Posts tagged ‘chrome’

Linux How-Tos and Linux Tutorials: Best in Breed Twitter Clients for Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

twitter choqok client on linux

Twitter is a social networking service that is a bit of a conundrum to many. At any given time it can be used to connect with people of a like mind, and at another it’s an exercise in frustration, thanks to the never-ending stream of data. But for those that depend upon the service as a means to either stay connected, promote a product or service, or even (on certain levels) research a given topic, it’s a boon.

But for Linux users, the client side of things has lagged behind for some time. Thankfully, you can now find solid clients that do the job and do it well. Back in “the day” amazing tools like Tweetdeck were client-based tools for Windows and Mac. Running the best of the best required you install WINE and download the .msi installer and cross your fingers. That was then…this is now. Most services like Tweetdeck now run flawlessly in nearly every browser (even Midori).

But even though the browser has become King of the apps, there are still desktop and command line clients for the likes of Twitter available—each of which offers a variety of features. But if one of those desktop clients won’t do it for you, I’ll show you a handy trick to help make one browser-based client behave a bit more like a desktop client.

Let’s first look at what I consider to be the two best in breed Twitter clients for Linux.

Choqok

Choqok is the Persian word for sparrow and is a Twitter client that has an impressive list of features. Although it is a KDE-centric app (and does run a bit better in its native environment), Choqok will perform splendidly in nearly all desktop environments and it supports the latest Twitter API. Choqok also enjoys panel integration (even with Ubuntu Unity), where you can do quick posts, update your timeline, and configure the app. But what is most impressive about this desktop client is its interface. Unlike Tweetdeck or Hootsuite (which can both very quickly become overwhelming), Choqok simplifies the Twitter experience and even helps to curtail the insanely fast flowing stream of tweets (that can cause you to miss out on twitter Choqok client setupsomething you actually want to see).

Installing Choqok is actually very simple, as it is found in your standard repositories. You can open up the Ubuntu Software Center (or whatever you happen to use—AppGrid, Synaptic, etc.) and, with a single click, install the client. The nice thing about installing from the Ubuntu Software Center is that this is one instance where you actually get the latest release.

Once you’ve installed it, I recommend logging into your Twitter account using the desktop’s default browser. With that out of the way, fire up Choqok and then (when prompted) request an authentication token. Once you have the token, copy/paste it into the requesting Choqok window and grant the app permission to your Twitter account. You will finally be greeted by the Choqok main window (Figure A).

Beyond the interface, one feature you will want to make use of is the Choqok filtering system. With the help of this filtering system you can make it far easier to see exactly what you want from your Twitter feeds. This is actually one area where Choqok excels. Here’s how it works.

Open up Choqok and then click Tools > Configure Filters. When the new window opens, click the + button to open the filter definition window (Figure B).

At this point you have to make a few choices. The first is the Filter field. There are four options:

  • Post Text: filter the text of a post

  • Author Username: filter the name of a Twitter user

  • Reply to User: filter replies from a user

  • Author Client: filter through the client used by the author.

Let’s say you want to set up a filter for posts containing the keyword linux. To do that you would set the following options:

  • Select Post Text from the Filter field

  • Select Contain from the Filter type

  • Enter linux in the Text field

  • Select Highlight Posts from the filter action.

Once you’re done, click OK and the filter is ready. These are considered quick filters, so they are applied immediately. How do they work? Simple. Since we selected Highlight Posts from the Filter action, all posts that match a filter will be highlighted with a red box as your timeline updates (Figure C).

twitter choqok filters

This makes it incredibly easy to scan through your main Twitter feed to find posts related to your filters.

Corebird

Here is another simple-to-use Linux Twitter client with an eye for outstanding interface. Once again you won’t be inundated with a blinding fast timeline that’s nearly impossible to follow. Corebird is to GNOME what Choqok is for KDE…and it does so with a bit more zip. It offers a very similar feature set to Choqok and can be installed from a specific PPA. Here are the steps for installation:

  1. Open up a terminal window

  2. Add the PPA with the command sudo apt-add-repository ppa:ubuntuhandbook1/corebird

  3. Update apt with the command sudo apt-get update 

  4. Install Corebird with the command sudo apt-get install corebird

  5. Allow the installation to complete

  6. If you run into dependency errors during installation, solve the errors with the command sudo apt-get install -f

One of the best features of Corebird is the inclusion of lists. This makes following a collection of users so much easier (especially when you have thousands of people you follow). Say, for example, you follow a number of users interested in (or posting about) linux and you want to be able to quickly see what they’ve posted on a regular basis. You can create a list for these users by doing the following:

  1. Open Corebird

  2. Click on the list icon in the left navigation (third up from the bottom)

  3. Enter a name for the list

  4. Click Create.

Now that the list is created, you have to add users. To do this, simply find a user in your timeline (there’s a handy search function for that) and then, from the drop-down in their profile, select Add to/Remove from list. In the popup window, locate the newly created list(s), select the list, and click Save (Figure D). The user has now been added to the list. Continue adding users until your list is complete.

twitter Corebird client

To read posts associated with that list, click on the List icon, locate the list in question, and double click its name. All posts from users on the list will appear in the feed.

Tweetdeck

At one time, the only way you could enjoy Tweetdeck was to install the Chrome addon and view it from your browser. Now, however, Tweetdeck works perfectly from within Firefox. However, if you happen to be a Chrome (or Chromium) user, here’s a cool trick. You can create a launcher for Tweetdeck such that it will open the webpage in its own app-like window (without the extraneous web browser bits and pieces). I’ll demonstrate how to do that in Elementary OS Freya.

  1. Install the Tweetdeck addon to Chrome (or Chromium)

  2. From within Chrome, click the Apps button

  3. Locate the Tweetdeck icon

  4. Right-click the Tweetdeck icon

  5. Click Create Shortcuts

  6. De-select Desktop

  7. Right-click the Tweetdeck icon again

  8. Select Open as window

  9. Click on the desktop menu (aka Slingshot Menu)

  10. Locate and click the Tweetdeck entry to open the “app”

That’s it. You should see Tweetdeck open in its very own app-like window (Figure E).

twitter tweetdeck linux

While the Tweetdeck window is open, you can right-click its icon on the dock and select Keep In Dock to add a launcher on the dock.

TTYtter

For those who prefer the command line over a GUI, you’re in luck. The TTYtter application is a simple tool you can use to quickly post to Twitter from the command line. It’s easy to install, a bit tricky to set up, and very simple to use.

To install TTYtter, do the following:

  1. Open a terminal window

  2. Issue the command sudo apt-get install ttytter 

  3. Type your sudo password and hit Enter

  4. Type y to continue

  5. Allow the installation to complete

Once installed, you run the app with the command ttytter. On first run, the app will request a token and then return a URL that you then must paste into a browser (one that has already logged into your Twitter account). When prompted (in your browser) click the Authorize App button which will present you with an authorization PIN. Enter that PIN into the waiting command prompt (Figure F) and hit Enter. Run the ttytter command again and you will be logged on with your Twitter account.

twitter command line client

To post to your account with TTYtter, you simply issue a command as such:

ttytter -status=”The Linux Foundation rocks!”

You can also issue the command ttytter and then hit Enter to get a TTYtter prompt, where you can post status simply by typing your post and hitting Enter (without having to add ttytter -status=””). To exit out of TTYtter, hit CTRL+c.

Personally, of the three GUI options, Tweetdeck is by far the best—but it’s not truly a desktop client. If you’re looking for a straight up desktop Twitter client for Linux, you can’t go wrong with either Choqok or Corebird. If you’re okay with a web-based client, you can always trick Tweetdeck into behaving like a desktop app with my handy little trick (which also works for most desktop environments).

Happy tweeting!

LWN.net: Detectify: Chrome Extensions – AKA Total Absence of Privacy

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The “Detectify Labs” site has put up a
lengthy analysis
of the user tracking taking place in many Chrome
browser extensions. “Google, claiming that Chrome is the safest web
browser out there, is actually making it very simple for extensions to hide
how aggressively they are tracking their users. We have also discovered
exactly how intrusive this sort of tracking actually is and how these
tracking companies actually do a lot of things trying to hide it. Due to
the fact that the gathering of data is made inside an extension, all other
extensions created to prevent tracking (such as Ghostery) are completely
bypassed.
” At the end they note that the situation with Firefox is
not a whole lot better.

