellectual property law which provided a mechanism through which sites could be blocked by intermediaries should they not comply with rightsholder takedown requests within 72 hours.

A year later telecoms watchdog Roscomnadzor revealed that during the law’s first year of operation the Moscow City Court imposed preliminary interim injunctions against 175 sites following copyright complaints. It went on to block just 12 file-sharing domains for being unresponsive to takedowns, many of them BitTorrent trackers.

With complaints from copyright holders continuing to mount, Russia decided to make further amendments to the legislation. Initially only video content was covered by the law but with an expansion scheduled for May 1, 2015, all multimedia content (photographs excluded) will receive protection. Furthermore, the law also amends the provisions on preliminary injunctions.

Although it remains unclear how the new system will work in practice, the theory is that intermediaries (ISPs and webhosts) can be ordered by the Court to permanently block websites that continually host or provide access to infringing content. At least at this early stage it appears to be the kind of system U.S. copyright holders are pushing for elsewhere, one in which content that is taken down, stays down.

With the new law just over a week away, State Duma Deputy Speaker Sergei Zheleznyak has been underlining the legislation’s reach.

“The anti-piracy legislation that created the ability to block access to sites that distribute copyright-infringing films and TV shows entered into force on 1 August 2013. On May 1, 2015 amendments to the Act will come into force that apply to music, books and software,” Zheleznyak says.

“This development will mean that the systematic violation of intellectual property rights will result in sites providing access to stolen content being blocked forever.”

Putting operators of torrent and similar sites on notice, Zheleznyak issued a stern warning.

“I would like to warn those who are still abusing piracy: you have until May 1 to try to and enter into constructive dialogue with rightsholders. They are open to cooperation,” he said.

“Our common goal is to ensure that all work is adequately rewarded and that the benefit from successful books, music and wonderful computer programs is enjoyed by those who created them, and not those who stole them. If [site owners] are not interested in legal business, the response of the state will become quite obvious.”

Russia’s first attempt at site blocking legislation failed to produce the apocalyptic conclusion many predicted. Only time will tell what the results of these latest tweaks will mean for local sites.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Toool's Blackbag: Euro-Locks

This post was syndicated from: Toool's Blackbag and was written by: Walter. Original post: at Toool's Blackbag

April 24th, a delegation of Toool visited the Euro-Locks factory in Bastogne, Belgium.

Sales manager Jean-Louis Vincart welcomed us and talked us through the history of Euro-Locks, the factories and products. After that, we visited the actual production facility. The Bastogne factory is huge and almost all of their products are completely built here. We spoke with the R&D people creating new molds, saw molten zamac, steel presses, chrome baths, assembly lines and packaging, so everything from the raw metal to the finished product. It’s interesting to see so many products (both in range of products and the actual number of produced locks) being made here, and having no stock of the finished product.

Thanks to Eric and Martin for making the visit possible.

The Hacker Factor Blog: Great Googly Moogly!

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Google recently made another change to their pagerank algorithm. This time, they are ranking results based on the type of device querying it. What this means: a Google search from a desktop computer will return different results compared to the same search from a mobile device. If a web page is better formatted for a mobile device, then it will have a higher search result rank for searches made from mobile devices.

I understand Google’s desire to have web pages that look good on both desktop and mobile devices. However, shouldn’t the content, authoritativeness, and search topic be more important than whether the page looks pretty on a mobile device?

As a test, I searched Google for “is this picture fake”. The search results on my desktop computer were different from the results on my Android phone. In particular, the 2nd desktop result was completely gone on the mobile device, the FotoForensics FAQ was pushed down on the mobile device, TinEye was moved up on the mobile device, and other analysis services were completely removed from the mobile results.

In my non-algorithmic personal opinion, I think the desktop results returned more authoritative results and better matched the search query than the mobile device results.

Google’s Preference

Google announced that they were doing this change on February 26. They gave developers less than two months notice of this change.

While two months may be plenty of time for small developers to change their site layout, I suspect that most small developers never heard about this change. For larger organizations, two months is barely enough time to have a meeting about having a meeting about scheduling a meeting to discuss a site redesign for mobile devices.

In other words: Google barely gave anyone notice, and did not give most sites time to act. This is synonymous with those security researchers who report vulnerabilities to vendors and then set arbitrarily short deadlines before going public. Short deadlines are not about doing the right thing; it’s about pushing an agenda.

Tools for the trade

On the plus side, Google provided a nice web tool for evaluating web sites. This allows site designers to see how their web pages look on a mobile device. (At least, how it will look according to Google.)

Google also provides a mobile guide that describes what Google thinks a good web page layout looks like. For example, you should use large fonts and only one column in the layout. Google also gives suggestions like using dynamic layout web pages (detect the screen and rearrange accordingly) and using separate servers (www.domain and m.domain): one for desktop users and one for mobile devices.

Google’s documentation emphasizes that this is really for smartphone users. They state that by “mobile devices”, they are only talking about smartphones and not tablets, feature phones, and other devices. (I always thought that a mobile device was anything you could use while being mobile…)

Little Time, Little Effort

One of my big irks about Google is that Google’s employees seem to forget that not every company is as big as Google or has as many resources as Google. Not everyone is Google. By giving developers very little time to make changes that better match Google’s preferred design, it just emphasizes how out of touch Google’s developers are with the rest of the world. The requirements decreed in their development guidelines also show an unrealistic view of the world. For example:

  • Google recommends using dynamic web pages for more flexibility. It also means much more testing and requires a larger testing environment. Testing is usually where someone notices that the site lacks usability.

    Google+ has a flexible interface — the number of columns varies based on the width of the browser window. But Google+ also has a horrible multi-column layout that cannot be disabled. And LinkedIn moved most of their billions of options into popups — now you cannot click on anything without it being covered by a popup window first.

    For my own sites, I do try to test with different browsers. Even if I think my site looks great on every mobile device I tested, that does not mean that it will look great on every mobile device. (I cannot test on everything.)

    Providing the same content to every device minimizes the development and testing efforts. It also simplifies the usability options.

  • Google suggests the option of maintaining two URLs or two separate site layouts — one for desktops and one for mobile devices. They overlook that this means twice the development effort, which translates into twice the development costs.
  • Maintaining two URLs also means double the amount of bot traffic indexing the site, double the load on the server, and double the network bandwidth. Right now, about 75% of the traffic to my site comes from bots indexing and mirroring (and attacking) my site. If I maintained two URLs to the same content with different formatting, I would be dividing the visitor load between the two sites (half go mobile and half go desktop), while doubling the bot traffic.
  • Google’s recommendations normalize the site layout. Everyone should use large text. Everyone should use one column for mobile displays, etc.

    Normalizing web site layouts goes against the purpose of HTML and basic web site design. Your web site should look the way that you want it to look. If you want small text, then you can use small text. If you want a wide layout, then you can use a wide layout. Every web site can look different. Just be aware that Google’s pagerank system now penalizes you for looking different and for expressing creativity.

  • Google’s online test for mobile devices does not take into account whether the device is held vertically or horizontally. My Android phone rotates the screen and makes the text larger when I hold it horizontally. According to Google, all mobile pages should be designed for a vertical screen.

Ironically, there has been a lot of effort by mobile web browser developers (not the web site, but the actual browser developers) to mitigate display issues in the browser. One tap zooms into the text and reflows it to fit the screen, another tap zooms out and reflows it again. And rotating the screen makes the browser display wider instead of taller. Google’s demand to normalize the layout really just means that Google has zero confidence in the mobile browser developers and a limited view on how users use mobile devices.

Moving targets

There’s one significant technical issue that is barely addressed by Google’s Mobile Developer Guide: how does a web site detect a mobile device?

According to Google, your code should look at the user-agent field for “Android” and “Mobile”. That may work well with newer Android smartphones, but it won’t help older devices or smartphones that don’t use those keywords. Also, there are plenty of non-smartphone devices that use these words. For example, Apple’s iPad tablet has a user-agent string that says “Mobile” in it.

In fact, there is no single HTTP header that says “Hi! I’m a mobile device! Give me mobile content!” There’s a standard header for specifying supported document formats. There’s a standard header for specifying preferred language. But there is no standard for identifying a mobile device.

There is a great write-up called “How to Detect Mobile Devices“. It lists a bunch of different methods and the trade-offs between each.

For example, you can try to use JavaScript to render the page. This is good for most smartphones, but many feature-phones lack JavaScript support. The question also becomes: what should you detect? Screen size may be a good option, but otherwise there is no standard. This approach can also be problematic for indexing bots since it requires executing JavaScript to see the layout. (Running JavaScript in a crawler is effectively a halting problem: the bot cannot know, in general, when the script has finished rendering the page.)

Alternately, you can try to use custom style sheets. CSS media queries (“@media”) can select a different layout by screen width or device type. Unfortunately, many older mobile browsers don’t support them. (Oh the irony!)

Usually people try to detect the mobile device on the server side. Every web browser sends a user-agent string that describes the browser and basic capabilities. For example:

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.3) Gecko/20150308 Firefox/31.9 PaleMoon/25.3.0

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4

User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG SM-T530NU Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36

User-Agent: Opera/9.80 (Android; Opera Mini/7.6.40234/36.1701; U; en) Presto/2.12.423 Version/12.16

The first sample user-agent string identifies the Pale Moon web browser (PaleMoon 25.3.0) on a 64-bit Windows 7 system (Windows NT 6.1; Win64). It says that it is compatible with Firefox 31 (Firefox/31.9) and uses the Gecko rendering engine (Gecko/20150308). This is likely a desktop system.

The second sample identifies Mobile Safari 8.0 on an iPhone running iOS 8.1.2. This is a mobile device — because I know iPhones are mobile devices, and not because it says “Mobile”.

The third sample identifies the Android browser 1.5 on a Samsung SM-T530NU device running Android 4.4 (KitKat) and configured for English from the United States. It doesn’t say what it is, but I can look it up and determine that the SM-T530NU is a tablet.

The fourth and final example identifies Opera Mini, which is Opera for mobile devices. Other than looking up the browser type, nothing in the user-agent string tells me it is a mobile device.

The typical solution is to have the web site check the user-agent string for known parts. If it sees “Mobile” or “iPhone” then we can assume it is some kind of mobile device — but not necessarily a smartphone. The web site Detect Mobile Browsers offers code snippets for detecting mobile devices. Google’s documentation says to look for ‘Android’ and ‘Mobile’. Here’s the PHP code that Detect Mobile Browsers suggests using (the escaping of the “/” and “.” characters inside the patterns, which the page lost, has been restored so the expressions compile):

<?php
$useragent = $_SERVER['HTTP_USER_AGENT'];
// First pattern: keywords that can appear anywhere in the string.
// Second pattern: known handset prefixes, checked against the first four characters only.
if (preg_match('/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i', $useragent)
    || preg_match('/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55\/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk\/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-/i', substr($useragent, 0, 4))) {
    // mobile device detected: serve the mobile layout here
}

This is more than just detecting ‘Android’ and ‘Mobile’. If the user-agent string says Android (or MeeGo, or a BlackBerry model number) followed by Mobile, or Avantgo, BlackBerry, Blazer, Opera Mini or Opera Mobi, or if its first four characters match one of the handset prefixes in the second expression (KDDI, Nokia, Samsung and the rest)… then it is probably a mobile device.

Of course, there are two big problems with this code. First, it has so many conditions that it is likely to have multiple false-positives (e.g., detecting a tablet or even a desktop as a mobile phone). In fact, we can see this problem since the regular expression contains “kindle” — the Amazon Kindle Fire is a tablet and not a smartphone. (And the Kindle Fire user-agent string also includes the word ‘Android’ and may include the word ‘Mobile’.)

Second, this long chunk of code is a regular expression — a language describing a pattern to match. Regular expressions cost CPU time to evaluate, and a pattern with this many alternations costs far more than a simple substring check. Unless you have unlimited resources (like Google) or have low web volume, you probably do not want to run this code on every web page request, or at least you want to cache the verdict per user-agent string rather than recompute it.

If Google really wants to have every web site provide mobile-specific content, then perhaps they should push through a standard HTTP header for declaring a mobile device, tablet, and other types of devices. Right now, Google is forcing web sites to redesign for devices that they may not be able to detect.

(Of course, none of this handles the case where an anonymizer changes the user-agent setting, or where users change the user-agent value in their browser.)
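To make the detection problem concrete, here is a small added example in POSIX shell. It is mine, not the post’s code and not the Detect Mobile Browsers snippet: it classifies the four user-agent strings quoted above plus two constructed ones (an iPad and a Kindle Fire, whose formats are assumed from the usual Safari and Silk layouts), and then reports where Google’s “Android and Mobile” rule and a bare “Mobile” check disagree with a more careful classifier. The tablet check deliberately runs first, because tablet strings often carry “Mobile” too.

```shell
#!/bin/sh
# Added example: classify a User-Agent string as phone/tablet/desktop/unknown
# and audit two simple smartphone rules against it.

# Sample strings. The first four are the ones quoted in the post; the iPad
# and Kindle Fire strings are constructed for this example.
UA_DESKTOP='Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.3) Gecko/20150308 Firefox/31.9 PaleMoon/25.3.0'
UA_IPHONE='Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4'
UA_SAMSUNG='Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG SM-T530NU Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36'
UA_OPERAMINI='Opera/9.80 (Android; Opera Mini/7.6.40234/36.1701; U; en) Presto/2.12.423 Version/12.16'
UA_IPAD='Mozilla/5.0 (iPad; CPU OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4'
UA_KINDLE='Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/3.4 Mobile Safari/535.19 Silk-Accelerated=true'

# has STRING ERE  ->  true if the extended regex matches (case-insensitive)
has() { printf '%s' "$1" | grep -qiE -- "$2"; }

# Google's guide: "Android" and "Mobile" both present => smartphone.
google_rule() { has "$1" 'Android' && has "$1" 'Mobile'; }
# The cruder rule: any "Mobile" => mobile device.
mobile_rule() { has "$1" 'Mobile'; }

# classify UA  ->  prints tablet | phone | desktop | unknown
classify() {
  ua="$1"
  # Tablets first: their strings often carry "Mobile" too (iPad, Kindle Fire).
  if has "$ua" 'iPad|Tablet|Kindle|Silk/|KF[A-Z]{2,4}'; then echo tablet; return; fi
  if has "$ua" 'iPhone|iPod|Windows Phone|IEMobile|BlackBerry|Opera Mini|Opera Mobi'; then echo phone; return; fi
  if has "$ua" 'Android'; then
    # Chrome-for-Android convention: phones add the "Mobile" token, tablets omit it.
    if has "$ua" 'Mobile'; then echo phone; else echo tablet; fi
    return
  fi
  if has "$ua" 'Windows NT|Macintosh|X11;|CrOS'; then echo desktop; return; fi
  echo unknown
}

# audit RULE  ->  names of the samples where RULE's "is a smartphone" verdict
# disagrees with classify()
audit() {
  rule="$1"; out=""
  for name in DESKTOP IPHONE SAMSUNG OPERAMINI IPAD KINDLE; do
    eval "ua=\$UA_$name"
    if "$rule" "$ua"; then r=phone; else r=other; fi
    c=$(classify "$ua"); [ "$c" = phone ] || c=other
    [ "$r" = "$c" ] || out="$out $name"
  done
  printf '%s\n' "${out# }"
}

for name in DESKTOP IPHONE SAMSUNG OPERAMINI IPAD KINDLE; do
  eval "ua=\$UA_$name"
  printf '%-10s %s\n' "$name" "$(classify "$ua")"
done
echo "google_rule misclassifies: $(audit google_rule)"
echo "mobile_rule misclassifies: $(audit mobile_rule)"
```

The “Android and Mobile” rule misses the iPhone and Opera Mini and flags the Kindle Fire as a smartphone; the bare “Mobile” rule flags both tablets and still misses Opera Mini. Note that each `has` call forks a grep, which is fine for a demonstration but is exactly the per-request cost a server should avoid; in real server code the patterns are compiled once and the verdict cached per user-agent string.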

Low Ranking Advice

Some of Google’s mobile site suggestions are good, but not limited to mobile devices. Enabling server compression and designing pages for fast loading benefit both desktop and mobile browsers.

I actually think that there may be a hidden motivation behind Google’s desire to force web site redesigns… The recommended layout — with large primary text, viewport window, and single column layout — is probably easier for Google to parse and index. In other words, Google wants every site to look the same so it will be easier for Google to index the content.

And then there is the entire anti-competitive edge. Google’s suggestion for detecting mobile devices (look for ‘Android’) excludes non-android devices like Apple’s iPhone. Looking for ‘Mobile’ misclassifies Apple’s iPad, potentially leading to a lesser user experience on Apple products. And Google wants you to make site changes so that your web pages work better with Googlebot. This effectively turns all web sites into Google-specific web sites.

Promoting aesthetics over content seems to go against the purpose of a search engine; users search for content and not styling. Normalizing content layout contradicts the purpose of having configurable layouts. Giving developers less than two months to make major changes seems out of touch with reality. And requiring design choices that favor the dominant company’s strict views seems very anti-competitive to me.

Many web sites depend on search engines like Google for income — either directly through ads or indirectly through visibility. This recent change at Google will dramatically impact many web sites — sites with solid content but, according to Google, less desirable layouts. Moreover, it forces companies to comply with Google’s requirements or lose future revenue.

Google has a long history of questionable behavior. This includes multiple lawsuits against Google for anti-competitive behavior and privacy violations. However, each of these cases is debatable. In contrast, I think that this requirement for site layout compliance is the first time that the “don’t be evil” company has explicitly gone evil in a non-debatable way.

Schneier on Security: Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting:

While most female squid and octopuses have just one reproductive cycle before they die, vampire squid go through dozens of egg-making cycles in their lifetimes, scientists have found.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Клошкодил: 2015-04-24 first server upgrade to jessie

This post was syndicated from: Клошкодил and was written by: Vasil Kolev. Original post: at Клошкодил

The new Debian stable (Jessie) is about to be released in a day or two, so for the occasion I decided to upgrade cassie (the router/server at initLab). Another reason for the upgrade was the ongoing problem with certain packets being dropped, most likely from the interaction between the route cache and the two separate paths out.

Overall things went quite smoothly (mysql upgraded itself; for postgres a short and also fairly automatic upgrade procedure had to be run), and for a few unused things (like varnish) it told me I had to rewrite my configuration. There were, however, two network problems (for reference, the description of the network setup there):

– in the latest quagga, the one in jessie, ospf6d is broken, so external IPv6 connectivity did not come up at all. After some digging through changelogs I found the following on the quagga site:
“[ospf6d] A large amount of changes has been merged for ospf6d. Careful evaluation prior to deployment is recommended.”
I decided not to debug it further and moved things to BGP, which I feel more comfortable with anyway (with v6 and quagga the choice is not large).

– after 3.6 they removed the routing cache, which leads to the curious behaviour that a single TCP connection cannot live for long, because its packets start bouncing between the two links and fairly soon a reset arrives. It turned out there is a nice solution with CONNMARK: the connection is marked at the start with the link it left through, after which policy routing rules send it through the path already chosen for it.

I’m waiting to see what else will break (at least opening/unlocking the door works, so we won’t have to cut it open with an angle grinder).
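The CONNMARK approach mentioned above, written out as an added example. This is not the author’s configuration from cassie; the interface names, gateway addresses, routing table numbers and mark values are assumptions for the example and must be adapted. By default the script only prints the commands (DRY_RUN=1); run it as root with `DRY_RUN=0 ./connmark.sh apply` to install them.

```shell
#!/bin/sh
# Added example: pin each connection to the uplink its first packet used, so a
# TCP session does not flap between two default routes once the route cache
# is gone. DRY_RUN=1 (default) prints commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Assumed topology: two uplinks, each with its own gateway, routing table and mark.
WAN1_IF=eth1; WAN1_GW=192.0.2.1;    WAN1_TABLE=101; WAN1_MARK=1
WAN2_IF=eth2; WAN2_GW=198.51.100.1; WAN2_TABLE=102; WAN2_MARK=2

setup_tables() {
  # One routing table per uplink, selected by the packet mark via ip rule.
  run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table "$WAN1_TABLE"
  run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
  run ip rule add fwmark "$WAN1_MARK" table "$WAN1_TABLE"
  run ip rule add fwmark "$WAN2_MARK" table "$WAN2_TABLE"
}

setup_marks() {
  # Before routing: copy the connection's saved mark onto the packet, so the
  # ip rules above send every later packet of a known connection through the
  # same table. For a NEW connection the restored mark is 0 and normal
  # (multipath) routing decides.
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  # Outbound NEW connections: record the uplink the first packet actually left on.
  run iptables -t mangle -A POSTROUTING -o "$WAN1_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$WAN1_MARK"
  run iptables -t mangle -A POSTROUTING -o "$WAN2_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$WAN2_MARK"
  # Inbound NEW connections: record the uplink it arrived on, so replies leave the same way.
  run iptables -t mangle -A PREROUTING -i "$WAN1_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$WAN1_MARK"
  run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$WAN2_MARK"
}

case "${1:-show}" in
  apply) DRY_RUN=0; setup_tables; setup_marks ;;
  show)  setup_tables; setup_marks ;;
esac
```

Two things this leaves out on purpose: per-uplink SNAT/MASQUERADE (`-o eth1` / `-o eth2` rules in the nat table) is still required when the uplinks have different public addresses, and reverse-path filtering on the WAN interfaces should be set to loose mode (`sysctl net.ipv4.conf.eth2.rp_filter=2`), otherwise the strict check against the main table drops return traffic arriving on the second uplink.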

LWN.net: Rust Once, Run Everywhere

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

The Rust blog has posted a guide to using Rust’s foreign function interface (FFI) with C code. Highlighted in particular are Rust’s safe abstractions, which are said to impose no costs. “Most features in Rust tie into its core concept of ownership, and the FFI is no exception. When binding a C library in Rust you not only have the benefit of zero overhead, but you are also able to make it safer than C can! Bindings can leverage the ownership and borrowing principles in Rust to codify comments typically found in a C header about how its API should be used.”

Darknet - The Darkside: OAT – Microsoft OCS Assessment Tool (Office Communication Server)

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

OAT is an Open Source Microsoft OCS Assessment Tool designed to check the password strength of Lync and Microsoft Office Communication Server users. After a password is compromised, OAT demonstrates potential UC attacks that can be performed by legitimate users if proper security controls are not in place. We first wrote about OAT when it…

Read the full post at darknet.org.uk

Schneier on Security: Signed Copies of Data and Goliath

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

You can now order signed copies of Data and Goliath from my website.

[Медийно право] [Нели Огнянова] : Digital switchover BG: judgment in case C-376/13 European Commission v Bulgaria

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

On 23 April 2015 the judgment of the Court of Justice of the EU in case C-376/13 Commission v Bulgaria became known.

It is too early for a detailed commentary on the judgment; it must be read carefully and commented on responsibly.

But there are some entirely obvious facts.

  • The Court upholds the three claims of the EC set out in the EC’s Reasoned Opinion – infringement No. 2011/4025, for breaches of EU competition law.
  • The Court confirms that during the pre-litigation procedure Bulgaria, under the GERB government, did not remedy the consequences of the failure to comply with EU law alleged by the EC.
  • The Court confirms that the reasons for opening the pre-litigation procedure lie in
    • the regulatory framework of the Bulgarian digital switchover model, in particular the Electronic Communications Act (ЗЕС), adopted during the Triple Coalition government, and
    • its application regarding the issuing of permits for use of an individual resource – radio spectrum – in 2009, during the Triple Coalition government – that is, the CRC (КРС) decision of April 2009 and the subsequent CRC decisions.
    • the judicial confirmation of the regulatory acts – the Supreme Administrative Court (ВАС) also ruled in favour of the procedure – Judgment No. 11018/2011

The Bulgarian Constitutional Court was also seised with a request concerning some of the provisions declared today incompatible with EU law (alas, seised rather selectively – the judgment and the dissenting opinions in case 3/2009 deserve a fresh reading today).

The then – and current – chairman of the CRC called the reaction against the legal framework “some kind of smokescreen”.

The Commission for Protection of Competition (КЗК), headed by its then – and current – chairman, cleared the rights to use the spectrum for the Mansellord empire. The European Commission delicately expressed its shock: how can an EU member state first restrict competition so as not to let a strong player become even stronger, and then immediately allow that very player to take over the whole structure: “The argument that the absolute prohibition was absolutely necessary in order to prevent network operators from controlling the multiplexes is contradicted by the fact that the broadcasting network operator NURTS has taken control of two multiplexes.”

The then (2012) – and current – minister says he does not know who the owners of the multiplexes are, will check and will say on Monday. Claims of the “we don’t know what is going on with KTB” kind.

Let us not forget how many other well-known figures positioned and repositioned themselves in this period: the sale of TV2, the amendments to the Radio and Television Act (ЗРТ), the information campaign for the digital switchover, and so on.

Now the convicted Bulgaria must comply with the judgment: according to the Court the infringement “continues to exist as long as the rights to use the frequencies granted in breach of those provisions exist”. No intentions have been announced regarding the flawed procedures for issuing permits, neither in 2009, after GERB came to power, nor later, nor today. It is no secret that the chairman of the CRC has lately been declaring the model a mistake. And it is no secret that those who appropriated the digital switchover – because it was appropriated, by the ones whose names the minister does not know – have the idea of pushing off from this judgment of the Court towards their own salvation, and also of shifting the burden onto the taxpayer.

The satisfaction with the judgment of the Court of the EU, which once again opens a path to more competition and pluralism, gives way to these oppressive, and in Bulgarian conditions entirely realistic, scenarios.

Schneier on Security: Federal Trade Commissioner Julie Brill on Obscurity

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I think this is good:

Obscurity means that personal information isn’t readily available to just anyone. It doesn’t mean that information is wiped out or even locked up; rather, it means that some combination of factors makes certain types of information relatively hard to find.

Obscurity has always been an important component of privacy. It is a helpful concept because it encapsulates how a broad range of social, economic, and technological changes affects norms and consumer expectations.

TorrentFreak: Pirate Bay Blockade Censors CloudFlare Customers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Like any form of censorship, web blockades can sometimes lead to overblocking, targeting perfectly legitimate websites by mistake.

This is also happening in the UK where Sky’s blocking technology is inadvertently blocking sites that have nothing to do with piracy.

In addition to blocking domain names, Sky also blocks IP-addresses. This allows the ISP to stop HTTPS connections to The Pirate Bay and its proxies, but when those IP-addresses are shared with random other sites, they’re blocked too.

This is happening to various customers of the CDN service CloudFlare, which is used by many sites on the UK blocklist. Every now and then this causes legitimate sites to be blocked, such as CloudFlare customers who shared an IP-address with Pirate Bay proxy ilikerainbows.co.uk.

Although the domain is merely a redirect to ilikerainbows.co, it’s listed in Sky’s blocking system along with several CloudFlare IP-addresses. Recently, the CDN service received complaints from users about the issue and alerted the proxy owner.

“It has come to our attention that your website — ilikerainbows.co.uk — is causing CloudFlare IPs to be blocked by SkyB, an ISP located in the UK. This is impacting other CloudFlare customers,” CloudFlare wrote.

The CDN service asked the proxy site to resolve the matter with Sky, or else it would remove the site from the network after 24 hours.

“If this issue does not get resolved with SkyB though we will need to route your domain off CloudFlare’s network as it is currently impacting other CloudFlare customers due to these blocked IP addresses.”


The operator of the “Rainbows” TPB proxy was surprised by Sky’s overbroad blocking techniques, but also by CloudFlare’s response. Would CloudFlare also kick out sites that are blocked in other countries where censorship is common?

“What do they do when Russia starts blocking sites under their system? Are they going to kick users off CloudFlare because there’s a Putin meme that the Russians don’t like?” Rainbows’ operator tells TF.

Instead of waiting for the domain to be switched off by CloudFlare he reverted it back to the domain registrar’s forwarding services. The main .co domain still uses CloudFlare’s services though, as does the official Pirate Bay site.

This is not the first time that CloudFlare customers have been blocked by mistake. Earlier this year the same thing happened to sites that shared an IP-address with The Pirate Bay. At the time we contacted Sky, who informed us that they do all they can to limit collateral damage.

“We have a process in place to monitor requested site blocks to limit the chances of inadvertently blocking sites, and in addition to this if we are advised by a site owner or Sky customer that a site is being inadvertently blocked we take the necessary steps to remove any unintended blocks,” a Sky spokeswoman said.

In addition to Sky we also contacted CloudFlare about the issue multiple times this year, but the company has yet to reply to our inquiries.

It’s clear though that despite cheers from copyright holders, website blocking is not all rainbows and unicorns. Without any significant change to Sky’s blocking setup, more of these inadvertent blocks are bound to happen in the future.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Fileless Malware, (Fri, Apr 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In previous diaries we have talked about memory forensics and how important it is. Malware that does not exist in the file system is one of the reasons why memory forensics is important.

Michael Marcos from Trend Micro wrote about fileless malware. POWELIKS is one of the examples he talked about.

POWELIKS hides its malicious code inside a Windows registry key and uses Windows PowerShell to run additional encoded code.

Phasebot is the second malware that Marcos talked about; Phasebot can be seen as a new variant of Solarbot.

Phasebot has additional features such as virtual machine detection and an external module loader, which gives the malware the ability to add and remove features.

Phasebot encrypts the communication with its command and control server using a random password each time it connects to the C&C server.

The malware was designed to check for .NET Framework 3.5 and Windows PowerShell, which are installed by default in recent versions of Windows.

If they are present, it creates the following registry key, where the encrypted shellcode is written:

  • HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}

It creates Rc4Encoded32 and Rc4Encoded64 registry values, where it saves the encrypted 32-bit and 64-bit shellcode. Lastly, it creates another registry value named JavaScript that decrypts and executes the Rc4Encoded32/64 values.

If the programs are not found on the system, Phasebot drops a copy of itself in the %User Startup% folder. It then hooks APIs to achieve a user-level rootkit that hides the file from a typical end user. It hooks the NtQueryDirectoryFile API to hide the file and hooks NtReadVirtualMemory to hide the malware process.

Phasebot can execute routines, per the instruction of the bot administrator, such as stealing information via form grabbers, performing distributed denial-of-service (DDoS) attacks, updating itself, downloading and executing files, and accessing URLs.
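The registry artifacts above are easy to triage offline. The following is an added example, not part of the diary or of Trend Micro’s write-up: a shell script that scans the text of an exported copy of the Installed Components key for the value names attributed to Phasebot. It assumes the export was taken with `reg export "HKCU\Software\Microsoft\Active Setup\Installed Components" dump.reg` and converted to UTF-8 (`iconv -f UTF-16LE -t UTF-8 dump.reg > dump.txt`, since reg.exe writes UTF-16). The embedded sample export is constructed: the GUIDs, paths and value contents are made up.

```shell
#!/bin/sh
# Added example: flag Installed Components subkeys that carry the
# Rc4Encoded32 / Rc4Encoded64 / JavaScript values described in the diary.

# Constructed sample .reg export: one ordinary Active Setup entry and one
# entry with the Phasebot-style values. Not real data.
SAMPLE='Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="C:\\Program Files\\Example\\setup.exe /user"
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{DEADBEEF-0000-4000-8000-0123456789AB}]
"Rc4Encoded32"=hex:3a,9f,00,41
"Rc4Encoded64"=hex:77,12,c0,de
"JavaScript"="function r(){}"
'

# scan_reg: reads a UTF-8 .reg export on stdin; prints one line per suspect
# subkey in the form "<key>: <value names found>".
scan_reg() {
  awk '
    /^\[/ { key = $0; gsub(/^\[|\]$/, "", key); next }
    /^"(Rc4Encoded32|Rc4Encoded64|JavaScript)"=/ {
      if (key ~ /\\Active Setup\\Installed Components\\/) {
        name = $0; sub(/^"/, "", name); sub(/".*$/, "", name)
        hits[key] = hits[key] " " name
      }
    }
    END { for (k in hits) printf "%s:%s\n", k, hits[k] }
  '
}

# Usage on a real export: scan_reg < dump.txt
printf '%s\n' "$SAMPLE" | scan_reg
```

The benign entry is not reported even though it sits under the same key: it is the value names, not the presence of a per-user Installed Components subkey, that are the indicator here. On a live host the same check is a one-liner against the registry itself, and the matching memory artifact (a PowerShell or rundll32 process with no backing file on disk) is what the diary’s memory-forensics point is about.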

===========================================================

http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Linux How-Tos and Linux Tutorials: How to Configure Your Dev Machine to Work From Anywhere (Part 3)

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jeff Cogswell. Original post: at Linux How-Tos and Linux Tutorials

In the previous articles, I talked about my mobile setup and how I’m able to continue working on the go. In this final installment, I’ll talk about how to install and configure the software I’m using. Most of what I’m talking about here is on the server side, because the Android and iPhone apps are pretty straightforward to configure.

Before we begin, however, I want to mention that this setup I’ve been describing really isn’t for production machines. This should only be limited to development and test machines. Also, there are many different ways to work remotely, and this is only one possibility. In general, you really can’t beat a good command-line tool and SSH access. But in some cases, that didn’t really work for me. I needed more; I needed a full Chrome JavaScript debugger, and I needed better word processing than was available on my Android tablets.

Here, then, is how I configured the software. Note, however, that I’m not writing this as a complete tutorial, simply because that would take too much space. Instead, I’m providing overviews, and assuming you know the basics and can google to find the details. We’ll take this step by step.

Spin up your server

First, we spin up the server on a host. There are several hosting companies; I’ve used Amazon Web Services, Rackspace, and DigitalOcean. My own personal preference for the operating system is Ubuntu Linux with LXDE. LXDE is a full desktop environment that includes the OpenBox window manager. I personally like OpenBox because of its simplicity while maintaining visual appeal. And LXDE is nice because, as its name suggests (Lightweight X11 Desktop Environment), it’s lightweight. However, many different environments and window managers will work. (I tried a couple tiling window managers such as i3, and those worked pretty well too.)

The usual order of installation goes like this: You use the hosting company’s website to spin up the server, and you provide a key file that will be used for logging into the server. You can usually use your own key that you generate, or have the service generate a key for you, in which case you download the key and save it. Typically when you provide a key, the server will automatically be configured to allow SSH logins only with the key file. If not, disable password logins yourself (set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd) before you do anything else with the server.

Connect to the server

The next step is to actually log into the server through an SSH command line and first set up a user for yourself that isn’t root, and then set up the desktop environment. You can log in from your desktop Linux, but if you like, this is a good chance to try out logging in from an Android or iOS tablet. I use JuiceSSH; a lot of people like ConnectBot. And there are others. But whichever you get, make sure it allows you to log in using a key file. (Key files can be created with or without a password. Also make sure the app you use allows you to use whichever key file type you created–password or no password.)

Copy your key file to your tablet. The best way is to connect the tablet to your computer, and transfer the file. However, if you want a quick and easy way to do it, you can email it. But be aware that you’re sending the private key file through an email system that other people could potentially access. It’s your call whether you want to do that. Either way, get the file installed on the tablet, and then configure the SSH app to log in using the key file, using the app’s instructions.

Then using the app, connect to your server. You’ll need the username, even though you’re using a key file (the server needs to know who you’re logging in as with the key file, after all); AWS typically uses “ubuntu” for the username for Ubuntu installations; others simply give you the root user. For AWS, to do the installation you’ll need to type sudo before each command since you’re not logged in as root, but won’t be asked for a password when running sudo. On other cloud hosts you can run the commands without sudo since you’re logged in as root.

Oh and by the way, because we don’t yet have a desktop environment, you’ll be typing commands to install the software. If you’re not familiar with the package installation tools, now is a chance to learn about them. For Debian-based systems (including Ubuntu), you’ll use apt-get. Other systems use yum, which is a command-line interface to the RPM package manager.

Install LXDE

From the command-line, it’s time to set up LXDE, or whichever desktop you prefer. One thing to bear in mind is that while you can run something big like Cinnamon, ask yourself if you really need it. Cinnamon is big and cumbersome. I use it on my desktop, but not on my hosted servers, opting instead for more lightweight desktops like LXDE. And if you’re familiar with desktops such as Cinnamon, LXDE will feel very similar.

There are lots of instructions online for installing LXDE or other desktops, and so I won’t reiterate the details here. DigitalOcean has a fantastic blog with instructions for installing a similar desktop, XFCE.

Install a VNC server

Then you need to install a VNC server. Instead of using TightVNC, which a lot of people suggest, I recommend vnc4server because it allows for easy resolution changes, as I’ll describe shortly.

While setting up the VNC server, you’ll create a VNC username. You can just use a username and password for VNC, and from there you’re able to connect from a VNC client app to the system. However, the connection won’t be secure. Instead, you’ll want to connect through what’s called an SSH tunnel. The SSH tunnel is basically an SSH session into the server that is used for passing connections that would otherwise go directly over the internet.

When you connect to a server over the Internet, you use a protocol and a port. VNC usually uses 5900 or 5901 for the port. But with an SSH tunnel, the SSH app listens on a port on the same local device, such as 5900 or 5901. Then the VNC app, instead of connecting to the remote server, connects locally to the SSH app. The SSH app, in turn, passes all the data on to the remote system. So the SSH app serves as a go-between. But because it’s SSH, all the data is secure.

So the key is setting up a tunnel on your tablet. Some VNC apps can create the tunnel; others can’t and you need to use a separate app. JuiceSSH can create a tunnel, which you can use from other apps. My preferred VNC app, Remotix, on the other hand, can do the tunnel itself for you. It’s your choice how you do it, but you’ll want to set it up.

The app will have instructions for the tunnel. In the case of JuiceSSH, you specify the server you’re connecting to and the port, such as 5900 or 5901. Then you also specify the local port number the tunnel will be listening on. You can use any available port, but I’ll usually use the same port as the remote one. If I’m connecting to 5901 on the remote, I’ll have JuiceSSH also listen on 5901. That makes it easier to keep straight. Then you’ll open up your VNC app, and instead of connecting to a remote server, you connect to the port on the same tablet. For the server you just use 127.0.0.1, which is the IP address of the device itself. So to reiterate:

  1. JuiceSSH connects, for example, to 5901 on the remote host. Meanwhile, it opens up 5901 on the local device.
  2. The VNC app connects to 5901 on the local device. It doesn’t need to know anything about what remote server it’s connecting to.
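The same two steps from a desktop Linux shell, as an added example that is not from the article or from the JuiceSSH/Remotix apps: it assumes OpenSSH’s ssh client and a vncviewer binary on the client, and takes user@host, the key file and the VNC display number as arguments.

```shell
#!/bin/sh
# Added example, not from the article: the SSH tunnel described above, built
# from a desktop Linux shell instead of JuiceSSH or Remotix. Assumes OpenSSH's
# ssh(1) and a vncviewer binary on the client; user@host, key file and VNC
# display number are passed on the command line.

# Accept only a real TCP port number.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# VNC display :N listens on TCP 5900+N, so the article's :1 is port 5901.
display_port() {
    echo $((5900 + $1))
}

# Build the ssh command. -N opens no remote shell, just the forward. The
# listener is bound to 127.0.0.1 explicitly so nothing else on the local
# network can ride the tunnel, and the far end is the server's own loopback,
# so the VNC port never has to be reachable from the internet at all.
# PasswordAuthentication=no insists on the key-file login the article uses.
tunnel_cmd() {
    # $1 user@host  $2 key file  $3 local port  $4 remote port
    echo "ssh -N -i $2 -o PasswordAuthentication=no -L 127.0.0.1:$3:127.0.0.1:$4 $1"
}

run_tunnel() {
    user_host=$1; key=$2; port=$(display_port "${3:-1}")
    valid_port "$port" || { echo "bad display number: ${3}" >&2; return 1; }
    # Same port on both ends, as the article does, to keep things straight.
    # (The key path must not contain spaces; the command is word-split here.)
    $(tunnel_cmd "$user_host" "$key" "$port" "$port") &
    ssh_pid=$!
    # Give ssh a moment to authenticate and bind the local port.
    for i in 1 2 3 4 5; do
        ss -ltn 2>/dev/null | grep -q "127.0.0.1:$port " && break
        sleep 1
    done
    # The viewer connects to this device, never to the remote server.
    vncviewer "127.0.0.1:$port"
    kill "$ssh_pid" 2>/dev/null || true
}

# Usage: ./vnc-tunnel.sh ubuntu@203.0.113.10 ~/.ssh/devbox.pem 1
if [ "$#" -ge 2 ]; then run_tunnel "$@"; fi
```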

But some VNC apps don’t need another app to do the tunneling, and instead provide the tunnel themselves. Remotix can do this; if you set up your app to do so, make sure you understand that you’re still tunneling. You provide the information needed for the SSH tunnel, including the key file and username. Then Remotix does the rest for you.

Once you get the VNC app going, you’ll be in. You should see a desktop open with the LXDE logo in the background. Next, you’ll want to go ahead and configure the VNC client to your liking; I prefer to control the mouse using drags that simulate a trackpad; other people like to control the mouse by tapping exactly where they want to click. Remotix and several other apps let you choose either configuration.

Configuring the Desktop

Now let’s configure the desktop. One issue I had was getting the desktop to look good on my 10-inch tablet. This involved configuring the look and feel by clicking the taskbar menu > Preferences > Customize Look and Feel (or running lxappearance from the command line).


I also used OpenBox’s own configuration tool by clicking the taskbar menu > Preferences > OpenBox Configuration Manager (or running obconf).


My larger tablet’s screen isn’t huge at 10 inches, so I configured the menu bars and buttons and such to be somewhat large for a comfortable view. One issue is the tablet has such a high resolution that if I used the maximum resolution, everything was tiny. As such, I needed to be able to change resolutions based on the work I was doing, as well as based on which tablet I was using. This involved configuring the VNC server, though, not LXDE and OpenBox. So let’s look at that.

In order to change resolution on the fly, you need a program that can manage the RandR extension, such as xrandr. But the TightVNC server that seems popular doesn’t work with RandR. Instead, I found that the vnc4server program works with xrandr, which is why I recommend using it instead. When you configure vnc4server, you’ll want to provide the different resolutions in the command’s -geometry option, one per mode. Here’s an init.d service script that does just that. (I modified this based on one I found on DigitalOcean’s blog.)

#!/bin/bash
# /etc/init.d/vncserver: start or stop vnc4server for one user on display :1
PATH="$PATH:/usr/bin/"
export USER="jeff"
DISPLAY=":1"
# Every -geometry becomes a selectable mode; switch between them later with xrandr -s N
OPTIONS="-depth 16 -geometry 1920x1125 -geometry 1240x1920 -geometry 2560x1500 -geometry 1920x1080 -geometry 1774x1040 -geometry 1440x843 -geometry 1280x1120 -geometry 1280x1024 -geometry 1280x750 -geometry 1200x1100 -geometry 1024x768 -geometry 800x600 ${DISPLAY}"
. /lib/lsb/init-functions
case "$1" in
    start)
        log_action_begin_msg "Starting vncserver for user '${USER}' on localhost${DISPLAY}"
        su ${USER} -c "/usr/bin/vnc4server ${OPTIONS}"
        log_action_end_msg $?
        ;;
    stop)
        log_action_begin_msg "Stopping vncserver for user '${USER}' on localhost${DISPLAY}"
        su ${USER} -c "/usr/bin/vnc4server -kill ${DISPLAY}"
        log_action_end_msg $?
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
exit 0

The key here is the OPTIONS line with all the -geometry options. These will show up when you run xrandr from the command line:


You can use your VNC login to modify the file in the init.d directory (and indeed I did, using the editor called scite). But after making these changes you’ll need to restart the VNC service, just this once, since you’re changing its service settings. Doing so ends your current VNC session, and the service might not restart correctly, so you might need to log in through JuiceSSH to restart the VNC server. Then you can log back in with the VNC app. (You also might need to restart the SSH tunnel.) After you do, you’ll be able to configure the resolution, and from then on you can change it on the fly without restarting the VNC server.

To change resolutions without having to restart the VNC server, just type:

xrandr -s 1

Replace 1 with the number xrandr lists next to the resolution you want. The change takes effect immediately, with no restart of the VNC server.

Server Concerns

After everything is configured, you’re free to use the software you’re familiar with. The only catch is that hosts charge a good bit for servers that have plenty of RAM and disk space. As such, you might be limited on what you can run based on the amount of RAM and cores. Still, I’ve found that with just 2GB of RAM and 2 cores, with Ubuntu and LXDE, I’m able to have Chrome open with a few pages, LibreOffice with a couple of documents open, Geany for my code editing, my own server software running under node.js for testing, and the MySQL server. Occasionally if I get too many Chrome tabs open, the system will suddenly slow way down and I have to shut down tabs to free up more memory. Sometimes I run MySQL Workbench and it can bog things down a bit too, but it isn’t bad if I close up LibreOffice and leave only one or two Chrome tabs open. But in general, for most of my work, I have no problems at all.

And on top of that, if I do need more horsepower, I can spin up a bigger server with 4GB or 8GB and four cores or eight cores. But that gets costly and so I don’t do it for too many hours.

Multiple Screens

For fun, I did manage to get two screens going on a single desktop, one on my bigger 10-inch ASUS transformer tablet, and one on my smaller Nexus 7 all from my Linux server running on a public cloud host, complete with a single mouse moving between the two screens. To accomplish this, I started two VNC sessions, one from each tablet, and then from the one with the mouse and keyboard, I ran:

x2x -east -to :1

This basically connected the single mouse and keyboard to both displays. It was a fun experiment, but in my case, provided little practical value because it wasn’t like a true dual-display on a desktop computer. I couldn’t slide windows between the displays, and the Chrome browser won’t open under more than one X display. In my case, for web development, I wanted to be able to open up the Chrome browser on one tablet, and then the Chrome JavaScript debug window on the other, but that didn’t work out.

Instead, what I found more useful was to have an SSH command-line shell on the smaller tablet, and that’s where I would run my node.js server code, which was printing out debug information. Then on the other I would have the browser running. That way I can glance back and forth without switching between windows on the single VNC login on the bigger tablet.

Back to Security

I can’t stress enough the importance of making sure you have your security set up and that you understand how the security works and what the ramifications are. I highly recommend using SSH with a keyfile login only, and no password logins allowed. And treat this as a development or test machine; don’t put customer data on the machine that could open you up to lawsuits in the event the machine gets compromised.
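A quick way to verify the “keyfile login only, no password logins” recommendation on the server itself, as an added example that is not from the article: this awk-based check reads an sshd_config on stdin and reports the settings that still allow password logins. The two sample configs are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the article: check an sshd_config for the
# key-only login policy recommended above. Reads the config on stdin:
#   check_sshd_config < /etc/ssh/sshd_config
# sshd uses the FIRST value it sees for a keyword, and settings inside a
# Match block only apply to that block, so only the global section counts.
check_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "match" { exit }                     # global section ends here
        !(key in seen) { seen[key] = val }          # first occurrence wins
        END {
            # Defaults sshd applies when a keyword is absent.
            pa = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
            cr = ("challengeresponseauthentication" in seen) ? seen["challengeresponseauthentication"] : "yes"
            pk = ("pubkeyauthentication" in seen) ? seen["pubkeyauthentication"] : "yes"
            bad = 0
            if (pa != "no") { print "PasswordAuthentication is " pa " (want no)"; bad = 1 }
            # keyboard-interactive auth can still take a password through PAM
            if (cr != "no") { print "ChallengeResponseAuthentication is " cr " (want no)"; bad = 1 }
            if (pk != "yes") { print "PubkeyAuthentication is " pk " (want yes)"; bad = 1 }
            if (!bad) print "ok"
        }'
}

# Constructed samples: the password-login setup the article warns against,
# and the key-only setup it recommends.
WEAK_CONFIG='PasswordAuthentication yes
PubkeyAuthentication yes'
HARDENED_CONFIG='PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

echo "weak sample:";     printf '%s\n' "$WEAK_CONFIG"     | check_sshd_config
echo "hardened sample:"; printf '%s\n' "$HARDENED_CONFIG" | check_sshd_config
```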

Instead, for production machines, allocate your production servers using all the best practices laid out by your own IT department security rules, and the host’s own rules. One issue I hit is my development machine needs to log into git, which requires a private key. My development machine is hosted, which means that private key is stored on a hosted server. That may or may not be a good idea in your case; you and your team will need to decide whether to do it. In my case, I decided I could afford the risk because the code I’m accessing is mostly open-source and there’s little private intellectual property involved. So if somebody broke into my development machine, they would have access to the source code for a small but non-vital project I’m working on, and drafts of these articles–no private or intellectual data.

Web Developers and A Pesky Thing Called Windows

Before I wrap this up, I want to present a topic for discussion. Over the past few years I’ve noticed that a lot of individual web developers use a setup quite similar to what I’m describing. In a lot of cases they use Windows instead of Linux, but the idea is the same regardless of operating system. But where they differ from what I’m describing is they host their entire customer websites and customer data on that one machine, and there is no tunneling; instead, they just type in a password. That is not what I’m advocating here. If you are doing this, please reconsider. (I personally know at least three private web developers who do this.)

Regardless of operating systems, take some time to understand the ramifications here. First, by logging in with a full desktop environment, you’re possibly slowing down your machine for your dev work. And if you mess something up and have to reboot, your clients’ websites aren’t available during that time. Are you using replication? Are you using private networking? Are you running MySQL or some other database on the same machine instead of using virtual private networking? Entire books could be (and have been) written on such topics and what the best practices are. Learn about replication; learn about virtual private networking and how to shield your database servers from outside traffic; and so on. And most importantly, consider the security issues. Are you hosting customer data on a site that could easily be compromised? That could spell L-A-W-S-U-I-T. And that brings me to my conclusion for this series.

Concluding Remarks

Some commenters on the previous articles have brought up some valid points; one even used the phrase “playing.” While I really am doing development work, I’m definitely not doing this on production machines. If I were, that would indeed be playing and not be a legitimate use for a production machine. Use SSH for the production machines, and pick an editor to use and learn it. (I like vim, personally.) And keep the customer data on a server that is accessible only from a virtual private network. Read this to learn more.

Learn how to set up and configure SSH. And if you don’t understand all this, then please, practice and learn it. There are a million web sites out there to teach this stuff, including linux.com. But if you do understand and can minimize the risk, then, you really can get some work done from nearly anywhere. My work has become far more productive. If I want to run to a coffee shop and do some work, I can, without having to take a laptop along. Times are good! Learn the rules, follow the best practices, and be productive.

See the previous tutorials:

How to Set Up Your Linux Dev Station to Work From Anywhere

Choosing Software to Work Remotely from Your Linux Dev Station