Posts tagged ‘Facebook’

Блогът на Юруков: Beautiful are you, my forest, wherever you may be now

This post was syndicated from: Блогът на Юруков and was written by: Боян Юруков. Original post: at Блогът на Юруков

Forests have been logged for thousands of years. They are logged today as well, and the scale is far from greater than before. Our mountains have been stripped bare several times through history and slowly restored through common effort. Environmentalists claim we are destroying our forests again. If we listen to the industry, the forest loses almost nothing and everything cut is compensated by new planting. Trucks loaded with logs are a constant sight in the mountains; there are protests, corruption, landslides, floods and a temporary moratorium on exports.

Fortunately, today we have technologies and tools with which these claims can be checked. In the course of my research I learned how complex a science forestry is and how many ways there are to establish the state of a forest. At the same time, however, I learned that these surveys are largely not carried out by the forestry services, and the data are simply copied from year to year. So the data on forests are more than unreliable.

My first map of the change in forest cover by settlement

Here you see the map of the settlements that have lost the most of the forest on their territory since 2000. After I posted it on Facebook, it was widely shared and commented on. Like every other chart, it carries many built-in assumptions. To understand what it means, let us start from the beginning.

Data source

A few months ago I downloaded the logging data from the Forestry Agency. I thought they would let me find where logging is heaviest. They turned out to be useless, however, because on top of what is permitted, many companies cut a great deal more. So I turned to NASA's satellite imagery and the data from the University of Maryland. They have published, in a convenient format, the forest cover in 2000 as well as the areas forested and cleared between 2001 and 2013. I also used some of the NSI data from the EKATTE register for the area of each settlement.

The forest data from NASA satellite imagery

An illustration of what the satellites register as forest

The satellite imagery has its limitations, however. It registers as forest only vegetation taller than 5 meters, so young trees in newly planted areas will not be detected for the first several years. This has another important consequence: the data cannot be used to reveal mass logging unless it strips the forest completely, leaving only low trees and shrubs. Logging, legal or not, that merely thins a forest will not be registered by the imagery. The data also show canopy closure, which roughly means the density of the crowns. That too is no basis for judging the quality of a forest, because of differing tree species and other factors.

Analysis

Once we understand the limitations of the data, we can set goals for the analysis. What I wanted to see was what area of each settlement is covered by forest (by the definition above), and how much of it was lost and gained in the period. The analysis of the satellite imagery has a resolution of 30 meters, so all I needed was the boundaries of the settlement land areas. It was for this purpose that I recently opened up the administrative map of Bulgaria. I wrote an algorithm that splits the satellite imagery by settlement and produces statistics for each. From those statistics I made the first map as well as the following two:

Breakdown of the forest cover by land area and the percentage of the area it occupies

Average canopy closure in each land area.
Those with less forest are shown in paler colors

The data show that in these 13 years Bulgaria has lost 149,000 decares of forest: 421,000 were cleared and 272,000 were forested. I repeat that we are talking only about the 5-meter height threshold: there may be a lot of young forest that is still too low, as well as many felled trees in forests that were not necessarily stripped completely.

Which places stand out?

It is also interesting to look at individual settlements. I have shown statistics for those with the most activity, regardless of whether forest area was added or destroyed. The left chart shows the top 4 for increase and for decrease as absolute percentages relative to the existing forest area. Most of them, however, have little forest, so adding a decare or two makes a big difference. That is why I made the second chart, where I compare not what percentage of their forest they lost, but rank them by the absolute change in forest in decares. Again I show the 4 at the top and the 4 at the bottom of the table. In percentage terms their change is small because of their large territory. In decares, however, we see serious damage. The worst appears to be in the Lovech area and around Razlog.

Different rankings of the settlements by lost and gained forest area, by two measures: percentage and absolute area

This comparison sent me back to the map at the beginning of the article. In southern Bulgaria there are many settlements with serious forest loss bordering other land areas with a large increase. The thesis of the foresters and the logging companies is that whatever is cut is replanted. Given the small territory of some land areas, I wondered whether forest is being cut in one settlement and planted in another.

So I wrote an algorithm that finds neighboring land areas and redistributes the territory with new forest. In other words, I normalized the data by attributing newly forested territories to nearby land areas that lost forest. The result is close to the first map, but shows the problem zones even more distinctly: the entire northern slope of Stara Planina, Strandzha, Kardzhali, Ivaylovgrad, Smolyan and Obzor.

Second version of the map of the change in forest massifs, with normalized data

Is any of this useful?

First, it must be understood that I am not a forester, and everything I know on the subject I learned over the past few weeks from conversations on Facebook while drinking my coffee. While that is undoubtedly an obstacle, we increasingly see practical solutions built entirely on data by teams with no experience in the specific field. In all those cases, however, the analysts work closely with specialists. So for these data to have a real effect, they must be combined with knowledge and experience on the ground.

The zones shown in red on the maps are only an indication of where the problems are. There have already been comments that the first version of the map showed foresters nothing new. That is true, but it shows that my methods are sound: they confirm the forestry services' own conclusions. The value of these methods would be in uncovering other problems that are not visible to the public or the control authorities.

Most important, however, is to understand the limitations of the data we work with. At a session of the Council of Ministers a week ago a map similar to mine was presented, prepared by the Forestry Agency. We did not see the map in the minutes, but it became clear that it is based on satellite imagery, most likely the same as mine. It was mentioned how small a percentage of the forest had been lost. The data above make clear that percentages can be very misleading. In places, significant forest areas have been stripped bare, yet the serious problems are invisible to NASA.

Next steps

A few months ago I spoke with people from the Forestry Agency about a proposal for an app with which visitors to the forest could report logging. The idea was for the app to show whether there are logging permits within a few kilometers, so that hikers could draw their own conclusions. They replied that this cannot work, because most permits cover a long period and it is impossible to determine what was cut when. Moreover, non-specialists cannot tell what should have been cut and what should not.

All of that is probably true, but I still think such a crowdsourced database would be useful, at the very least for recording logging activity with precise place and time. That would help, for example, in discovering logging in places for which there are no permits at all. Private forests should be such places, since only the owners can allow logging there to be permitted. As far as I understand, this is widely ignored, and such an application would provide information to both the forestry services and the owners.

The algorithms with which I prepared the data could also be improved considerably. In the last map I attribute newly forested areas to nearby land areas that lost forest. This does not take distance into account. It would be better to normalize the data before cutting them up by land area. Foresters can say what distance would make sense, but it seems to me that 20-30 km would be enough.
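The normalization described for the second map (credit new forest to bordering land areas that lost forest) and the distance-based version proposed just above, as an added example that is not the author's code. The post describes the idea but not the implementation, so the record layout, the proportional split of a gain across several neighbours, the 25 km radius and the sample land areas, coordinates and figures (in decares) are all constructed assumptions.

```python
"""Attribute new forest to nearby land areas that lost forest.

Added example; not the author's code. The post gives the idea (gains in one
land area are credited to neighbouring areas that lost forest), not the
implementation: the record layout, the proportional split and the
distance-based variant are assumptions. Areas are in decares; the sample
land areas, their coordinates and figures are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class LandArea:
    name: str
    lat: float
    lon: float
    loss: float  # decares cleared 2001-2013 (satellite definition: >5 m)
    gain: float  # decares newly forested in the same period


def raw_net(areas):
    """Net change per land area before any normalisation."""
    return {a.name: a.gain - a.loss for a in areas}


def haversine_km(a, b):
    """Great-circle distance between two centroids, in kilometres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def normalize(areas, candidates_for):
    """Credit each land area's gain against its candidates' losses.

    candidates_for(area, areas) returns the land areas whose lost forest may
    have been replanted inside `area`. The gain is split in proportion to
    each candidate's remaining loss and can never exceed it; any gain that
    cannot be placed stays where the satellite saw it. The national total
    is unchanged, only its distribution moves. Returns {name: net decares}.
    """
    loss = {a.name: a.loss for a in areas}
    gain = {a.name: a.gain for a in areas}
    for a in sorted(areas, key=lambda x: x.gain, reverse=True):
        if gain[a.name] <= 0:
            continue
        targets = [t for t in candidates_for(a, areas) if t is not a and loss[t.name] > 0]
        total = sum(loss[t.name] for t in targets)
        if total <= 0:
            continue
        movable = min(gain[a.name], total)
        for t in targets:
            loss[t.name] -= movable * loss[t.name] / total
        gain[a.name] -= movable
    return {a.name: round(gain[a.name] - loss[a.name], 1) for a in areas}


def by_adjacency(areas, adjacency):
    """The post's second map: candidates are the land areas sharing a border."""
    return normalize(areas, lambda a, all_: [t for t in all_ if t.name in adjacency.get(a.name, ())])


def by_distance(areas, max_km):
    """The proposed improvement: candidates are all land areas within max_km."""
    return normalize(areas, lambda a, all_: [t for t in all_ if haversine_km(a, t) <= max_km])


# Constructed sample: Dolno shows a large gain next to two areas with losses;
# Daleko lost forest far away and must not be credited with Dolno's gain.
SAMPLE = [
    LandArea("Gorno", 42.00, 24.00, loss=900, gain=50),
    LandArea("Dolno", 42.05, 24.05, loss=20, gain=700),
    LandArea("Sredno", 42.10, 24.00, loss=300, gain=0),
    LandArea("Daleko", 43.00, 25.00, loss=500, gain=0),
]
ADJACENCY = {"Gorno": {"Dolno"}, "Dolno": {"Gorno", "Sredno"}, "Sredno": {"Dolno"}}

if __name__ == "__main__":
    print("raw     ", raw_net(SAMPLE))
    print("adjacent", by_adjacency(SAMPLE, ADJACENCY))
    print("25 km   ", by_distance(SAMPLE, 25))
```

In the sample, Dolno's raw figures look like a net gain while its two neighbours look like heavy losers; after normalization Dolno is flat and the neighbours' losses shrink, which is exactly the effect the second map shows. The total net change is the same before and after, so the procedure only changes where the loss is attributed, never how much of it there is.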

Last but not least, we must understand that the analysis of this information cannot and should not be locked up in a few offices of the state administration. Experts in a narrow field often have no experience in analyzing and visualizing data. For example, to build a publicly accessible app that tells us whether the log truck in front of us is in a private forest without a logging permit, we need in open format not only the register of the Forestry Agency but also the Cadastre. Both are in the cabinet's open data plan and I hope to see them released soon. There is, however, resistance from individual officials and even whole institutions, in the person of the Ministry of Finance. Opening these datasets will happen, so that there is a public benefit from them. Otherwise we will continue to analyze the state of our own forests only from the satellite imagery of a foreign agency.

Krebs on Security: Who Is the Antidetect Author?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Earlier this month I wrote about Antidetect, a commercial tool designed to help thieves evade fraud detection schemes employed by many e-commerce companies. That piece walked readers through a sales video for Antidetect showing the software being used to buy products online with stolen credit cards. Today, we’ll take a closer look at clues to a possible real-life identity of this tool’s creator.

The author of Antidetect uses the nickname “Byte Catcher,” and advertises on several crime forums that he can be reached at the ICQ address 737084, and at the jabber instant messaging handles “byte.catcher@xmpp.ru” and “byte.catcher@0nl1ne.at”. His software is for sale at antidetect[dot]net and antidetect[dot]org.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Searching on that ICQ number turns up a post on a Russian forum from 2006, wherein a fifth-year computer science student posting under the name “pavelvladimirovich” says he is looking for a job and that he can be reached at the following contact points:

ICQ: 737084

Skype name: pavelvladimirovich1

email: gpvx@yandex.ru

According to a reverse WHOIS lookup ordered from Domaintools.com, that email address is the same one used to register the aforementioned antidetect[dot]org, as well as antifraud[dot]biz and hwidspoofer[dot]com (HWID is short for hardware identification, a common method that software makers use to ensure a given program license can only be used on one computer).

These were quite recent registrations (mid-2014), but that gpvx@yandex.ru email also was used to register domains in 2007, including allfreelance[dot]org and a domain called casinohackers[dot]com. Interestingly, one of the main uses that Byte Catcher advertises for his Antidetect software is to help beat fraud detection mechanisms used by online casinos. As we can see from this page at archive.org, a subsection of casinohackers.com was at one time dedicated to advertising Antidetect Patch — a version that comes with its own virtual machine.

That ICQ number is tied to a user named “collisionsoftware” at the Russian cybercrime forum antichat[dot]ru, in which the seller is advertising software that routes the user’s Internet connection through hacked PCs. He directs interested buyers to the web site cn[dot]viamk[dot]com, which is no longer online. But an archived version of that page at archive.org shows the same “collision” name and the words “freelance team.” The contact form on this site also lists the above-referenced ICQ number and email gpvx@yandex.ru, and even includes a résumé of the site’s owner.

Another domain connected to that antichat profile is cnsoft[dot]ru, the now defunct domain for Collision Software, which bills itself as a firm that can be hired to write software. The homepage lists the same ICQ number (737084).

Antidetect retails for between $399 and $999, and includes (somewhat unreliable) live support.

Both antifraud[dot]biz and allfreelance[dot]org were originally registered by an individual in Kaliningrad, Russia named Pavel V. Golub. Note that this name matches the initials in the email address gpvx@yandex.ru. KrebsOnSecurity has yet to receive a response to inquiries sent to that email and to the above-referenced Skype profile.

A little searching turns up this profile on Russian social networking giant Odnoklassniki.ru for one Pavel Golub, a 29-year-old male from Koenig, Russia. Written in Russian as “Кениг,” this is Russian slang for Kaliningrad and refers to the city’s previous German name.

One of Pavel’s five friends on Odnoklassniki is 27-year-old Vera Golub, also of Kaliningrad. A search of “Vera Golub, Kaliningrad” on vkontakte.com — Russia’s version of Facebook — reveals a vk.com group in Kaliningrad about artificial fingernails that has two contacts: Vera Ivanova (referred to as “master” in this group), and Pavel Vladimirovich (listed as “husband”).

The Vkontakte profile linked to Pavel’s name on that group has been deleted, but “Vera Ivanova” is the same face as Vera Golub from Pavel’s Odnoklassniki profile.

A profile of one of Vera’s friends – one Natalia Kulikova – shows some photos of Pavel from 2009, where he’s tagged as “Pavel Vladimirovich” and with the link to Pavel’s deleted Vkontakte profile. Also, it shows his previous car, which appears to be a Mitsubishi Galant.

Pavel, posing with his Mitsubishi Galant in 2008.

A search on the phone number “79527997034,” referenced in the WHOIS site registration records for Pavel’s domains — antifraud[dot]biz and hwidspoofer[dot]com — turns up a listing on a popular auto sales Web site wherein the seller (from Kaliningrad) is offering a 2002 Mitsubishi Galant. That same seller sold a 2002 BMW last year.
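The pivots above (ICQ number to forum post, forum post to e-mail, e-mail to WHOIS records, WHOIS phone number to a classified ad) are one technique: treat every contact selector as a node, join sources that share a selector, and read a path through the graph as the evidence chain for each step. The block below is an added example, not Krebs's tooling; its observations are hand-built from what the article states (one row per source), nothing in it queries DomainTools or any forum, and the final unrelated domain is a constructed negative control that must stay outside the cluster.

```python
"""Pivot on shared contact selectors across WHOIS records and forum posts.

Added example; not Krebs's tooling. Each observation is one source (a WHOIS
record, a forum post, an archived contact page, a classified ad) with the
selectors it exposes, hand-built from the article's statements; a real
pipeline would load them from WHOIS-history exports and scraped posts.
Two sources that share a selector are joined, and the shortest path through
the resulting graph is the evidence chain that justifies each pivot. The
last record is a constructed unrelated domain used as a negative control.
"""
from collections import defaultdict, deque

OBSERVATIONS = [
    ("crime-forum ad (Byte Catcher)",
     {"handle:Byte Catcher", "icq:737084", "jabber:byte.catcher@xmpp.ru",
      "domain:antidetect.net", "domain:antidetect.org"}),
    ("2006 job post (pavelvladimirovich)",
     {"handle:pavelvladimirovich", "icq:737084",
      "skype:pavelvladimirovich1", "email:gpvx@yandex.ru"}),
    ("WHOIS antidetect.org", {"domain:antidetect.org", "email:gpvx@yandex.ru"}),
    ("WHOIS antifraud.biz",
     {"domain:antifraud.biz", "email:gpvx@yandex.ru",
      "phone:79527997034", "name:Pavel V. Golub"}),
    ("WHOIS hwidspoofer.com",
     {"domain:hwidspoofer.com", "email:gpvx@yandex.ru", "phone:79527997034"}),
    ("WHOIS allfreelance.org",
     {"domain:allfreelance.org", "email:gpvx@yandex.ru", "name:Pavel V. Golub"}),
    ("WHOIS casinohackers.com", {"domain:casinohackers.com", "email:gpvx@yandex.ru"}),
    ("antichat.ru profile (collisionsoftware)",
     {"handle:collisionsoftware", "icq:737084", "domain:cn.viamk.com", "domain:cnsoft.ru"}),
    ("archived cn.viamk.com contact form",
     {"domain:cn.viamk.com", "icq:737084", "email:gpvx@yandex.ru"}),
    ("auto-sales listing (Kaliningrad)", {"phone:79527997034", "car:2002 Mitsubishi Galant"}),
    # Constructed negative control: shares no selector with the cluster.
    ("WHOIS unrelated.example", {"domain:unrelated.example", "email:nobody@example.net"}),
]


def build_graph(observations):
    """Bipartite adjacency: selector <-> source. Selectors are 'type:value'."""
    adj = defaultdict(set)
    for source, selectors in observations:
        for sel in selectors:
            adj[sel].add(source)
            adj[source].add(sel)
    return adj


def bfs(adj, seed):
    """Breadth-first search from seed; returns {node: predecessor}."""
    prev = {seed: None}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj[node]):  # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return prev


def linked(adj, seed, kind):
    """Values of every selector of type `kind` reachable from seed."""
    prefix = kind + ":"
    return sorted(n[len(prefix):] for n in bfs(adj, seed) if n.startswith(prefix))


def evidence_chain(adj, seed, target):
    """Shortest selector/source path from seed to target, or None if unlinked.

    Entries alternate: a selector, the source that exposed it together with
    the next selector, that selector, and so on to the target.
    """
    prev = bfs(adj, seed)
    if target not in prev:
        return None
    path, node = [], target
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    print(linked(graph, "icq:737084", "domain"))
    for step in evidence_chain(graph, "icq:737084", "car:2002 Mitsubishi Galant"):
        print("  ->", step)
```

Starting from the ICQ number alone, `linked` returns every domain in the cluster and leaves the control domain out; `evidence_chain` to the car listing walks ICQ to the 2006 job post, to the e-mail, to a WHOIS record, to the phone number, to the ad. Each hop in that list is the single shared selector a reader can check for themselves, which is the property that separates an OSINT attribution from a guess.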

On one level, it’s amusing that a guy who sells software to help Web criminals evade detection is so easily found on the Internet. Then again, as my Breadcrumbs series demonstrates, many individuals involved in writing malware or selling fraud tools either do not care or don’t take too many precautions to hide their identities — probably because they face so little chance of getting into trouble over their activities as long as they remain in Russia.

The above photo of Pavel in his Mitsubishi isn’t such a clear one. Here are a couple more from Kulikova’s Vkontakte pictures.

Vera and Pavel Golub in April 2012.

Pavel V. Golub, in 2009.

TorrentFreak: “Pay Off Your Credit Card Debt By Ratting on Software Pirates”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

We hate to be repetitive here at TF, but the Business Software Alliance (BSA) leaves us little choice.

Representing major software companies, the BSA encourages people to report businesses that use unlicensed software.

If one of these reports results in a successful court case, the pirate snitch can look forward to a cash reward, which could amount to a million dollars per case.

According to a BSA executive the campaign has been very successful. It has resulted in many referrals and a decrease in software piracy rates.

Sounds great, but the way BSA recruits its snitches on Facebook is dubious and somewhat surrealistic. Instead of appealing to people’s ethics, the software group chooses to frame the campaign as a get-rich-quick scheme.

BSA continues to surprise us with new ads mainly targeting people who are short on money. For example, a few days ago this ad appeared in the timeline of thousands of Facebook users.

“Looking to pay off your credit card debt? If you know a company using unlicensed business software, file a report today to be eligible for a cash reward,” BSA’s latest Facebook ad reads.


It appears that every time we think BSA has found a new low, they come with a new ad that’s even more questionable. During the holidays, for example, they also appealed to the fact that many people are short on cash.

“Money can get tight during the holidays. If you know a company using unlicensed business software, file a report today to be eligible for a cash reward,” the holiday ad reads, and there are more examples here.


While the BSA promises a quick cash solution, those who decide to report a pirating company are in it for the long haul. In the fine print it’s explained that people will only get a reward if a successful legal proceeding results in a settlement.

We reached out to the BSA to find out how many people have been paid since the start of the campaign, but we have yet to hear back.

To be continued…

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Guide: How File-Sharers Can Ruin Their Online Privacy

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Every single day one can hear do-gooders banging on endlessly about staying private on the Internet. It’s all encryption this and Edward Snowden that. Ignore them. They’re lunatics involved in a joint Illuminati / Scientologist conspiracy.

No, what Internet users need is a more care-free approach to online surveillance, one that allows them to relax into a zen-like state of blissful ignorance, free from the “Five Eyes” rantings of Kim Dotcom.

And there are plenty of real people already following this advice. Real events reported here on TF (and investigated by us over the past few months) have shown us that while operating in the world of file-sharing (especially if that involves releasing content or running a tracker) it is absolutely vital to lay down an easily followed trail of information. Here are some golden rules for doing just that.

Naming convention

If at all possible, file-sharers should incorporate their real-life names into their online nickname. Dave Mark Robinson should become DaveR at a minimum, but for greater effect DaveMR should be used. As adding in a date of birth allows significant narrowing down of identities, DaveMR1982 would be a near perfect choice.

This secret codename can then be used on any torrent site, but for best effect it should be used across multiple trackers at once so the user is more easily identified. But let’s not think too narrowly here.

As an added bonus, Dave should also ensure that the same nickname is used on sites that have absolutely nothing to do with his file-sharing. eBay profiles and YouTube accounts are perfect candidates, with the latter carrying some personally identifying videos, if at all possible. That said, Dave would be selling himself short if he didn’t also use the same names on…..

Social media

If Dave doesn’t have an active Facebook account which is easily linked to his file-sharing accounts, he is really missing out. Twitter is particularly useful when choosing the naming convention highlighted above since nicknames can often be cross-referenced with real names on Facebook, especially given the effort made in the previous section.

In addition to all the regular personal and family information readily input by people like Dave, file-sharing Facebook users really need to make sure they put up clear pictures of themselves and then ‘like’ content most closely related to the stuff they’re uploading. ‘Liking’ file-sharing related tools such as uTorrent is always recommended.

File-sharing sites

When DaveMR1982 signs up to (or even starts to run) a torrent site it’s really important that he uses an easy to remember password, ideally one used on several other sites. This could be a pet’s name, for example, but only if that pet gets a prominent mention on Facebook. Remember: make it easy for people, it saves so much time!

Dave’s participation in site forums is a must too. Ideally he will speak a lot about where he lives and his close family, as with the right care these can be easily cross-referenced with the information he previously input into Facebook. Interests and hobbies are always great topics for public discussion as these can be matched against items for sale on eBay, complete with item locations for added ease.

Also, Dave should never use a VPN if he wants his privacy shattered, with the no-log type a particular no-go. In the event he decides to use a seedbox he should pay for it himself using his own PayPal account, but only if that’s linked to his home address and personal bank account. Remember, bonus points for using the same nickname as earlier when signing up at the seedbox company!

Make friends and then turn them into enemies

Great friendships can be built on file-sharing sites but in order to maximize the risks of a major privacy invasion, personal information must be given freely to these almost complete strangers whenever possible.

In an ideal world, trusting relationships should be fostered with online ‘friends’ and then allowed to deteriorate into chaos amid a petty squabble, something often referred to in the torrent scene as a “tracker drama”. With any luck these people will discard friendships in an instant and spill the beans on a whim.

Domain registration

Under no circumstances should Dave register his domains with a protected WHOIS as although they can be circumvented, they do offer some level of protection. Instead (and to comply with necessary regulations) Dave should include his real home address and telephone number so he is easily identified.

If for some crazy reason that isn’t possible and Dave is forced to WHOIS-protect his domain, having other non-filesharing sites on the same server as his file-sharing site is always good for laying down breadcrumbs for the anti-privacy police. If the domains of those other sites don’t have a protected WHOIS, so much the better. Remember, make sure the address matches the home location mentioned on Facebook and the items for sale on eBay!

Conclusion

As the above shows, with practice it’s easy to completely compromise one’s privacy, whether participating in the file-sharing space or elsewhere. In the above guide we’ve simply cited some genuine real-life techniques used by people reported in previous TF articles published during the last year, but if you have better ideas at ruining privacy online, please feel free to add them in the comments.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Backblaze Blog | The Life of a Cloud Backup Company: Sys Admins & Datacenter Techs Assemble!

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Backblaze is growing quickly and we are looking to expand our Operations Team with the addition of 2 superstars.

All positions require:

* Good attitude and willingness to do whatever it takes to get the job done
* Strong desire to work for a small fast paced company
* Desire to learn and adapt to rapidly changing technologies and work environment
* Rigorous adherence to best practices
* Relentless attention to detail
* Excellent troubleshooting and problem solving skills
* Excellent communication, time management, problem solving and organizational skills

Systems Administrator – San Mateo, CA

Responsibilities:
* Manage Linux, Mac and Windows installation & configuration
* Manage web services installation & configuration (Tomcat, Apache, Nginx, WordPress, Java, etc)
* Manage infrastructure services installation & configuration (DNS, DHCP, NTP, Clonezilla, PXE, etc)
* Manage monitoring installation & configuration (Zabbix, PagerDuty, etc)
* Maintain strong network security (including PCI compliance, firewalls, ACLs, Log Analysis, etc)
* Manage enterprise class storage installation & configuration (EMC & Dell MD1120 and MD1220 drive shelves, etc)
* Push out software changes (patches & system updates)
* Debug & Repair software problems (File system, RAID & boot drive repairs)
* Make occasional trips to datacenter near Sacramento
* Help administer network infrastructure (switches, VPNs, routers, etc)
* Help automate provisioning & deployment of new software with Ansible, custom script and other tools
* Help administer database servers (MySQL)
* Help Datacenter Techs debug hardware problems
* Help maintain operational documentation and scripts
* Participate in the 24×7 on-call pager rotation and respond to alerts as needed.
* Assist in training & supervising junior operations staff when necessary.

Requirements:
* 5+ years of experience
* Strong knowledge of Linux system administration, Debian experience preferred
* Bash scripting skills desired
* Ability to lift/move 50-75 lbs and work down near the floor as needed
* Position based in the San Francisco Bay Area, California requiring 3+ days/week in San Mateo

Datacenter Technician – Sacramento, CA

Responsibilities
* Work as Backblaze’s physical presence in Sacramento area datacenter(s)
* Maintain physical infrastructure including racking equipment, replacing hard drives and other system components
* Repair and troubleshoot defective equipment with minimal supervision
* Receive deliveries, maintain accurate inventory counts/records and RMA defective components
* Provision, test & deploy new equipment via the Linux command line and web GUIs
* Help qualify new hardware & software configurations (load & component testing, qa, etc)
* Help train new Datacenter Technicians
* Follow and improve datacenter best practices and documentation
* Maintain a clean and well organized work environment
* On-call responsibilities include 24×7 trips to datacenter to resolve issues that can’t be handled remotely

Requirements
* Ability to learn quickly
* Ability to lift/move 50-75 lbs and work down near the floor on a daily basis
* Position based near Sacramento, California and may require periodic visits to the Corporate office in San Mateo

Preferred
* Working knowledge of Linux
* 1-2 years experience in technology related field
* Experience working at a datacenter in a support role

Interested?

Check out these videos on our Datacenter Operations team:

Want to join our team? Follow these three steps:

  1. Send an Email to jobscontact@backblaze.com with one of the positions listed above in the subject line
  2. Include your resume
  3. Include your answers to 2 of the following 3 questions:
    • What about working at Backblaze excites you the most?
    • Provide 3 adjectives that best describe your personal workspace.
    • How would you manage boot images and system configurations on 1,000+ servers (i.e. Backblaze Storage Pods)?

We’ll be interviewing candidates over the next couple of weeks. Join us and help us continue to build a great online backup company.

Backblaze is an Equal Opportunity Employer and we offer competitive salary and benefits, including our no-policy vacation policy.

Author information

Yev

Chief Smiles Officer at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.

Follow Yev on:

Twitter: @YevP | LinkedIn: Yev Pusin | Google+: Yev Pusin

The post Sys Admins & Datacenter Techs Assemble! appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

SANS Internet Storm Center, InfoCON: green: How Victims Are Redirected to IT Support Scareware Sites, (Fri, Mar 20th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In the classic version of tech support scams, the fake technician initiated an unsolicited phone call to the victim. Now that awareness of this scheme has increased, scammers have shifted tactics. Their latest approaches involve convincing the potential victim to be the one calling the impostor. I've seen this accomplished in two ways:

  • Scammers use bots to respond to Twitter users who mention PC problems or malware. The bots search for the appropriate keywords and send messages that include a phone number of a tech support firm. I described this approach when exploring how scammers prescreen potential victims.
  • Scammers set up scareware websites that are designed to fool people into thinking their PC is infected, compelling visitors to call the fake tech support organization. Johannes Ullrich described a typo squatting variation of this technique in an earlier diary. Let's take a look at a domain redirection variation of this scam below.

In the following example, the victim visited a link that was once associated with a legitimate website: 25yearsofprogramming.com. The owner of the domain appears to have allowed its registration to expire in early 2014. At that point, the domain was transferred to Name Management Group, according to DomainTools Whois records. The record was assigned DNS servers under the domains cashparking.com, hastydns.com, dsredirection.com and eventually brainydns.com.

Name Management Group seems to own over 13,000 domains (according to DomainTools Whois records), including numerous domains that DomainTools classifies as malicious, such as 0357al.com, 18aol.com, 520host.com, 60dayworkout.us, 61kt.com, 7x24sex.net, 9tmedia.com, adobecrobat.info, adultfantasynetwork.com, allappsforpc.com, apkcracks.net, etc. (Dont visit these domains.)

Landing on the Fake Malware Warning Site

Visiting the once-legitimate URL a few days ago landed the victim on a scammy scareware page, designed to persuade the person to contact "Microsoft Certified Live Technicians" at the specified toll-free phone number. The site employed the social engineering techniques used by rogue antivirus tools. Such schemes present victims with fake virus warnings, designed to scare people into submission.

The site in our example also played a recorded warning message: "This is a Windows system warning! This is a Windows system warning! If you are hearing this warning message, the security of your Windows system has been compromised. Your Windows computer and data might be at risk because of adwares, spywares and malicious pop-ups! Your bank details, credit card information, email accounts, Facebook account, private photos and other sensitive files may be compromised. Please call the number mentioned now to resolve this issue."

To see and hear what the victim experienced, play the video clip below or watch it on YouTube.

Here are the redirection steps that brought the victim to the scareware site mentioned above:

http ://25yearsofprogramming.com/blog/2010/20100315.htm -https ://p2.dntrax.com/tr?id=f2d252736d65832f11811ad8cb43ceff00313e75.r -http ://247tech.help/crt/us_seg0303/m1/us_windos_3806/index.html

You can see the source code of the final page on Pastebin, if you're interested. According to the code, it was mirrored from clients.worldnetconsultants.com/Lander3 using the free, non-malicious tool HTTrack Website Copier on 08 Jan 2015. (More on this interesting tidbit in my diary "Who Develops Code for IT Support Scareware Websites?")

If you visited the top page of the 247tech.help website (don't go there), you would see a friendly, professional-looking page, gently inviting the visitor to "Call Now for Instant Support" by dialing 844-878-2550. Please don't call, however; if you'd like a detailed account of what people experience when they do call, read my earlier article on the subject. That welcoming page stands in stark contrast to the warnings-filled trap shown above, which redirection victims encountered.

Other Redirection Possibilities

The website hosting 25yearsofprogramming.com at the time of this writing redirects visitors to various places, perhaps randomly, perhaps based on the person's geography or browser details. I encountered two other redirection flows that led to scareware websites set up for IT support scams.

One redirection flow employed p2.dntrax.com, as in the example above, but took the victim to alert.windows.com.computers-supports.com (don't go there):

http ://25yearsofprogramming.com/blog/2010/20100315.htm
-> https ://p2.dntrax.com/tr?id=f2d252736d65832f11811ad8cb43ceff00313e75.r
-> http ://alert.windows.com.computers-supports.com/index-1.html?isp=Time%20Warner%20Cable&browser=Internet%20Explorer&browserversion=Internet%20Explorer%2011&ip=108.61.226.4&os=Windows&osversion=Windows%208.1

The resulting site is a bit more sophisticated than the one in the previous example, because it uses JavaScript to customize the web page with the victim's ISP, browser name, IP address and Windows version, all taken from the URL's query parameters. For instance:

document.write(getURLParameter('ip'))

You can see the source code of that page on Pastebin. In this example, the website didn't receive the victim's IP and other details and therefore didn't customize the page with them.

Sometimes the victim was redirected using a longer trail to a different IT support scareware site (dont go there):

http ://25yearsofprogramming.com/blog/2010/20100315.htm
-> http ://xml.revenuehits.com/click?i=cEuxzuX2fpc_0
-> http ://zh.zeroredirect1.com/zcvisitor/fddce3a1-ccbb-11e4-ab5a-0a92e2e12617
-> http ://claimyourfree.com/promo/base.php?c=734&key=0cdc58908ab3a694320034e391aa520a&target=oscar-vox-zKU0jhQu
-> http ://fb.surveydonkeys.com/us/index.php?target=oscar-vox-zKU0jhQu
-> http ://ajax.surveydonkeys.com/imp/g38a0n?data=eyJicm93c2VyX3R6X29mZnNldCI6LTI0MCwiY2IiOjEwNTExNSwibHBfcmVmIjoiIiwibHBfdXJsIjoiaHR0cDovL2ZiLnN1cnZleWRvbmtleXMuY29tL3VzL2luZGV4LnBocD90YXJnZXQ9b3NjYXItdm94LXpLVTBqaFF1In0=
-> http ://securedgo.com/d3ed9240-61de-48c1-9a7b-b10dbafaa7d2
-> http ://fb.surveydonkeys.com/us/windowswarning.php?os=Windows&osversion=Windows%208.1&isp=Time%20Warner%20Cable&browser=Internet%20Explorer

The design of this page closely matches the site Johannes described in the typo-squatting variation of this scenario on December 15. The latest page employed the sound file gp-msg.mp3 to scare visitors. VirusTotal has a record of this file, which was first uploaded to VirusTotal on December 11, 2014.

Who is Redirecting, Why and How?

We seem to be dealing with two different redirection engines and companies, p2.dntrax.com and xml.revenuehits.com, following the initial redirect from 25yearsofprogramming.com.

The domain dntrax.com was registered by Team Internet AG, which is associated with over 44,000 domains, including several that DomainTools classifies as malicious: anonse24.de, natursteindichtstoff.de, seospecialists.de, etc. The domain revenuehits.com is registered to MYADWISE LTD, which is associated with about 50 domains.

The companies behind these servers, as well as the firm presently controlling 25yearsofprogramming.com are probably receiving referral fees for their roles in the redirection scheme.

There's much to explore regarding the domain names, systems and companies involved in the schemes outlined above. If you have additional information about these entities, or would like to contribute towards this analysis, please leave a comment. If you decide to explore any of these systems, do so from an isolated laboratory environment.

Also, if you encounter a tech support scam, please register it with our database of such incidents.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: OpenSSL Patch to Plug Severe Security Holes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL Software Foundation said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.

OpenSSL is deployed at countless organizations, including at Web giants like Facebook, Google and Yahoo — as well as broadly across U.S. federal government networks. As its name suggests, OpenSSL implements Secure Sockets Layer (SSL) encryption (also known as “transport layer security” or TLS) for Web sites and associated networks, ensuring that the data cannot be read by untrusted parties.

The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL. That’s because security updates — particularly those added to open-source software like OpenSSL that anyone can view — give cybercriminals a road map toward finding out where the fixed vulnerabilities lie and insight into how to exploit those flaws.

Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn’t pre-releasing any details about the fixes. Steve Marquess, founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors.

“We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”

Advance notice helps not only defenders, but attackers as well. Last year, ne’er-do-wells pounced on Heartbleed, the nickname given to an extremely critical flaw in OpenSSL that allowed anyone to extract passwords, cookies and other sensitive data from servers that were running vulnerable versions of OpenSSL. This Heartbleed disclosure timeline explains a great deal about how that process unfolded in a less-than-ideal manner.

In the wake of Heartbleed, media organizations asked how such a bug — which many security experts said was a fairly obvious blunder in hindsight — could have gone undetected in the guts of the open-source code for so long. Marquess took to his blog to explain, posting an open letter requesting additional financial support for the OpenSSL project and pointing out the stark fact that so much of the Internet runs on top of software that is maintained by a tiny team with a shoestring budget.

“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Marquess said of the Heartbleed bug.

In an interview with KrebsOnSecurity, Marquess said the updates to be released tomorrow are partly the product of a spike in donations and funding the organization received in the wake of Heartbleed.

In that brief glare of publicity, the OpenSSL Foundation landed two Linux Foundation fellowships — meaning the group gained two new people who are paid for two years to work full-time on improving the security and stability of OpenSSL. Using donations and some commercial revenues, the foundation also is self-funding two additional people to maintain the code.

“We have four people working full-time on OpenSSL doing just what needs to be done, as opposed to working on stuff that brings in revenue,” Marquess said. “We have a lot more manpower resources, and one of the reasons you’re seeing all these bug and vulnerability fixes coming out now is that not only are outsiders looking for problems but we are too. We’re also doing a major overhaul of the source code, which is going to be probably the biggest crypto audit ever.”

LWN.net: The GNU Manifesto Turns Thirty (New Yorker)

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The New Yorker notes the 30th anniversary of the GNU Manifesto:

“Stallman was one of the first to grasp that, if commercial entities were going to own the methods and technologies that controlled computers, then computer users would inevitably become beholden to those entities. This has come to pass, and in spades. Most computer users have become dependent on proprietary code provided by companies like Apple, Facebook, and Google, the use of which comes with conditions we may not condone or even know about, and can’t control; we have forfeited the freedom to adapt such code according to our needs, preferences, and personal ethics.”

TorrentFreak: BitTorrent-Style Updates Revealed in Leaked Windows 10

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

There once was a time when one could simply throw a disc – floppy or otherwise – into a machine and enjoy software functionality right off the bat. Those days have long gone.

Massive complexity, online connectivity and associated cloud features have given way to a culture of almost continual updates with some component or other requiring a ‘fix’ or performance-based software upgrade on an annoyingly regular basis.

While huge technology companies have plenty of bandwidth at their disposal, shifting data around doesn’t come free. It is relatively cheap, granted, but those bits and bytes soon cause the dollars to mount up. Much ‘better’ then, is to try and offload some of that load onto consumers.

It could be that with its upcoming Windows 10, Microsoft is mulling doing just that. Deep in the settings of a leaked build spotted by Neowin, the company has introduced settings which give users the option of where to obtain updates and apps for their new operating system.

Download apps and OS updates from multiple sources to get them more quickly


Of course, this is where distributed BitTorrent-like systems come into their own, with each user helping to share the load of shifting around data and providing excellent speeds, without any single entity (in this case Microsoft) footing the lion’s share of the bills.

If Microsoft did choose BitTorrent, they would be in excellent company. Half a decade ago it was revealed that Twitter had implemented the protocol, and in the same year Facebook confirmed deploying the technology on its own servers.

“It’s ‘superduper’ fast and it allows us to alleviate a lot of scaling concerns we’ve had in the past, where it took forever to get code to the webservers before you could even boot it up and run it,” the company said at the time.

But even though Facebook is still having fun with torrent technology to this day, it seems likely that Microsoft has its own, more proprietary tricks up its sleeve.

More than a decade ago with BitTorrent in its infancy, Microsoft also began looking at developing P2P distribution. Researcher Christos Gkantsidis published his paper Network Coding for Large Scale Content Distribution which begins with a now very familiar concept.

“We propose a new scheme for content distribution of large files that is based on network coding. With network coding, each node of the distribution network is able to generate and transmit encoded blocks of information. The randomization introduced by the coding process eases the scheduling of block propagation, and, thus, makes the distribution more efficient,” the paper’s abstract reads.

In 2006, Microsoft published Anatomy of a P2P Content Distribution System with Network Coding but by then the existence of a Microsoft equivalent to BitTorrent was public knowledge – Project Avalanche had been born.

Named after traditional avalanches that start small but gain massive momentum as more snow (or peers) get involved, Avalanche claimed it would improve on BitTorrent in a number of ways. At the time, however, BitTorrent’s Bram Cohen criticized the project technically and concluded that it amounted to vaporware.

But today in 2015, almost ten years on, things have definitely changed. Although there is no confirmation that Avalanche (or the Microsoft Secure Content Downloader as it was once described) is behind the Windows 10 update process option, there’s little doubt that Microsoft will have sharpened its tools.

In addition, Microsoft owns patents (1,2) which describe DRM-protected P2P distribution systems which could potentially help to keep any P2P Windows 10 update system secure, a requirement predicted by Avalanche years before.

“The Avalanche model includes strong security to ensure content providers are uniquely identifiable, and to prevent unauthorized parties from offering content for download. The project also ensures content downloaded to each client machine is exactly the same as the content shared by the content provider,” Microsoft said.

Only time will tell if Microsoft takes the distributed update route for its eventual release of Windows 10, and whether avalanches or torrents cascade into (and out of) homes worldwide as a result.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Backblaze Blog | The Life of a Cloud Backup Company: Looking for a Junior Staff Accountant

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Junior Staff Accountant

ACCOUNTS PAYABLE:

  • Ensures timely and accurate payment to vendors and employees
  • Obtain approval and/or confirmation of receipt/completion of services
  • Check expense reports submitted for completion/accuracy
  • Enter approved invoices and expense reports in Quickbooks
  • Handle and resolve invoice/payable discrepancies
  • Ensure there are receipts for all charges on the credit cards & accuracy of account assignment
  • Maintain bank to Quickbooks connection and upload credit card charges on a regular basis
  • Maintain AP files
  • Obtain & maintain W-9 as needed
  • File 1099 at year-end

GENERAL ACCOUNTING:

  • Process Accounts Receivable receipts via checks or wire
  • Prepare miscellaneous tax filings – sales & use tax, property, franchise
  • Maintain and review fixed assets – conduct a fixed asset inventory
  • Perform other duties and special projects as assigned

QUALIFICATIONS:

  • 3-4 years relevant accounting experience including AP & GL
  • Quickbooks, Excel, Word experience desired
  • Organized with excellent attention to detail, meticulous, quick-learner
  • Good interpersonal skills and a team player
  • Flexibility and ability to adapt and wear different hats

This position is located in San Mateo, California. Regular attendance in the office is expected. Backblaze is an Equal Opportunity Employer and we offer competitive salary and benefits, including our no policy vacation policy.

If this sounds like you — contact us on our jobs form. Candidates only, no recruiters.
We’ll be accepting resumes through March 31, 2015.

 

Author information

Yev


Chief Smiles Officer at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.


The post Looking for a Junior Staff Accountant appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Errata Security: GitHub won because it’s social-media

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Today Google shut down Google Code, because GitHub has taken over that market. GitHub won not because Git is a better version-control system, but because it became a social-media website like Facebook and Twitter. Geeks like me express ourselves through our code. My GitHub account contains my projects just like Blogger contains my blogs or Twitter contains my tweets.
To be sure, Git’s features are important. The idea of forking a repo fundamentally changed who was in control. Previously, projects were run with tight control. Those in power either accepted or rejected changes made by others. If your changes were rejected, you could just fork the project, making it your own version, with your own changes. That’s the beauty of open-source: by making their source open, the original writers lost the ability to stop you from making changes.
However, forking was discouraged by the community. That’s because it split efforts. When forks became popular, some people would contribute to one fork, while others would contribute to the other. Drama was a constant factor in popular open-source projects over the evil people who “hurt” projects by forking them.
But with Git, forking is now encouraged. Indeed, that’s now the first step in contributing changes to a project. You fork it, make changes to your own version, then ask the original project to pull your changes from your fork.
This caused an explosion in social coding. Look at the average coder’s GitHub account and you’ll see a bunch of forked projects, plus a bunch of their original projects forked by others. For example, on my GitHub account, you’ll see my Masscan project which 395 people have forked. You’ll also see that I’ve forked and made a change to SecureDrop, a project for secure submissions by leakers to newspapers. I found a vulnerability, so I submitted a fix for it. The original project didn’t accept my pull request, but instead just completely rewrote that part of the code.
Sometimes when I write blog posts, I include code. That code is on GitHub. When I hacked the Lenovo/Superfish key for example, I had to write a small password cracker for SSL certificate files. I just put it on GitHub. Others have forked it. Since it was a quick and dirty project, I put the comment “DON’T JUDGE ME” in the code. So somebody forked it and simply committed a change saying “…not judging“. As I said: GitHub makes coding social.
Like blog posts, Facebook posts, or Tweets, people can post comments. An example of this was a pull request to libuv (an important networking library) that simply changed a comment from using the gendered pronoun “he” to a neutral “they”. This resulted in a long comment chain as people debated this.
I sometimes write blogposts that go viral and get a million hits. I sometimes write tweets that go viral and get passed around everywhere. The same is true of GitHub. When I announced my Masscan project, it went viral, and was the “top trending project” on GitHub for a day. That they even track such a thing shows yet again how they are a social media site.
FedEx is famous for saying that what it really sells is procrastination. It’s not that they can overnight something in an emergency, it’s that you can wait until the last moment to send something. The same is true of the Internet. The tendency is to believe that a website is solely what it claims, that GitHub won with better version control, as this Wired article claims. That’s not true. GitHub won because it made the solitary task of coding extremely social. GitHub won because it enabled anti-social Asperger coders to express themselves through their code.

SANS Internet Storm Center, InfoCON: green: Who got the bad SSL Certificate? Using tshark to analyze the SSL handshake, (Thu, Mar 12th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Ever wonder if any of your users connect to sites with bad SSL certificates? I ran into this issue recently when debugging some SSL issues, and ended up with this quick tshark and shell script trick to extract the necessary information from a packet capture.

First, you may want to compare the host name your clients connect to, to the host name returned as part of the certificate. While the Host header is encrypted and not accessible, modern SSL libraries use Server Name Indication (SNI) as part of the SSL Client Hello to indicate to the server which site they are trying to connect to. The SNI option is sent in the clear to allow for name virtual hosting with SSL.

To extract the SNI fields, I use:

tshark -r file.pcap -Y 'ssl.handshake.type==1' -T fields -e ip.dst -e tcp.srcport -e ssl.handshake.extensions_server_name | sed 's/\t/:/' > /tmp/out

The tshark command extracts all the SSL Client Hello messages (ssl.handshake.type==1) and then pulls out the destination IP, the client's port (tcp.srcport) and the SNI field. I replace the first tab with a : so that ip:port becomes a single key, which gives output like:

173.194.219.108:61879 imap.gmail.com

Your sed command will look a bit different if you are using OS X, whose BSD sed does not understand \t in the pattern.

Next, we need to extract the host names advertised by the certificate that the server returns. This is a bit tricky, as a certificate may either use a distinguished name (DN) or a subject alternative name if more than one hostname is included in the certificate.

tshark -r file.pcap -Y 'ssl.handshake.type==11' -T fields -e ip.src -e tcp.dstport -e x509sat.uTF8String -e x509ce.dNSName | sed 's/\t/:/' > /tmp/in

Just like before, we now filter for Certificate messages (type 11) and extract the source IP and the client's port (tcp.dstport), so we can match up connections with what we extracted above. The output should look like:

173.194.219.109:61898 California,Mountain View,Google Inc,imap.gmail.com imap.gmail.com
173.252.101.48:61897 *.facebook.com *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,fbcdn23dssr3jqnq.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com

Note how it is quite common to include a large list of hostnames.

Next, we need to link the two files. The join command is pretty useful here; note that join expects both inputs sorted on the join field, so sort them first:

join -1 1 -2 1 -e empty <(sort /tmp/in) <(sort /tmp/out) | tr '\t' ' '

This will join the two files, pretty much how a SQL join would combine two tables, using the first column in each file as index. The output looks now like:

17.172.208.83:61878 *.icloud.com,icloud.com p02-mailws.icloud.com
17.172.208.8:61881 *.icloud.com,management:idms.group.506364,Apple Inc.,California *.icloud.com p02-ckdatabase.icloud.com
173.252.101.48:61897 *.facebook.com *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,fbcdn23dssr3jqnq.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com
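The join above only lines the two extracts up; it does not yet tell you whether the SNI a client asked for is actually covered by the names in the certificate the server returned. The following Python script is an added example (not code from the diary) that consumes the two tab-separated extracts in exactly the format the tshark | sed pipelines above produce, joins them on ip:port, and classifies every connection as "ok", "mismatch" or "no-certificate" (for example a resumed session where no Certificate message was captured). Wildcard names are compared the way TLS clients do it (RFC 6125: "*.example.org" covers exactly one label), SAN dNSName entries are preferred, and hostname-looking subject strings are used only as a fallback when the certificate has no SAN. All input lines are constructed sample data, not a real capture.

```python
"""Audit SNI against the names in the server certificate.

Added example, not part of the diary. Input is what the two tshark | sed
pipelines produce:
  /tmp/out : <server_ip>:<client_port> TAB <sni>
  /tmp/in  : <server_ip>:<client_port> TAB <x509sat.uTF8String values> TAB <x509ce.dNSName values>
The script joins them on <ip:port> (what the join command does) and reports
connections whose SNI is not covered by the certificate.
"""
from typing import Dict, List, Tuple

# Constructed sample input (not a real capture). The first two lines mirror the
# shapes shown in the diary; the rest use RFC 5737 documentation addresses.
CLIENT_HELLOS = (
    "173.194.219.108:61879\timap.gmail.com\n"
    "173.252.101.48:61897\twww.facebook.com\n"
    "203.0.113.10:61900\tmail.example.net\n"        # certificate names do not cover the SNI
    "203.0.113.20:61901\tdeep.sub.example.org\n"    # wildcard covers one label only
    "203.0.113.30:61902\tresumed.example.org\n"     # no Certificate message captured
    "203.0.113.40:61903\tlegacy.example.com\n"      # certificate without SAN
)
CERTIFICATES = (
    "173.194.219.108:61879\tCalifornia,Mountain View,Google Inc,imap.gmail.com\timap.gmail.com\n"
    "173.252.101.48:61897\t*.facebook.com\t*.facebook.com,facebook.com,*.fbsbx.com\n"
    "203.0.113.10:61900\tUS,Example Org,www.example.com\twww.example.com,example.com\n"
    "203.0.113.20:61901\t*.example.org\t*.example.org\n"
    "203.0.113.40:61903\tUS,Legacy Corp,legacy.example.com\t\n"
)


def parse_client_hellos(text: str) -> Dict[str, str]:
    """Map <ip:port> -> SNI from the ssl.handshake.type==1 extract."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, sni = line.partition("\t")
        result[key] = sni.strip()
    return result


def looks_like_hostname(value: str) -> bool:
    """Heuristic for subject RDN values: a CN such as imap.gmail.com has a dot
    and no spaces, whereas O/L/ST strings like 'Mountain View' do not."""
    return bool(value) and "." in value and " " not in value


def parse_certificates(text: str) -> Dict[str, List[str]]:
    """Map <ip:port> -> names the certificate claims. SAN dNSName entries are
    authoritative; subject values are used only when there is no SAN."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        key = parts[0]
        subject_values = [v.strip() for v in parts[1].split(",")] if len(parts) > 1 else []
        san_values = [v.strip() for v in parts[2].split(",") if v.strip()] if len(parts) > 2 else []
        names = san_values if san_values else [v for v in subject_values if looks_like_hostname(v)]
        result.setdefault(key, []).extend(names)
    return result


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: exact (case-insensitive) match, or a leading
    '*.' that covers exactly one label, so *.fb.com matches www.fb.com but
    neither fb.com nor a.b.fb.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".fb.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return False


def audit(hellos: Dict[str, str], certs: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Join both extracts on <ip:port> and classify each connection."""
    report = []
    for key in sorted(hellos):
        sni = hellos[key]
        names = certs.get(key)
        if not names:
            verdict = "no-certificate"  # resumed session, or capture cut short
        elif any(name_matches(n, sni) for n in names):
            verdict = "ok"
        else:
            verdict = "mismatch"
        report.append((key, sni, verdict))
    return report


def main() -> None:
    report = audit(parse_client_hellos(CLIENT_HELLOS), parse_certificates(CERTIFICATES))
    for key, sni, verdict in report:
        print(f"{key:<24} {sni:<24} {verdict}")


if __name__ == "__main__":
    main()
```

To run it against a real capture, replace the two constructed strings with the contents of /tmp/out and /tmp/in from the commands above; "mismatch" lines are the connections worth a closer look, while "no-certificate" lines usually just mean the session was resumed and no full handshake was in the capture.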


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


TorrentFreak: Ebook Library Punishes Anti-Piracy Outfit For Wrongful DMCA Notices

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Like many other Internet-based services, The Ultimate Ebook Library (TUEBL) has to process numerous takedown requests to make sure that pirated content is swiftly removed from the site.

Unfortunately, not all requests they receive are legitimate. According to TUEBL there’s one company that stands out negatively, and that’s the London-based outfit MUSO.

When browsing through the takedown notices TUEBL founder Travis McCrea stumbled upon several automated requests that were submitted by MUSO, each listing inaccurate information.

The takedown notices were not merely incorrect, according to McCrea. They also circumvented the site’s CAPTCHA system, which is a violation of the Computer Fraud and Abuse Act.

This isn’t the first time TUEBL has noticed problems with MUSO’s takedown tactics. The company previously tried to remove several legitimately hosted titles, including a Creative Commons licensed book by Cory Doctorow.

“A year ago, after another issue where they were sending requests without any of the required information, they had filed a wrongful DMCA request for one of our featured authors Laurel Russwurm, and we sent them a warning,” McCrea tells TF.

“They further used our system to send a DMCA request for a book by Cory Doctorow. At that time we sent them a $150 invoice for our time reverting their improper DMCA request. When they didn’t reply, we let it slide… not wanting to make waves.”

MUSO never paid the $150 ‘fine’ and TUEBL initially let them get away with that. But after the recent mistakes McCrea decided that enough is enough.

On Sunday evening TUEBL sent the anti-piracy company an ultimatum. If MUSO fails to pay up, the company will be banned from sending further notices. In addition, hundreds of previously removed books will be restored.

“Today we are going to insist that your $150 fine be paid, or we will cut off all MUSO IP addresses, computers, and/or servers from accessing our DMCA page. Emailed requests will also be rejected as SPAM and all requests to be removed will have to come directly from the copyright holder instead of MUSO,” TUEBL wrote to the company.

MUSO has until 10PM PST today to respond, but thus far TUEBL hasn’t received a reply. The ebook library is still holding out for a peaceful resolution, but as the hours pass by this becomes less likely.

Despite the current problems, TUEBL’s founder says that the site respects copyright and notes that the amount of infringing material on its server is less than one percent of all books. However, wrongful takedown notices are making it harder to keep the site clean.

“DMCA abuse is a real threat to not only community websites like Facebook, YouTube, Flickr, and our own… but it also makes it more difficult to successfully process legitimate DMCA requests by authors who have had their copyright violated,” McCrea says.

“We have decided to fight this, not in spite of authors and their rights regarding their work, but rather to protect authors and to ensure our automated system remains open for them to use for the rare cases that copyrighted material make it onto our site,” he adds.

TF contacted MUSO for a comment on the allegations, but we haven’t heard back from the company at the time of publication.


Schneier on Security: Data and Goliath’s Big Idea

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Data and Goliath is a book about surveillance, both government and corporate. It’s an exploration in three parts: what’s happening, why it matters, and what to do about it. This is a big and important issue, and one that I’ve been working on for decades now. We’ve been on a headlong path of more and more surveillance, fueled by fear – of terrorism mostly – on the government side, and convenience on the corporate side. My goal was to step back and say “wait a minute; does any of this make sense?” I’m proud of the book, and hope it will contribute to the debate.

But there’s a big idea here too, and that’s the balance between group interest and self-interest. Data about us is individually private, and at the same time valuable to all of us collectively. How do we decide between the two? If President Obama tells us that we have to sacrifice the privacy of our data to keep our society safe from terrorism, how do we decide if that’s a good trade-off? If Google and Facebook offer us free services in exchange for allowing them to build intimate dossiers on us, how do we know whether to take the deal?

There are a lot of these sorts of deals on offer. Waze gives us real-time traffic information, but does it by collecting the location data of everyone using the service. The medical community wants our detailed health data to perform all sorts of health studies and to get early warning of pandemics. The government wants to know all about you to better deliver social services. Google wants to know everything about you for marketing purposes, but will “pay” you with free search, free e-mail, and the like.

Here’s another one I describe in the book: “Social media researcher Reynol Junco analyzes the study habits of his students. Many textbooks are online, and the textbook websites collect an enormous amount of data about how – and how often – students interact with the course material. Junco augments that information with surveillance of his students’ other computer activities. This is incredibly invasive research, but its duration is limited and he is gaining new understanding about how both good and bad students study – and has developed interventions aimed at improving how students learn. Did the group benefit of this study outweigh the individual privacy interest of the subjects who took part in it?”

Again and again, it’s the same trade-off: individual value versus group value.

I believe this is the fundamental issue of the information age, and solving it means careful thinking about the specific issues and a moral analysis of how they affect our core values.

You can see that in some of the debate today. I know hardened privacy advocates who think it should be a crime for people to withhold their medical data from the pool of information. I know people who are fine with pretty much any corporate surveillance but want to prohibit all government surveillance, and others who advocate the exact opposite.

When possible, we need to figure out how to get the best of both: how to design systems that make use of our data collectively to benefit society as a whole, while at the same time protecting people individually.

The world isn’t waiting; decisions about surveillance are being made for us – often in secret. If we don’t figure this out for ourselves, others will decide what they want to do with us and our data. And we don’t want that. I say: “We don’t want the FBI and NSA to secretly decide what levels of government surveillance are the default on our cell phones; we want Congress to decide matters like these in an open and public debate. We don’t want the governments of China and Russia to decide what censorship capabilities are built into the Internet; we want an international standards body to make those decisions. We don’t want Facebook to decide the extent of privacy we enjoy amongst our friends; we want to decide for ourselves.”

In my last chapter, I write: “Data is the pollution problem of the information age, and protecting privacy is the environmental challenge. Almost all computers produce personal information. It stays around, festering. How we deal with it – how we contain it and how we dispose of it – is central to the health of our information economy. Just as we look back today at the early decades of the industrial age and wonder how our ancestors could have ignored pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we addressed the challenge of data collection and misuse.”

That’s it; that’s our big challenge. Some of our data is best shared with others. Some of it can be ‘processed’ – anonymized, maybe – before reuse. Some of it needs to be disposed of properly, either immediately or after a time. And some of it should be saved forever. Knowing what data goes where is a balancing act between group and self-interest, a trade-off that will continually change as technology changes, and one that we will be debating for decades to come.

This essay previously appeared on John Scalzi’s blog Whatever.

Krebs on Security: Feds Indict Three in 2011 Epsilon Hack

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” The government isn’t naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon.

The government alleges the defendants made more than $2 million blasting out spam to more than one billion email addresses stolen from several email service providers (ESPs), companies that manage customer email marketing on behalf of major corporate brands. The indictments further allege that the men sent the junk missives by hijacking the email servers used by these ESPs.

“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” said Acting U.S. Attorney John Horn.  “And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data—they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”

To be clear, prosecutors haven’t specifically outed Epsilon as the victim, nor did they name any of the other email service providers (ESPs) allegedly harmed by the defendants. But a press release issued today by Horn’s office states that “the data breach into certain ESPs was the subject of a congressional inquiry and testimony before a U.S. House of Representatives subcommittee on June 2, 2011.”

That date aligns with a June 2, 2011 House Energy and Commerce Committee panel on the data breaches at Sony and Epsilon. Epsilon officials could not be immediately reached for comment.

In early April 2011, customers at dozens of Fortune 500 companies began complaining of receiving spam to email addresses they’d created specifically for use with those companies. On April 2, 2011, Epsilon started notifying consumers that hackers had stolen customer email addresses and names belonging to a “subset of its clients.”

Those clients were ESPs that send email to customers on behalf of some of the biggest firms in the world. Epsilon didn’t name which ESPs were impacted, but the voluminous complaints from consumers about spam indicated that those ESPs served a broad range of major companies, including JP Morgan Chase, U.S. Bank, Barclays, Kroger, McDonalds, Walgreens, and Honda, to name but a few.

A scam web site that tried to sell copies of Adobe Reader.

As I noted in that April 2011 story, consumers had complained of receiving junk email with links to sites that tried to sell versions of software made by Adobe Systems Inc. Some of the sites reportedly even tried to sell copies of Adobe Reader — software that Adobe gives away for free.

Sure enough, the men indicted today are accused of hacking into a major ESP to steal more than a billion email addresses, which they allegedly used to promote knockoff versions of Adobe software (among other dubious products).

Prosecutors in Atlanta today unsealed indictments against Viet Quoc Nguyen and Giang Hoang Vu, both citizens of Vietnam who resided for a period of time in the Netherlands. The government also unsealed an indictment against David-Manuel Santos De Silva, a Canadian citizen who was charged with conspiring with Nguyen and others to launder the proceeds of Nguyen’s alleged computer hacking offenses.

The government alleges that Nguyen used various methods — including targeted email phishing campaigns — to trick recipients at email marketing firms into clicking links to sites which attempted to exploit browser vulnerabilities in a bid to install malicious software. For more on those targeted attacks, see my Nov. 24, 2010 story, Spear Phishing Attacks Snag E-Mail Marketers.

A copy of one spear phishing email sent to ESP employees in Nov. 2010.

“Nguyen’s phishing campaigns allegedly delivered malware, which allowed him backdoor access to the ESP employees’ computer systems and enabled him to steal sensitive information, including the employees’ access credentials for the ESP’s computer systems,” the government alleged. “Using stolen access credentials, Nguyen was not only able to allegedly steal confidential information by downloading the information from the ESPs’ computer systems to a server that he controlled in the Netherlands, but was also able to utilize the ESPs’ computer systems to launch spam attacks on tens of millions of stolen email addresses.”

Prosecutors released this photo of Nguyen, an undated Facebook profile photo.

Vu allegedly assisted in the spamming. De Silva allegedly helped launder the proceeds of the spam campaigns. Prosecutors say De Silva ran an affiliate marketing firm called Marketbay.com, and that through that service he provided Vu and Nguyen a way to monetize their spam campaigns.

If recipients of the spam emails clicked through and paid for the products advertised in the junk email, those customers would be directed through Marketbay’s affiliate links. According to the government, De Silva knew Vu and Nguyen were using stolen email addresses and hijacked ESPs to drum up sales, which prosecutors allege generated more than $2 million for the men.

Vu was arrested by Dutch authorities in 2012 and was later extradited to the United States. He has pleaded guilty to conspiracy to commit computer fraud, and is slated to be sentenced in April 2015.

De Silva was arrested in Ft. Lauderdale, Fla. on Feb. 12, and is expected to make his first appearance today before a federal magistrate in Atlanta. Nguyen is not in custody and remains a fugitive.

Linux How-Tos and Linux Tutorials: How to Install the Prestashop Open Source Ecommerce Tool on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Prestashop is one of the most powerful open source ecommerce tools you will ever have the privilege of using. Last year I decided to test the waters of selling books directly from my web site. To do this, I turned to Prestashop and was amazed at how much power and flexibility it offered. From digital downloads, weekly specials, standard and mobile themes, templates, modules ─ you name it, Prestashop can do it.

The core of Prestashop is free (there are paid modules to extend the functionality as well as a hosted, cloud-based version of the tool). But if you want to host your own Prestashop in-house, you can. The system requirements are fairly basic:

  • Supported operating system: Windows, Mac and Linux

  • Web server: Apache 1.3, Apache 2.x, Nginx or Microsoft IIS

  • PHP 5.2+ installed and enabled

  • MySQL 5.0+ installed with a database created.

I want to walk you through the process of getting Prestashop up and running on the Linux platform. I will demonstrate on Ubuntu 14.04 ─ but the steps are easily transferrable to other distributions. I will assume you already have the requirements met (in particular … the LAMP portion). The Prestashop installer does not create the database for you, so you will have to do that manually. There are a number of ways this can be done ─ my preference is using the PhpMyAdmin tool.

Let’s begin the process.

Database creation

Creating the database through PhpMyAdmin is simple:

  1. Point your browser to the PhpMyAdmin install on the server that will hold the Prestashop instance.

  2. Click on the Databases tab.

  3. Enter the name of the database to be created (Figure 1).

  4. Click Create.

Figure 1: PhpMyAdmin database creation

If you prefer creating databases from the command line, do the following:

  1. From a terminal window, issue the command

    sudo mysql -u root -p

  2. Type your MySQL root password and hit Enter.

  3. At the MySQL prompt, type the command

    create database shop ;

  4. Hit Enter.

Your database should now be ready to use. Before moving on, also create a dedicated MySQL account for the shop with privileges limited to that one database, so that the installer (and the shop’s configuration file) never needs the MySQL root password.

Download and install

With the database ready, you need to download the latest version of Prestashop and move it to the Apache document root. For our instance, that document root will be /var/www/html. Once you’ve downloaded the .zip file, move it to /var/www/html and change into the document root from a terminal window with the command

cd /var/www/html

then unzip the package with the command

sudo unzip prestashop_XXX.zip 

(where XXX is the release number). This will create a new directory in the document root called prestashop.

The remainder of the installation will be done through your web browser. So point the browser to http://ADDRESS_OF_SERVER/prestashop and start walking through the installation wizard.

Web based install

The first step in the wizard is to select your language. From the language drop-down, make the appropriate selection and click Next. At this point you will need to agree to the licenses (there are more than one) and click Next. At this point, you will find out what all needs to be corrected for the installation to continue.

The most likely fixes necessary are the installation of the GD library and the mcrypt extension, and giving the web server write permission on a number of folders. Here are the quick fixes:

  1. To install the GD library, issue the command

    sudo apt-get install php5-gd 

  2. To install the mcrypt extension, issue the command

    sudo apt-get install php5-mcrypt

  3. Enable mcrypt with the command

    sudo php5enmod mcrypt

  4. Make the following directories (within /var/www/html/prestashop) writable: config, cache, log, img, mails, modules, themes/default-bootstrap/lang, themes/default-bootstrap/pdf/lang, themes/default-bootstrap/cache, translations, upload and download. The quickest way is to run

    sudo chmod -R ugo+w 

    on each of them. Be aware that ugo+w makes those files writable by every account on the server, not just by Apache. On anything other than a throwaway test box, give write access only to the user Apache runs as (www-data on Ubuntu) and leave the rest of the Prestashop tree read-only.

Once you’ve made those corrections (if necessary), hit the Refresh these settings button again and you should see all is well (Figure 2).

Figure 2: Prestashop install requirements check

Store information

In the next window (Figure 3), you must enter information about your store. Pay close attention to the Main Activity drop-down. If you’re going to offer digital downloads, you’ll want to select the Download option (so you don’t have to manually add that feature later).

Figure 3: Prestashop store information

Fill out the information and click Next to continue on.

Database configuration

In the next window (Figure 4), you must enter the information for the database you created earlier. Enter the information and click Test your database connection now. If it returns Database is connected, you are good to go ─ click Next.

Figure 4: Prestashop database configuration

Once you click Next, all of the database tables will be created. This step can take some time (depending upon your hardware). Allow it to finish and you will be greeted with a new window with a number of different links. You can click to manage your store, view your store, find new templates or modules, and even share your successful installation on Facebook, Twitter, etc.

You will, most likely, want to head on over to the back office. However, you cannot actually visit the back office until you’ve done the following:

  • Delete the /var/www/html/prestashop/install folder (left in place, it would let anyone who finds it re-run the installer against your store)

  • Rename the /var/www/html/prestashop/admin folder to a name that is hard to guess, since it is the login page for your store’s administrator

Once you’ve renamed the admin folder, the URL for the Prestashop back office will be http://ADDRESS_TO_SERVER/prestashop/ADMIN_FOLDER (where ADDRESS_TO_SERVER is the URL or IP address of the server and ADMIN_FOLDER is the new name for the admin folder). Go to that address and log in with the administration credentials you created during the Store Information setup. You will find yourself at the Prestashop Dashboard (Figure 5), where you can begin to manage your ecommerce solution!
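The permission fixes and the two post-install steps above, collected into one script. This is an added example, not code from the article or from the Prestashop project. It assumes the layout the article describes (the unzipped shop under a path such as /var/www/html/prestashop), a deploy account that owns the files (root, or your own login) and the group Apache runs as (www-data on Ubuntu). Instead of chmod ugo+w it gives group write access only to the directories the installer’s requirements check asks for, leaves everything else read-only for the web server, deletes the install folder and renames admin to a random name, which it prints so you can bookmark the new back-office URL:

```shell
#!/bin/sh
# harden_prestashop SHOP_DIR OWNER WEB_GROUP
#   SHOP_DIR  : the unzipped shop, e.g. /var/www/html/prestashop
#   OWNER     : account that owns the code (root, or your deploy login)
#   WEB_GROUP : group Apache runs as (www-data on Ubuntu) - assumed, adjust as needed
harden_prestashop() {
    shop="$1"
    owner="$2"
    webgroup="$3"

    # Directories the Prestashop installer wants writable (list from the article).
    writable_dirs="config cache log img mails modules \
        themes/default-bootstrap/lang themes/default-bootstrap/pdf/lang \
        themes/default-bootstrap/cache translations upload download"

    # Baseline: owner read/write, web server read-only, nothing for other users.
    chown -R "$owner:$webgroup" "$shop" || return 1
    find "$shop" -type d -exec chmod 750 {} + || return 1
    find "$shop" -type f -exec chmod 640 {} + || return 1

    # Only the runtime directories get group write; setgid keeps new files in the group.
    for d in $writable_dirs; do
        [ -d "$shop/$d" ] || continue
        find "$shop/$d" -type d -exec chmod 2770 {} + || return 1
        find "$shop/$d" -type f -exec chmod 660 {} + || return 1
    done

    # The installer must not stay reachable once the shop is set up.
    rm -rf "$shop/install"

    # Move the back office to an unguessable path and report the new name.
    if [ -d "$shop/admin" ]; then
        suffix=$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n')
        mv "$shop/admin" "$shop/admin$suffix" || return 1
        printf '%s\n' "admin$suffix"
    fi
}

# Usage: sudo sh harden_prestashop.sh /var/www/html/prestashop root www-data
if [ "$#" -eq 3 ]; then
    harden_prestashop "$@"
fi
```

Run it once the web installer has finished; if you run it before, the requirements check will still pass, because Apache (via the www-data group) can write to every directory it lists. Files owned by root with mode 640 cannot be modified by a compromised PHP process, which is the point of not using ugo+w.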

Figure 5: Prestashop dashboard

If you’re in need of a powerful ecommerce tool, look no further than open source and Prestashop. With this powerhouse online shopping solution, you’ll be selling your products and services with ease.

Backblaze Blog | The Life of a Cloud Backup Company: Translating Morse Code for Verizon

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Yesterday, the FCC announced that it would be reclassifying internet service providers as Title II utilities. Net Neutrality has been a topic of great debate over the last few months, and while many people are excited about the change, there is also some dissent. Verizon, for its part, looked to the past, claiming that the FCC is going back to 1930s technology, by posting its official response to the FCC in Morse Code.

We appreciate the humor in their approach, but we think they severely limited the possibility of having their message read and appreciated. We’d like help. We’ve taken the liberty of translating their Morse Code encoded message into a language that is more common among the millions of people whose careers are built on the Internet. The Verizon point of view in Klingon:

(Image: Verizon’s statement rendered in Klingon)

Hopefully this won’t turn into an intergalactic incident, but we’re excited to see how the new internet rules will play out!

LLAP

Author information

Yev

Chief Smiles Officer at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.

Follow Yev on:

Twitter: @YevP | LinkedIn: Yev Pusin | Google+: Yev Pusin

The post Translating Morse Code for Verizon appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Schneier on Security: Everyone Wants You To Have Security, But Not from Them

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In December, Google’s Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: “If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else.”

That surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.

I was reminded of this last week when I appeared on Glenn Beck’s show along with cryptography pioneer Whitfield Diffie. Diffie said:

You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.

That neatly explains Google. Eric Schmidt does want your data to be secure. He wants Google to be the safest place for your data, as long as you don’t mind the fact that Google has access to your data. Facebook wants the same thing: to protect your data from everyone except Facebook. Hardware companies are no different. Last week, we learned that Lenovo computers shipped with a piece of adware called Superfish that broke users’ security to spy on them for advertising purposes.

Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.

Corporations want access to your data for profit; governments want it for security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.

I wrote about this in my latest book, Data and Goliath:

Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.

Like Diffie, I’m not sure there is any practical alternative. The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices.

Those “someones” will necessarily be able to violate our privacy, either by deliberately peeking at our data or by having such lax security that they’re vulnerable to national intelligence agencies, cybercriminals, or both. Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions (yes, billions) of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.

This essay previously appeared on Forbes.com.

Backblaze Blog | The Life of a Cloud Backup Company: The Backblaze Song

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Backblaze has a new jingle, courtesy of Jonathan Mann:

Here’s the crazy story of how this came to pass. A few years ago Jonathan set out on the seemingly impossible path of creating a song a day and posting those songs to his YouTube channel. Some of those songs he’s written each day have turned into jingles for companies that he’s admired, and luckily for us, Backblaze was on that list. A few months ago Jonathan reached out to us through our mutual friend Marco and asked if Backblaze was interested in a jingle. He is a Backblaze customer and has been working for the last few months to “bring jingles back”. We’re honored to be part of that pursuit.

When we first started out, being scrappy was our best chance of taking on the task of getting everyone backed up. Jonathan has scrappiness in droves and his story is pretty darn interesting. Jonathan’s a musician who has been active on YouTube since 2006, but his largest undertaking, creating a song a day, began in January 2009. He passed the 2000 song mark in June 2014, but is still going strong, uploading videos daily.

There are many parallels between Jonathan and Backblaze that make us appreciate his work. Much like Backblaze revealing our storage pod design and releasing our hard drive failure rates, Jonathan has been remarkably open about his personal life in these videos. We once wrote about a failed acquisition, and Jonathan once wrote about breaking up with his girlfriend after 5 years of being together. This type of openness and accessibility have made his songs some of the more entertaining on YouTube, even if they’re about your everyday life.

Being open and honest is a wonderful trait, both in people and in companies, but unfortunately it’s one that we don’t see very often. Jonathan is doing great things with his Song a Day campaign (one of his biggest hits from the campaign was his iPhone Antenna Song, which Steve Jobs even used on stage to open his “antennagate” keynote) and in addition to our thanks for the cool video, wish him nothing but the best. We love this kind of work-ethic and creativity and it just goes to prove that when you pour your heart and soul into a project, impossibilities tend to fade away.

The post The Backblaze Song appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Krebs on Security: TurboTax’s Anti-Fraud Efforts Under Scrutiny

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Two former security employees at Intuit — the makers of the popular tax preparation software and service TurboTax – allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud.

Last week, KrebsOnSecurity published an exclusive interview with Indu Kodukula, Intuit’s chief information security officer. Kodukula explained that customer password re-use was a major cause of a spike this tax season in fraudulent state tax refund requests. The increase in phony state refund requests prompted several state revenue departments to complain to their state attorneys general. In response, TurboTax temporarily halted all state filings while it investigated claims of a possible breach. The company resumed state filing shortly after that pause, saying it could find no evidence that customers’ TurboTax credentials had been stolen from its network.

Kodukula noted that although the incidence of hijacked, existing TurboTax accounts was rapidly growing, the majority of refund scams the company has to deal with stem from “stolen identity refund fraud” or SIRF. In SIRF, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

Kodukula cast Intuit as an industry leader in helping the IRS identify and ultimately deny suspicious tax returns. But that portrayal only tells part of the story, according to two former Intuit employees who until recently each held crucial security positions helping the company identify and fight tax fraud. Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.

Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.

But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”

The allegations surface just days after Senate Finance Committee Chairman Orrin Hatch (R., Utah) said his panel will be holding hearings on reports about a spike in fraudulent filings through TurboTax and elsewhere. The House Ways and Means Committee is reportedly looking into the matter and has held bipartisan staff-level discussions with the IRS and Intuit.

The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.

According to a recent report (PDF) from the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013.  Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

SQUEEZING THE BALLOON

Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.

But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.

“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”

Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.

“We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”

Lee said that early on, the reports on returns that Intuit’s fraud teams flagged as bogus were sent immediately to the IRS.

“Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”

KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.

“As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”

That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.

“Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”

NO RULES OF THE ROAD

For its part, Intuit maintains that it is well out in front of its competitors in voluntarily reporting to the IRS refund requests that the company has flagged as suspicious. The company also stresses that it has done so even though the IRS still has not promulgated rules that require TurboTax and its competitors to report suspicious returns  — or even how to report such activity. Intuit executives say they went to the IRS three years ago to request specific authority to share that information. The IRS did not respond to requests for comment.

Intuit officials declined to address Lyons’ recorded comments specifically, although they did confirm that a company attorney led an employee WebEx meeting on the date the recording was made. But David Williams, Intuit’s chief tax officer, said what’s missing from the recorded conversation excerpted above is that Intuit has been at the forefront of asking the IRS to propose industry standards that every industry player can follow — requests that have so far gone unheeded.

“We have led the industry in making suspicious activity reports, and I’d venture to say that virtually all of the returns that Mr. Lee is quoted as referring to appear in our suspicious activity reports and are stopped by the IRS,” Williams said. “Whatever else Mr. Lee may have seen, I’m not buying the premise that somehow there was a profit motive in it for us.”

Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.

“Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”

Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.

“We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”

Earlier this month, Intuit CEO John Koskinen sent a letter to the commissioner of the IRS, noting that while Intuit sends reports to the IRS when it sees patterns of suspicious behavior, the government has been limited in the types of information it can share with parties, including tax-preparation firms.

“The IRS could be the convener to bring the States together to help drive common standards adoption,” Koskinen wrote, offering the assistance of Intuit staff members “to work directly with the IRS and the States in whatever ways may be of assistance…as the fight against fraud goes forward.”

ZERO FALSE POSITIVES

Lee and MacDougall both said Intuit’s official approach to fighting fraud is guided by a policy of zero tolerance for so-called “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious, and possibly incurring the double whammy of a delay in the customer’s refund and an inquiry by the IRS. This is supported by audio recordings of conference calls between Intuit’s senior executives that were shared with KrebsOnSecurity.

“We protect the sanctity of the customer experience and hold it as inviolate,” Intuit’s General Counsel Michael Lyons can be heard saying on a recorded October 2014 internal conference call. “We do everything we can to organize the best screening program we can, but we avoid false positives at all costs. Because getting a legitimate taxpayer ensnared in the ‘you’re a bad guy’ area with the IRS is hell. Once your return gets flagged as suspicious, rejected and the IRS starts investigating, you’re not in a good place. More than 50 percent of people out there are living paycheck to paycheck, and when this is the biggest paycheck of the year for them, they can’t afford to get erroneously flagged as fraud and have to prove to the IRS who they are so that they can get that legitimate refund that they were expecting months ago.”

On the same conference call, MacDougall can be heard asking Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.

“We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”

Intuit’s Lanesey confirmed Lee’s claim that Intuit adds a delay — it is currently three weeks — from the time a customer files a refund claim and the time it transmits “scoring” data to the IRS intended to communicate which returns the company believes are suspicious. Lanesey said the delay was added specifically to avoid false positives.

“The reason we did that was that when we started this reporting, we weren’t accurate, and were ensnaring legitimate taxpayers in that process,” Lanesey said. “We slowed down and spent more time to review to make sure we could get more accurate and we have in fact done exactly that. The match rates between what the IRS rejects and what we send are now measurably higher today with the new reporting than they were then.”

Unfortunately, three weeks is about how long the IRS takes to decide whether to reject or approve tax refund requests. In an August 2014 report to Congress on the tax refund fraud epidemic, the GAO said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

Williams said Intuit is open to shortening its reporting delay.

“As we’ve gotten better at this and the IRS has gotten better at this, we can certainly look at shortening the timeframes,” he said. “Given the fact that over the past few years we’ve improved our speed, processes and techniques for reporting accurately, we can certainly explore whether they are able to take the data we give them and we are able to provide it to them in a way that is more useful.”

BUILDING A BETTER MOUSETRAP

The scourge of tax fraud is hardly a problem confined to TurboTax, but with nearly 29 million customers last year TurboTax is by far the biggest player in the market. In contrast, H&R Block and TaxAct each handled seven million prepared returns last year, according to figures collected by The Wall Street Journal.

Both Lee and MacDougall said they wanted to go public with their concerns because TurboTax and the rest of the industry have for so long put off implementing stronger account security measures. MacDougall said he filed the whistleblower complaint with the SEC because he witnessed a pattern of activity within Intuit’s management that suggested the firm was not interested in stopping fraud if it meant throttling profits when none of its competitors were doing the same.

MacDougall said that about a year ago he had a meeting with the head of Intuit’s security division wherein security team members were asked to pitch their projects for the year. MacDougall said he thought his idea was certain to generate an enthusiastic response from higher-ups at the company: Build a fraud ‘honeypot.’

In information security terminology, a honeypot is a virtual holding area to which known or suspected fraudsters are redirected, so that their actions and activities can be monitored and mined for patterns that potentially aid in better identifying fraudulent activity. Honeypots also serve a more cathartic — albeit potentially just as useful — purpose: They tie up the time and attention of the fraudsters and cause them to waste tons of resources on fruitless activity.

“My project was going to be a fraud honeypot,” MacDougall recalled. “My pitch was that we would create a honeypot in TurboTax so that every time a fraudster came in and we figured it out, we’d switch them over to the honeypot version of the site so that we could waste their time, exhaust their resources, and at the end of the day they wouldn’t know they’d been scammed for several weeks, when they finally realized that none of their fraudulent returns had even been filed.”
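The fraud honeypot MacDougall describes, sketched as an added Go example that is neither Intuit's nor MacDougall's code: a session whose fraud score clears a deliberately high threshold (the article's zero-false-positive concern) is routed to a branch that quarantines the submission instead of transmitting it, while returning exactly the acceptance the real path returns. The `/file` endpoint, the `sid` cookie, the scorer and the threshold value are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Scorer returns a fraud score in [0,1] for session sid. A real service feeds
// this from device, velocity and identity signals; here it is injected.
type Scorer func(sid string) float64

// HoneypotThreshold is deliberately high: only confidently flagged sessions
// are diverted, everything below it reaches the real filing path.
const HoneypotThreshold = 0.95

type Submission struct {
	Session string
	Body    string
}

// Store keeps real filings and quarantined (honeypot) submissions apart.
type Store struct {
	mu          sync.Mutex
	Filed       []Submission
	Quarantined []Submission
}

func (s *Store) add(dst *[]Submission, sub Submission) {
	s.mu.Lock()
	defer s.mu.Unlock()
	*dst = append(*dst, sub)
}

// NewHandler builds the hypothetical POST /file endpoint. Both branches answer
// with the same status and body, so a diverted client cannot tell it is sandboxed.
func NewHandler(store *Store, score Scorer) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, cerr := r.Cookie("sid")
		body, rerr := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bounded read
		if r.Method != http.MethodPost || cerr != nil || rerr != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		sub := Submission{Session: c.Value, Body: string(body)}
		if s := score(c.Value); s >= HoneypotThreshold {
			// Honeypot branch: record everything, transmit nothing.
			store.add(&store.Quarantined, sub)
			log.Printf("honeypot: session=%s score=%.2f quarantined", c.Value, s)
		} else {
			store.add(&store.Filed, sub) // stands in for real transmission
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusAccepted)
		json.NewEncoder(w).Encode(map[string]string{"status": "accepted"})
	})
}

// Submit drives the handler in-process and returns status code and body.
func Submit(h http.Handler, sid, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/file", strings.NewReader(body))
	req.AddCookie(&http.Cookie{Name: "sid", Value: sid})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	store := &Store{}
	// Constructed scorer: one known-bad session scores 0.99, all others 0.
	h := NewHandler(store, func(sid string) float64 { return map[string]float64{"bad-session": 0.99}[sid] })
	code, resp := Submit(h, "bad-session", `{"refund":9999}`)
	log.Printf("%d %s quarantined=%d filed=%d", code, strings.TrimSpace(resp), len(store.Quarantined), len(store.Filed))
}
```

The quarantined submissions are what the monitoring and pattern-mining described above would consume; nothing in that branch ever reaches the real filing path.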

But MacDougall said he was stunned when his boss emphatically rejected his idea for use on TurboTax accounts. Instead, she brought up the fraud-as-a-balloon analogy, MacDougall said.

“She said ‘You can use this on any other product except TurboTax’,” MacDougall said. “I asked why we wouldn’t want to use this on our flagship product, and her answer was that this was an industry problem and not just a TurboTax problem.”

Only after Intuit was forced to temporarily suspend state filings earlier this month did the company’s chief executive announce plans to beef up the security of customer accounts. Intuit now says it plans to start requiring customers to validate their accounts, either via email, text message or by answering questions about their financial history relayed through the service by big-three credit bureau Experian.

Lee says those requirements are long overdue, but that they don’t go nearly far enough considering how much sensitive information Intuit holds about tens of millions of taxpayers.

“Tax preparers ought to apply similar ‘know your customer’ practices that we see in the financial markets,” he said. “When you give your most sensitive data and that of your family to a company, that company should offer you more security than you can get at Facebook or World of Warcraft,” Lee said, referring to two popular online businesses that have long offered the type of multi-factor authentication that Intuit just announced this month.

At a minimum, Lee said, tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number, he said.

“The point here is not to shame Intuit, but to educate the American public about what’s going on,” Lee said. “The industry as a whole, not just Intuit, needs to grow up and tackle this fraud problem seriously.”

Intuit’s David Williams said the company is focused on remedying some of the account issues raised by Lee and others.

“To be fair, our recent experience with the states has been a wake-up call that we are going to be more aggressive than anybody going forward, even if we were just acting consistently [with the rest of the industry] in the past,” he said. “That’s why we always talk about our anti-fraud efforts as evolving. We don’t have every great idea in the world, but we’re always looking at improving.”

TorrentFreak: How a Private ‘Anime’ Torrent Tracker Became an Essential Tool For Facebook

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Large scale web-services need tens of thousands of servers to keep things running smoothly for their millions of users.

Keeping all of these servers updated with the latest code can be time and resource intensive and it was no different at Facebook during its early years.

However, most problems disappeared when the social networking company discovered BitTorrent. With BitTorrent all servers in the network could help to distribute code updates and as a result deployment took minutes rather than hours or days.

After discovering these benefits Facebook changed its BitTorrent implementation quite a bit. Among other tools, the company is now using the open source tracker software Chihaya, named after a school girl starring in the manga series Chihayafuru.

While this might seem like a peculiar name for a piece of BitTorrent tracking code, all becomes clear when you look at the history of the software and its links to a private anime torrent tracker.

In 2012 a developer named Kotoko started working on a new tracker backend written in the then-new programming language Go. Named Chihaya, the project (originally developed for a private anime community) aimed to become a replacement for the Ocelot tracker used by many Gazelle-based torrent sites.

Around the same time the people behind the Waffles community were working on a full replacement for Gazelle named Batter, and the Chihaya developer eventually jumped on this bandwagon. The project also drew the attention of other programmers, including Jimmy Zelinskie and Justin Li, both college students at the time.

“I was interested in helping out with Chihaya back then because I wanted to work on a project to cement my skills in the Go programming language,” Zelinskie tells TF.

After a while priorities changed. Chihaya was never connected to a tracker frontend, but Zelinskie and Li kept improving it bit by bit.

“The Batter project fizzled out, but Chihaya development continued,” Zelinskie says. “We restructured Chihaya a few times, trying to decide how to make it scalable and ultimately landed on what we have today.”


Over the past several years Chihaya has evolved into one of the most advanced pieces of tracker software around, with support for multi-core processors and peers announcing on IPv4, IPv6 or both.

“The architecture of the project is entirely modular and in doing so, we’ve made the tracker so it could potentially support any transport protocol like HTTP or UDP and any backend BitTorrent indexing software like Gazelle,” Zelinskie tells TF.

This didn’t go unnoticed by others, including the engineering team at Facebook who also started to use the code for their server deployment.

“Facebook started using the project because of our proper IPv6 support,” Zelinskie says, adding that they optimized the tracker even more for a local setup.

“We soon after added the ability to prefer peers based on a subnet of their IP address; for example, if your IP address is 192.168.1.1, you can configure the tracker to deliver you all the ‘closest’ peers in the 192.168.1.X range before any others,” he notes.
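The subnet preference Zelinskie describes, as an added example in Go that is not Chihaya's own code: peers sharing the announcer's /24 (IPv4) or /64 (IPv6) are handed out before all others, and peers of the other address family are never mixed in. The `Peer` type, the prefix lengths and the swarm below are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Peer is a constructed, minimal peer record (not Chihaya's own type).
type Peer struct {
	ID   string
	IP   net.IP
	Port uint16
}

// isV4 reports whether ip is an IPv4 address (including the v4-mapped v6 form).
func isV4(ip net.IP) bool { return ip.To4() != nil }

// sameSubnet reports whether a and b agree on their first `bits` bits.
// Callers guarantee both addresses are of the same family.
func sameSubnet(a, b net.IP, bits int) bool {
	if isV4(a) {
		a, b = a.To4(), b.To4()
	} else {
		a, b = a.To16(), b.To16()
	}
	mask := net.CIDRMask(bits, len(a)*8)
	return a.Mask(mask).Equal(b.Mask(mask))
}

// SelectPeers answers an announce from announcer with up to want peers of the
// same address family, listing those inside the announcer's /v4Bits (IPv4) or
// /v6Bits (IPv6) subnet before all others. Order within each group is kept as
// given; a production tracker would shuffle each group so the same few peers
// are not handed out on every announce.
func SelectPeers(announcer Peer, swarm []Peer, want, v4Bits, v6Bits int) []Peer {
	bits := v6Bits
	if isV4(announcer.IP) {
		bits = v4Bits
	}
	var near, far []Peer
	for _, p := range swarm {
		if p.ID == announcer.ID || isV4(p.IP) != isV4(announcer.IP) {
			continue // never return a peer to itself, and never mix families
		}
		if sameSubnet(announcer.IP, p.IP, bits) {
			near = append(near, p)
		} else {
			far = append(far, p)
		}
	}
	out := append(near, far...)
	if len(out) > want {
		out = out[:want]
	}
	return out
}

func main() {
	// Constructed swarm: the announcer 192.168.1.1 asks for 3 peers with /24
	// preference, so the two 192.168.1.x peers come first.
	me := Peer{ID: "me", IP: net.ParseIP("192.168.1.1"), Port: 6881}
	swarm := []Peer{
		{ID: "a", IP: net.ParseIP("10.0.0.5"), Port: 6881},
		{ID: "b", IP: net.ParseIP("192.168.1.20"), Port: 6881},
		{ID: "c", IP: net.ParseIP("2001:db8::1"), Port: 6881},
		{ID: "d", IP: net.ParseIP("192.168.1.7"), Port: 6881},
		{ID: "e", IP: net.ParseIP("203.0.113.9"), Port: 6881},
	}
	for _, p := range SelectPeers(me, swarm, 3, 24, 64) {
		fmt.Printf("%s %s:%d\n", p.ID, p.IP, p.Port) // b, d, then a
	}
}
```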

Zelinskie currently works at CoreOS, a company that specializes in the deployment of software. He believes that BitTorrent-supported distribution is the future for companies, large and small. Chihaya certainly fits into this picture.

This leads to the remarkable conclusion that an open source private tracker, originally programmed to serve anime torrents, is now powering one of the largest technology companies in the world.

For Zelinskie, this transition not only shows the true power of open source, but also of BitTorrent.

“This is the reason why I write open source software and my company releases so much of what we do open source. Having as many people as possible working towards a common goal, in this case a solid BitTorrent tracker implementation, is beneficial to all of society, not just one set of individuals,” he says.

“BitTorrent is far too often associated with copyright infringement. When in reality, BitTorrent is simply the best file transfer protocol. Whether it’s being used by you, me, or even Facebook.”



Schneier on Security: New Book: Data and Goliath

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

After a year of talking about it, my new book is finally published.

This is the copy from the inside front flap:

You are under surveillance right now.

Your cell phone provider tracks your location and knows who’s with you. Your online and in-store purchasing patterns are recorded, and reveal if you’re unemployed, sick, or pregnant. Your e-mails and texts expose your intimate and casual friends. Google knows what you’re thinking because it saves your private searches. Facebook can determine your sexual orientation without you ever mentioning it.

The powers that surveil us do more than simply store this information. Corporations use surveillance to manipulate not only the news articles and advertisements we each see, but also the prices we’re offered. Governments use surveillance to discriminate, censor, chill free speech, and put people in danger worldwide. And both sides share this information with each other or, even worse, lose it to cybercriminals in huge data breaches.

Much of this is voluntary: we cooperate with corporate surveillance because it promises us convenience, and we submit to government surveillance because it promises us protection. The result is a mass surveillance society of our own making. But have we given up more than we’ve gained? In Data and Goliath, security expert Bruce Schneier offers another path, one that values both security and privacy. He shows us exactly what we can do to reform our government surveillance programs and shake up surveillance-based business models, while also providing tips for you to protect your privacy every day. You’ll never look at your phone, your computer, your credit cards, or even your car in the same way again.

And there’s a great quote on the cover:

“The public conversation about surveillance in the digital age would be a good deal more intelligent if we all read Bruce Schneier first.” –Malcolm Gladwell, author of David and Goliath

This is the table of contents:

Part 1: The World We’re Creating

Chapter 1: Data as a By-Product of Computing
Chapter 2: Data as Surveillance
Chapter 3: Analyzing our Data
Chapter 4: The Business of Surveillance
Chapter 5: Government Surveillance and Control
Chapter 6: Consolidation of Institutional Surveillance

Part 2: What’s at Stake

Chapter 7: Political Liberty and Justice
Chapter 8: Commercial Fairness and Equality
Chapter 9: Business Competitiveness
Chapter 10: Privacy
Chapter 11: Security

Part 3: What to Do About It

Chapter 12: Principles
Chapter 13: Solutions for Government
Chapter 14: Solutions for Corporations
Chapter 15: Solutions for the Rest of Us
Chapter 16: Social Norms and the Big Data Trade-off

I’ve gotten some great responses from people who read the bound galley, and hope for some good reviews in mainstream publications. So far, there’s one review.

You can buy the book at Amazon, Amazon UK, Barnes & Noble, Powell’s, Book Depository, or IndieBound — which routes your purchase through a local independent bookseller. E-books are available on Amazon, B&N, Apple’s iBooks store, and Google Play.

And if you can, please write a review for Amazon, Goodreads, or anywhere else.

Schneier on Security: Samsung Television Spies on Viewers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Earlier this week, we learned that Samsung televisions are eavesdropping on their owners. If you have one of their Internet-connected smart TVs, you can turn on a voice command feature that saves you the trouble of finding the remote, pushing buttons and scrolling through menus. But making that feature work requires the television to listen to everything you say. And what you say isn’t just processed by the television; it may be forwarded over the Internet for remote processing. It’s literally Orwellian.

This discovery surprised people, but it shouldn’t have. The things around us are increasingly computerized, and increasingly connected to the Internet. And most of them are listening.

Our smartphones and computers, of course, listen to us when we’re making audio and video calls. But the microphones are always there, and there are ways a hacker, government, or clever company can turn those microphones on without our knowledge. Sometimes we turn them on ourselves. If we have an iPhone, the voice-processing system Siri listens to us, but only when we push the iPhone’s button. Like Samsung, iPhones with the “Hey Siri” feature enabled listen all the time. So do Android devices with the “OK Google” feature enabled, and so does an Amazon voice-activated system called Echo. Facebook has the ability to turn your smartphone’s microphone on when you’re using the app.

Even if you don’t speak, our computers are paying attention. Gmail “listens” to everything you write, and shows you advertising based on it. It might feel as if you’re never alone. Facebook does the same with everything you write on that platform, and even listens to the things you type but don’t post. Skype doesn’t listen — we think — but as Der Spiegel notes, data from the service “has been accessible to the NSA’s snoops” since 2011.

So the NSA certainly listens. It listens directly, and it listens to all these companies listening to you. So do other countries like Russia and China, which we really don’t want listening so closely to their citizens.

It’s not just the devices that listen; most of this data is transmitted over the Internet. Samsung sends it to what was referred to as a “third party” in its policy statement. It later revealed that third party to be a company you’ve never heard of — Nuance — that turns the voice into text for it. Samsung promises that the data is erased immediately. Most of the other companies that are listening promise no such thing and, in fact, save your data for a long time. Governments, of course, save it, too.

This data is a treasure trove for criminals, as we are learning again and again as tens and hundreds of millions of customer records are repeatedly stolen. Last week, it was reported that hackers had accessed the personal records of some 80 million Anthem Health customers and others. Last year, it was Home Depot, JP Morgan, Sony and many others. Do we think Nuance’s security is better than any of these companies? I sure don’t.

At some level, we’re consenting to all this listening. A single sentence in Samsung’s 1,500-word privacy policy, the one most of us don’t read, stated: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” Other services could easily come with a similar warning: Be aware that your e-mail provider knows what you’re saying to your colleagues and friends and be aware that your cell phone knows where you sleep and whom you’re sleeping with — assuming that you both have smartphones, that is.

The Internet of Things is full of listeners. Newer cars contain computers that record speed, steering wheel position, pedal pressure, even tire pressure — and insurance companies want to listen. And, of course, your cell phone records your precise location at all times you have it on — and possibly even when you turn it off. If you have a smart thermostat, it records your house’s temperature, humidity, ambient light and any nearby movement. Any fitness tracker you’re wearing records your movements and some vital signs; so do many computerized medical devices. Add security cameras and recorders, drones and other surveillance airplanes, and we’re being watched, tracked, measured and listened to almost all the time.

It’s the age of ubiquitous surveillance, fueled by both Internet companies and governments. And because it’s largely happening in the background, we’re not really aware of it.

This has to change. We need to regulate the listening: both what is being collected and how it’s being used. But that won’t happen until we know the full extent of surveillance: who’s listening and what they’re doing with it. Samsung buried its listening details in its privacy policy — they have since amended it to be clearer — and we’re only having this discussion because a Daily Beast reporter stumbled upon it. We need more explicit conversation about the value of being able to speak freely in our living rooms without our televisions listening, or having e-mail conversations without Google or the government listening. Privacy is a prerequisite for free expression, and losing that would be an enormous blow to our society.

This essay previously appeared on CNN.com.

ETA (2/16): A German translation by Damian Weber.

LWN.net: [$] Matrix: a new specification for federated realtime chat

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

The free-software community has frequently advocated the
development of new decentralized, federated network services—for
example, promoting XMPP as an alternative to AOL Instant Messenger,
StatusNet as an alternative to Twitter, or Diaspora as an alternative
to Facebook. The recently launched Matrix project
takes on a different service: IRC-like multi-user chat.