AWS Official Blog: AWS Device Farm Update – Test Web Apps on Mobile Devices

This post was syndicated from: AWS Official Blog and was written by: Jeff Barr. Original post: at AWS Official Blog

If you build mobile apps, you know that you have two implementation choices. You can build native or hybrid applications that compile to an executable file. You can also build applications that run within the device’s web browser.

We launched the AWS Device Farm in July with support for testing native and hybrid applications on iOS and Android devices (see my post, AWS Device Farm – Test Mobile Apps on Real Devices, to learn more).

Today we are adding support for testing browser-based applications on iOS and Android devices. Many customers have asked for this option and we are happy to be able to announce it. You can now create a single test run that spans any desired combination of supported devices and makes use of the Appium Java JUnit or Appium Java TestNG frameworks (we’ll add additional frameworks over time; please let us know what you need).

Testing a Web App
I tested a simple web app. It opens amazon.com and searches for the string “Kindle”. I opened the Device Farm Console and created a new project (Test Amazon Site). Then I created a new run (this was my second test, so I called it Web App Test #2):

Then I configured the test by choosing the test type (TestNG) and uploading the tests (prepared for me by one of my colleagues):

The file (chrome-with-screenshot.zip) contains the compiled test and the dependencies (a bunch of JAR files):

Next, I choose the devices. I had already created a “pool” of Android devices, so I used it:

I started the run and then checked in on it a few minutes later:

Then I inspected the output, including screen shots, from a single test:

Available Now
This new functionality is available now and you can start using it today! Read the Device Farm Documentation to learn more.

Jeff;

Schneier on Security: Ads Surreptitiously Using Sound to Communicate Across Devices

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is creepy and disturbing:

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Related: a Chrome extension that broadcasts URLs over audio.

Linux How-Tos and Linux Tutorials: Neverware’s CloudReady Brings a Chromium-Fueled Chromebook OS to Standard Hardware

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

cloudready installationI have been a Chromebook user for a while now. I find their ease of use, simplicity, and reliability something that is unmatched by most standard laptops or desktops. As someone who spends a vast amount of their PC time writing words, Chrome OS makes perfect sense. The added bonus of Chrome OS being powered by the Linux kernel makes it all the better.

Point in fact… I like the Chrome OS platform so much, I became the proud owner of a Pixel—probably the single most amazing piece of mobile hardware I have ever experienced. But not everyone wants to shell out the cash for such a machine. In fact, some would rather make use of the hardware they already have.

That’s where the likes of Neverware’s CloudReady comes into play. However, this relatively new platform isn’t just a tinker’s toy. Yes, the claim that CloudReady will turn any hardware into a Chromebook is spot on. However, CloudReady isn’t just for individual users. Neverware is putting this platform to good use for educators, individuals, and even enterprises. That Neverware is taking on the educational system is telling. Primary and secondary school systems across the globe are staring down financial burdens that don’t allow them to purchase new hardware or operating systems. By allowing those same institutions to repurpose aging hardware and turn them into efficient, reliable machines, educators are able to squeeze far more out of less.

CloudReady has already found major success in over 100 U.S. school districts with thousands of deployments.

But before you make the connection between your educational district and Neverware, you probably will want to kick the tires first. Or maybe you’re a single user that wants to take an aging piece of hardware and get a bit more use of it. Or… maybe you love the idea of having a Pixel-like machine, but don’t want to shell out the premium for the hardware (and you happen to have an ultrabook lying around, ready to take on the task).

Regardless of why, CloudReady is there to serve. It’s incredibly easy to install and even easier to use. For those individuals who want to run a Chromium-based Chrome OS-like platform on standard hardware (or educators/enterprise users who want to kick the tires and see if it’s the right fit), here’s what you’ll need:

  • Laptop or desktop machine (NOTE: There are over 125 certified models, guaranteed to run CloudReady, listed here*)

  • A USB flash drive of 5 Gb or greater capacity (NOTE: All contents of the USB drive will be erased…so make sure you have all data backed up)

  • The CloudReady free image (download link)

  • A Google account

  • Either a Chromebook running Chrome OS or a machine running Linux. 

*I successfully installed CloudReady on a Sony Vaio, which is not listed in the certified hardware. Chances are, CloudReady will run on your machine. The good news is you can fire it up and run it live, so it’s pretty easy to tell if it will work on your configuration.

Copying the image

There are two ways to copy the CloudReady image onto your USB drive:

Since we’re coming at this from a Linux perspective, let’s copy the image to the flash driving using the dd command. Here are the steps: 

  1. Download the CloudReady image and save it to your ~/Downloads directory

  2. Open a terminal window

  3. Change into the ~/Downloads directory with the command cd ~/Downloads

  4. Unzip the image with the command unzip cloudready-free-XXX.bin.zip (Where XXX is the release number) 

  5. Plug in your USB device

  6. Issue the command sudo fdisk -l to determine the device name of your USB (It will be listed as /dev/sdX where X is the unique identifier)

  7. DOUBLE CHECK THE ABOVE, ELSE YOU COULD ERASE THE WRONG DEVICE

  8. Once you are certain you have the correct device, issue the command sudo dd if=cloudready.bin of=/dev/sdX bs=4M (Where X is the identifier for your USB drive) 

  9. Wait for the command to complete

  10. Unmount the device when the copy completes.

NOTE: If you are using a Linux distribution that doesn’t require sudo, you will have to su to the root user and then issue the dd command, minus sudo. You now have a bootable USB drive, ready to fire up CloudReady.

Installing CloudReady

When you boot your system with the CloudReady USB flash drive, you will first find yourself staring at a very Google-like network connection tool. Connect to your network and then, when prompted, log into your Google account on the CloudReady desktop. What you need to do, while logged in, is check to make sure everything works (video, sound, bluetooth, etc). Once you’ve discerned if the hardware works, log out and then click the system tray. You should now see an entry labelled Install CloudReady (Figure A, above). Click that and the installation will begin. If you attempt to install CloudReady while logged into your Google account, the install will fail.

The installation should take roughly twenty(ish) minutes (depending upon your hardware). Once it is complete, the machine will automatically shut down. Remove the USB device and boot the machine. You should then be prompted to log into your CloudReady device and enjoy the full-blown Chrome OS experience, thanks to Neverware and Chromium (Figure B).

cloudready desktop

At this point, everything will behave exactly as you would expect from a Chromebook. You can also take the USB drive with you and always have a CloudReady desktop ready to boot.

So long as you don’t expect Chromebook-like boot times, you will find the CloudReady experience to be a fantastic replica of the official Google Chrome OS. This is, without a doubt, the closest take on Chrome OS, for standard hardware, that you will ever experience. If you want a Chrome OS platform for your aging laptops and desktops, CloudReady is what you want. And any educational institution looking to keep hardware relevant for as long as possible, this might well be the solution you need.

Krebs on Security: Critical Fixes for Windows, Adobe Flash Player

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in a month, Adobe has issued an update to plug security holes in its Flash Player software. The update came on Patch Tuesday, when Microsoft released a dozen patches to fix dozens of vulnerabilities in Windows, Internet Explorer, Skype and other software.

brokenwindowsOne-quarter of the patches from Microsoft address flaws that the company labels “critical,” meaning they can be exploited by malware or malcontents to break into vulnerable systems with no help from users. Four of the bulletins address vulnerabilities that were publicly disclosed prior to Patch Tuesday, meaning malicious hackers had a head start in figuring out how to exploit those weaknesses.

Top of the priority list among these 12 patches should probably be the one for Internet Explorer, which fixes more than two dozen flaws in IE, nearly all of them critical, browse-to-a-hacked-site-and-get-owned flaws. Another patch, MS15-113, fixes critical budgets in Microsoft’s Edge Browser, its intended replacement for IE. Also of note is a Microsoft Office patch that addresses seven flaws.

This month also includes a patch for .NET, a program that past experience has taught me to patch separately. If you use Windows and Windows Update says you have patches available for .NET, consider unchecking those updates until you’ve applied the rest released on Tuesday. Reboot and install any available .NET updates.

Separately, Adobe issued a patch for its Flash Player software that fixes at least 17 vulnerabilities in the program and in Adobe AIR. Adobe says it is not aware of any exploits in the wild for issues addressed in this update, but readers should seriously consider whether having Flash installed and/or enabled in the browser is worth the risk. 

brokenflash-aNew analysis from Recorded Future shows that Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015. Exploit kits are crimeware packages meant to be stitched into the fabric of hacked Web sites; when a visitor arrives with outdated browser plugins, that visitor’s computer is silently seeded with malware. Eighty percent of the time, these kits are checking for browsers that aren’t up to date with Flash patches.

