Posts tagged ‘chrome’

Krebs on Security: Yet Another Emergency Flash Player Patch

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time in a week, Adobe has issued an emergency update to fix critical security flaws that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X.

Last week, Adobe released an out-of-band Flash Patch to fix a dangerous bug that attackers were already exploiting. In that advisory, Adobe said it was aware of yet another zero-day flaw that also was being exploited, but that last week’s patch didn’t fix that flaw.

Earlier this week, Adobe began pushing out Flash v. 16.0.0.296 to address the outstanding zero-day flaw. Adobe said users who have enabled auto-update for Flash Player will be receiving the update automatically this week. Alternatively, users can manually update by downloading the latest version from this page.

Adobe said it is working with its distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. Google Chrome version 40.0.2214.93 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Linux How-Tos and Linux Tutorials: How to Install a Seafile Server to Run a Private Cloud

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

Cloud is a buzzword these days; everyone is moving to the cloud even if most of us don’t even know what it actually means. To me, cloud is a fictional place that processes and stores my data; in the process it liberates me from that one device where my data is stored. With ‘Cloud’ I can access my data from any networked device.

What actually happens is that my data moves from my local machine to a remote machine or a remote cluster of machines – the storage and processing of the data happens at those machines.

This ‘movement’ of data changes things dramatically. If I don’t ‘own’ those remote machines, the one who does also becomes the ‘co-owner’ of my data. The ‘co-owner’ will scan my private data to see if it infringes upon any copyrights and it may block access to my own data for numerous, unclear reasons.

There was one incident where Microsoft allegedly blocked a user from accessing their own data after the company found some objectionable content in the user’s private folder. I wonder what Microsoft was doing in a private folder?

The point is, I don’t trust third party cloud providers, and cases like these further reinforce my belief to not trust them.

That’s why I keep all of my private data on a cloud that I run and own. I have used a couple of open source file sync and storage solutions, including ownCloud, and recently came to know about Seafile which is quickly becoming my favorite.

A few weeks ago I installed Seafile on my server and made it my primary cloud. Since open source is all about sharing, let’s share the procedure I followed to install Seafile on a server.

My server

I am running Seafile on a Virtual Private Server (VPS) running fully patched Ubuntu 14.04. So get yourself an Ubuntu or Debian machine and let’s get started.

Step #1 Install and secure MariaDB

I don’t use MySQL and heavily recommend MariaDB. To get the latest version of MariaDB, which is 10.x (I don’t recommend the 5.x branch), on Ubuntu, you need to enable extra repositories. Check out this page to get instructions for adding the appropriate repository for your OS. Since I am using Ubuntu 14.04 I added the repo through the following steps:

sudo apt-get install software-properties-common
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
sudo add-apt-repository 'deb http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.0/ubuntu trusty main'

Update the repositories and install MariaDB:

sudo apt-get update
sudo apt-get install mariadb-server

During the installation, MariaDB will ask for a root password for the database, which is different from the system root password. Enter the desired password to proceed.

Now we need to secure the database, but we need to kill the database server daemon before we proceed to the next step or you will encounter an error:

sudo killall mysqld

Now run the following command:

sudo mysql_install_db

Once it runs successfully start the database server:

sudo service mysql start

Then run this command:

sudo mysql_secure_installation

It will ask you to provide the root password. In the next step, it will ask whether you want to change the root password for the database: say no. In the rest of the steps, say ‘yes’ to everything. If everything works fine then you will see this message:

Thanks for using MariaDB!

Step #2 Install Apache

Now it’s time to install the web server and enable the needed modules. On this server I am using Apache with FastCGI. Since FastCGI is not available through default repositories we have to enable the Multiverse repository. In most cases, depending on your VPS provider, the multiverse repos are available in the source list but commented out. Open the source list file and uncomment them:

sudo nano /etc/apt/sources.list

If the repositories are not in the sources.list file, then add them from this page of the Ubuntu Wiki.

The default Ubuntu repositories look like the ones below, but you may want to find a mirror closer to your server for better performance:

deb http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse

Once the multiverse repos are enabled, run an update and install the two packages:

sudo apt-get update
sudo apt-get install apache2 libapache2-mod-fastcgi

Then enable these modules:

a2enmod rewrite
a2enmod fastcgi
a2enmod proxy_http

Step #3 Configure Vhost

Before we move ahead let’s create the web directory where we will download Seafile packages. On Ubuntu it should be under /var/www/

sudo mkdir -p /var/www/directory_name

example

sudo mkdir -p /var/www/sea

Now we have to create a vhost file for the seafile server:

nano /etc/apache2/sites-available/your_vhost_name.conf

Example

nano /etc/apache2/sites-available/sea.conf

The vhost file should look something like the one below:

<VirtualHost *:80>
    ServerName www.your-domain-name.com
    # Use "DocumentRoot /var/www/html" for Centos/Fedora
    # Use "DocumentRoot /var/www" for Ubuntu/Debian
    DocumentRoot /var/www/your-directory/
    Alias /media /var/www/your-directory/seafile-server-latest/seahub/media
    RewriteEngine On
    <Location /media>
        Require all granted
    </Location>
    # seafile fileserver
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    RewriteRule ^/seafhttp - [QSA,L]
    # seahub
    RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ /seahub.fcgi$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</VirtualHost>

In your vhost you have to change three things:

ServerName to reflect the URL of your server
DocumentRoot: provide the path to the directory we created above
Alias /media /var/www/your_directory_path/seafile-server-latest/seahub/media

Open the apache.conf file

nano /etc/apache2/apache2.conf

and add this line at the end (don’t forget to change the path of the directory):

FastCGIExternalServer /var/www/your_directory_path/seahub.fcgi -host 127.0.0.1:8000

Step #4 Install Seafile

First install the packages needed by Seafile:

apt-get install python2.7 python-setuptools python-imaging python-mysqldb python-flup

Now let’s ‘cd’ to the newly created directory where we will install Seafile

cd /var/www/sea/

wget the latest Seafile packages into this directory (you should check the download page for the latest release):

sudo wget https://bitbucket.org/haiwen/seafile/downloads/seafile-server_4.0.5_x86-64.tar.gz

Extract the files:

tar xzvf seafile-server*

Then cd to the extracted ‘seafile-server’ directory

cd seafile-server*

Run this script which will create the required databases and directories for the Seafile server:

./setup-seafile-mysql.sh

This script will guide you through setting up your Seafile server using MySQL. Choose the default options for steps between 3–6:

“ENTER” to continue
1: Give Server name
2: Server IP or domain
3: Default port
4: Where do you want to put your seafile data?
5: Which port do you want to use for the seafile server?
6: Which port do you want to use for the seafile fileserver?
7: Create user (If you don’t have users then choose the option [1] which will automatically create database and users.)

If you chose option [1] to create databases, you will come across the following options. In option 4, instead of using ‘root’ as the user for the Seafile database, create a new user. In my case, I created a user named ‘seau’. Leave everything else as is.

1 What is the host of mysql server?
[ default “localhost” ] 
2 What is the port of mysql server?
[ default “3306” ] 
3 What is the password of the mysql root user?
[ root password ] 
verifying password of user root … done
4 Enter the name for mysql user of seafile. It would be created if not exists.
[ default “root” ] seau
5 Enter the password for mysql user “seau”:
[ password for seau ] 
6 Enter the database name for ccnet-server:
[ default “ccnet-db” ] 
7 Enter the database name for seafile-server:
[ default “seafile-db” ] 
8 Enter the database name for seahub:
[ default “seahub-db” ]

Once done the script will give you a summary of the tasks performed.

Now we have to edit two configuration files: ccnet.conf and seahub_settings.py. These files reside in the document root directory.

Open ccnet.conf with your preferred editor (I use nano):

sudo nano /var/www/your-directory/ccnet/ccnet.conf

In this file check that the ‘SERVICE_URL’ points to the correct domain.

SERVICE_URL = http://www.your_domain.com:8000

Now edit the second config file:

sudo nano /var/www/your-directory/seahub_settings.py

and add the following line before DATABASES

FILE_SERVER_ROOT = 'http://www.your-domain.com/seafhttp'

Step #5 Start the server

First we have to run a script which will enable the site which we configured within the apache2 configuration at Step #3 Configure Vhost.

a2ensite your_vhost_name.conf

In my case it was:

a2ensite sea.conf

Then restart apache:

service apache2 restart

Now let’s run Seafile server

/var/www/your-directory/seafile-server-latest/./seafile.sh start
/var/www/your-directory/seafile-server-latest/./seahub.sh start-fastcgi

The second command will ask you to create an admin account for your Seafile server, which will be an existing email ID and password. This email ID and password will be used to log into your server.

That’s it. You are all set.

Open any web browser, Chrome is recommended, and enter the site URL or IP address of your server

Example:

www.seafile.com

or

10.20.11.11

This will open the login page of your Seafile server. Enter the username and password, which you created above, and you will be logged into your very own Seafile server! Bye bye Dropbox!
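
A check worth running once the server is up, added here as an example that is not part of the original tutorial: confirm that the backends placed behind Apache are not also listening on the network. The ports are the ones used above (8000 for seahub FastCGI, 8082 for the seafile fileserver, 3306 for MariaDB); the helper name exposed_backends and the sample `ss -ltn` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): list backend listeners that are
# reachable from outside the loopback interface.
# Ports are the ones used above: 8000 seahub FastCGI, 8082 seafile
# fileserver, 3306 MariaDB. Only Apache on port 80 should face the network.
BACKEND_PORTS="8000 8082 3306"

# exposed_backends (hypothetical helper): reads `ss -ltn` output on stdin and
# prints "port address" for each backend port bound to a non-loopback address.
exposed_backends() {
    awk -v ports="$BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            laddr = $4                       # 127.0.0.1:8000, *:8082, [::]:3306 ...
            port = laddr
            sub(/^.*:/, "", port)            # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            print port, addr
        }
    ' | sort -n
}

# Constructed sample in the format printed by `ss -ltn`.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    127.0.0.1:8000      *:*
LISTEN  0      128    *:8082              *:*
LISTEN  0      128    0.0.0.0:3306        *:*
LISTEN  0      128    :::80               :::*
LISTEN  0      128    *:22                *:*
EOF
}

# Demo on the sample; on the server itself run:  ss -ltn | exposed_backends
sample_ss_output | exposed_backends
```

Anything this prints can be reached without passing through Apache; bind that service to 127.0.0.1 or block the port at the firewall.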

Getting started with Seafile server

Seafile uses a different model. Unlike Dropbox or ownCloud, everything is a library here. You can think of these as directories. These Libraries are the ones that are synced between different machines using desktop clients.

You can either create desired folders inside the default ‘My Library’ or create new Libraries if you want more flexibility with syncing. I simply deleted the default ‘My Library’ and created a couple of Libraries such as Images, Documents, eBooks, Music, Movies, etc. The great news about Seafile is that you can encrypt these libraries right from the web browser.

Go ahead and download the desktop client for your OS. When you run the client for the first time it will ask for the location where you would like the client to keep files.

Enter the account details for the server. Then right click on the library that you want to sync with this machine.

The client will give you the option to choose the desired location for this file. This is one part that I love the most about Seafile, as I can have different Libraries synced with folders on different partitions.

That’s all! Enjoy your very own ‘Seafile Cloud Server’.

SANS Internet Storm Center, InfoCON: green: Adobe updates Security Advisory for Adobe Flash Player, Infocon returns to green, (Mon, Jan 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

On Saturday, 24 JAN 2015, Adobe updated their Security Advisory for Adobe Flash Player specific to CVE-2015-0311. From the update:

Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

To that end we […] GREEN. Please ensure you apply updates as soon as possible and stay tuned here as additional related information […]

@holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: yellow: Flash 0-Day: Deciphering CVEs and Understanding Patches, (Fri, Jan 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: yellow

(updated with Jan 24th update)

In the last two weeks, we have so far had two different Adobe advisories (one regularly scheduled, and one out of band), and three new vulnerabilities. I would like to help our readers decipher some of the CVEs and patches that you may have seen.

CVE Fixed in Flash Version […] yes APSA15-01

So in short: There is still one unpatched Flash vulnerability. Systems running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Linux How-Tos and Linux Tutorials: How to Install and Update Software on openSUSE Like a Pro

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

There are so many reasons why you might be considering the migration to SUSE or openSUSE. For some, it’s the logical step to integrating Linux into a business environment (SUSE paid support is phenomenal and the openSUSE community is always at the ready to help). To others, it’s one of the most power-user friendly Linux distributions on the market.

Regardless of why you are considering a move to the SUSE ecosystem (be it through SUSE or openSUSE), it’s best you know the tools of the trade before you make the leap. Fortunately, as with the whole of the Linux landscape, package management is an incredibly user-friendly task ─ when you know what you’re looking for.

Some distributions make the process of managing software incredibly easy. Take, for instance, Ubuntu Linux. Front and center on the Launcher is the Ubuntu Software Center icon. Click that icon and search hundreds of thousands of apps to install. With openSUSE, you won’t find that launcher so up front and center, but the tool is easy to locate and easy to use.

Let’s dive into the world of package management with openSUSE, from the GUI perspective. After giving this a read, you should be able to easily install software, update your machine, and even add repositories (so you can install third-party applications).

YaST2 is all you need

One outstanding element of the SUSE-verse is that they centralize the vast majority of their system management into a single tool called YaST2 (Yet Another Setup Tool). From within YaST2 you can do a great many things, one of which is manage the software on your system.

I’m going to be working with the latest release of openSUSE (13.2) and the KDE desktop. If you’ve opted for the GNOME desktop environment, this will not change YaST (only how you get to YaST2).

The easiest way to get to YaST2 is to open up the KDE “K” menu and type “yast” in the search field (Figure 1). When the YaST2 entry appears, click it to fire up the tool.

 Once YaST2 is open, click on the Software entry in the left navigation (Figure 2) to reveal all of the available software-related entries.

Installing software

The first thing I want to demonstrate is how to install a piece of software. This is quite simple. From within the Software section of YaST2, click Software Management and wait for the software management system to open.

  1. Enter the title of the software you want to install in the Search field.

  2. Click Search.

  3. When the software appears in the main panel, click the associated check box (Figure 3).

  4. Click Accept.

  5. Read through the dependencies (a popup will appear).

  6. If the dependencies are acceptable, click Continue.

  7. Allow the installation to complete.

  8. When the software installation is complete, click Finish.

That’s it! You’ve officially installed your first piece of software on openSUSE.

Updating software

One of the most important things you can do with YaST2 is update your system. Updates are crucial as they often contain security patches and bug fixes. Updates are handled from within the same YaST2 sub-section (Software). Within that sub-section, you will find an entry called Online Update. Click that and YaST2 will check for available updates. When the check is complete, you will be presented with a full listing of what is available (Figure 4).

Figure 4: Upgrading your system with YaST2.

By default, all available upgrades will be selected for processing. You can comb through the package listing and de-select any packages you might not want to upgrade. However, if you opt to remove packages from the upgrade list, know that they can impact other upgrades as well. If you’re okay with the list, click Accept and the upgrade will begin.

NOTES: In some instances (as with the upgrade of any Adobe packages), you may have to accept an End User License Agreement (EULA). There may also be conflict resolution to deal with. To resolve any issues, click Continue when presented with the dependency resolutions. If the kernel is being updated, YaST will inform you that a reboot will be necessary. To continue after this warning, you must click Continue (Figure 5).

Depending upon how many updates are available, the process can take a while. Sit back and enjoy or go about administering your other machines or network. Once the update completes, reboot the machine (if prompted) and enjoy the latest iteration of your software packages.

Adding repositories

Now we get into something that may be a bit more challenging to newcomers. First and foremost, what is a software repository? Software repositories are simply online locations that house packages for installation. The openSUSE platform has its own, official, repositories and many other applications have their own. When you search for a piece of software to install within YaST2 ─ a software title you know exists for Linux ─ and it doesn’t appear in the search results, most likely YaST2 simply doesn’t know where to find it. Because of this, you have to tell YaST2 where that software can be found: a software repository.

Let’s say, for instance, you want to install the Google Chrome browser onto openSUSE. To do this, you will have to first add the official Google repository. Here are the steps:

  1. Open YaST2

  2. Click on Software (left panel)

  3. Click on Software Repositories (right panel)

  4. From the Software Repositories click Add (Figure 6)

    Figure 6: Adding a new software repository.

  5. Select Specify URL and click Next

  6. Name the repository Google Chrome

  7. Enter the url http://dl.google.com/linux/rpm/stable/i386 (Figure 7)

  8. Click Next

  9. Click OK

  10. Click Yes (when prompted) to accept the GnuPG Key.

NOTE: If you are using a 64-bit machine, the above URL would change to http://dl.google.com/linux/rpm/stable/x86_64

At this point, you can now go back to the Software Management section, search for Google Chrome, and install (Figure 8).

Figure 8: You can now install Google Chrome on openSUSE.

If you find a package you want to install on openSUSE, and it doesn’t show up in YaST2, a bit of googling should locate an available repository for the platform.

Managing software on openSUSE is not in the least bit challenging. Once you know where to look and what to do, you can be installing and updating software like a pro.

Krebs on Security: Flash Patch Targets Zero-Day Exploit

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.

Early indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs — exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting a previously undocumented vulnerability in Flash that appears to work against many different combinations of Internet Explorer browser on Microsoft Windows systems.

Attackers may be targeting Windows and IE users now, but the vulnerability fixed by this update exists in versions of Flash that run on Mac and Linux as well. The Flash update brings the media player to version 16.0.0.287 on Mac and Windows systems, and 11.2.202.438 on Linux.

While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits. In a statement released along with the Flash update today, Adobe said its patch addresses a newly discovered vulnerability that is being actively exploited, but that there appears to be another active attack this patch doesn’t address.

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” Adobe said. “Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although as of this writing it seems that the latest version of Chrome (40.0.2214.91) is still running v. 16.0.0.257.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

I am looking forward to the day in which far fewer sites require Flash Player to view content, and instead rely on HTML5 for rendering video content. For now, it’s probably impractical for most users to remove Flash altogether, but there are in-between options to limit automatic rendering of Flash content in the browser. My favorite is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Darknet - The Darkside: Flash Zero Day Being Exploited In The Wild

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This is not the first Flash Zero Day and it certainly won’t be the last, thanks to the Sandbox implemented in Chrome since 2011 – users of the browser are fairly safe. Those using IE are in danger (as usual) and certain versions of Firefox. It has been rolled into the popular Angler Exploit Kit, […]

The post Flash Zero Day Being…

Read the full post at darknet.org.uk

SANS Internet Storm Center, InfoCON: green: Flash 0-Day Exploit Used by Angler Exploit Kit, (Wed, Jan 21st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

The Angler exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Linux How-Tos and Linux Tutorials: How to Stream Content from a Linux System to Chromecast

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

Chromecast is one of the most used devices in my household. After using it for over a year now, I believe there is no longer a market for the so-called ‘smart TV’. Inexpensive devices like Chromecast can turn any HDMI-enabled TV into a smart TV with immense possibilities to expand its features.

Google continues to add new features to Chromecast, except for one much-needed feature: native support for playback of local content. There is no _easy_ way to stream content sitting on your smart phone or desktop to Chromecast. Let me be honest, there are some Chrome apps which can play videos stored on your computer, but none offer a desirable solution.

However, nothing is impossible for a Linux user. 

What’s desirable? The Chromecast is plugged into the TV in the living room whereas my PCs and hard-drives are in my office. There are three doors between these two rooms and I don’t want to shuttle in between my living room and office to play movies. I want the control to be in my hands, while I lie on the couch. The data remains on my PCs and I can use my Android devices to stream content to Chromecast, without having to get up. I am lazy!

Well, that’s exactly what I have done. I have created a local file server on my Linux box, which allows me to access movies, music and images from any device over the local network. Then I use an Android app which works as a remote to access and stream these files to the Chromecast. And I will show you how to do this, too.

Let’s get started. First things first. Let’s make our data accessible over the local network, and there is nothing better than setting up a Samba server. There are different ways of installing and configuring Samba on different distributions. Since I run openSUSE, Arch Linux and Kubuntu on my PCs, in this tutorial I will focus on openSUSE and Ubuntu families (Arch users can refer to the official wiki).

Install Samba Server

The chances are that Samba is already installed on your system; in that case skip this section and fast forward to ‘Grab File Manager’ section:

Step #1: Install Samba

openSUSE:

 $ sudo zypper in samba

Kubuntu/Ubuntu family:

 $ sudo apt-get install samba

Step #2: Now we need to add a user to a Samba group so it will have the desired permissions to access the shared data. Since I don’t let guests access my file server I really don’t bother with creating a separate user. In this tutorial we are using the system user for samba share.

openSUSE:

We need to create a Samba group in openSUSE and add the user to that group.

$ sudo groupadd smbgroup
$ sudo usermod -a -G smbgroup name_of_user
$ sudo smbpasswd -a name_of_user

Ubuntu/Kubuntu:

$ sudo smbpasswd -a name_of_user

Step #3 Now we have to edit the Samba configuration files to tell Samba which directories are shared. This step is the same for all distributions:

$ sudo nano /etc/samba/smb.conf

In this file, leave the entire [global] section intact and comment everything below it. Right after the end of the [global] section add a few lines using the following pattern:

[4TB] -> The name of the shared directory
path = /media/4tb/ -> The path of the shared directory 
read only = No -> Ensures that it's not read only
browsable = yes -> Ensures that the subfolder of the directory are browsable 
writeable = yes -> Ensures that user can write to it from networked device
valid users = swapnil -> The system user

In my case it looks something like this:

[4TB]
path = /media/4tb/
read only = No
browsable = yes
writeable = yes
valid users = swapnil

Add a new section for each directory you want to share over the network.

Step #4 Start Samba server.

Now we have to start the server and also ensure that it kicks in at system boot.

openSUSE:

Start Samba services:

systemctl start smb.service 
systemctl start nmb.service 

Then enable the services to start at system boot:

systemctl enable smb.service 
systemctl enable nmb.service 

Ubuntu/Kubuntu:

sudo service nmbd restart
sudo service smbd restart

You should now be able to access these directories over the local network.
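
Since every share added in Step #3 is reachable by anything on the local network, here is a small audit of the share sections, given as an added example that is not part of the original tutorial. It flags shares that allow guests and writable shares that lack a "valid users" line (Samba then lets any user with a Samba password log in); the helper name audit_shares and the [Movies] and [Public] sections in the sample are constructed, while [4TB] is the share shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the share sections of an
# smb.conf for guest access and for writable shares with no "valid users".

# audit_shares (hypothetical helper): reads smb.conf on stdin and prints one
# "share: finding" line per problem. Parameter names are matched the way Samba
# does, ignoring case and embedded spaces, including the common synonyms.
audit_shares() {
    awk '
        function norm(s)   { gsub(/[ \t]/, "", s); return tolower(s) }
        function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function report() {
            if (share == "" || tolower(share) == "global") return
            if (guest) print share ": guest access allowed"
            if (writable && users == "") print share ": writable with no valid users list"
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                 # new section header
            report()
            share = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
            guest = 0; writable = 0; users = ""       # Samba defaults
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = norm(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "guestok" || key == "public") guest = truthy(val)
            else if (key == "readonly") writable = !truthy(val)
            else if (key == "writeable" || key == "writable" || key == "writeok") writable = truthy(val)
            else if (key == "validusers") users = val
        }
        END { report() }
    '
}

# Constructed sample: [4TB] is the share from the tutorial, the rest is made up.
sample_smb_conf() {
    cat <<'EOF'
[global]
workgroup = WORKGROUP

[4TB]
path = /media/4tb/
read only = No
browsable = yes
writeable = yes
valid users = swapnil

[Movies]
path = /media/movies/
writeable = yes

[Public]
path = /srv/public/
guest ok = yes
read only = yes
EOF
}

# Demo on the sample; on the server run:  audit_shares < /etc/samba/smb.conf
sample_smb_conf | audit_shares
```

The check covers share sections only; guest-related settings in [global] are outside what it inspects.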

Grab file manager

I use Android because I find iOS to be a sub-standard and extremely restricted OS when it comes to getting some real work done. I couldn’t find a decent free file explorer on the App Store which can compete with the ones available on Android. ES File Manager is one of the best applications out there, for our set-up.

Download and install ES File Manager and its Chromecast Plugin from Google Play Store.

Open the app and go to ‘network’ option from the menu.

Select LAN and run ‘scan’.

It will detect your Samba server; provide the app with the username and password (the system user for your PC where Samba is installed). (See Image 1, above.)

Once connected, open the network directory where the media is saved and choose the file that you want to play on Chromecast. (Image 2) Long press on the file and it will show a checkbox. Tick the ‘checkbox’ and then click on the ‘more’ option at bottom left. You will see ‘Chromecast’ in the menu. Select Chromecast and it will scan for the Chromecasts available on your network. Hit on the name of your device when it pops up and your video will start playing on the Chromecast. (Image 3)

Now you can just lay back in your couch and play movies, music and images right from your palm. Linux and open source just turned you into a couch potato.

The Hacker Factor Blog: Two Steps Forward, One Step Back

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Today I moved FotoForensics from the original server to a new server. Back when I first took on this project (Feb 2012), there were a few immediate hurdles. Getting the legal issues covered, designing and developing the server software, and most importantly: finding a hosting site.

I initially tried to get a price quote for using the Amazon Cloud. But after a few hours of their online pricing system, I realized that I could not get a straight answer. It would cost me somewhere between $10 and $1000 a month, but I wouldn’t know more until after I got the bill.

I also priced out a couple of other hosting sites. Nothing was in a range I could afford. And it didn’t help that, starting up a new online service, I had no idea about bandwidth requirements.

Fortunately, my friend Chris came to my rescue. He had a server and offered me a virtual machine on the system. I had one CPU, a good amount of RAM, and a 250 gig partition for storing files.

After nearly three years, FotoForensics has outgrown that system. Today, I moved everything to a new server. Instead of one CPU, the kernel sees six. Instead of a gig of RAM, I’ve allocated four gigs. And disk space? I’ve allocated 1.5T. I left some room to expand, just in case it’s needed. The first server could handle a flood of requests from Reddit. This new server? Should have plenty of power for the next few years.

Thanks Chris — I wouldn’t have been able to do this without your help.

Nothing’s ever easy

The transfer of the FotoForensics site, from the original server to the new hardware, seemed painless. The new OS installed without problems. Files transferred without issue, and the DNS updated properly. Total downtime was about 15 minutes. The new system is really snappy! While the network isn’t any faster, computing time is noticeably reduced.

Of course, there were a few hiccups. I installed the latest-greatest Ubuntu LTS. The original server was running Ubuntu 10.04. Since LTS releases only have 5 years of support, and “10” came out in 2010, it didn’t make sense to stick with an obsolete system. The problem is, between 2010 and 2014, Apache was updated and changed their configuration files. Rather than having the confusing “Order allow,deny” rules, they now have confusing “Required deny/granted” rules. (Less confusing, but a pain to debug on the fly.)

After the server was up and running, everything looked great. Until the first segfault happened. Then another. And another… Here’s what they look like:

[Sun Jan 18 14:08:57.803056 2015] [core:notice] [pid 840] AH00052: child pid 1602 exit signal Segmentation fault (11)
[Sun Jan 18 14:10:38.001748 2015] [core:notice] [pid 840] AH00052: child pid 1604 exit signal Segmentation fault (11)
[Sun Jan 18 14:10:38.001984 2015] [core:notice] [pid 840] AH00052: child pid 1606 exit signal Segmentation fault (11)
[Sun Jan 18 14:17:29.337708 2015] [core:notice] [pid 840] AH00052: child pid 1851 exit signal Segmentation fault (11)
[Sun Jan 18 14:19:54.796962 2015] [core:notice] [pid 2134] AH00052: child pid 2138 exit signal Segmentation fault (11)
[Sun Jan 18 14:37:12.774170 2015] [core:notice] [pid 11312] AH00052: child pid 11613 exit signal Segmentation fault (11)
[Sun Jan 18 15:10:55.751700 2015] [core:notice] [pid 11312] AH00052: child pid 12417 exit signal Segmentation fault (11)
[Sun Jan 18 15:10:55.751901 2015] [core:notice] [pid 11312] AH00052: child pid 12433 exit signal Segmentation fault (11)
[Sun Jan 18 15:13:47.985333 2015] [core:notice] [pid 11312] AH00052: child pid 12592 exit signal Segmentation fault (11)
[Sun Jan 18 15:18:53.698946 2015] [core:notice] [pid 12854] AH00052: child pid 12902 exit signal Segmentation fault (11)
[Sun Jan 18 15:19:43.765232 2015] [core:notice] [pid 12854] AH00052: child pid 12887 exit signal Segmentation fault (11)
[Sun Jan 18 15:38:32.076192 2015] [core:notice] [pid 13150] AH00052: child pid 13346 exit signal Segmentation fault (11)
[Sun Jan 18 15:54:40.371988 2015] [core:notice] [pid 13150] AH00052: child pid 13636 exit signal Segmentation fault (11)
[Sun Jan 18 15:54:40.372105 2015] [core:notice] [pid 13150] AH00052: child pid 13651 exit signal Segmentation fault (11)
[Sun Jan 18 16:31:44.588575 2015] [core:notice] [pid 15416] AH00052: child pid 25734 exit signal Segmentation fault (11)
[Sun Jan 18 17:02:39.581156 2015] [core:notice] [pid 4928] AH00052: child pid 5114 exit signal Segmentation fault (11)
[Sun Jan 18 17:14:55.486788 2015] [core:notice] [pid 4928] AH00052: child pid 5283 exit signal Segmentation fault (11)
[Sun Jan 18 17:15:07.505491 2015] [core:notice] [pid 4928] AH00052: child pid 5122 exit signal Segmentation fault (11)

I searched for these errors online and found literally hundreds of people who see the same problem. There’s lots of guesswork about the cause, but nobody has a solution. Some people think it’s an Apache problem. The Apache community says it is a PHP problem. The PHP people just have an open bug.

There’s a wide variety of suggestions. Increase the number of worker threads, remove unused modules, etc. I’ve tried them all. Nothing solves the issue.

I even tried to regress the version of PHP, but that caused other problems. (Seriously: don’t try regressing.) Looking over the changelogs, it looks like the most recent PHP versions fixed various memory leaks. I grabbed the last two stable PHP releases and tried to compile them. They compile fine, but both fail the self tests. I’m not going to install “stable” code that fails a self-test.

I was just about to reinstall with 10.04 LTS (since it was stable and didn’t have these errors), but then I noticed something… My site has one visitor every 1-2 seconds, so it’s easy to match the error to the visitor. So far, 100% of the time, my site identifies an iPhone/iPad user visiting the site a fraction of a second before the segfault occurs. Firefox doesn’t have a problem. Chrome is fine. Only iPhone/iPad browsers. It isn’t every iPhone/iPad, and I’m not seeing any access logs showing an error result. So as far as I can tell, users are not seeing this — only me.

I searched for this same bug associated with iPhone devices and found one great hint: Apache-2.4 Gives Segmentation Fault On Apple-clients. In this posting from 2012, Pascal describes the problem and the symptoms perfectly. He concludes by speculating about an AppleWebkit issue. However, I’m not sure that the problem is related to AppleWebkit. I think it might be related to how user-agent strings are processed in .htaccess files.

The closest thing I could find is in /etc/apache2/mods-enabled/setenvif.conf. This file contains a bunch of special handling rules for specific user-agents. For example:

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4.0" force-response-1.0
BrowserMatch "Java/1.0" force-response-1.0
BrowserMatch "JDK/1.0" force-response-1.0

I went ahead and disabled these special exceptions. I also added in code to check for undefined superglobals, as Pascal identified. The net result is that these steps reduced the problem from every few seconds to once every 10-30 minutes. The crashes are not gone, but they’re less often. And they are still related to iOS devices. I cannot help but wonder if iOS is doing something weird with the network socket. Maybe sending unexpected packets, not closing, or sending something out of band? Or maybe it’s a problem with MPM?

I’m very open to suggestions, recommendations, and possible solutions.
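The matching of segfaults to visitors described in the post above can be scripted; the following is an added example, not code from the original post. The four error-log lines are copied from the post, while the access-log lines, addresses, user-agent strings and the two-second window are constructed assumptions, and both logs are assumed to share one local clock.

```python
import re
from bisect import bisect_left, bisect_right
from collections import Counter
from datetime import datetime, timedelta

# AH00052 line in Apache 2.4 error-log format, as quoted in the post.
SEGV_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d+ [\d:]+\.\d+ \d{4})\] \[core:notice\] \[pid \d+\] "
    r"AH00052: child pid (?P<child>\d+) exit signal Segmentation fault"
)
# Combined access-log line; only the timestamp and User-Agent are needed here.
ACCESS_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def ua_family(ua):
    """Coarse family; iOS is tested first because Chrome for iOS also names the device."""
    if re.search(r"\b(iPhone|iPad|iPod)\b", ua):
        return "iOS"
    if "Firefox/" in ua:
        return "Firefox"
    if "Chrome/" in ua:
        return "Chrome"
    return "other"


def parse_segfaults(lines):
    out = []
    for line in lines:
        m = SEGV_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            out.append((when, int(m["child"])))
    return out


def parse_access(lines):
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            # Assumption: same local clock as the error log, so the UTC offset is dropped.
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            out.append((when, ua_family(m["ua"])))
    return sorted(out)


def summarize(error_lines, access_lines, window=timedelta(seconds=2)):
    """For each segfault, collect the browser families logged in the window before it."""
    hits = parse_access(access_lines)
    times = [t for t, _ in hits]
    crashes = parse_segfaults(error_lines)
    windows_with, in_every = Counter(), None
    for when, _child in crashes:
        # Access logs have one-second resolution, so truncate before looking back.
        lo = bisect_left(times, when.replace(microsecond=0) - window)
        hi = bisect_right(times, when)
        seen = {fam for _, fam in hits[lo:hi]}
        windows_with.update(seen)
        in_every = seen if in_every is None else in_every & seen
    return {
        "segfaults": len(crashes),
        "windows_with": windows_with,              # crash windows containing each family
        "in_every_window": sorted(in_every or ()),
        "baseline": Counter(fam for _, fam in hits),  # share of all logged requests
    }


SAMPLE_ERRORS = [  # copied from the post
    "[Sun Jan 18 14:08:57.803056 2015] [core:notice] [pid 840] AH00052: child pid 1602 exit signal Segmentation fault (11)",
    "[Sun Jan 18 14:10:38.001748 2015] [core:notice] [pid 840] AH00052: child pid 1604 exit signal Segmentation fault (11)",
    "[Sun Jan 18 14:10:38.001984 2015] [core:notice] [pid 840] AH00052: child pid 1606 exit signal Segmentation fault (11)",
    "[Sun Jan 18 14:17:29.337708 2015] [core:notice] [pid 840] AH00052: child pid 1851 exit signal Segmentation fault (11)",
]
IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4"
FX = "Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"
CR = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"


def _hit(ip, hhmmss, ua):
    return f'{ip} - - [18/Jan/2015:{hhmmss} -0700] "GET / HTTP/1.1" 200 5120 "-" "{ua}"'


SAMPLE_ACCESS = [  # constructed; documentation-range addresses
    _hit("198.51.100.7", "14:08:55", FX), _hit("203.0.113.21", "14:08:57", IOS),
    _hit("198.51.100.9", "14:09:40", CR), _hit("203.0.113.40", "14:10:37", IOS),
    _hit("198.51.100.7", "14:10:38", CR), _hit("198.51.100.12", "14:13:02", FX),
    _hit("203.0.113.21", "14:17:29", IOS), _hit("198.51.100.9", "14:17:31", FX),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ERRORS, SAMPLE_ACCESS))
```

A family that appears in every crash window is only a lead on a busy site, so compare its count in `windows_with` against its share in `baseline` before drawing a conclusion.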

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software.

Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.

For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch. Somehow I doubt this is the last time we’ll see this tension between these two software giants. But then again, who said patching had to be boring? For a full rundown of updates fixed in today’s release, see this link.

Adobe, as it is prone to do on Patch Tuesday, issued an update to fix a whole mess of security problems with its Flash Player program. Adobe’s update brings the Player to v. 16.0.0.257 for Windows and Mac users, and fixes at least nine critical bugs in the software. Adobe said it is not aware of exploits that exist in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

As always, please feel free to sound off in the comments section below with your experience about applying any of these security patches.

SANS Internet Storm Center, InfoCON: green: Adobe Patch Tuesday – January 2015, (Tue, Jan 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released one bulletin today, affecting Flash Player. The update should be applied to Windows, OS X as well as Linux versions of Adobe’s Flash Player. It is rated with a priority of 1 for most Windows versions of Flash Player.

Adobe Air, as well as browsers like Chrome and Internet Explorer, are affected as well.

http://helpx.adobe.com/security/products/flash-player/apsb15-01.html


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Errata Security: A Call for Better Vulnerability Response

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.

Ten years ago, Microsoft dominated the cybersecurity industry. It employed, directly or through consultancies, the largest chunk of security experts. The ability to grant or withhold business meant influencing those consulting companies — Microsoft didn’t even have to explicitly ask for consulting companies to fire Microsoft critics for that to happen. Every product company depended upon Microsoft’s goodwill in order to develop security products for Windows, engineering and marketing help that could be withheld on a whim.

This meant, among other things, that Microsoft dictated the “industry standard” of how security problems (“vulnerabilities”) were reported. Cybersecurity researchers who found such bugs were expected to tell the vendor in secret, and give the vendor as much time as they needed in order to fix the bug. Microsoft sometimes sat on bugs for years before fixing them, relying upon their ability to blacklist researchers to keep them quiet. Security researchers who didn’t toe the line found bad things happening to them.

I experienced this personally. We found a bug in a product called TippingPoint that allowed us to decrypt their “signatures”, which we planned to release at the BlackHat hacker convention, after giving the vendor months to fix the bug. According to rumors, Microsoft had a secret program with TippingPoint with special signatures designed to track down cybercriminals. Microsoft was afraid that if we disclosed how to decrypt those signatures, that their program would be found out.

Microsoft contacted our former employer, ISS, which sent us legal threats. Microsoft sent FBI agents to threaten us in the name of national security. A Microsoft consultant told the BlackHat organizer, Jeff Moss, that our research was made up, that it didn’t work, so I had to sit down with Jeff at the start of the conference to prove it worked before I was allowed to speak.

My point is that a decade ago in the cybersecurity industry, Microsoft dictated terms.

Today, the proverbial shoe is on the other foot. Microsoft’s products are now legacy, so Windows security is becoming as relevant as IBM mainframe security. Today’s cybersecurity researchers care about Apple, Google Chrome, Android, and the cloud. Microsoft is powerless to threaten the industry. It’s now Google who sets the industry’s standard for reporting vulnerabilities. Their policy is that after 90 days, vulnerabilities will be reported regardless if the vendor has fixed the bug. This applies even to Google itself when researchers find bugs in products like Chrome.

This is a nasty trick, of course. Google uses modern “agile” processes to develop software. That means that after making a change, the new software is tested automatically and shipped to customers within 24 hours. Microsoft is still mired in antiquated 1980s development processes, so that it takes three months and expensive manual testing before a change is ready for release. Google’s standard doesn’t affect everyone equally — it hits old vendors like Microsoft the hardest.

We saw the effect this last week, where after notifying Microsoft of a bug 90 days ago, Google dumped the 0day (the information hackers need to exploit the bug) on the Internet before Microsoft could release a fix.

I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs. It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.

But Google is right. Since we can’t make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing “secure” software that can’t turn around bugs quickly. Rather than 90 days being too short, it’s really too long. Microsoft either needs to move forward with the times and adopt “agile” methodologies, or just accept its role of milking legacy for the next few decades as IBM does with mainframes.

Krebs on Security: Lizard Stresser Runs on Hacked Home Routers

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The online attack service launched late last year by the same criminals who knocked Sony and Microsoft’s gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, KrebsOnSecurity.com has discovered.

Just days after the attacks on Sony and Microsoft, a group of young hoodlums calling themselves the Lizard Squad took responsibility for the attack and announced the whole thing was merely an elaborate commercial for their new “booter” or “stresser” site — a service designed to help paying customers knock virtually any site or person offline for hours or days at a time. As it turns out, that service draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.

The Lizard Stresser’s add-on plans. Despite this site’s claims, it is *not* sponsored by this author.

In the first few days of 2015, KrebsOnSecurity was taken offline by a series of large and sustained denial-of-service attacks apparently orchestrated by the Lizard Squad. As I noted in a previous story, the booter service — lizardstresser[dot]su — is hosted at an Internet provider in Bosnia that is home to a large number of malicious and hostile sites.

That provider happens to be on the same “bulletproof” hosting network advertised by “sp3c1alist,” the administrator of the cybercrime forum Darkode. Until a few days ago, Darkode and LizardStresser shared the same Internet address. Interestingly, one of the core members of the Lizard Squad is an individual who goes by the nickname “Sp3c.”

On Jan. 4, KrebsOnSecurity discovered the location of the malware that powers the botnet. Hard-coded inside of that malware was the location of the LizardStresser botnet controller, which happens to be situated in the same small swath of Internet address space occupied by the LizardStresser Web site (217.71.50.x).

The malicious code that converts vulnerable systems into stresser bots is a variation on a piece of rather crude malware first documented in November by Russian security firm Dr. Web, but the malware itself appears to date back to early 2014 (Google’s Chrome browser should auto-translate that page; for others, a Google-translated copy of the Dr. Web writeup is here).

As we can see in that writeup, in addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as “admin/admin,” or “root/12345”. In this way, each infected host is constantly trying to spread the infection to new home routers and other devices accepting incoming connections (via telnet) with default credentials.

The botnet is not made entirely of home routers; some of the infected hosts appear to be commercial routers at universities and companies, and there are undoubtedly other devices involved. The preponderance of routers represented in the botnet probably has to do with the way that the botnet spreads and scans for new potential hosts. But there is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras.

KrebsOnSecurity had extensive help on this project from a team of security researchers who have been working closely with law enforcement officials investigating the LizardSquad. Those researchers, however, asked to remain anonymous in this story. The researchers who assisted on this project are working with law enforcement officials and ISPs to get the infected systems taken offline.

This is not the first time members of LizardSquad have built a botnet. Shortly after their attack on Sony and Microsoft, the group’s members came up with the brilliant idea to mess with the Tor network, an anonymity system that bounces users’ connections between multiple networks around the world, encrypting the communications at every step of the way. Their plan was to set up many hundreds of servers to act as Tor relays, and somehow use that access to undermine the integrity of the Tor network.

This graphic reflects a sharp uptick in Tor relays stood up at the end of 2014 in a failed bid by the Lizard Squad to mess with Tor.

According to sources close to the LizardSquad investigation, the group’s members used stolen credit cards to purchase thousands of instances of Google’s cloud computing service — virtual computing resources that can be rented by the day or longer. That scheme failed shortly after the bots were stood up, as Google quickly became aware of the activity and shut down the computing resources that were purchased with stolen cards.

A Google spokesperson said he was not able to discuss specific incidents, noting only that, “We’re aware of these reports, and have taken the appropriate actions.” Nevertheless, the incident was documented in several places, including this Pastebin post listing the Google bots that were used in the failed scheme, as well as a discussion thread on the Tor Project mailing list.

ROUTER SECURITY 101

Wireless and wired Internet routers are very popular consumer devices, but few users take the time to make sure these integral systems are locked down tightly. Don’t make that same mistake. Take a few minutes to review these tips for hardening your hardware.

For starters, make sure you change the default credentials on the router. This is the username and password that were factory installed by the router maker. The administrative page of most commercial routers can be accessed by typing 192.168.1.1, or 192.168.0.1 into a Web browser address bar. If neither of those work, try looking up the documentation at the router maker’s site, or checking to see if the address is listed here. If you still can’t find it, open the command prompt (Start > Run/or Search for “cmd”) and then enter ipconfig. The address you need should be next to Default Gateway under your Local Area Connection.

If you don’t know your router’s default username and password, you can look it up here. Leaving these as-is out-of-the-box is a very bad idea. Most modern routers will let you change both the default user name and password, so do both if you can. But it’s most important to pick a strong password.

When you’ve changed the default password, you’ll want to encrypt your connection if you’re using a wireless router (one that broadcasts your modem’s Internet connection so that it can be accessed via wireless devices, like tablets and smart phones). Onguardonline.gov has published some video how-tos on enabling wireless encryption on your router. WPA2 is the strongest encryption technology available in most modern routers, followed by WPA and WEP (the latter is fairly trivial to crack with open source tools, so don’t use it unless it’s your only option).

But even users who have a strong router password and have protected their wireless Internet connection with a strong WPA2 passphrase may have the security of their routers undermined by security flaws built into these routers. At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

But WPS also may expose routers to easy compromise. Read more about this vulnerability here. If your router is among those listed as vulnerable, see if you can disable WPS from the router’s administration page. If you’re not sure whether it can be, or if you’d like to see whether your router maker has shipped an update to fix the WPS problem on their hardware, check this spreadsheet. If your router maker doesn’t offer a firmware fix, consider installing an open source alternative, such as DD-WRT (my favorite) or Tomato.

While you’re monkeying around with your router setting, consider changing the router’s default DNS servers to those maintained by OpenDNS. The company’s free service filters out malicious Web page requests at the domain name system (DNS) level. DNS is responsible for translating human-friendly Web site names like “example.com” into numeric, machine-readable Internet addresses. Anytime you send an e-mail or browse a Web site, your machine is sending a DNS look-up request to your Internet service provider to help route the traffic.

Most Internet users use their ISP’s DNS servers for this task, either explicitly because the information was entered when signing up for service, or by default because the user hasn’t specified any external DNS servers. By creating a free account at OpenDNS.com, changing the DNS settings on your machine, and registering your Internet address with OpenDNS, the company will block your computer from communicating with known malware and phishing sites. OpenDNS also offers a fairly effective adult content filtering service that can be used to block porn sites on an entire household’s network.

The above advice on router security was taken from a broader tutorial on how to stay safe online, called “Tools for a Safer PC.”

TorrentFreak: PirateSnoop Browser Unblocks Torrent Sites

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Blocking of file-sharing related sites is becoming widespread in Europe, particularly so in the UK. In fact, it’s now almost impossible to access a top torrent site from any of the country’s leading ISPs, with the notable exception of OldPirateBay since the site is so new.

Users in the United States can’t rest easy either. As reported here in December, the MPAA is working hard to introduce site-blocking by utilizing creative interpretations of existing law. It seems unlikely that Hollywood will stop until it gets its way.

It’s becoming clear that Internet users everywhere will need to prepare if they want unfettered access to the Internet. While that can be achieved using premium services such as VPNs, there will always be those looking for a free solution. Today we have news of one such product.

In appearance PirateSnoop looks a lot like the popular Chrome browser. In fact the only immediate giveaway that things are a little different is the existence of a small pirate-themed button on the right hand side of its toolbar.

Underneath, however, PirateSnoop is based on the freeware web browser SRWare Iron which aims to eliminate some of the privacy-compromising features present in Google Chrome. PirateSnoop is then augmented with special extensions to enable its site unblocking features.

PirateSnoop (PS) was created by the team at public torrent site RARBG. While certainly less referenced by the mainstream media than The Pirate Bay for example, RARBG is now the 7th most popular torrent site in the world and a force to be reckoned with. It was also blocked by major UK ISPs recently.

Anti-censorship agenda

“Nazi Germany had less censorship than we have today on the Internet,” the PS team informs TorrentFreak.

“However you are not paying for the Internet itself to your ISPs, but for the carrying of the Internet connectivity. ISPs are legally enforced by their countries to block content and what we are worried about is that little to none of the ISPs decided to fight any blocking court order.”

PirateSnoop vs PirateBrowser

The web-blocking features of PirateSnoop are similar to those of The Pirate Bay’s PirateBrowser, but there are some important differences. Although users are not rendered anonymous, PirateBrowser uses the TOR network. PirateSnoop sees this as problematic as torrent sites are increasingly blocking TOR IPs.

“The TOR network is abused by a lot of people – uploading fakes for example. It’s also used by DMCA agencies to scan sites. TOR is no longer an option to access sites. It’s blocked on almost every site I know,” a dev explains.

Instead, PirateSnoop uses its own custom proxy network which utilizes full HTTPS instead of the HTTP used by basic proxies. Just like a regular browser to website connection, PS allows websites to see their users’ IP addresses (unless they’re using a VPN) in order to cut down on abuse.

Overall, PirateSnoop should be a faster browsing solution than PirateBrowser, its creators say.

Limitations and future upgrades

Currently several major blocked sites are supported by PirateSnoop but there are a couple of omissions. However, the team is prepared to expand the browser’s reach based on user demand.

“Any site that is requested to be added will be added immediately with no questions asked,” the team note.

The PirateSnoop team say they are committed to upgrades of their software to include proxy updates (added automatically upon browser restart) and full browser updates following any Iron browser core updates.

PirateSnoop can be downloaded here (using BitTorrent, of course).

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: How to Configure a Touchscreen on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Ah the touchscreen ─ that piece of hardware that promises to finally strip humanity of an interface very much long in the tooth. I’m talking about the mouse. It’s that piece of technology that is being threatened with extinction, thanks to the touchscreen. And with good reason. Once you’ve used the touchscreen, you fully understand that they are, in fact, a much-needed breath of fresh air.

But in Linux-land, all isn’t exactly rosy. Once you get your hands on a supported device (such as the fantastic System76 Sable Touch running Ubuntu 14.10), you’ll find that not everything works as you’d expect. Sure there are some handy three and four finger multi-touch gestures that work out of the box, but the go-to gestures (such as right mouse click and Firefox scrolling) simply don’t work.

The good news, getting those very necessary gestures to work isn’t all that challenging. It does, however, require the installation of an app and a Firefox extension. The bad news is that not all distributions respond the same way to these workarounds. Ultimately, this falls into the hands of the Linux community to resolve, as touchscreens aren’t going away (and, in fact, will continue to rise in popularity). With that said, let’s take a look at what you can do to get that shiny new touchscreen device working in a way that actually makes sense.

What you will need

First we’re going to address the browser ─ since that is one of the most-used tools of the desktop trade. There’s a bit more bad news on that front ─ you’re going to have to scrap Google Chrome. Why? Because, at least as of this writing, Google Chrome and Linux touchscreens do not play well together. With that said, we’re going to focus our efforts on Firefox and a simple extension.

Second, you will need to install and use a handy app called Touchegg. This app will serve as a means to configure specific events for touchscreen interaction.

With that said, let’s begin.

Firefox

Out of the box, Firefox doesn’t much care for touchscreens. However, there is an extension you can install that will overcome that issue. The extension is called Grab and Drag. This extension will enable grab and drag scrolling as well as flick scrolling and momentum scrolling.

To install this extension click Tools > Add-ons and then click Get Add-ons. In the search bar of the new tab, enter “grab and drag.” When the results appear (Figure 1), click the Install button associated with the Grab and Drag extension.

touchscreen 1

You will be prompted to restart Firefox. Do this and then, when it reopens go back into the Add-ons window, tap Extensions, select Grab and Drag, and then tap Preferences. In the Preferences screen, you can ignore the Momentum tab (as this feature doesn’t work with touchscreens). You will, most likely, want to open the More Options tab and play with the Drag Multiplier setting (Figure 2). By default, the scrolling is rather slow. I’ve found a Drag Multiplier of 1.6 to be ideal for using touchscreens and Firefox.

touchscreen 2

Now that you have Firefox enabled, let’s install an app that (in some instances) will allow you to control nearly every multi-touch gesture on Linux.

Touchegg

I’ll demonstrate how to install this app on Ubuntu 14.10. I will also add a GUI tool that allows easier control over the configuration of gestures. The GUI tool, touchegg-gce, does have a number of dependencies that must be first installed.

Before we install the GUI, let’s install the base tool. Touchegg can be found in the standard repositories, so a single command will install:

sudo apt-get install touchegg

Once that installation completes, let’s install the dependencies for the GUI tool. The command for this is:

sudo apt-get install build-essential libqt4-dev libx11-6

After the dependencies are installed, download the Touchegg-gce file and place it in a directory that gives you write access (such as ~/). Here are the steps to install this app:

  1. Change to the directory holding the .zip file.

  2. Issue the command unzip Touchegg-gce-master.zip to extract the file.

  3. Change into the Touchegg-gce-master folder.

  4. Issue the command qmake

  5. Issue the command make

  6. Copy the touchegg-gce file to /usr/bin

That’s it. You can now issue the command touchegg-gce from any directory and the app will run. When the app starts, you must first choose your language (this happens every time you run the app). From the app main window (Figure 3), tap the Load button to load your Touchegg configuration file (the default should be ~/.config/touchegg/).

touchscreen 3

At this point, you can either modify an existing gesture or add a new gesture. What you need to know about this process is the configuration options available. With each entry, there are four options:

  • Fingers: How many fingers make up the entry

  • Gesture: What is the actual gesture (tap, drag, pinch, rotate, Tap & Hold, Double Tap)

  • Direction: The direction of the gesture (All, Up, Down, Left, Right)

  • Action: What is the action associated with the gesture (i.e. Mouse Click, Scroll, Minimize, Maximize, Close, etc).

Tap (or click) the Add button to create a new gesture. For the purpose of example, we’ll create a two finger drag for scrolling up. We’ll create this gesture under the All Group (which means it will apply to all applications ─ more on this in a bit). From the popup window (Figure 4), configure the following:

  • Fingers: 2

  • Gesture: Drag

  • Directions: Up

  • Action: Scroll.

When you’ve configured this, tap OK and the gesture is ready to try out.

touchscreen 4

Let’s say, however, you want to associate a specific gesture with a specific application (or group of applications). For that you must create a new Group. To do this, tap the Add button under the groups (on the left side of the window). In the popup (Figure 5), you have to configure three options:

  • Applications: The applications this gesture will use

  • Add to: Select <New Group> to create a new group

  • Take gestures from: You can import gestures from another group to serve as a template.

touchscreen 5

Once you’ve created the new group, you can create new gestures that will work only for that group.

After you’ve completed the process of creating gestures and groups, make sure to tap (or click) the Save button. If you do not do this final step, your configurations will be lost when you close the app. When you save the configuration, Touchegg will be restarted and your new gestures should work.

Even with the help of apps like Grab and Drag and Touchegg, Linux and the touchscreen have a long way to go. Not every gesture will work on every device and, in some cases, you might still find yourself grabbing a mouse more often than not. Hopefully, over the next year, we’ll see major improvement on this front ─ otherwise Linux will struggle as more and more touchscreen devices are adopted.

Schneier on Security: How Browsers Store Passwords

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Good information on how Internet Explorer, Chrome, and Firefox store user passwords.

Krebs on Security: Microsoft, Adobe Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited.

Four of the seven updates from Microsoft earned a “critical” rating, which means the patches fix vulnerabilities that can be exploited by malware or attackers to seize control over vulnerable systems without any help from users (save for perhaps visiting a hacked or malicious Web site). One of those critical patches — for Internet Explorer — plugs at least 14 holes in the default Windows browser.

Another critical patch plugs two vulnerabilities in Microsoft Word and Office Web Apps (including Office for Mac 2011). There are actually three patches this month that address Microsoft Office vulnerabilities, including MS14-082 and MS14-083, both of which are rated “important.” A full breakdown of these and other patches released by Microsoft today is here.

Adobe’s Flash Player update brings the player to v. 16.0.0.235 for Windows and Mac users, and fixes at least six critical bugs in the software. Adobe said an exploit for one of the flaws, CVE-2014-9163, already exists in the wild.

“These updates address vulnerabilities that could potentially allow an attacker to take over the affected system,” the company said in its advisory.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Adobe Acrobat and Adobe Reader users will need to apply a critical update that fixes at least 20 critical security flaws in these programs. See Adobe’s Reader advisory for more details on that. The latest updates live here.

Linux How-Tos and Linux Tutorials: 11 Things to Do After You Install Fedora 21

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

Fedora 21 was announced yesterday and it turned out to be a great release. Fedora comes pre-installed with a lot of applications. Users can start working as soon as they boot into Fedora. However, like most operating systems Fedora also needs some work to prepare it to handle your workload.

Update your system

The first thing to do after installing Fedora is to update the system. Open the terminal and run the following command as sudo:

sudo yum update

If you forgot to add yourself (the default user) to the administrative group during install you won’t be able to use the sudo command. Open the Gnome System Settings then go to users. Unlock the window and change the Account Type to ‘Administrator’. Now you will be able to perform administrative tasks as sudo.

Install extra repositories

Fedora doesn’t provide a lot of software through the official repository due to patent and licensing issues. As with any other Linux-based operating system, such packages are offered through third-party repositories. You can easily add the RPMFusion repository to install such applications.

There are two repositories within RPMFusion. First you need to enable the free repository and then the non-free one.

Install both repositories from RPMFusion (if you don’t see repositories for 21 yet, wait for a few days or add Rawhide repos).

Install VLC

VLC is like a swiss knife for video playback. It can play virtually any video format. A lesser known but quite powerful feature of VLC is to convert media formats; you can also extract audio from video files. Another even lesser known feature is VLC’s ability to play online videos from services like YouTube.

Install VLC by running this command:

sudo yum install vlc

How to play MP3 files in Fedora

You need mp3 codecs to play such files in Fedora. Open the terminal and install gstreamer plugins:

sudo yum install gstreamer-plugins-ugly

I like the Clementine music player so I went ahead and installed it from the terminal. It plays MP3s without any hassle.

Install Chrome browser

Fedora has made a surprise move and replaced Gnome’s own Epiphany web browser with Firefox. However if you want Google Chrome, you can install it by downloading the binaries from the respective websites.

Go to the Chrome download page and grab the .rpm binaries for your architecture (32-bit or 64-bit, whichever you installed on your system). Linux binaries can be installed just the way .exe files are installed on Windows. Just double click on them or right click and choose ‘Open with Software Install’ and follow instructions.

Ride high on cloud

The only cloud I trust is the one that I own and run. I am a heavy ownCloud user. If you are running ownCloud on your server you can install the ownCloud client for Fedora:

sudo yum install owncloud-client

If you are a dropbox user you can get the executable images from their sites and install them the way you installed Chrome.

Get started with online accounts

Gnome has made it extremely easy to set up the default email, calendar, and chat clients. Open Online Accounts and choose the service you want to integrate with the system. If you chose Gmail, it will automatically configure Evolution and Contacts for that account. It’s very easy, just follow the on-screen instructions.

Install Gnome Tweak Tool and install extensions

Gnome Tweak Tool is the most important tool for a great Gnome experience. I wonder why Fedora didn’t include it in the ISO image. You can easily install the tool from Software.

Once the tool is installed you can customize the system to your liking. I always enable the window minimize button; you can call me old school.

I also install a couple of extensions from the Gnome Extensions site. Open the site in Firefox, allow the pop-up and search for the desired extensions. Some of my favorite extensions are: Windows List, Dash To Dock, User Themes, Application Menu, Advanced settings in user menu, etc.

Installing non-free drivers for Nvidia and ATI

Fedora will work out of the box using open source drivers. But if you experience video tearing or if you play video games you may need proprietary drivers to get the most out of your GPU. Installing graphics drivers is a tricky area in Fedora. Installing the wrong drivers may break your system. I previously broke my Fedora installs so I don’t bother with non-free graphics drivers anymore. If you do want to install non-free drivers, follow the guide by RPMFusion.

Setting up printers

Setting up printers is a breeze in Fedora. Just open the Printers from Dash and click on the Add Printer button, Fedora will scan and detect the printers connected to the system physically or available over the local network. Select the printer from the list, click on the ‘Add’ button and you are all set.

How to change themes or icons

Even if Gnome aims to offer an easy-to-use desktop, customizing it is not that elegant. Go to Gnome Look site and download the desired Gtk3 or icon theme. Extract the content of the downloaded files.

Go to home folder and enable ‘show hidden and system folder’. If you don’t see .icons and .themes folder, create them. Now copy the extracted folders to appropriate directories: themes go in .themes directory and icons go in .icons directory.

Open the Gnome Tweak Tool and you will see the themes that you just downloaded.

These are just a few things I do after installing Fedora. It’s Linux so there are endless possibilities of personalizing and optimizing your system! Let us know if you have some cool tricks for Fedora up your sleeve.

TorrentFreak: Google Removes Pirate Bay Apps From Play Store

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Facing harsh criticism from copyright holders, Google is gradually changing its attitudes towards sites and services that are often associated with piracy.

A few weeks ago the company implemented a major change to its search algorithm, aimed at downranking sites that often link to copyright infringing material.

Another drastic move came today when Google began removing many Pirate Bay related apps from its Play store. The apps in question include “The Pirate Bay Proxy,” “The Pirate Bay Premium,” “The Pirate Bay Mirror” and “PirateApp.”

The apps targeted by Google offer mobile optimized web-browsers for The Pirate Bay. In addition, many of them used proxy sites so users could easily circumvent local ISP blockades.

The apps appear to have been removed proactively as there is no mention of a DMCA takedown notice. According to an email sent to the developers, the apps in question are violating the intellectual property provisions of Google’s content policy.

“REASON FOR REMOVAL: Violation of the intellectual property and impersonation or deceptive behavior provisions of the Content Policy. Please refer to the IP infringement and impersonation policy help article for more information,” the email reads.

The developers are further informed that they received a “policy strike” which may lead to the termination of their accounts, if similar problems arise in the future.

TF spoke with Gavin, the developer of “The Pirate Bay Proxy” app, which has 900,000 downloads and 45,000 active users per day. He is disappointed with Google’s decision and has filed an appeal hoping to get his software reinstated.

According to Gavin, his app doesn’t do anything different than other browsers, Google Chrome included. It simply points people to a working proxy site and then acts as any other browser.

“The app is no different from Firefox or Chrome in that it’s a tool which provides access to TPB or any other web address,” Gavin says.

Gavin originally developed the app as a simple tool to bypass court-ordered ISP blockades. However, the app itself is now being censored as well, which is somewhat ironic.

“The removal has a sense of irony as the app is described as an anti-censorship tool,” Gavin notes.

Those who have already downloaded the apps can continue to use them, for now. New downloads from the Google Play Store are no longer allowed, but a copy of “The Pirate Bay Proxy” is available on the app’s website.

Alternatively, people can still use Google and the Chrome browser as these points of access remain uncensored for now.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Adobe Pushes Critical Flash Patch

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.

Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424.

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine that indicated the vulnerability was being exploited in-the-wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one).

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
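A version audit using the patched versions named in this post, as an added example that is not part of the original article: the Linux branch has its own, lower-numbered floor, and the comparison has to be numeric per field rather than a string compare. The host names and installed versions in the sample inventory are constructed.

```shell
#!/bin/sh
# Minimum patched Flash Player versions quoted in the post above.
min_patched_for() {
    case "$1" in
        windows|mac) echo "15.0.0.239" ;;
        linux)       echo "11.2.202.424" ;;
        *)           return 1 ;;
    esac
}

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Fields are compared as integers; a string comparison would wrongly rank
# "15.0.0.99" above "15.0.0.239". Missing trailing fields count as 0.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}
        fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=; else b=${b#*.}; fi
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1
}

# audit_flash: read "host platform version" lines on stdin and print one
# verdict per host.
audit_flash() {
    while read -r host platform version; do
        [ -n "$host" ] || continue
        if ! min=$(min_patched_for "$platform"); then
            echo "$host UNKNOWN-PLATFORM"
            continue
        fi
        case "$version" in
            ''|*[!0-9.]*)
                echo "$host BAD-VERSION"
                continue
                ;;
        esac
        if version_lt "$version" "$min"; then
            echo "$host OUTDATED (needs >= $min)"
        else
            echo "$host OK"
        fi
    done
}

# Constructed sample inventory: host, platform, installed Flash version.
sample_inventory() {
    cat <<'EOF'
ws-01 windows 15.0.0.189
ws-02 windows 15.0.0.239
mac-01 mac 15.0.0.99
lin-01 linux 11.2.202.424
lin-02 linux 11.2.202.418
EOF
}

sample_inventory | audit_flash
```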

Linux How-Tos and Linux Tutorials: How to Easily Install Ubuntu on Chromebook with Crouton

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

I am a huge fan of Chromebooks and so is Linus Torvalds. He believes that “…Chromebooks are the kind of things that will make the year of the desktop more possible.”

I love Chromebooks not only because they run the Linux-based operating system Chrome OS, but also because they are inexpensive and the app ecosystem around the OS is evolving rapidly. The device needs zero maintenance. It has ended the ‘paid’ OS upgrade model used by some companies and ensures that you don’t have to be a rocket scientist to run a PC. I was surprised to see the drop in support calls I used to get from my wife when she was on Windows or Mac, because Chrome OS is extremely simple to use and there is virtually nothing that one can break.

However, as a Linux user, I cringe to run a ‘full-blown’ desktop on my Chromebook (even if I don’t need one). There are many ways to install a Linux-based OS on your Chromebook. For this tutorial I have chosen Crouton (aka Chromium OS Universal Chroot Environment), which is a set of scripts that bundle up into an easy-to-use, Chromium OS-centric chroot generator. The scripts are hosted on GitHub and currently support only Ubuntu and Debian. It offers various desktop environments including Xfce, Unity, and KDE. Unity can be quite heavy for your Chromebook, depending on your hardware, and I don’t find Xfce to be enough eye candy, so I am going to try KDE and see how it works.

Some of the advantages of Crouton are that unlike other methods, you don’t have to reboot your machine to switch operating systems; you can switch between them using keyboard shortcuts as if you are switching between two apps. I tested it on a Samsung Chromebook.

How to Install Ubuntu

#Step 1: Back up your data 

Before we start poking around, please ensure that you have a back-up of your data. Since all of your data is synced to Google Server, you actually don’t have to worry about losing any data. The only data that you must make a back-up of is the ‘Download’ folder because the content of this folder is not synced. Once you have taken the back-up, it’s also a fail-safe plan to create a restore USB of ChromeOS, in case something goes wrong and you need to re-install ChromeOS.

#Step 2: Create a restore image for Chrome OS 

Since Crouton is not going to wipe your Chrome OS, there is no risk of corrupting your Chrome OS. It’s always a good idea to keep a restore image of your OS.

Install Chromebook recovery utility from the Chrome web store. Open the app and follow the instructions to create the recovery drive. It’s an easy three-step, click next process. All you need is working Internet and a USB drive with at least 4GB space.

Once the recovery disk is created, unplug it and follow the following steps.

#Step 3: Enable developer mode 

In order to install your own operating system on Chromebooks, you have to enable the developer mode. It’s extremely easy to do and is very well documented by Google. The latest Chromebooks use a combination of keys to enter the developer mode, whereas older devices have a physical switch. Different devices have different locations for the switch, so please Google your device to find the location of the switch and flip it. If you are on the latest Chromebook then you can enable the developer mode by holding Esc + Refresh keys and then push the ‘power’ button. The recovery screen will show a scary warning. Just ignore it and let Chrome OS wipe your data. The process can take up to 15 minutes, so don’t turn off your Chromebook.

Also keep in mind that once Chrome OS is reinstalled you will continue to see this warning every time you boot your system, as long as the developer mode is enabled. However, it won’t wipe the data every time. You can simply hit Ctrl+d to quickly boot into Chrome OS (don’t do it this time while Chrome OS is preparing your system for developer mode).

#Step 4: Let’s install Crouton

1- Log into your Chromebook and open the GitHub page of Crouton and download the latest script.

Check the download folder to see if crouton is downloaded.

2- Open the terminal in Chromebook (yes, there is now a terminal in Chromebook!) by hitting Alt+Ctrl+t

3- Type this command to open shell: shell

4- Now we are going to install Ubuntu. There are several desktop environments available including KDE Plasma, Unity and Xfce. Unity can be quite heavy for Chromebook hardware and xfce is way too plain for my taste, so I am going to install KDE Plasma.

sudo sh ~/Downloads/crouton -t kde

(If you don’t want KDE, then you can replace kde with xfce or unity.)

For example:

sudo sh ~/Downloads/crouton -t xfce

The commands above do not encrypt the chroot. If you want to encrypt it, add the -e parameter to crouton, after the script path (an -e placed before the path is read by sh, not by crouton):

sudo sh ~/Downloads/crouton -e -t kde

If you are installing it on a Chromebook with touchscreen then also add the ‘touch’ parameter:

sudo sh ~/Downloads/crouton -e -t touch,kde
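Why the position of -e matters, shown as an added example that is not part of the original tutorial or of crouton: options written before the script path are consumed by sh itself (where -e means "exit on error"), so the script never sees them and the chroot would be created unencrypted. The stub script below is a constructed stand-in that only parses -e and -t.

```shell
#!/bin/sh
# Constructed stand-in for an installer script (NOT crouton): it only parses
# -e and -t with getopts and reports what it was asked to do.
write_stub() {
    cat > "$1" <<'EOF'
encrypt=no
targets=
while getopts et: opt; do
    case "$opt" in
        e) encrypt=yes ;;
        t) targets=$OPTARG ;;
        *) exit 2 ;;
    esac
done
echo "encrypt=$encrypt targets=$targets"
EOF
}

# run_stub before|after: invoke the stub with -e placed before or after the
# script path and print what the script itself parsed.
run_stub() {
    stub=$(mktemp) || return 1
    write_stub "$stub"
    case "$1" in
        before) sh -e "$stub" -t kde ;;    # -e is consumed by sh (errexit)
        after)  sh "$stub" -e -t kde ;;    # -e reaches the script
        *)      rm -f "$stub"; return 2 ;;
    esac
    rc=$?
    rm -f "$stub"
    return "$rc"
}

echo "sh -e <script> -t kde : $(run_stub before)"
echo "sh <script> -e -t kde : $(run_stub after)"
```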

Since the script will download Ubuntu from the Internet, depending on your broadband speed, it may take a while, so go and grab some Indian chai or coffee. With my 150Mbps download speed it took me around 18 minutes. Once the install is finished Crouton will ask you to enter the user-name and UNIX password for it – which will be used to perform administrative tasks in Kubuntu.

Now you can start Plasma by running the following command in shell:

sudo startkde

If you installed xfce then run:

sudo startxfce4

You will be greeted by the KDE greeter.

Fine tune Ubuntu 

The install will be bare-minimum and won’t come with the applications that are packed by distributions, but you can easily install applications from Konsole / terminal. It’s also a good idea to update the system.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install <package-name>

I installed all that I needed – LibreOffice, Sublime Text, Chrome browser (so I can watch Netflix), GIMP, VLC, etc.

How to switch between Chrome OS and Ubuntu? 

To go back to Chrome OS, and keep KDE running, use this key combination: Alt+Ctrl+Shift+Back. To come back to Kubuntu from Chrome OS, use this combination: Alt+Ctrl+Shift+Forward. You can find the back/forward keys on the top row of the keyboard.

When you log out of KDE, it exits you from Chroot and you will have to again run the sudo startkde command to start Plasma or the desktop that you have installed.

Chrome OS Linux vs Ubuntu Linux? 

You might need a full-blown desktop Linux, like Ubuntu, on your Chromebook, or not. It depends heavily upon what you do on your computer. I use the appropriate platform for that particular task so I don’t struggle to do something on a platform which it’s not meant to do. I am a heavy Chromebook user; my wife is a full-time Chromebook user. I can do pretty much everything in Chromebook that I do on my openSUSE or Arch Linux box, excluding professional image and audio/video editing. As a writer, I can live within Chromebook and would not need anything – all the needed tools are there.

A majority of these apps work in offline mode, so you don’t have to worry about Internet connectivity no matter what Microsoft tells you in their Pawn Star ad campaign. You don’t have to give all of your data to Google to be able to work using Chromebook. Just grab the apps which support offline mode, go offline, insert a good capacity USB drive and start working – nothing will leave your network.

However, at times you may need some tools which are not yet available for Chrome OS and that’s where you may need a full-blown Linux desktop.

Chromebook vs PC 

There is no doubt that installing your favorite Linux distribution onto a Chromebook is not as comfortable as it is on a regular PC, and considering the small onboard storage, it may not seem to be as appealing as a PC with 500GB HDD. But keep in mind that Chromebooks have SSDs which are much faster and more durable than hard drives. On top of that, Chromebooks are extremely affordable – you can get one for just under $200; it’s better to set them up and give them to your kids and employees rather than buying expensive $500+ PCs.

To my surprise, I found Kubuntu to be much faster on my Chromebook than on a Windows netbook. There is virtually no driver issue on Chromebook, which can be a big problem on many Windows PCs which use proprietary hardware. I never keep any of my data on my laptop, it’s always on my ownCloud server or on my hard drives so on-board storage has never been an issue for me – which can be a big factor for many others. If I am looking for inexpensive hardware to mostly do online work, I would prefer a Chromebook over a Windows PC.

I must admit that I live my life on the Internet. The browser is the first app that I open after booting into my system. I spend 90% of my time inside a browser – in Chrome, to be precise – so I don’t really mind Chrome OS and would not bother with installing some other Linux on it. If I do need to install Linux, then Crouton is my favorite method. The advantage of Crouton is that you don’t give up on one system to use the other; you run them simultaneously. Since it shares the ‘Downloads’ folder between the two operating systems, you can easily share data – create some work in KDE and it’s already there in Chrome OS.

If you want to get rid of Linux and go back to the ‘verified’ Chrome OS, hit the space bar when your Chromebook reboots to re-activate verification. On older hardware, you will need to flip the physical switch and Chrome OS will restore to verified state. If something goes wrong, use the restore drive that we created in the beginning to restore the OS.

As they say, “Best of both worlds!”

TorrentFreak: The Pirate Beacon Pimps TPB With Movie Trailers and Info

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Many Pirate Bay users are avid movie fans, who use their favorite torrent site to discover and download fresh content.

Since not all titles immediately ring a bell, they often use third-party sites and services such as IMDb to find more info. In fact, nearly 2% of all IMDb visitors browsed The Pirate Bay before coming to the site, and vice versa.

To save these users a few clicks there is now a new browser extension that pulls up movie information automatically. The Pirate Beacon, as it’s called, shows users descriptions, IMDb ratings and trailers when they hover over a Pirate Bay link.

We reached out to Jordan, the developer of Pirate Beacon, who tells us that the idea actually came from a friend who made a mockup of the discovery tool last year. After working on it for a while the project was shelved, but last Saturday he picked it up again.

A few hours of coding later The Pirate Beacon was online.

The extension uses IMDb links to gather movie info, so it’s only available for torrents that have this listed. The trailers are then pulled from trailersapi.com and when this fails a movie poster is displayed instead.

“It works pretty good for newer movies but doesn’t do so well for older ones. So if I can’t find a trailer, I fall back to the IMDb posters api to grab a movie poster for it,” Jordan says.


Jordan explains that the addon will help people to gather info about movies without having to leave the site, which can be quite cumbersome at times.

“I think it is most useful for discovery purposes. If you’ve ever spent any time browsing TPB you will know that it’s somewhat annoying to see a movie that you’ve not heard of then have to go find it. This just takes that annoyance away,” Jordan says.

The idea appeals to a lot of fellow Pirate Bay users as it has immediately started to gain traction. After an initial Chrome release it’s now available for Firefox too. Additionally, support for many TPB proxies has been added as well.

Jordan says he will continue to work on the project. Support for the Opera browser is one of the next items on the todo list, and he also wants to add support for more torrent sites, starting with KickassTorrents.

“I am planning to expand it to other torrent sites as well. People have been requesting it to work with some other sites. It’s now available on Firefox and Chrome and soon to be available on Opera,” he notes.

The Pirate Beacon’s source code is available on GitHub and the Chrome and Firefox extensions are up on the official site.

The MPAA, meanwhile, is trying to steer people away from The Pirate Bay. The movie group launched its own search engine earlier this week.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Adobe, Microsoft Issue Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each issued security updates to fix critical vulnerabilities in their software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. Separately, Adobe issued an update for its Flash Player software that corrects at least 18 security issues.

Microsoft announced 16 bulletins, but curiously two of those are listed as pending. Topping the list of critical updates from Microsoft is a fix for a zero-day vulnerability disclosed last month that hackers have been using in targeted cyber espionage attacks. Another critical patch targets 17 weaknesses in Internet Explorer, including a remotely exploitable vulnerability in all supported versions of Windows that earned a CVSS score of 9.3 (meaning it is highly likely to be exploited in drive-by attacks, and probably soon).

That flaw is a rare “unicorn-like” bug according to IBM X-Force, which discovered and reported the issue privately to Microsoft. In a blog post published today, IBM researchers described how the vulnerability can be used to sidestep the Enhanced Protected Mode sandbox in IE11, as well as EMET, the anti-exploitation tool that Microsoft offers for free.

“In this case, the buggy code is at least 19 years old, and has been remotely exploitable for the past 18 years,” writes IBM researcher Robert Freeman. “Looking at the original release code of Windows 95, the problem is present. In some respects this vulnerability has been sitting in plain sight for a long time, despite many other bugs being discovered and patched in the same Windows library (OleAut32).”

Freeman said while unpatched Internet Explorer users are most at risk from this bug, the vulnerability also could be exploited through Microsoft Office files. “The other attack vectors this vulnerability could work with are Microsoft Office with script macros, for example in Excel documents,” Freeman told KrebsOnSecurity. “Most versions of Office (since about 2003) have macros disabled by default so the user would have to enable them (which can be a fairly mindless YES click at the top of the screen). Or if a user is using an old enough version of Office, the macros will be enabled by default.”


According to Shavlik, the two pending patches, MS14-068 and MS14-075, are both listed on the bulletin summary page as “release date to be determined,” which apparently is an anomaly we haven’t seen before. “Typically, a pulled patch is removed from the list entirely,” wrote Chris Goettl, product manager at Shavlik. “This could mean it may still come this month, but not today. These two patches were likely an OS and the Exchange patch based on the advanced notification list. That is at least one less major product admins will need to be concerned about this Patch Tuesday, although the date to be determined could come at any time.”

As I’ve noted in previous posts, the few times I’ve experienced troubles after applying Microsoft updates have almost all included a fix for Microsoft’s widely-installed .NET platform. If you have .NET installed, it’s probably a good idea to install this one separately after applying the other updates and rebooting.

Adobe’s update addresses a whopping 18 security holes in Flash Player and Adobe AIR. Updates are available for Windows, Mac and Linux versions of Flash. Adobe says Flash Player users should update the program to version 15.0.0.223. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.356 for Windows, Mac, and Android.


Krebs on Security: Google Accounts Now Support Security Keys

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.

A $17 U2F device made by Yubikey.


The U2F standard (PDF) is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that’s been working to come up with specifications that support a range of more robust authentication technologies, including biometric identifiers and USB security tokens.

The approach announced by Google today essentially offers a more secure way of using the company’s 2-step authentication process. For several years, Google has offered an approach that it calls “2-step verification,” which sends a one-time pass code to the user’s mobile or land line phone.

2-step verification makes it so that even if thieves manage to steal your password, they still need access to your mobile or land line phone if they’re trying to log in with your credentials from a device that Google has not previously seen associated with your account. As Google notes in a support document, security key “offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.”

Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it doesn’t work for mobile-only users because it requires a USB port. Also, the security key doesn’t work for Google properties on anything other than Chrome.
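The site binding Google describes can be sketched as follows. This is an added example, not code from Google, FIDO or the original post: the origins are constructed, the class and function names are hypothetical, and HMAC with a shared key stands in for the ECDSA public-key signature a real U2F token produces.

```python
import hashlib, hmac, json, os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Token:
    """Toy security key. HMAC stands in for the ECDSA signature real U2F uses."""
    def __init__(self):
        self._master = os.urandom(32)
        self.counter = 0
    def site_key(self, app_id: str) -> bytes:
        # One key per site (app ID): a key enrolled at one site is useless at another.
        return hmac.new(self._master, sha256(app_id.encode()), hashlib.sha256).digest()
    def sign(self, app_id: str, client_data: bytes):
        self.counter += 1
        msg = sha256(app_id.encode()) + self.counter.to_bytes(4, "big") + sha256(client_data)
        return self.counter, hmac.new(self.site_key(app_id), msg, hashlib.sha256).digest()

def browser_sign(token, origin_in_address_bar: str, challenge: str):
    # The browser, not the page, records the origin the user is really on.
    client_data = json.dumps({"challenge": challenge, "origin": origin_in_address_bar}).encode()
    return (client_data, *token.sign(origin_in_address_bar, client_data))

class RelyingParty:
    def __init__(self, origin: str, token: Token):
        self.origin, self.last_counter, self.challenge = origin, 0, None
        self.key = token.site_key(origin)  # enrollment; real U2F stores a public key
    def new_challenge(self) -> str:
        self.challenge = os.urandom(16).hex()
        return self.challenge
    def verify(self, client_data: bytes, counter: int, sig: bytes) -> bool:
        seen = json.loads(client_data)
        if seen["origin"] != self.origin or seen["challenge"] != self.challenge:
            return False  # signed for another site, or for a stale challenge
        if counter <= self.last_counter:
            return False  # replayed response
        msg = sha256(self.origin.encode()) + counter.to_bytes(4, "big") + sha256(client_data)
        ok = hmac.compare_digest(sig, hmac.new(self.key, msg, hashlib.sha256).digest())
        if ok:
            self.last_counter = counter
        return ok

def demo():
    token = Token()
    site = RelyingParty("https://accounts.example", token)  # constructed origin
    good = browser_sign(token, "https://accounts.example", site.new_challenge())
    genuine, replayed = site.verify(*good), site.verify(*good)
    # Same challenge relayed through a look-alike page: the browser signs that origin instead.
    relayed = site.verify(*browser_sign(token, "https://accounts-example.test", site.challenge))
    return genuine, replayed, relayed
```

A one-time pass code carries no such binding: the same digits are valid no matter which page the user typed them into, which is the gap the signed origin closes.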

The move comes a day after Apple launched its Apple Pay platform, a wireless payment system that takes advantage of the near-field communication (NFC) technology built into the new iPhone 6, which allows users to pay for stuff at participating merchants merely by tapping the phone on the store’s payment terminal.

I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions. I, for one, will be glad to see Apple, Google or any other legitimate player give the entire mag-stripe based payment infrastructure a run for its money. They could hardly do worse.

Soon enough, government Web sites may also offer consumers more authentication options than many financial sites. An Executive Order announced last Friday by The White House requires the National Security Council Staff, the Office of Science and Technology Policy and the Office of Management and Budget (OMB) to submit a plan to ensure that all agencies making personal data accessible to citizens through digital applications implement multiple layers of identity assurance, including multi-factor authentication. Verizon Enterprise has a good post with additional details of this announcement.