As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update (version 19.0.0.245 is the latest for Mac and Windows systems), the most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

SANS Internet Storm Center, InfoCON: green: This Article is Brought to You By the Letter , (Fri, Oct 30th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Recently, I managed to register the domain name comindex.jp. This domain name uses thejapanese character, which looks somewhat like aslash typically used at the end of the domain name. As a result, an unsuspecting user may mistake the host name example.comindex.jp for the index.jp page at example.com.

International domain names and lookalikesare nothing new. As a result, registrars as well as browsers implemented various safeguards. But even with these safeguards, it is still possible to come up with creative domain names. Even without international characters, we do see typo squatting domains like rnicrosoft (this is r and n instead of m). There are a number of tools available that are trying to find all look alike domains. For example,Domaintoolsprovides a simple online tool [1]. Some companies attempt to register all look-alike domains. But a domain like comindex.jpcould be used to impersonate arbitrary .com domain names.

The DNS protocol does not understand anything but plain ASCII. To encodeIDNs, punycode is used.Punycodeencoded domain names start with xn--, followed by all the ASCII letters in the domain name, followed by a dash and the international letters in an encoded format. For example, my domain encodes toxn--comindex-634g.jp. To mitigate the risks ofIDNs, some browsers usepunycodeto display the domain name if they consider it invalid.

Punycodeand other related standards are described in a document commonly referred to asIDNA2008(International Domain Names for Applications, 2008) and this document is reflected in RFC 5890-5895. You may still find references to an earlier version inRFCs3490-3492. TheRFCsmention some of the character confusion issues, but for the most part, refer to registrars to apply appropriate policies.

Similarly, there is no clear standard for browsers. Different browsers implementIDNsdifferently.

Safari: Safarirednersmost international characters with few exceptions. For examplecyrillicandgreekcharacters are excluded as they are particularly easily confused with English characters[2]

Firefox: Firefox maintains awhitelistof top level domains for which it will render international characters. See about:config for details. .com is not on thewhitelistby default, but .org is. Country levelTLDsare on thewhitelist.

Chrome: Chromes policy is a bit more granular [3].

Internet Explorer: Similar to chrome. Also, international characters are only supported if the respective language support is enabled in Windows [4]. The document on Microsofts MSDN website was written for Internet Explorer 7, but still appears to remain valid.

Microsoft Edge: I couldnt find any details about Microsoft Edge, but it appears to follow Internet Explorers policy.

And finally here is a quick matrix what I found users reporting with my test URL:

Chrome: displayspunycode.
Firefox: displays Unicode
Safari: displays Unicode (users of Safari on OS X 10.10 report seeingpunycode)
Opera: only a small number of Opera users participated, most reporting Unicode.
Internet Explorer: displayspunycode

Mobile browsers behave just like the desktop version. E.g. Google Chrome on Android does not display Unicode, but Safari on iOS does.

For summaries of Unicode security issues, also seehttp://unicode.org/faq/security.html andhttps://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode(among other OWASP documents)

[1]http://research.domaintools.com/buy/domain-typo-finder
[2]https://support.apple.com/kb/TA22996?locale=en_USviewlocale=en_US
[3]https://www.chromium.org/developers/design-documents/idn-in-google-chrome
[4]http://msdn.microsoft.com/en-us/library/bb250505(VS.85).aspx

NB: Sorry for any RSS feeds that the title may break.


Johannes B.Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: KickassTorrents Blocked Again Over “Harmful Programs”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

kickasstorrents_500x500Starting a few hours ago Chrome and Firefox began blocking user access to KickassTorrents (KAT) again.

Google’s safebrowsing algorithm flagged the website under its ‘unwanted software’ program, which is often triggered by malicious third-party advertising.

Instead of the usual homepage, visitors now see an ominous red warning banner when they enter Kat.cr into their browsers.

“The site ahead contains harmful programs,” Google Chrome informs its users.

“Attackers on kat.cr might attempt to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit),” the warning adds.

Mozilla’s Firefox browser displays a similar message

harm

Google previously said that the “unwanted software” policy applies to all websites but added that torrent sites are common targets for ‘unwanted software’ distributors.

The company further stressed that the warnings will automatically disappear when the flagged sites no longer violate Google’s policy.

According to Kat.cr’s safebrowsing page “attackers” might use the torrent site to trick visitors into installing programs that harm their browsing experience. In addition, KAT is believed to link to “dangerous websites.”

Kat.cr’s Safe Browsing diagnostics page
katdiagharm

TF asked the KAT team for a comment and they informed us that this time the block may be a false positive. In any case, they are working hard to address the malware issues.

“We are working on the malware detection system and soon hope to get rid of the problem permanently,” the KAT teams says.

Two weeks ago, when the site was also flagged, the operators were also quick to remove the malicious advertiser. Despite the swift response, it took more than two days before the site was unblocked on both Firefox and Chrome.

Impatient or adventurous users who want to bypass the warning can do so by clicking the details link, or by disabling their browser’s malware warnings altogether, at their own risk.

Update October 27: The problem still hasn’t been fully resolved. Sometimes the site is accessible for a few hours, just to be blacklisted again.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Krebs on Security: Flash, Java Patches Fix Critical Holes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software. Separately, Oracle today released an update to plug more than two-dozen flaws in its Java software. Both programs plug directly into the browser and are highly targeted by malicious software and malefactors. Although Flash and Java are both widely installed, most users could probably ditch each program with little to no inconvenience or regret.

brokenflash-aThe latest Flash version, Flash 19.0.0.226 on Windows and Mac, fixes a flaw that Adobe warned last week was already being exploited in active attacks. As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

JAVA

Separately, Oracle has released its quarterly patch update for Java, another powerful browser plugin that also is heavily targeted by malware and ne’er-do-wells. This update for Java — which brings the program to Java 8 Update 65 — fixes at least 25 security vulnerabilities. According to Oracle, all but one of those flaws may be remotely exploitable without authentication, meaning they can be exploited over a network without the need for a username and password.

javamessIf you have Java installed, please update it as soon as possible. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

SANS Internet Storm Center, InfoCON: green: When encoding saves the day, (Tue, Oct 20th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Out of most penetration tests I do, XSS vulnerabilities are still probably the most common ones we encounter (if I dont count missing Secure and HttpOnly flags on cookies :)).

Even web application vulnerability scanners have become increasingly successful in finding XSS vulnerabilities so the next question (besides why do we still see them) is related to their exploitation.

I recently encountered a simple, but interesting XSS vulnerability, which demonstrated yet again how standardization is important. So, lets see what this is about.
The vulnerability in question is a very simple reflected XSS vulnerability where contents of a user supplied parameter from a GET HTTP request are copied directly into the resulting HTML.

However, there was a simple catch “>…
form action=”>/myform/action/post id=myform method=post name=myform”>…

The contents of the injected parameter are highlighted in the HTML code shown above (also there should be at the beginning and “>…
form id=myform action=”>/myform/action/post?myparam=123 method=post name=myform

Ok hopefully all of you see where this is going to. If we insert the character we will close the action parameter and are practically free to do whatever we want. If we can insert the character its game over.

The vulnerability shown is very simple and in most cases even web application vulnerability scanners will detect is as such.

So whats the story here you might ask? Well, the tricky thing is in getting the victim to click on a link which will exploit the vulnerability. Remember how we need to send the “>http://www.vulnerable.application/myform/action/post?myparam=”>GET /myform/action/post?myparam=%20Test

Say whaat (insert image from Anchorman 2 here)? Interesting! So, in other words, Internet Explorer is the only browser (of those three I tested) that will not encode the characters. This effectively allows the attacker to launch a reflected XSS attack against Internet Explorer users, while those using Mozilla Firefox and Google Chrome will be safe(r)! (so Internet Explorer is indeed less secure .. /me ducks).

Jokes aside, why is this happening? In order to dig that out we need to check URI syntax, which is specified in RFC 3986 (https://tools.ietf.org/html/rfc3986). The RFC splits characters into several groups: unreserved characters ( ALPHA / DIGIT / – / . / _ / ~ ), reserved characters ( : / / / ? / # / [ / ] / @ and ! / $ / / / ( / ) / * / + / , / / =) and all the others.

We can see that , and are in neither of the lists above! However, the RFC says the following:

then only those octets that do not correspond to characters in the unreserved set should be percent-encoded.

One would probably read this as the following: *everything* apart from unreserved characters should be encoded. However, while reading the RFC I missed what really a new URI scheme is?

In any case, it looks as Internet Explorer developers decided that they will strictly encode only reserved characters (plus some extras), but they left couple of important ones such as , and .

I had a lively discussion with my colleague Marin about reporting such vulnerabilities in penetration tests. Our conclusion was to always report it (of course), even though exploitability might be more or less difficult (or even impractical) with some browsers the underlying vulnerability is still here and should be fixed.

How does your browser behave? Let us know!


Bojan
@bojanz
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: Ongoing Flash Vulnerabilities, (Thu, Oct 15th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

We got a number readers asking about the ongoing issues with Flash. Adobe released its regularly monthly update for Flash on Tuesday. With this update, you should be running Flash 19.0.0.207. However, on Wednesday, Adobe published a security bulletin that a new, so far unpatched, vulnerability (CVE-2015-7645)is being exploited. Adobe is currently talking about targeted and limited attacks.

Sometime next week, an update to Flash will be released to address this vulnerability.

So what should you do and what does this all mean?

Next weeks patch is unlikely to change the fact that there are a large number of so far unpublished vulnerabilities in Flash. It appears that some groups exploiting these vulnerabilities are able to find these vulnerabilities faster then Adobe is willing to patch them. Even after Adobe releases a patch next week, there will likely be new vulnerabilities that will be used starting as soon as the patch will be released. So really, one more patch wont fundamentally change anything.

What should you do?

If possible uninstall Flash. If you can not uninstall it, at least make sure that your browser does not automatically launch Flash applets. This Click to Run behavior should be enabled for all plugins that support it (e.g. Java).

Here are some quick tipson how to enable click-to-run:

Firefox: It should be enabled by default. Check the plugins.click_to_play setting in about:config to make sure it is enabled.

Internet Explorer: Click the gear icon and select Manage Add-ons. For the Shockwave Flash Object, select More Information. By default, all sites are approved due to the wildcard * in the approved site box. Delete it.

Google Chrome: In chrome://settings click on Show advanced settings… at the bottom fo the page. Click on the Content Settings button under Privacy and select Let me choose when to run plugin content under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins.

Safari: Check the Security tab in preferences. Under Plugin Settings you can enabled/disable individual plugins.

[1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft on Tuesday each released security updates to remedy critical vulnerabilities in their software. Adobe pushed patches to plug at least 56 security holes present in Adobe Reader and Acrobat, as well as a fix for Flash Player that corrects 13 flaws. Separately, Microsoft issued six update bundles to address at least 33 security problems in various versions of Windows, Microsoft Office and other software.

Three of the patches Microsoft issued earned the company’s most dire “critical” rating, meaning they could be exploited by hackers or malware to take complete control over vulnerable systems without any help from users. According to security firm Shavlik, four of the flaws involve vulnerabilities that were publicly disclosed by someone other than Microsoft prior to this week. The implication here is that malware writers may have had a head start figuring out ways to exploit several of these flaws, so it’s probably best not to let too much grass grow under your feet before applying this month’s updates.

As per usual, the largest number of flaws addressed in a single patch from Microsoft target multiple versions of Internet Explorer, the default browser on Windows — as well as Microsoft Edge, Redmond’s replacement browser for IE. Other critical fixes concern the Windows operating system and Office.

brokenflash-aAs it usually does on Patch Tuesday, Adobe pushed a critical update for its ubiquitous Flash Player software that plugs multiple flaws. Find out if you have Flash installed and its current version number by visiting this page.

If you use and need Flash Player, it’s time to update the program (the latest version is19.0.0.207 for Windows and Mac users). Google Chrome and Internet Explorer bundle their own versions of Flash (also now at v. 19.0.0.185); each should auto-update to the latest.

Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash content gets to load when you visit a Web page.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

There is also a security update available for Adobe AIR. If you use this program, please take a moment today to patch it. AIR should prompt you to update to the latest version if you launch an application the requires AIR, such as Pandora.

Finally, Adobe issued a fairly substantial fix for Adobe Reader and Acrobat that fixes more than four dozen vulnerabilities in these programs. For more on the latest versions and download link, check out Adobe’s security advisory.

TorrentFreak: Chrome and Firefox Block KickassTorrents Over “Harmful Programs”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

kickasstorrents_500x500Starting a few hours ago Chrome and Firefox users are unable to access KickassTorrents (KAT) directly.

Instead of a page filled with the latest torrents, visitors now see an ominous red warning banner when they visit Kat.cr.

“The site ahead contains harmful programs,” Google Chrome informs its users.

“Attackers on kat.cr might attempt to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit),” the warning adds.

Mozilla’s Firefox browser displays a similar message

harm

The warning messages are triggered by Google’s “Unwanted Software” scanner which flags websites that pose a potential danger to visitors. Chrome and Firefox both use the service to prevent users from running into malicious software.

The policy applies to all websites but torrent sites are common targets of ‘unwanted software’ distributors, according to Google.

The company further stresses that the warnings will automatically disappear when the flagged sites no longer violate Google’s policy.

Kat.cr’s Safe Browsing diagnostics page
katmalware

This is not the first time that the red warning banner has shown up at Kat.cr. The same happened a few months ago and at the time several other large torrent sites were also affected.

Coincidentally, KAT’s operators just issued a warning to avoid malicious copycat sites, which only adds to the confusion. This warning is unrelated to the alert triggered by Google.

Previously, the Chrome and Firefox warnings did indeed disappear after the affected websites disabled certain advertisements, so it’s likely that the current issue will also be resolved in due time.

Impatient or adventurous users who want to bypass the warning can do so by clicking the details link, or disable their browser’s malware warnings altogether, at their own risk.

Update: The KAT team informs us that the bad advertiser has been removed, so the warning should disappear after Google reviews it.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

AWS Official Blog: Amazon WorkSpaces Update – BYOL, Chromebooks, Encryption

This post was syndicated from: AWS Official Blog and was written by: Jeff Barr. Original post: at AWS Official Blog

As I have noted in the past, I am a huge fan and devoted user of Amazon WorkSpaces. In fact, every blog post that I have written and illustrated over the last 6 or 7 months has been written on my WorkSpace. The most recent set of AWS podcasts were edited on the same WorkSpace.

Several months ago the hard drive in my laptop crashed and was replaced. In the past, I would have spent several hours installing and customizing my apps and my environment. All of my work in progress is stored in Amazon WorkDocs, so that aspect of the recovery would have been painless. At this point, the only truly personal items on my laptop are the 12-character registration code for my WorkSpace and my hard-won set of stickers. My laptop has become little more than a generic display and I/O device (with some awesome stickers).

I have three pieces of good news for Amazon WorkSpaces users:

  1. You can now bring your Windows 7 Desktop license to Amazon WorkSpaces.
  2. There’s a new Amazon WorkSpaces Client App for Chromebook.
  3. The storage volumes used by WorkSpaces (both root and user) can now be encrypted.

Bring Your Windows 7 Desktop License to Amazon WorkSpaces (BYOL)
You can now bring your existing Windows 7 Desktop license to Amazon WorkSpaces and run the Windows 7 Desktop OS on hardware that is physically dedicated to you. This new option entitles you to a discount of $4.00 per month per WorkSpace (a savings of up to 16%) and also allows you to use the same Windows 7 Desktop golden image on-premises and the AWS cloud. The newly launched images can be activated using new or existing Microsoft activation servers running in your VPC, or that can be reached from your VPC.

To take advantage of this option, at a minimum your organization must have an active Enterprise Agreement (EA) with Microsoft and you must commit to running at least 200 WorkSpaces in a given AWS region each month. To learn more, take a look at the WorkSpaces FAQ.

In order to ensure that you have adequate dedicated capacity allocated to your account and to get started with BYOL, please reach out to your AWS account manager or sales representative or create a Technical Support case with Amazon WorkSpaces.

New Amazon WorkSpaces Client App for Chromebook
Today we are making Amazon WorkSpaces even more flexible and accessible by adding support for the Google Chromebook. These low-cost “thin client” laptops are simple and easy to manage. They run Chrome OS and were designed specifically for internet users. This makes them a great match for Amazon WorkSpaces because you can access your cloud desktops, your productivity apps, and your corporate network from devices that are simple to manage, secure, and available at a low cost.

The newest Amazon WorkSpaces client app runs on Chromebooks (version 45 of Chrome OS and newer) with ARM and Intel chipsets, and supports both touch and non-touch devices.  You can download the WorkSpaces client for Chromebook now and install it on your Chromebook today.

The Amazon WorkSpaces client app is also available for Mac OS X, iPad, Windows, Android Tablet, and Fire Tablet environments.

Encrypted Storage Volumes Using KMS
Amazon WorkSpaces enables you to deliver a high quality desktop experience to your end-users and can also help you to address regulatory requirements or to conform to organizational security policies.

Today we are announcing an additional security option: encryption for WorkSpaces data in motion and at rest (this includes the disk volume and the snapshots associated with it). The WorkSpaces administrator now has the option to encrypt the C: and D: drives as part of the launch and configuration process for each newly created WorkSpace.  This encryption is performed using a customer master key (CMK) stored in AWS Key Management Service (KMS).

Encryption is supported for all types of Amazon WorkSpace bundles including custom bundles created within your organization, but must be set up when the WorkSpace is created (encrypting an existing WorkSpace is not supported). Each customer master key from KMS can be used to encrypt up to 30 WorkSpaces.

Launching a WorkSpace with an encrypted root volume can take additional time. Once launched, you can expect to see a minimal impact on latency or IOPS. Here is how you (or your WorkSpaces administrator) choose the volumes to be encrypted along with the KMS key at launch time:

The encryption status of each WorkSpace is also visible from within the WorkSpaces Console:

There’s no charge for the encryption feature, but you will pay the standard KMS charges for any keys that you create.

Jeff;

PS – Before you ask, I am planning to ditch my laptop in favor of a Chromebook immediately after AWS re:Invent!

SANS Internet Storm Center, InfoCON: green: TLS Everywhere: Upgrade Insecurity Requests Header, (Tue, Sep 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

TLS (I still have to get used to saying TLS instead of SSL) everywhere is a goal many sites attempt to achieve. There are however issues if you try to convert an existing site to all SSL. Many legacy pages may refer to resources by the full URL using the http protocol. For example, we keep finding image tags in old diarieson our site from timethat are still pointing to http.

Having a mix of secure and insecure content can be a problem. An attacker could manipulate the insecure content, and with that, affect the content the browser loaded securely. Rightfully so, browsers have become more picky when it comes to mixed content, and stopped displaying or executing some mixed content.

After you convert your site to https only, the first thing to do to reduce the impact of legacy http links is adding the String Transport Security header (HSTS). This header will let browsers know that your site is only valid via https, and browsers will refuse to connect to your site via http going forward [RFC6797].

HSTS does however not help if the browser comes across a page including insecure content. The warning regarding insecure content will still be displayed. A new technique, Upgrade Insecure Requests can be used instead.

All this is made possible by Content Security Policies (CSP). A new standard [1] defines a upgrade-insecure-requests option that will instruct the browser to rewrite all references for insecure content to https. This way, the mixed content warning will no longer be displayed.

The advantage of this method is that you do not have to update the content of the pages. If you run a site with thousands of legacy pages (like us), it can be difficult to find and fix every last image and script reference. Instead, we let the browser handle it and all we have to do is to add the header to our server configuration.

To enable this feature, add the Content-Security-Policy: upgrade-insecure-requests header,or ameta http-equiv=Content-Security-Policy content=upgrade-insecure-requests meta tag. As an added bonus, if a reporting URL has been defined for the CSP violation, it will be reported to the site and remaining insecure content can be eliminated. The header of course should not prevent you from cleaning up your site.

According to caniuseit.com, this option is currently supported in Chrome and Opera with support in Firefox coming[2]. It is marked as under consideration for Internet Explorer.

Thanks to Caleb for alerting me about this new option. Caleb also collect HTTP headers as a hobby athttps://securityheaders.com .

[1]http://www.w3.org/TR/upgrade-insecure-requests/
[2]http://caniuse.com/#feat=upgradeinsecurerequests


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe Flash Patch, Plus Shockwave Shocker

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe has released a critical software update to fix nearly two-dozen security holes in its Flash Player browser plugin. Separately, I want to take a moment to encourage users who have Adobe Shockwave Player installed to finally junk this program; turns out Shockwave — which comes with its own version of Flash — is still many versions behind in bundling the latest Flash fixes.

brokenflash-aIf you use and need Flash Player, it’s time to update the program (the latest version is 19.0.0.185 for Windows and Mac users). Google Chrome and Internet Explorer bundle their own versions of Flash (also now at v. 19.0.0.185); each should auto-update to the latest. Find out if you have Flash installed and its current version number by visiting this page.

Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

SHOCKWAVE SHOCKER

In other Adobe patch news, on Sept. 8, 2015 I urged readers who have the Shockwave media player installed to update to the latest version or else junk the program altogether. In an post more than a year ago, I outlined Why You Should Ditch Adobe Shockwave, noting that the program bundles a component of Adobe Flash that was more than 15 months behind on security updates.

shockwaveI checked back with Adobe last week to find out whether the version of Shockwave that the company released earlier this month is caught up on Flash flaws. Turns out, it’s still woefully behind. The version of Shockwave released just two weeks ago bundles the Flash runtime 16.0.0.305, a version of Flash that Adobe released in February 2015.

Translation: The version of Shockwave that Adobe released two weeks ago lacks fixes for a whopping 155 vulnerabilities in Flash that can be used to backdoor virtually any computer running it! Included in those missing fixes are patches for a half-dozen Flash flaws that were being actively exploited at the time they were fixed in Flash Player.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.

Linux How-Tos and Linux Tutorials: How To Convert Media Files in Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

swap-1-vlcOnce in a while, you need to convert media from one format to another, even in a cloud-centric world where everything is a “stream.” There can be different reasons for doing so. In most cases, I have to convert videos that I shoot or purchase so that I can play them on my mobile devices or other players, which support only certain formats.

Converting media files or transcoding is extremely easy in Linux, thanks to many open source projects.

Transcoding Videos

I have a heterogeneous environment at home, a mix of Mac OS X, Linux desktops, Chrome OS devices, Android phones and tablets, Yamaha music system, and car infotainment. So, I always convert my videos in a format that is supported on all these platforms and, in most cases, the supported format is .mp4.

There are two ways you can convert your videos to mp4: either using a less-known feature of VLC or with the standalone app Handbrake.

Use VLC to Convert Videos

VLC is known as the media playback Swiss army knife because it can play virtually every media format out there. However, many features of VLC are less known, and transcoding is one of them.

To get started, open VLC and, from the main menu, choose Media > Convert/Save (see Figure 1 above).

Then, click on the Add button and browse the video file that you want to transcode. Click on the Convert/Save button at the bottom and it will open another window. Here you will see the source file, and under Settings, you can choose what format do you want to convert it into.

You can also click on the wrench/screwdriver icon, which will allow you to fine-tune your transcoding as you can choose the appropriate container, codecs for your video (Figure 2).

swap-4-vlc

If you are transcoding for a particular device or platform, for example YouTube, you can choose appropriate format from the drop-down menu (Figure 3)

swap-5-vlcOnce you have chosen the desired output format, it’s time to choose the destination. Click on the Browse button and choose the location where you want the converted file to be saved. At this point, you need to give a name to the file you are going to convert. (I wish it used the current name of the file.) Give it a name and then click on Save.

Once everything looks good, hit the Start button and VLC will start transcoding your video.

Handbrake for Batch Transcoding

Although VLC does an excellent job of transcoding, Handbrake is the open source app that was created just to do this. And, it can also do batch conversion. If you are on an Ubuntu-based system, you need to install two packages in order to get .mp4 support. Add the handbrake repository to your system and install those packages:

sudo add-apt-repository ppa:stebbins/handbrake-git-snapshots
sudo apt-get update
sudo apt-get install handbrake-cli handbrake-gtk

Open Handbrake and click on Source. Then, select the file you want to convert; once it’s loaded, click on the Enqueue button, and it will add the file to the queue. Click on Source again, select the next file, and add it to the queue. Repeat the process to add all the files that you want to convert (Figure 4).

swap-7-handbrakeAlternatively, if you want to make it easier, create a folder and copy all the files that you want to convert into that folder. Then select that entire folder — instead of a file — from Source. Once Handbrake scans all files, click on Queue from main menu and choose Add Multiple. Handbrake will then add all the files from that directory to the conversion queue.

Once all the files are added to the queue, choose the desired output format from the Preset List. You can further fine-tune it by adjusting the settings from the options on the main window.

Next, choose the destination for the exported/converted files. If everything looks good, go ahead and start conversion either from Queue > Start Queue or by hitting the Start button.

Handbrake will start converting your files (Figure 5).

swap-10-handbrake

Audio Conversion with Sound Converter

swap-13-lf-soundVLC can convert audio files as well, just follow the instructions above and choose audio files instead of videos files. But if you are looking for batch processing or a simpler app, then you can install the Sound Converter application on your Linux box; it’s available in the main repo of major distributions. The app has a very simple interface.

If you want to convert only one audio track, choose Add File, if you have more than one file, then choose Add Folder option.

Once all files are added, click on Preferences and change the destination in the Where to place results option. You can also choose how to rename files (if you want to).

The third and the most important option is output format. Most players support .mp3 format, so that’s the one I would prefer. Adjust the bitrate and quality, if you want to, and close the window (Figure 6).

swap-14-soundYou will see the list of all the files you added; select them all and click on Convert; Sound Convert will transcode all your files in the desired audio format.

One of the greatest features of Sound Converter is that it can also “extract” audio from video files. So, if you need to rip just the audio, this is the app for you. Just add the video files and convert them to the desired audio format. As you can see in Figure 7, there are three video files that I am converting to audio files.

That’s pretty much what you need to convert media in Linux. It’s Linux, so there’s more than three ways to do it; tell us how do you do it.

Krebs on Security: Microsoft Pushes a Dozen Security Updates

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system. Five of the patches fix flaws that could get PCs compromised with little to no help from users, and five of the bulletins have vulnerabilities that were publicly disclosed before today (including one that reportedly has been detected in exploits in the wild). Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.

brokenwindowsAccording to security firm Shavlik, the patches that address flaws which have already been publicly disclosed include a large Internet Explorer (IE) update that corrects 17 flaws and a fix for Microsoft Edge, Redmond’s flagship replacement browser for IE; both address this bug, among others.

A critical fix for a Windows graphics component addresses flaws that previously showed up in two public disclosures, one of which Shavlik says is currently being exploited in the wild (CVE-2015-2546).  The 100th patch that Microsoft has issued so far this year — a salve for Windows Media Player – fixes two different vulnerabilities that were publicly disclosed before today (CVE-2015-2509 and CVE-2015-2504).

In other important patch news today, Adobe has released a security update for its Shockwave Player browser plugin. If you need this program, then update it; the latest version is v. 12.2.0.162. But in my experience, most users don’t need it and are better off without it. For more on what I say that, see Why You Should Ditch Adobe Shockwave.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.

SANS Internet Storm Center, InfoCON: green: A Close Look at PayPal Overpayment Scams That Target Craigslist Sellers, (Tue, Sep 8th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

My hope is that when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off. With this in mind, Id like to describe my recent interactions with miscreants who target sellers on Craigslist. Perhaps the details Ive gathered about the scammers operation will help curtail such activities.This encounter, which involved SMS messages, emails and a click, is a variation of a PayPal-themed overpayment scam that has been quite prolific in the recent years.

Working in a very rural area”>The text message from 731-907-0226 arrived in response to my Craigslist post that advertised a furniture item for sale. Text me back at (7312777303 if you still have it, am interested. Text only”>My name is Rick Smith. I am buying this as a surprise,I work with Turner Construction,we are currently working at a very rural area which makes it very hard for me to make phone calls. I have a Mover who will come for the pickup, I will be making the payment via PayPal that is the only payment option.”>This message achieved two critical objectives for the scammer. First, the person began crafting a story that will later provide an excuse for asking the victim to wire funds to a third party. In addition, the scammer was establishing a reason why he could interact with me using voice calls. The supposed buyer was claiming to be in an area where voice calls didnt work. In another variation of a Craigslist-originating scam, scammers used the excuse of being on active”>The scammer also requested my email address, so he could send me payment. He insisted that PayPal was the only payment method he could accommodate. As is common in schemes that target Craigslist users, the scammer didn”>The scammers phone numbers above were associated with the VoIP company Bandwidth.com, which makes its virtual numbers available to other providers, such as Google Voice according to Phone Validator.

You are required to send the $680.00″>Please check your email for the notification and instructions,but if you dont get the notification in your inbox please check the spam. PayPal must have sent you some emails by now, I think you need to follow some steps. please check both spam/junk and inbox and get back to me ASAP.”>Indeed, my Hotmail inbox included a message with the subject Notification Of An Instant Payment From Rick Smith(brwnsmith20@gmail.com) x-hmca=none header.id=Email.transactionverifier@consultant.comX-SID-PRA: Email.transactionverifier@consultant.comSender: joylove270@gmail.comFrom: Service@PayPal.com email.transactionverifier@consultant.comDate: Sun, 30 Aug 2015 19:20:59 +0100Subject: Notification Of An Instant Payment From Rick Smith(brwnsmith20@gmail.com)”>All emails”>The notice listed the buyer”>Rick Smith has made his intentions known to PayPal that he will like $680.00 USD to be sent to the recipients address below.You are required to send the $680.00 USD via Money Gram Money Transfer.”>This was a setup for the overpayment scam, in which victims are persuaded to pay a third-party on behalf of the miscreant.

We are working with Money Gram on this transaction.”>Despite the (fake) email confirmation of payment, no funds were actually deposited into the PayPal account I set up for such interactions. When I asked the buyer”>As per the e-mail PayPal sent to me which is also similar to yours which i hope you receive, you will have to pay an upfront payment out of your pocket via Money Gram to the address given to you, and you will be given the information which is the Reference Number you will email to PayPal by replying to the confirmation mail from them regarding the details you have from Money Gram, you will receive the whole money in your account without any delay.”>The fake PayPal message in my inbox clarified that I might not see the funds in my PayPal account until I sent money to the buyer”>The money has now been deducted from the buyers account and is ready to be deposited into your PayPal account. Please reply this email directly with the Information needed from you. While funds are pending, the money belongs to you but is not available to spend or withdraw.”>My name is Mellisa and it is my pleasure to assist you in regards to the transaction between you and Rick Smith. We cannot credit your account until you send us the transfer details, but I am very happy to be assigned to tell you that the transaction is 100% secure and legitimate, we want to use this medium to tell you once again that the amount of $1,680.00 USD has been made to your account by Rick Smith.”>Go to any Money Gram Outlet close to your home”>According to fake PayPals emails, I had to take one last step to complete the transaction: I had to send money via Money Gram to the buyer”>I want you to know that i added an extra fee of $680 to the total payment which i need you to help send to the agent coming for pick up and it needs to be sent via Money Gram as thats the only way they can get it. I am sorry i should have informed you but i only got the urgent message from the pick up agent that they will need the funds before they can come to pick up when i was about making the payment. […] I also added $100 the Money Gram charges.”>Though my emails to the fake PayPal account Email.transactionverifier@consultant.com went unanswered, the scammer did respond from ric.smith222@gmail.com when I asked why he couldn”>There is no money gram here to make the transfer and I tried more that 4 times making the transfer online but they keep on rejecting my card.”>So, to receive payment for the item I was selling, I had to first send irrevocable funds to someone in Pennsylvania. In this case, the scammer requested funds via MoneyGram. Other variations of the scam that Ive seen asked the victim to transfer funds using Western Union.”>Surf anonymously”>Curious whether I could gather any information about the scammer, I emailed him (or her) a link to a benign image that resided on my temporary web server. In my email message to the scammer I asked for help making sense of MoneyGram”>
GET /images/screenshot15.jpg HTTP/1.1Host: 104.131.115.41Connection: keep-aliveq=0.8Upgrade-Insecure-Requests: 1 WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Accept-Encoding: gzip, deflate, sdchq=0.8″>The connection came from 208.31.49.29. This IP is on a /24 subnet assigned to Kaia Global Networks in the US, on the Sprint network according to Robtex. One Wikipedia page I found indicated that this subnet hosted CyberGhost VPN exit nodes. I downloaded this provider”>Alas, the scammer was careful to obscure his origins by tunneling through the this Romania-based VPN service, which is designed protect your online privacy, surf anonymously and access blocked or censored content. According to my testing, CyberGhosts VPN doesn”>The nature of my work”>I searched the web for the artifacts exhibited by the scammer in the interactions above to assess the scope of the malevolent activities. I found a few complaints associated with the two phone numbers. They dated to 2014, possibly because these VoIP numbers were misused for other shady machinations (1, 2, 3) at the time. I saw no mention of ric.smith222@gmail.com, though joylove270@gmail.com was associated with several complaints that began in April 2014 and matched the pattern of this scam. At the time, Rick Smith”>When I pivoted my search on Rick Smith,”>2, The scammer”>The earliest mention of the activities I observed and attributed to this scammer date to January 2012. At the time, the scammer used the email address brwnsmith20@gmail.comthe same address included in the body of the fake PayPal notification email that I received. The scammers target wrote that the scammer claimed to be on active duty in the military, using that excuse to explain why he could not speak on the phone or pick up the item in person. The scammer reportedly stated, Am not available to talk through phone due to the nature of my work.”>This set of scams might be the work of a single miscreant. Its also possible that a group of scammers is using a common toolkit to prey on Craigslist sellers. Regardless, I”>For more of my articles about onlinescams, take a look atHow Victims Are Redirected to IT Support Scareware Sites“>Lenny Zeltser focuses on safeguarding customers IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Starting in September, Chrome will stop auto-playing Flash ads

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Google has announced
that, beginning September 1, Chrome will no longer auto-play
Flash-based ads in the company’s popular AdWords program. The post
frames this as a move to improve browsing performance for users, and
notes that most Flash ads are automatically converted to HTML5
already. Commenting on the news, The Register notes
that the change should also offer some additional protection against
malware delivered via Flash. Chrome will continue to auto-play Flash
content in the main body of pages, however. The Register‘s story says
the change is, in fact, just a modification of the default setting for
plugin behavior, which already supports
an option to disable plugin content not deemed “important.” Mozilla,
of course, blacklisted the Flash
plugin in July, although that action only disabled the then-current,
vulnerable release—which was subsequently updated.

TorrentFreak: Should Web Browsers Block Copyright Infringing URLs?

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

stop-blockedWith more than 150 million active users per month uTorrent is without a doubt the most popular file-sharing application.

Many people use the software to download pirated material, which worries copyright holder groups such as the RIAA.

Earlier this month the music group sent a letter to uTorrent’s parent company BitTorrent Inc. urging it to do something about this unauthorized use. Ideally, the RIAA would like infringing hashes to be banned so that users can no longer share these files.

“We are willing to establish a process to share the hashes with BitTorrent Inc. on a regular basis so that BitTorrent Inc. can use the information to deter further infringement of those files via its goods and services,” the RIAA wrote in a letter to the company.

Technically speaking it’s quite easy to block hashes. Several BitTorrent trackers already do this to keep copyright holders appeased, but thus far this has been a bridge too far for the company behind uTorrent.

BitTorrent Inc. hasn’t responded to our repeated requests for comment, but in a brief statement provided to Venturebeat the company notes that the protocol is open source, legal and that they themselves don’t host any infringing content. This is true, but the response also misses the main point.

The RIAA’s request isn’t about the protocol or the technology. It’s about adding a piracy prevention mechanism to a neutral piece of software. Should BitTorrent be obliged to do that?

Legally speaking BitTorrent Inc isn’t required to take any action. Browser developers don’t have to block infringing URLs either, even though hundreds of millions of people use their software to download or stream pirated content.

However, the RIAA’s letter shows that the music group is trying to shift this obvious boundary, and they are not only focusing on BitTorrent.

TF has learned that the RIAA and MPAA are pushing for automated pirate site blocking/warning technology. Outright takedown requests to browser vendors are not going to happen anytime soon, but subtle changes may appear.

The RIAA previously noted that it would like Google to expand Chrome’s malware warning system to cover pirate sites. This would mean that users see a red warning screen when they attempt to visit known piracy sites.

For its part the MPAA is actively lobbying for “site scoring” tools behind closed doors. A leaked copy of the group’s anti-piracy strategies lists site scoring services, which identify pirate sites, as a high priority.

The Hollywood group writes that these pirate site lists can then be used as a blocking tool by advertisers, payment processors, domain name registrars, hosting providers and search engines. Web browsers are not mentioned specifically, but it’s not hard to imagine these also appearing on the MPAA’s wish list.

In any case, the efforts outlined above show that copyright holders would like to extend anti-piracy measures beyond traditional service providers to software vendors. Today it’s BitTorrent clients but browser vendors may be next.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Krebs on Security: Adobe, MS Push Patches, Oracle Drops Drama

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today pushed another update to seal nearly three dozen security holes in its Flash Player software. Microsoft also released 14 patch bundles, including a large number of fixes for computers running its new Windows 10 operating system. Not to be left out of Patch Tuesday, Oracle‘s chief security officer lobbed something of a conversational hand grenade into the security research community, which responded in kind and prompted Oracle to back down.

brokenflash-aAdobe’s latest patch for Flash (it has issued more than a dozen this year alone) fixes at least 34 separate security vulnerabilities in Flash and Adobe AIR. Mercifully, Adobe said this time around it is not aware of malicious hackers actively exploiting any of the flaws addressed in this release.

Adobe recommends users of Adobe Flash Player on Windows and Macintosh update to Adobe Flash Player 18.0.0.232. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.0.0.232 on Windows and Macintosh, and version 18.0.0.233 for Linux and Chrome OS.

However, I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.)

MICROSOFT

Microsoft may have just released Windows 10 as a free upgrade to Windows 7 and 8 customers, but some 40 percent of the patches released today apply to the new flagship OS, according to a tally by security firm Qualys. There is even an update for Microsoft Edge, the browser that Microsoft wants to replace Internet Explorer.

win10Nevertheless, IE gets its own critical update (MS15-089), which addresses at least 13 flaws — most of which can be exploited remotely without any help from the user, save from perhaps just visiting a hacked or malicious site.

Another notable update plugs scary-looking flaws in Microsoft Office (MS15-081). Qualys says it appears the worst of the flaws fixed in the Office patch could be triggered automatically — possibly through the Outlook e-mail preview pane, for example.

According to security firm Shavlik, there are two flaws fixed in today’s release from Microsoft that are being actively exploited in the wild: One fixed in the Office Patch (CVE-2015-1642) and another in Windows itself (CVE-2015-1769). Several other vulnerabilities fixed today were publicly disclosed prior to today, increasing the risk that we could see public exploitation of these bugs soon.

If you run Windows, take some time soon to back up your data and update your system. As ever, if you experience any issues as a result of applying any of these updates, please leave a note about your experience in the comments section.

ORACLE

I’ve received questions from readers about a rumored software update for Java (Java 8, Update 60); I have no idea where this is coming from, but this should not be security-related patch. Generally speaking, even-numbered Java updates are non-security related. More importantly, Oracle has moved to releasing security updates for Java on a quarterly patch cycle, except for extreme emergencies (and I’m unaware of a dire problem with Java right now, aside perhaps from having this massively buggy and insecure program installed in the first place).

Alas, not to be left out of the vulnerability madness, Oracle’s Chief Security Officer Mary Ann Davidson published a provocative blog post titled “Don’t, Just Don’t” that stirred up quite a tempestuous response from the security community today.

Davidson basically said security researchers who try to reverse engineer the company’s code to find software flaws are violating the legal agreement they acknowledged when installing the software. She also chastised researchers for spreading “a pile of steaming FUD” (a.k.a. Fear, Uncertainty and Doubt).

Oracle later unpublished the post (it is still available in Google’s cache here), but not before Davidson’s rant was lampooned endlessly on Twitter and called out by numerous security firms. My favorite so far came from Twitter user small_data, who said: “The City of Rome’s EULA stipulates Visigoths cannot recruit consultants who know about some hidden gate to gain entry.”

Images posted by Twitter users posting to the sacrastic hashtag #oraclefanfic

Images posted by Twitter users posting to the sacrastic hashtag #oraclefanfic

TorrentFreak: Google Publishes Chrome Fix For Serious VPN Security Hole

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As large numbers of Internet users wise up to seemingly endless online privacy issues, security products are increasingly being viewed as essential for even basic tasks such as web browsing.

In addition to regular anti-virus, firewall and ad-busting products, users wishing to go the extra mile often invest in a decent VPN service which allow them to hide their real IP addresses from the world. Well that’s the theory at least.

January this year details of a serious vulnerability revealed that in certain situations third parties were able to discover the real IP addresses of Chrome and Firefox users even though they were connected to a VPN.

This wasn’t the fault of any VPN provider though. The problem was caused by features present in WebRTC, an open-source project supported by Google, Mozilla and Opera.

By placing a few lines of code on a website and using a STUN server it became possible to reveal not only users’ true IP addresses, but also their local network address too.

While users were immediately alerted to broad blocking techniques that could mitigate the problem, it’s taken many months for the first wave of ‘smart’ solutions to arrive.

Following on the heels of a Chrome fix published by Rentamob earlier this month which protects against VPN leaks while leaving WebRTC enabled, Google has now thrown its hat into the ring.

Titled ‘WebRTC Network Limiter‘, the tiny Chrome extension (just 7.31KB) disables the WebRTC multiple-routes option in Chrome’s privacy settings while configuring WebRTC not to use certain IP addresses.

In addition to hiding local IP addresses that are normally inaccessible to the public Internet (such as 192.168.1.1), the extension also stops other public IP addresses being revealed.

“Any public IP addresses associated with network interfaces that are not used for web traffic (e.g. an ISP-provided address, when browsing through a VPN) [are hidden],” Google says.

“Once the extension is installed, WebRTC will only use public IP addresses associated with the interface used for web traffic, typically the same addresses that are already provided to sites in browser HTTP requests.”

While both the Google and Rentamob solutions provide more elegant responses to the problem than previously available, both admit to having issues.

“Some WebRTC functions, like VOIP, may be affected by the multiple routes disabled setting. This is unavoidable,” Rentamob explains.

Google details similar problems, including issues directly linked to funneling traffic through a VPN.

“This extension may affect the performance of applications that use WebRTC for audio/video or real-time data communication. Because it limits the potential network paths, WebRTC may pick a path that results in significantly longer delay or lower quality (e.g. through a VPN). We are attempting to determine how common this is,” the company concludes.

After applying the blocks and fixes detailed above, Chrome users can check for IP address leaks by using sites including IPLeak and BrowserLeaks.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Linux How-Tos and Linux Tutorials: Installing Android Apps on Linux with ARChon

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

android apps on linux

I’ve spent a lot of time on the Google Play Store. During that time I have discovered plenty of really useful apps that would be great on the Linux desktop. Fortunately, thanks to some crafty developers, it is quite possible (and actually easy) to run Android apps on the Linux desktop.

Of course, this statement does come with some caveats. First and foremost, this is all handled with the help of the Chrome browser. To make matters easier, you’ll need to be running the Chrome Developer channel. The second caveat is that not all apps will actually work. That some apps do not function should not surprise you (you won’t be getting an app that requires the functionality of a phone service to run on your desktop). As for other apps, the results can be hit and miss. The third caveat is that, to make this process easier, you’ll also need an Android device to package the .apk file that will be used on the desktop.

With that said, let’s dive into the process of getting Android apps running on Linux. I will be demonstrating on an Ubuntu 14.04 LTS installation.

Installing Chrome

If you haven’t already installed Chrome, let’s walk through that quick process. Remember, you’re installing the dev channel (you can safely install all three channels—stable, beta, and dev—on the same machine). Here’s how this is done:

  1. From the download page, select the installer associated with your package manager and architecture (because I’m using Ubuntu, I’ll download a .deb file)
  2. Click Accept and Install
  3. When prompted, select Open with and make sure /usr/bin/software-center (default) is selected
  4. Click OK
  5. When the Software Center opens, click Install
  6. When prompted, enter your sudo password
  7. Allow the installation to complete.

You should now find an entry for Google Chrome (unstable) in your Dash (Figure 1, above).

Installing ARChon

The tool that will do the heavy lifting for this task is called ARChon. This is an Android runtime, created by Vlad Filippov, which brings a specialized version of the Android runtime that works on the desktop version of Chrome. This phase of the process is also quite simple:

  1. Download the ARChon runtime for your architecture—32-bit or 64-bit
  2. Open your file manager and navigate to the Downloads directory (or wherever you have downloaded the .zip file)
  3. Right-click the ARChon zip file and select Extract Here
  4. Rename the newly created folder (right-click and select Rename) to archon
  5. Move the newly named folder to your home directory (right-click on archon, select Move To…, select Home, and click Select (Figure 2).

android

Adding ARChon to Chrome

It’s time to add the runtime to Chrome. This will enable you to finally run those Android apps on your desktop. Here’s how:

  1. Open Chrome
  2. Click on what is often referred to as the Overflow Menu (three horizontal bars in the top right corner)
  3. Select More tools > Extensions
  4. Click to enable Developer mode
  5. Click Load unpacked extension… (Figure 3)
  6. Navigate to your home directory
  7. Select archon
  8. Click Open. 

android-3

ARChon should now appear in the listing of Chrome extensions.

Generating APKs

Now we move over to the Android platform. It used to be necessary to build APK files manually (which wasn’t always successful). Thankfully, there are now apps for Android that can build APKs with a few taps. The app I prefer is called ARChon Packager and can be installed from within the Google Play Store for free. Install that app, and you’re ready to go.

With ARChon Packager, you can generate APKs from installed apps or from APKs within the phone’s storage. I highly recommend you install the desired app onto your phone and then have ARChon Packager generate the APK from the installed app.

Here’s how to use ARChon Packager. 

  1. Open the app from your Android device
  2. Tap NEXT
  3. Select Installed application and tap NEXT
  4. Select the app you want to install from the pop-up listing
  5. Select the necessary options for the app (Figure 4)
  6. Tap NEXT
  7. When the APK generation is complete, tap SHARE CHROME APPLICATION
  8. Share the file in whatever way will best allow you to save it to your desktop (I opted for Google Drive)
  9. Click FINISH when complete. 

Android-Linux-ARChon-4

Retrieve the file and save it to your ~/Downloads directory on your Linux PC.

Installing the APK

You’re ready to now install the app. This is done in the same manner as was ARChon. Here are the steps:

  1. Open up your file manager
  2. Navigate to the ~/Downloads directory
  3. Right-click the downloaded APK zip file
  4. Select Extract here
  5. Open Chrome
  6. Click the Overflow Menu
  7. Click More Tools > Extensions
  8. Click Load unpacked extension…
  9. Navigate to the ~/Downloads directory
  10. Select the folder for the newly extracted APK
  11. Click Open.

That’s it! Now, if the app is usable on the desktop version of Chrome, it should be ready to run.

Running the App

Chrome has a handy tool called Apps. Open Chrome and you should see a button in the upper left corner labeled Apps. Click on that and the newly installed apps will be ready to run. Click on the app you want to run to see how well it functions. To demonstrate, I installed the Nest App from the Google Play Store to find it runs flawlessly (Figure 5). 

Android-Linux-ARChon-5 copy

The ability to easily run Android apps on Linux is a real boon to the desktop. Not only does this functionality extend the reach of the desktop, it empowers it to join the ever-expanding mobile generation. If you happen to enjoy the Android platform, give this a try and see how well your favorite mobile apps perform on the Linux desktop.

TorrentFreak: uTorrent Flagged As ‘Harmful’ by Anti-Virus Companies and Google

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

utorrent-logo-newWith millions of new downloads per month uTorrent is without doubt the most used BitTorrent client around.

The software is the main source of revenue for the San Francisco based company BitTorrent Inc. and generates income through advertisements and bundled software.

The latter now appears to be causing trouble as several anti-virus vendors have begun listing uTorrent as a security risk. The scanning result below from VirusTotal shows that at least six anti-virus applications, including ESET and Symantec, have flagged the software as problematic.

The anti-virus scans associate the uTorrent.exe file with Trojan.Win32.Generic!BT and the controversial OpenCandy bundling software. While this isn’t the first time that uTorrent has been flagged in this manner, we haven’t seen it being reported by this many independent tests before.

uTorrent’s Virustotal results
utorrentvirus

In addition to action by the anti-virus companies, uTorrent is also being blocked by Google in several ways. When attempting to download the latest stable release of the torrent client, Chrome flags the software as malicious and blocks the download, although this only appears to happen sporadically.

Google is also actively blocking several pages that link to uTorrent and other BitTorrent Inc. software. According to Google, parts of the uTorrent website contain “harmful programs.”

uTorrent.com warning in Chrome
utorrentharm

The same “harmful software” warning from Google also prevented millions of people from accessing popular torrent sites earlier this month.

A Google spokesperson informed us that this was the result of the company’s increased efforts to block programs that make “unexpected changes” to people’s computers.

“Google Safe Browsing’s ability to detect deceptive software has steadily improved,” the company explained in a recent blog post.

“In the coming weeks, these detection improvements will become more noticeable in Chrome: users will see more warnings about unwanted software than ever before,” Google adds.

These and the other uTorrent threat reports all seem to be triggered by bundled third-party software bundled. There is no indication or evidence that the BitTorrent client itself is harmful.

We asked BitTorrent Inc. for a comment on the recent reports but the company has yet to respond.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.