
Linux How-Tos and Linux Tutorials: How to Install the Prestashop Open Source Ecommerce Tool on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Prestashop is one of the most powerful open source ecommerce tools you will ever have the privilege of using. Last year I decided to test the waters of selling books directly from my web site. To do this, I turned to Prestashop and was amazed at how much power and flexibility it offered. Digital downloads, weekly specials, standard and mobile themes, templates, modules: you name it, Prestashop can do it.

The core of Prestashop is free (there are paid modules to extend the functionality as well as a hosted, cloud-based version of the tool). But if you want to host your own Prestashop in-house, you can. The system requirements are fairly basic:

  • Supported operating system: Windows, Mac and Linux

  • Web server: Apache 1.3, Apache 2.x, Nginx or Microsoft IIS

  • PHP 5.2+ installed and enabled

  • MySQL 5.0+ installed with a database created.

I want to walk you through the process of getting Prestashop up and running on the Linux platform. I will demonstrate on Ubuntu 14.04, but the steps are easily transferable to other distributions. I will assume you already have the requirements met (in particular, the LAMP portion). The Prestashop installer does not create the database for you, so you will have to do that manually. There are a number of ways this can be done; my preference is using the PhpMyAdmin tool.

Let’s begin the process.

Database creation

Creating the database through PhpMyAdmin is simple:

  1. Point your browser to the PhpMyAdmin install on the server that will hold the Prestashop instance.

  2. Click on the Databases tab.

  3. Enter the name of the database to be created (Figure 1).

  4. Click Create.

[Figure 1: PhpMyAdmin database creation]

If you prefer creating databases from the command line, do the following:

  1. From a terminal window, issue the command

    sudo mysql -u root -p
  2. Hit Enter

  3. Type your MySQL root password and hit enter

  4. Type the command

    create database shop;
  5. Hit Enter.

Your database should now be ready to use.

Download and install

With the database ready, you need to download the latest version of Prestashop and move it to the Apache document root. For our instance, that document root will be /var/www/html. Once you’ve downloaded the .zip file, move it to /var/www/html, change into the document root (using a terminal window and the command

cd /var/www/html

) and then unzip the package with the command

sudo unzip prestashop_XXX.zip 

(where XXX is the release number). This will create a new directory in the document root called prestashop.


The remainder of the installation will be done through your web browser. So point the browser to http://ADDRESS_OF_SERVER/prestashop and start walking through the installation wizard.

Web based install

The first step in the wizard is to select your language. From the language drop-down, make the appropriate selection and click Next. Next, agree to the licenses (there is more than one) and click Next. The wizard then reports everything that must be corrected before the installation can continue.

The most likely fixes necessary are the installation of the GD library, the mcrypt extension, and adding write permissions to a number of folders. Here are the quick fixes:

  1. To install the GD library, issue the command

    sudo apt-get install php5-gd 
  2. To install the mcrypt extension, issue the command

    sudo apt-get install php5-mcrypt
  3. Enable mcrypt with the command

    sudo php5enmod mcrypt
  4. Use the command

    sudo chmod -R ugo+w 

    on the directories (within the /var/www/html/prestashop directory) /config, /cache, /log, /img, /mails, /modules, /themes/default-bootstrap/lang/, /themes/default-bootstrap/pdf/lang/, /themes/default-bootstrap/cache/, /translations/, /upload/, /download/ 

Once you’ve made those corrections (if necessary), hit the Refresh these settings button again and you should see all is well (Figure 2).

[Figure 2: Prestashop install check]

Store information

In the next window (Figure 3), you must enter information about your store. Pay close attention to the Main Activity drop-down. If you’re going to offer digital downloads, you’ll want to select the Download option (so you don’t have to manually add that feature later).

[Figure 3: Prestashop store information]

Fill out the information and click Next to continue on.

Database configuration

In the next window (Figure 4), you must enter the information for the database you created earlier. Enter the information and click Test your database connection now. If it returns Database is connected, you are good to go; click Next.

[Figure 4: Prestashop database configuration]

Once you click Next, all of the database tables will be created. This step can take some time (depending upon your hardware). Allow it to finish and you will be greeted with a new window with a number of different links. You can click to manage your store, view your store, find new templates or modules, and even share your successful installation on Facebook, Twitter, etc.

You will, most likely, want to head on over to the back office. However, you cannot actually visit the back office until you’ve done the following:

  • Delete the /var/www/html/prestashop/install folder

  • Rename the /var/www/html/prestashop/admin folder

Once you’ve renamed the admin folder, the URL for the Prestashop back office will be http://ADDRESS_TO_SERVER/prestashop/ADMIN_FOLDER (where ADDRESS_TO_SERVER is the URL or IP address of the server and ADMIN_FOLDER is the new name for the admin folder). Go to that address and log in with the administration credentials you created during the Store Information setup. You will find yourself at the Prestashop Dashboard (Figure 5), where you can begin to manage your ecommerce solution!
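A post-install check for the steps above, written as an added example (it is not code from the original article or from the Prestashop project). It assumes the directory layout the article describes under /var/www/html/prestashop, treats a world-writable directory as a finding (the `chmod -R ugo+w` step makes every local account able to write there) and instead expects the listed directories to be owned and writable by the web server user, www-data on Ubuntu.

```shell
#!/bin/sh
# Post-install hygiene check for a Prestashop document root.
# Added example for this article, not code from the original post or from
# the Prestashop project. Assumes the layout the article describes:
# DOCROOT/prestashop with the directories the wizard needs writable, an
# install/ folder that must be deleted and an admin/ folder to rename.

# Directories the wizard requires to be writable (article, web install step 4).
WRITABLE_DIRS="config cache log img mails modules \
themes/default-bootstrap/lang themes/default-bootstrap/pdf/lang \
themes/default-bootstrap/cache translations upload download"

# PHP extensions the article says are most often missing.
REQUIRED_EXTS="gd mcrypt"

# missing_extensions "<output of php -m>"
# Prints the required extensions absent from the module list, one per line.
missing_extensions() {
    modules="$1"
    for ext in $REQUIRED_EXTS; do
        if ! printf '%s\n' "$modules" | grep -qix "$ext"; then
            echo "$ext"
        fi
    done
}

# dir_mode PATH -> last three octal digits of the permission bits (GNU or BSD stat)
dir_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s' "${m#"${m%???}"}"
}

# dir_owner PATH -> name of the owning user
dir_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# prestashop_check ROOT WEBUSER
# Prints one line per finding; returns the number of problems (0 = clean).
prestashop_check() {
    root="$1"; webuser="${2:-www-data}"; problems=0

    # The installer directory lets anyone re-run the wizard against the live
    # database, so it must be gone before the shop goes public.
    if [ -d "$root/install" ]; then
        echo "PROBLEM: $root/install still exists; delete it"
        problems=$((problems + 1))
    fi
    # Prestashop refuses to open the back office until admin/ is renamed.
    if [ -d "$root/admin" ]; then
        echo "PROBLEM: $root/admin has not been renamed"
        problems=$((problems + 1))
    fi
    # Each directory the wizard needs must be writable by the web server user,
    # but "chmod -R ugo+w" also makes it writable by every local account;
    # prefer "chown -R WEBUSER DIR && chmod -R u+w DIR".
    for d in $WRITABLE_DIRS; do
        p="$root/$d"
        if [ ! -d "$p" ]; then
            echo "PROBLEM: $p is missing"
            problems=$((problems + 1))
            continue
        fi
        mode=$(dir_mode "$p")
        world_w=0; case "$mode" in ??[2367]) world_w=1 ;; esac   # "other" write bit
        owner_w=0; case "$mode" in [2367]??) owner_w=1 ;; esac   # "user" write bit
        if [ "$world_w" -eq 1 ]; then
            echo "PROBLEM: $p is world-writable (mode $mode)"
            problems=$((problems + 1))
        elif [ "$(dir_owner "$p")" != "$webuser" ] || [ "$owner_w" -eq 0 ]; then
            echo "PROBLEM: $p is not owned and writable by $webuser (mode $mode)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage: sh prestashop_check.sh /var/www/html/prestashop www-data
if [ "$#" -ge 1 ]; then
    prestashop_check "$1" "${2:-www-data}"
fi
```

Run it once after the wizard finishes and again after deleting install/ and renaming admin/; an exit status of 0 means every listed directory is writable by the web server user without being world-writable.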

[Figure 5: Prestashop dashboard]

If you’re in need of a powerful ecommerce tool, look no further than open source and Prestashop. With this powerhouse online shopping solution, you’ll be selling your products and services with ease.


Backblaze Blog | The Life of a Cloud Backup Company: Translating Morse Code for Verizon

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company


Yesterday, the FCC announced that it would be reclassifying internet service providers as Title II utilities. Net Neutrality has been a topic of great debate over the last few months, and while many people are excited about the change, there is also some dissent. Verizon, for its part, looked to the past, claiming that the FCC is going back to 1930s technology, by posting its official response to the FCC in Morse Code.

We appreciate the humor in their approach, but we think they severely limited the possibility of having their message read and appreciated. We’d like to help. We’ve taken the liberty of translating their Morse Code encoded message into a language that is more common among the millions of people whose careers are built on the Internet. The Verizon point of view in Klingon:

[Image: Verizon’s message translated into Klingon]

Hopefully this won’t turn into an intergalactic incident, but we’re excited to see how the new internet rules will play out!

LLAP

Author information: Yev, Chief Smiles Officer at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.

The post Translating Morse Code for Verizon appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Schneier on Security: Everyone Wants You To Have Security, But Not from Them

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In December, Google’s Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: “If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else.”

That surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.

I was reminded of this last week when I appeared on Glenn Beck’s show along with cryptography pioneer Whitfield Diffie. Diffie said:

You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.

That neatly explains Google. Eric Schmidt does want your data to be secure. He wants Google to be the safest place for your data -- as long as you don’t mind the fact that Google has access to your data. Facebook wants the same thing: to protect your data from everyone except Facebook. Hardware companies are no different. Last week, we learned that Lenovo computers shipped with a piece of adware called Superfish that broke users’ security to spy on them for advertising purposes.

Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.

Corporations want access to your data for profit; governments want it for security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.

I wrote about this in my latest book, Data and Goliath:

Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.

Like Diffie, I’m not sure there is any practical alternative. The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices.

Those “someones” will necessarily be able to violate our privacy, either by deliberately peeking at our data or by having such lax security that they’re vulnerable to national intelligence agencies, cybercriminals, or both. Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions -- yes, billions -- of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.

This essay previously appeared on Forbes.com.

Backblaze Blog | The Life of a Cloud Backup Company: The Backblaze Song

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Backblaze has a new jingle, courtesy of Jonathan Mann:

Here’s the crazy story of how this came to pass. A few years ago Jonathan set on the seemingly impossible path of creating a song a day and posting those songs to his YouTube channel. Some of those songs he’s written each day have turned in to jingles for companies that he’s admired and luckily for us, Backblaze was on that list. A few months ago Jonathan reached out to us through our mutual friend Marco and asked if Backblaze was interested in a jingle. He is a Backblaze customer and has been working for the last few months to “bring jingles back”. We’re honored to be part of that pursuit.

When we first started out, being scrappy was our best chance of taking on the task of getting everyone backed up. Jonathan has scrappiness in droves and his story is pretty darn interesting. Jonathan’s a musician who has been active on YouTube since 2006, but his largest undertaking, creating a song a day, began in January of 2009. He passed the 2000 song mark in June 2014, but is still going strong, uploading videos daily.

There are many parallels between Jonathan and Backblaze that make us appreciate his work. Much like Backblaze revealing our storage pod design and releasing our hard drive failure rates, Jonathan has been remarkably open about his personal life in these videos. We once wrote about a failed acquisition, and Jonathan once wrote about breaking up with his girlfriend after 5 years of being together. This type of openness and accessibility have made his songs some of the more entertaining on YouTube, even if they’re about your everyday life.

Being open and honest is a wonderful trait, both in people and in companies, but unfortunately it’s one that we don’t see very often. Jonathan is doing great things with his Song a Day campaign (one of his biggest hits from the campaign was his iPhone Antenna Song, which Steve Jobs even used on stage to open his “antennagate” keynote) and, in addition to our thanks for the cool video, we wish him nothing but the best. We love this kind of work ethic and creativity, and it just goes to prove that when you pour your heart and soul into a project, impossibilities tend to fade away.


The post The Backblaze Song appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Krebs on Security: TurboTax’s Anti-Fraud Efforts Under Scrutiny

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Two former security employees at Intuit, the makers of the popular tax preparation software and service TurboTax, allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud.

Last week, KrebsOnSecurity published an exclusive interview with Indu Kodukula, Intuit’s chief information security officer. Kodukula explained that customer password re-use was a major cause of a spike this tax season in fraudulent state tax refund requests. The increase in phony state refund requests prompted several state revenue departments to complain to their state attorneys general. In response, TurboTax temporarily halted all state filings while it investigated claims of a possible breach. The company resumed state filing shortly after that pause, saying it could find no evidence that customers’ TurboTax credentials had been stolen from its network.

Kodukula noted that although the incidence of hijacked, existing TurboTax accounts was rapidly growing, the majority of refund scams the company has to deal with stem from “stolen identity refund fraud” or SIRF. In SIRF, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

Kodukula cast Intuit as an industry leader in helping the IRS identify and ultimately deny suspicious tax returns. But that portrayal only tells part of the story, according to two former Intuit employees who until recently each held crucial security positions helping the company identify and fight tax fraud. Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.

Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.

But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”

The allegations surface just days after Senate Finance Committee Chairman Orrin Hatch (R., Utah) said his panel will be holding hearings on reports about a spike in fraudulent filings through TurboTax and elsewhere. The House Ways and Means Committee is reportedly looking into the matter and has held bipartisan staff-level discussions with the IRS and Intuit.

The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.

According to a recent report (PDF) from the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013.  Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

SQUEEZING THE BALLOON

Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.

But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.

“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”

Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.

“We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”

Lee said that early on, the reports on returns that Intuit’s fraud teams flagged as bogus were sent immediately to the IRS.

“Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”

KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.

“As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”

That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.

“Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”

NO RULES OF THE ROAD

For its part, Intuit maintains that it is well out in front of its competitors in voluntarily reporting to the IRS refund requests that the company has flagged as suspicious. The company also stresses that it has done so even though the IRS still has not promulgated rules that require TurboTax and its competitors to report suspicious returns — or even how to report such activity. Intuit executives say they went to the IRS three years ago to request specific authority to share that information. The IRS did not respond to requests for comment.

Intuit officials declined to address Lyons’ recorded comments specifically, although they did confirm that a company attorney led an employee WebEx meeting on the date the recording was made. But David Williams, Intuit’s chief tax officer, said what’s missing from the recorded conversation excerpted above is that Intuit has been at the forefront of asking the IRS to propose industry standards that every industry player can follow — requests that have so far gone unheeded.

“We have led the industry in making suspicious activity reports, and I’d venture to say that virtually all of the returns that Mr. Lee is quoted as referring to appear in our suspicious activity reports and are stopped by the IRS,” Williams said. “Whatever else Mr. Lee may have seen, I’m not buying the premise that somehow there was a profit motive in it for us.”

Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.

“Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”

Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.

“We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”

Earlier this month, Intuit CEO John Koskinen sent a letter to the commissioner of the IRS,  noting that while Intuit sends reports to the IRS when it sees patterns of suspicious behavior, the government has been limited in the types of information it can share with parties, including tax-preparation firms.

“The IRS could be the convener to bring the States together to help drive common standards adoption,” Koskinen wrote, offering the assistance of Intuit staff members “to work directly with the IRS and the States in whatever ways may be of assistance…as the fight against fraud goes forward.”

ZERO FALSE POSITIVES

Lee and MacDougall both said Intuit’s official approach to fighting fraud is guided by a policy of zero tolerance for so-called “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious, and possibly incurring the double whammy of a delay in the customer’s refund and an inquiry by the IRS. This is supported by audio recordings of conference calls between Intuit’s senior executives that were shared with KrebsOnSecurity.

“We protect the sanctity of the customer experience and hold it as inviolate,” Intuit’s General Counsel Michael Lyons can be heard saying on a recorded October 2014 internal conference call. “We do everything we can to organize the best screening program we can, but we avoid false positives at all costs. Because getting a legitimate taxpayer ensnared in the ‘you’re a bad guy’ area with the IRS is hell. Once your return gets flagged as suspicious, rejected and the IRS starts investigating, you’re not in a good place. More than 50 percent of people out there are living paycheck to paycheck, and when this is the biggest paycheck of the year for them, they can’t afford to get erroneously flagged as fraud and have to prove to the IRS who they are so that they can get that legitimate refund that they were expecting months ago.”

On the same conference call, MacDougall can be heard asking Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.

“We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”

Intuit’s Lanesey confirmed Lee’s claim that Intuit adds a delay — it is currently three weeks — from the time a customer files a refund claim and the time it transmits “scoring” data to the IRS intended to communicate which returns the company believes are suspicious. Lanesey said the delay was added specifically to avoid false positives.

“The reason we did that was that when we started this reporting, we weren’t accurate, and were ensnaring legitimate taxpayers in that process,” Lanesey said. “We slowed down and spent more time to review to make sure we could get more accurate and we have in fact done exactly that. The match rates between what the IRS rejects and what we send are now measurably higher today with the new reporting than they were then.”

Unfortunately, three weeks is about how long the IRS takes to decide whether to reject or approve tax refund requests. In an August 2014 report to Congress on the tax refund fraud epidemic, the GAO said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

Williams said Intuit is open to shortening its reporting delay.

“As we’ve gotten better at this and the IRS has gotten better at this, we can certainly look at shortening the timeframes,” he said. “Given the fact that over the past few years we’ve improved our speed, processes and techniques for reporting accurately, we can certainly explore whether they are able to take the data we give them and we are able to provide it to them in a way that is more useful.”

BUILDING A BETTER MOUSETRAP

The scourge of tax fraud is hardly a problem confined to TurboTax, but with nearly 29 million customers last year TurboTax is by far the biggest player in the market. In contrast, H&R Block and TaxAct each handled seven million prepared returns last year, according to figures collected by The Wall Street Journal.

Both Lee and MacDougall said they wanted to go public with their concerns because TurboTax and the rest of the industry have for so long put off implementing stronger account security measures. MacDougall said he filed the whistleblower complaint with the SEC because he witnessed a pattern of activity within Intuit’s management that suggested the firm was not interested in stopping fraud if it meant throttling profits when none of its competitors were doing the same.

MacDougall said that about a year ago he had a meeting with the head of Intuit’s security division wherein security team members were asked to pitch their projects for the year. MacDougall said he thought his idea was certain to generate an enthusiastic response from higher-ups at the company: Build a fraud ‘honeypot.’

In information security terminology, a honeypot is a virtual holding area to which known or suspected fraudsters are redirected, so that their actions and activities can be monitored and mined for patterns that potentially aid in better identifying fraudulent activity. Honeypots also serve a more cathartic — albeit potentially just as useful — purpose: They tie up the time and attention of the fraudsters and cause them to waste tons of resources on fruitless activity.

“My project was going to be a fraud honeypot,” MacDougall recalled. “My pitch was that we would create a honeypot in TurboTax so that every time a fraudster came in and we figured it out, we’d switch them over to the honeypot version of the site so that we could waste their time, exhaust their resources, and at the end of the day they wouldn’t know they’d been scammed for several weeks, when they finally realized that none of their fraudulent returns had even been filed.”

But MacDougall said he was stunned when his boss emphatically rejected his idea for use on TurboTax accounts. Instead, she brought up the fraud-as-a-balloon analogy, MacDougall said.

“She said ‘You can use this on any other product except TurboTax’,” MacDougall said. “I asked why we wouldn’t want to use this on our flagship product, and her answer was that this was an industry problem and not just a TurboTax problem.”

Only after Intuit was forced to temporarily suspend state filings earlier this month did the company’s chief executive announce plans to beef up the security of customer accounts. Intuit now says it plans to start requiring customers to validate their accounts, either via email, text message or by answering questions about their financial history relayed through the service by big-three credit bureau Experian.

Lee says those requirements are long overdue, but that they don’t go nearly far enough considering how much sensitive information Intuit holds about tens of millions of taxpayers.

“Tax preparers ought to apply similar ‘know your customer’ practices that we see in the financial markets,” he said. “When you give your most sensitive data and that of your family’s to a company, that company should offer you more security than you can get at Facebook or World of Warcraft,” Lee said, referring to two popular online businesses that have long offered the type of multi-factor authentication that Intuit just announced this month.

At a minimum, Lee said, tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number, he said.
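The account-uniqueness part of what Lee proposes, as an added example (not Intuit’s code, nor any vendor’s): a registry that normalises e-mail addresses and phone numbers before checking them, so that case or formatting variants cannot open a second account, and that enforces one account per Social Security number by indexing a keyed hash of the number rather than the number itself. Registry, Register and the error values are names chosen here; the pepper and the sample values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadInput   = errors.New("malformed e-mail, phone number or SSN")
	ErrEmailInUse = errors.New("e-mail address already belongs to another account")
	ErrPhoneInUse = errors.New("phone number already belongs to another account")
	ErrSSNInUse   = errors.New("an account already exists for this SSN")
)

// Registry is an in-memory stand-in for the account store (constructed for this
// example). used maps "email:<addr>", "phone:<digits>" and "ssn:<hmac>" to an account ID.
type Registry struct {
	pepper []byte // key for the SSN hash; would live in a KMS/HSM in production
	used   map[string]string
}

func NewRegistry(pepper []byte) *Registry {
	return &Registry{pepper: pepper, used: map[string]string{}}
}

func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop everything that is not a digit
	}, s)
}

// normaliseEmail folds case and trims so "Bob@Example.com " and "bob@example.com"
// cannot open two accounts; it returns "" when the value is malformed.
func normaliseEmail(e string) string {
	e = strings.ToLower(strings.TrimSpace(e))
	if at := strings.Index(e, "@"); at < 1 || at == len(e)-1 {
		return ""
	}
	return e
}

// normalisePhone collapses "(555) 010-0100" and "+1 555 010 0100" to the same
// ten digits (leading US country code dropped); "" when malformed.
func normalisePhone(p string) string {
	d := digitsOnly(p)
	if len(d) == 11 && d[0] == '1' {
		d = d[1:]
	}
	if len(d) != 10 {
		return ""
	}
	return d
}

// ssnKey indexes a keyed hash of the SSN so that the uniqueness index is not
// itself a plaintext list of SSNs if it leaks; "" when not nine digits.
func (r *Registry) ssnKey(ssn string) string {
	d := digitsOnly(ssn)
	if len(d) != 9 {
		return ""
	}
	m := hmac.New(sha256.New, r.pepper)
	m.Write([]byte(d))
	return hex.EncodeToString(m.Sum(nil))
}

// Register creates an account only if e-mail, phone and SSN are all unused.
func (r *Registry) Register(id, email, phone, ssn string) error {
	keys := []string{"email:" + normaliseEmail(email), "phone:" + normalisePhone(phone), "ssn:" + r.ssnKey(ssn)}
	dupErrs := []error{ErrEmailInUse, ErrPhoneInUse, ErrSSNInUse}
	for i, k := range keys {
		if strings.HasSuffix(k, ":") { // normaliser returned "", i.e. malformed input
			return ErrBadInput
		}
		if _, dup := r.used[k]; dup {
			return dupErrs[i]
		}
	}
	for _, k := range keys {
		r.used[k] = id
	}
	return nil
}

func main() {
	r := NewRegistry([]byte("constructed-pepper"))
	fmt.Println(r.Register("acct-1", "Bob@Example.com", "(555) 010-0100", "123-45-6789")) // <nil>
	fmt.Println(r.Register("acct-2", "bob@example.com", "555-010-0200", "987-65-4321"))   // e-mail in use
}
```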

“The point here is not to shame Intuit, but to educate the American public about what’s going on,” Lee said. “The industry as a whole, not just Intuit, needs to grow up and tackle this fraud problem seriously.”

Intuit’s David Williams said the company is focused on remedying some of the account issues raised by Lee and others.

“To be fair, our recent experience with the states has been a wake-up call that we are going to be more aggressive than anybody going forward, even if we were just acting consistently [with the rest of the industry] in the past,” he said. “That’s why we always talk about our anti-fraud efforts as evolving. We don’t have every great idea in the world, but we’re always looking at improving.”

TorrentFreak: How a Private ‘Anime’ Torrent Tracker Became an Essential Tool For Facebook

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Large-scale web services need tens of thousands of servers to keep things running smoothly for their millions of users.

Keeping all of these servers updated with the latest code can be time and resource intensive and it was no different at Facebook during its early years.

However, most problems disappeared when the social networking company discovered BitTorrent. With BitTorrent all servers in the network could help to distribute code updates and as a result deployment took minutes rather than hours or days.

After discovering these benefits Facebook changed its BitTorrent implementation quite a bit. Among other tools, the company is now using the open source tracker software Chihaya, named after a school girl starring in the manga series Chihayafuru.

While this might seem like a peculiar name for a piece of BitTorrent tracking code, all becomes clear when you look at the history of the software and its links to a private anime torrent tracker.

In 2012 a developer named Kotoko started working on a new tracker backend written in the then-new programming language Go. Named Chihaya, the project (originally developed for a private anime community) aimed to become a replacement for the Ocelot tracker used by many Gazelle-based torrent sites.

Around the same time the people behind the Waffles community were working on a full replacement for Gazelle named Batter, and the Chihaya developer eventually jumped on this bandwagon. The project also drew the attention of other programmers, including Jimmy Zelinskie and Justin Li, both college students at the time.

“I was interested in helping out with Chihaya back then because I wanted to work on a project to cement my skills in the Go programming language,” Zelinskie tells TF.

After a while priorities changed. Chihaya was never connected to a tracker frontend, but Zelinskie and Li kept improving it bit by bit.

“The Batter project fizzled out, but Chihaya development continued,” Zelinskie says. “We restructured Chihaya a few times, trying to decide how to make it scalable and ultimately landed on what we have today.”

Chihaya

Over the past several years Chihaya has evolved into one of the most advanced pieces of tracker software around, with support for multi-core processors and peers announcing on IPv4, IPv6 or both.

“The architecture of the project is entirely modular and in doing so, we’ve made the tracker so it could potentially support any transport protocol like HTTP or UDP and any backend BitTorrent indexing software like Gazelle,” Zelinskie tells TF.

This didn’t go unnoticed by others, including the engineering team at Facebook who also started to use the code for their server deployment.

“Facebook started using the project because of our proper IPv6 support,” Zelinskie says, adding that they optimized the tracker even more for a local setup.

“We soon after added the ability to prefer peers based on a subnet of their IP address; for example, if your IP address is 192.168.1.1, you can configure the tracker to deliver you all the ‘closest’ peers in the 192.168.1.X range before any others,” he notes.
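The subnet preference Zelinskie describes, as an added example that is not Chihaya’s own code: a helper for building an announce response that puts peers in the announcing client’s own subnet (the 192.168.1.X case from the quote) ahead of everyone else, for IPv4 and IPv6 alike. Peer, sameSubnet and PreferSubnet are names chosen here, the prefix lengths are plain parameters rather than any Chihaya setting, and the swarm is constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Peer is a minimal peer record for this example (constructed; not Chihaya's own type).
type Peer struct {
	ID   string
	IP   net.IP
	Port uint16
}

// sameSubnet reports whether a and b share a prefix: v4Prefix bits for two IPv4
// addresses (24 for the 192.168.1.X case in the text), v6Prefix bits for two IPv6
// addresses. Addresses of different families never match.
func sameSubnet(a, b net.IP, v4Prefix, v6Prefix int) bool {
	if a == nil || b == nil {
		return false
	}
	a4, b4 := a.To4(), b.To4()
	if a4 != nil || b4 != nil {
		if a4 == nil || b4 == nil {
			return false
		}
		mask := net.CIDRMask(v4Prefix, 32)
		return mask != nil && a4.Mask(mask).Equal(b4.Mask(mask))
	}
	mask := net.CIDRMask(v6Prefix, 128)
	return mask != nil && a.To16().Mask(mask).Equal(b.To16().Mask(mask))
}

// PreferSubnet builds the peer list for client: peers in the client's subnet come
// first, the rest follow in their original order, and the list is cut to numWant
// entries (a negative numWant means no limit).
func PreferSubnet(client net.IP, v4Prefix, v6Prefix int, peers []Peer, numWant int) []Peer {
	var near, far []Peer
	for _, p := range peers {
		if sameSubnet(client, p.IP, v4Prefix, v6Prefix) {
			near = append(near, p)
		} else {
			far = append(far, p)
		}
	}
	out := append(near, far...)
	if numWant >= 0 && numWant < len(out) {
		out = out[:numWant]
	}
	return out
}

func main() {
	// Constructed swarm: two peers share the announcing client's /24, two do not.
	peers := []Peer{
		{"a", net.ParseIP("10.0.0.5"), 6881},
		{"b", net.ParseIP("192.168.1.7"), 6881},
		{"c", net.ParseIP("192.168.2.9"), 6881},
		{"d", net.ParseIP("192.168.1.200"), 6881},
	}
	for _, p := range PreferSubnet(net.ParseIP("192.168.1.1"), 24, 64, peers, 3) {
		fmt.Printf("%s %s:%d\n", p.ID, p.IP, p.Port) // b, d, then a
	}
}
```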

Zelinskie currently works at CoreOS, a company that specializes in the deployment of software. He believes that BitTorrent-supported distribution is the future for companies, large and small. Chihaya certainly fits into this picture.

This leads to the remarkable conclusion that an open source private tracker, originally programmed to serve anime torrents, is now powering one of the largest technology companies in the world.

For Zelinskie, this transition not only shows the true power of open source, but also of BitTorrent.

“This is the reason why I write open source software and my company releases so much of what we do open source. Having as many people as possible working towards a common goal, in this case a solid BitTorrent tracker implementation, is beneficial to all of society, not just one set of individuals,” he says.

“BitTorrent is far too often associated with copyright infringement. When in reality, BitTorrent is simply the best file transfer protocol. Whether it’s being used by you, me, or even Facebook.”


Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: New Book: <i>Data and Goliath</i>

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

After a year of talking about it, my new book is finally published.

This is the copy from the inside front flap:

You are under surveillance right now.

Your cell phone provider tracks your location and knows who’s with you. Your online and in-store purchasing patterns are recorded, and reveal if you’re unemployed, sick, or pregnant. Your e-mails and texts expose your intimate and casual friends. Google knows what you’re thinking because it saves your private searches. Facebook can determine your sexual orientation without you ever mentioning it.

The powers that surveil us do more than simply store this information. Corporations use surveillance to manipulate not only the news articles and advertisements we each see, but also the prices we’re offered. Governments use surveillance to discriminate, censor, chill free speech, and put people in danger worldwide. And both sides share this information with each other or, even worse, lose it to cybercriminals in huge data breaches.

Much of this is voluntary: we cooperate with corporate surveillance because it promises us convenience, and we submit to government surveillance because it promises us protection. The result is a mass surveillance society of our own making. But have we given up more than we’ve gained? In Data and Goliath, security expert Bruce Schneier offers another path, one that values both security and privacy. He shows us exactly what we can do to reform our government surveillance programs and shake up surveillance-based business models, while also providing tips for you to protect your privacy every day. You’ll never look at your phone, your computer, your credit cards, or even your car in the same way again.

And there’s a great quote on the cover:

“The public conversation about surveillance in the digital age would be a good deal more intelligent if we all read Bruce Schneier first.” –Malcolm Gladwell, author of David and Goliath

This is the table of contents:

Part 1: The World We’re Creating

Chapter 1: Data as a By-Product of Computing
Chapter 2: Data as Surveillance
Chapter 3: Analyzing our Data
Chapter 4: The Business of Surveillance
Chapter 5: Government Surveillance and Control
Chapter 6: Consolidation of Institutional Surveillance

Part 2: What’s at Stake

Chapter 7: Political Liberty and Justice
Chapter 8: Commercial Fairness and Equality
Chapter 9: Business Competitiveness
Chapter 10: Privacy
Chapter 11: Security

Part 3: What to Do About It

Chapter 12: Principles
Chapter 13: Solutions for Government
Chapter 14: Solutions for Corporations
Chapter 15: Solutions for the Rest of Us
Chapter 16: Social Norms and the Big Data Trade-off

I’ve gotten some great responses from people who read the bound galley, and hope for some good reviews in mainstream publications. So far, there’s one review.

You can buy the book at Amazon, Amazon UK, Barnes & Noble, Powell’s, Book Depository, or IndieBound — which routes your purchase through a local independent bookseller. E-books are available on Amazon, B&N, Apple’s iBooks store, and Google Play.

And if you can, please write a review for Amazon, Goodreads, or anywhere else.

Schneier on Security: Samsung Television Spies on Viewers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Earlier this week, we learned that Samsung televisions are eavesdropping on their owners. If you have one of their Internet-connected smart TVs, you can turn on a voice command feature that saves you the trouble of finding the remote, pushing buttons and scrolling through menus. But making that feature work requires the television to listen to everything you say. And what you say isn’t just processed by the television; it may be forwarded over the Internet for remote processing. It’s literally Orwellian.

This discovery surprised people, but it shouldn’t have. The things around us are increasingly computerized, and increasingly connected to the Internet. And most of them are listening.

Our smartphones and computers, of course, listen to us when we’re making audio and video calls. But the microphones are always there, and there are ways a hacker, government, or clever company can turn those microphones on without our knowledge. Sometimes we turn them on ourselves. If we have an iPhone, the voice-processing system Siri listens to us, but only when we push the iPhone’s button. Like Samsung, iPhones with the “Hey Siri” feature enabled listen all the time. So do Android devices with the “OK Google” feature enabled, and so does an Amazon voice-activated system called Echo. Facebook has the ability to turn your smartphone’s microphone on when you’re using the app.

Even if you don’t speak, our computers are paying attention. Gmail “listens” to everything you write, and shows you advertising based on it. It might feel as if you’re never alone. Facebook does the same with everything you write on that platform, and even listens to the things you type but don’t post. Skype doesn’t listen — we think — but as Der Spiegel notes, data from the service “has been accessible to the NSA’s snoops” since 2011.

So the NSA certainly listens. It listens directly, and it listens to all these companies listening to you. So do other countries like Russia and China, which we really don’t want listening so closely to their citizens.

It’s not just the devices that listen; most of this data is transmitted over the Internet. Samsung sends it to what was referred to as a “third party” in its policy statement. It later revealed that third party to be a company you’ve never heard of — Nuance — that turns the voice into text for it. Samsung promises that the data is erased immediately. Most of the other companies that are listening promise no such thing and, in fact, save your data for a long time. Governments, of course, save it, too.

This data is a treasure trove for criminals, as we are learning again and again as tens and hundreds of millions of customer records are repeatedly stolen. Last week, it was reported that hackers had accessed the personal records of some 80 million Anthem Health customers and others. Last year, it was Home Depot, JP Morgan, Sony and many others. Do we think Nuance’s security is better than any of these companies? I sure don’t.

At some level, we’re consenting to all this listening. A single sentence in Samsung’s 1,500-word privacy policy, the one most of us don’t read, stated: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” Other services could easily come with a similar warning: Be aware that your e-mail provider knows what you’re saying to your colleagues and friends and be aware that your cell phone knows where you sleep and whom you’re sleeping with — assuming that you both have smartphones, that is.

The Internet of Things is full of listeners. Newer cars contain computers that record speed, steering wheel position, pedal pressure, even tire pressure — and insurance companies want to listen. And, of course, your cell phone records your precise location at all times you have it on — and possibly even when you turn it off. If you have a smart thermostat, it records your house’s temperature, humidity, ambient light and any nearby movement. Any fitness tracker you’re wearing records your movements and some vital signs; so do many computerized medical devices. Add security cameras and recorders, drones and other surveillance airplanes, and we’re being watched, tracked, measured and listened to almost all the time.

It’s the age of ubiquitous surveillance, fueled by both Internet companies and governments. And because it’s largely happening in the background, we’re not really aware of it.

This has to change. We need to regulate the listening: both what is being collected and how it’s being used. But that won’t happen until we know the full extent of surveillance: who’s listening and what they’re doing with it. Samsung buried its listening details in its privacy policy — they have since amended it to be clearer — and we’re only having this discussion because a Daily Beast reporter stumbled upon it. We need more explicit conversation about the value of being able to speak freely in our living rooms without our televisions listening, or having e-mail conversations without Google or the government listening. Privacy is a prerequisite for free expression, and losing that would be an enormous blow to our society.

This essay previously appeared on CNN.com.

ETA (2/16): A German translation by Damian Weber.

LWN.net: [$] Matrix: a new specification for federated realtime chat

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

The free-software community has frequently advocated the
development of new decentralized, federated network services—for
example, promoting XMPP as an alternative to AOL Instant Messenger,
StatusNet as an alternative to Twitter, or Diaspora as an alternative
to Facebook. The recently launched Matrix project
takes on a different service: IRC-like multi-user chat.

Darknet - The Darkside: Facebook Launches ThreatExchange – Security Clearinghouse API

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So Facebook has launched ThreatExchange, a social network for information security intelligence and cyberthreat sharing, how apt. They have signed up some fairly heavyweight partners from the get go with Bitly, Dropbox, Pinterest, Tumblr, Twitter and Yahoo! being involved initially. With those kind of names, it’s a sure bet more people will…

Read the full post at darknet.org.uk

SANS Internet Storm Center, InfoCON: green: Raising the “Creep Factor” in License Agreements, (Sun, Feb 8th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

When I started in this biz back in the 80s, I was brought up short when I read my first EULA (End User License Agreement). Back then, software was basically wrapped in the EULA (yes, like a Christmas present), and nobody read them then either. Imagine my surprise at the time that I hadn't actually purchased the software, but was granted the license to use the software, and ownership remained with the vendor (Microsoft, Lotus, UCSD and so on).

Well, things haven't changed much since then, and the concept of ownership has been steadily creeping further and further into information territory that we don't expect. Google, Facebook and pretty much any other free service out there sells any information you post, as well as any other metadata that they can scrape from photos, session information and so on. The common proverb in those situations is "if the service is free, then YOU are the product". Try reading the Google, Facebook or Twitter terms of service if you have an hour to spare and think your blood pressure is a bit low that day.

The frontier of EULAs, and the market where you seem to be giving up the most private information you dont expect however seems to be in home appliances – in this case Smart Televisions. Samsung recently posted their EULA for their SmartTV here:

https://www.samsung.com/uk/info/privacy-SmartTV.html

They're collecting the shows you watch, internet sites visited, IP addresses you browse from, cookies, likes, search terms (really?) and all kinds of other easy to collect and apparently easy to apologize for (in advance) information. With this information, so far I'm pretty sure I'm not hooking up my TV to my home wireless or ethernet, but I'm not surprised – pretty much every Smart TV vendor collects this same info.

But the really interesting passage, where the creep factor is really off the charts for me is:
Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

No word of course who the third parties are, and what their privacy policies might be.

Really and truly a spy in your living room. I guess it's legal if it's in a EULA or you work for a TLA? And it's morally OK as long as you apologize in advance?

=====================================

https://www.facebook.com/legal/terms
https://www.facebook.com/about/privacy/
http://www.google.com/intl/en/policies/terms/

http://www.google.com/intl/en/policies/privacy/

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The diaspora* blog: diaspora* development review, January 2015

This post was syndicated from: The diaspora* blog and was written by: Diaspora* Foundation. Original post: at The diaspora* blog

These are the changes made to diaspora*'s codebase during January. They will take effect with the release of diaspora* v0.5.0.0.

Say a big thank you to everyone who has helped improve diaspora* this month!

This list has been created by volunteers from the diaspora* community. We'd love help in creating a development review each month; if you would like to help us, get in touch via the related thread on Loomio.


Augier @AugierLe42e

  • fixed the style of the header for the new statistics page: #5587
  • fixed the information about available services and open registrations, which wasn't correctly displayed on the new statistics page: #5595 and #5599

Marco Colli @collimarco

  • fixed a bug that linked a profile image from facebook instead of downloading it to the pod for the diaspora* profile: #5493
  • fixed the translation of timestamps on the mobile website: #5489

Dumitru Ursu @dimaursu

  • added an autoprefixer for CSS vendor prefixes: #5532, #5535 and #5536
  • converted MySQL fields to 4-byte unicode which improves the range of supported chars in posts on pods using MySQL: #5530

Faldrian @Faldrian

  • added an environment variable to specify the Firefox version for our test suite: #5584. The test suite sometimes has problems with recent Firefox versions, which can lead to failing tests when running the test suite on your own computer.
  • added buttons to the single-post view to hide/remove a post and to ignore a user: #5547

Fla @Flaburgan

  • added a currency setting to Paypal donations and allowed unhosted donation buttons for podmins: #5452
  • added followed tags to the mobile menu: #5468
  • removed the truncation for notification emails: #4830
  • fixed the active users count on the new statistics page: #5590

François Lamontagne @flamontagne

  • added a missing link in the FAQ: #5509

James Kiesel @gdpelican

  • improved the profile export feature. The export is now generated in the background and the user receives a notification mail as soon as the export is done: #5499 and #5578

Jason Robinson @jaywink

  • refactored javascript code for the mobile website to get rid of console errors: #5470
  • added some missing configuration for the profile export background job: #5570

maliktunga @maliktunga

  • improved the README: #5550

Marcelo Briones @margori

  • added the ability to strip privacy-sensitive EXIF data when uploading images: #5510

Sakshi Jain @sjain1107

  • removed the community spotlight setting from the settings page if it has not been enabled on the pod: #5562

SansPseudoFix @SansPseudoFix

  • fixed the style of the profile exporter on the settings page: #5582
  • added a statistics page. We already had statistics before but now they are more readable for non-technical users: #5464

Steffen van Bergerem @svbergerem

  • removed unused code from the ProfileHeaderView: #5472
  • ported the contacts page to Backbone.js: #5473. This implements client-side rendering of the contact list, which should speed up page load times.
  • replaced the markdown renderer pagedown by markdown-it: #5526, #5541, #5543, #5545 and #5574
  • added plugins for the markdown-it markdown renderer: #5551

TorrentFreak: Pirate Site’s Deal With Police Backfires Massively

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While BitTorrent is considered the king when it comes to obtaining video online, there are other ways to obtain content that eclipse it in ease of use.

So-called ‘streaming’ sites have grown massively in popularity in recent years, largely due to the way they’re presented. Rather than the text-heavy indexes associated with large volume torrent sites, streaming portals present the latest movies and TV shows in a user-friendly interface with plenty of graphics.

What’s more, for the novice ‘pirate’ these sites are simplicity itself. Find a movie, click it, deal with the pop-ups, and in a few moments the latest blockbuster plays in a browser-based YouTube-style window. Even the Swedes, largely proud supporters of The Pirate Bay, have embraced the concept. Sadly for them, however, they’re now one sizable portal down.

In the wake of The Pirate Bay raid in December, Swedish police intensified their focus on one of the country’s top streaming portals, Dreamfilm.se. The site had been growing in popularity for some time but it appears that in recent weeks police had been homing in.

Early January everything seemed fairly normal when the site ran a promotion offering 100 movie tickets to fans who shared the picture below on Facebook. Plenty of people participated.


On January 14 the site published the Facebook links of 100 winners and requested that they send in their names and addresses to claim their prizes. But just a few weeks later and it’s now all over for Dreamfilm.

“After an administrator was detained and interrogated, it has been mutually agreed that dreamfilm.se will be shut down for good,” the site reveals in a statement.

“The police gave us an ultimatum, to shut down the site and be free, or to keep it online and be detained again.”

It seems that after an extended period trying to close the site, the authorities finally had the upper hand.

“Following controversial interrogation methods it was decided that the site and everything to do with it will be shut down for good. With this, all other administrators decided to resign altogether from the site’s operations with immediate effect,” the site’s operators add.

Thanking users for their dedication over the years, the admins bid farewell to the site and its members. Well, sort of…..

It appears that while some of the site’s admins agreed to close down the site, others did not give the police the same undertakings. They have now broken ranks and created a brand new venture. Today, DreamFilm.se is dead but DreamFilmHD.com lives on in its predecessor’s form.

“By the way, if you are film-goers, then that part of the crew who chose not to resign cloned [DreamFilm.se] to continue on their own,” the former admins say. “The administrators of DreamFilm.se do not in any way endorse this move, but the site is available at: DreamfilmHD.com.”

Sure enough, the replacement site at that address is more or less identical to the site now closed down following an agreement with the police. How this will be viewed by the authorities remains to be seen, but it’s a safe bet that this outcome wasn’t the one they’d hoped for.

At the time of publication Rights Alliance, the anti-piracy outfit behind most file-sharing site complaints in Sweden, had not responded to TorrentFreak’s request for comment.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

The diaspora* blog: Our team at FOSDEM ’15

This post was syndicated from: The diaspora* blog and was written by: Diaspora* Foundation. Original post: at The diaspora* blog

Our diaspora* community volunteers are back from a crazy time at FOSDEM. The weekend featured a lot of talking about diaspora* and the free federated social web in general, a lot of fun, quite a lot of beer, and not a lot of sleep! Augier kindly composed a video of the action.

Jason Robinson picks up the story …

The weekend

Quickly spotting our table between the #FSFE and #ownCloud, we pushed up the diaspora* flag and spread out the stickers and flyers. People instantly started stopping by, picking up stickers, reading the flyer and asking questions. It was insane! We didn't have any time to do the hacking we were planning on: our laptops quickly became demo screens to show off the diaspora* UI. I barely even had time to drink the coffee that Lukas sneaked away to buy at some point. When I finally remembered to take a few pictures, it was a few hours before I had chance to post them online.

Fla arrived quite soon to help answer the flood of questions relating to diaspora* and, later on, we were joined by Lukas @Zauberstuhl, Steffen van Bergerem, Augier and dada. The whole day was spent at the diaspora* table talking to people, giving interviews, meeting other projects and drinking beer. What could be more awesome than this? :)

The diaspora* table at FOSDEM

I was really surprised by how many people wanted to talk about diaspora*. Being here, talking to people, really pushed up my faith in the project. The #internet really needs projects like this! We are important! This was the message I heard over and over again.
Also the team was beefed up by Pavithran S, Benoît Majerus and Pablo Cúbico (who also gave a talk on open UX design).

The interest in diaspora*

What was interesting to me was what kind of interest people had for diaspora*. I half-expected it to be mostly people walking by and the ones who do come to talk to be all “didn't diaspora* fail already?” This was not the case. I guess the people who stopped at the table and that I talked to could be categorised roughly as follows:

  • diaspora* users. This group is obvious – they already use diaspora* and came to say hi and pick up stickers. We love you ♥
  • People who knew what diaspora* is but don't use it. Many of these people, some of whom had tried diaspora* a long time ago, were surprised that the project still exists – which is exactly why we were there talking about diaspora*. The mainstream media really did some huge damage to this project. On the other hand, diaspora* would have never become such a big thing if it wasn't for the mainstream media attention.
  • People who (somehow) had never heard about diaspora*. These were the most interesting people to talk with. I consider people working on open source projects to be some of the brightest minds around, and the people at FOSDEM were all open source geeks. I had super-interesting talks with people, explaining what diaspora* is and how it works – and people were genuinely interested; in particular, the way public content is federated based on relationships caught the interest of many.
  • People who represented other projects. I talked to many people representing other decentralized social networks, federated or server applications, including MediaGoblin, Salut-A-Toi, Cozy Cloud and ownCloud. It was interesting comparing ideas and getting a feeling for what kind of things people are working on.
  • The press. I gave three interviews, and Lukas did at least one. You can hear some of them on Hacker Public Radio and spielend-programmieren (links below).

The future of (federated social) web

It's important to note that while we were representing diaspora* directly, open source in general is a very collaborative field. People (in my experience at least) tend to be very supportive and collaborative towards other projects – even ones that are direct competitors. When you are doing something for the love of doing it, you cannot IMHO have direct hostility to other people who are also doing something out of love for it, even if it is a "competitor."

Thus to a lot of the people I spoke to, I mentioned the ongoing #W3C SocialWG work to create a standard to integrate the social web via a common protocol and API. It did surprise me that even many people deeply into social applications had not heard of this, but it raised many interesting discussions, and everyone agreed that it is something that could be a major unifying component for the social web.

After all, people just want to talk to each other – they shouldn't care what software the other person uses. The federated social web can be compared to email. If I want to contact a person and I know their address, I don't need to think about what software they use; I just send them a message. That is how the social web should work.

The W3C led group is currently working on the draft of the social API. It will be really awesome once this work finishes, and hopefully it will be widely adopted. This is the way we create a social web – not through centralized sites like #Facebook or #Twitter.

Maybe at FOSDEM next year we could attempt to organize a Social web room. Who is with us to apply for this? We could try to have someone from the W3C working group attend for a talk too.

See you at FOSDEM next year! It was especially nice to meet some of the other contributors and users in our community. You're all awesome!

Jason

Photos

You can see photos of the event taken by Jason, Augier and dada.

Interviews

Several interviews were made, two of which have been released and can be found here.

spielend-programmieren

Hacker Public Radio

Backblaze Blog | The Life of a Cloud Backup Company: Hard Drive Stats – FAQ

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Recently, Backblaze released our 2015 hard drive failure rate statistics. After each blog post, and especially popular ones, I spend a large amount of time reading through the comments, answering what I can, and gathering a series of frequently asked questions to help us frame future blog posts better. In order to answer some of these, I spoke with Brian Beach (author of our drive stats posts), Tim Nufire (author of many storage pod posts), and Ariel (the man behind our purchasing department). What follows is a list of some frequently asked questions that I hope to update if the data changes, or if we decide to go a bit more in-depth:

  • Q: Do you have any data on solid state drives?
    A: At this time we do not have any data about SSD drives. We put a high premium on a good price-to-density ratio, and currently SSDs are just too expensive at the density that we need. We hope that changes soon and when it does, we’d love to test them!
  • Q: Are you testing any 8TB drives?
    A: We’re currently well underway with testing of 6TB hard drives, but as of yet don’t have enough 8TB drives for a good test in our environment. We do have some, but we hope to get more soon!
  • Q: What do you use to test your hard drives?
    A: We use SMART stats to make sure that all of our drives are operating correctly, and you can read more about that on our “Hard Drive SMART Stats” blog post.
  • Q: Why did you start using HGST instead of Hitachi? Aren’t they all Western Digital?
    A: Western Digital bought Hitachi's hard drive business in 2012. At that time Hitachi hard drives were rebranded to HGST, which is currently run as a separate subsidiary of Western Digital.
  • Q: Do you have any stats about the distribution of failure other than MTTF?
    A: MTTF (mean time to failure) is the same information as the annual failure rate expressed the other way round: it is the reciprocal of the failure rate (some people call it MTBF). For us, the annual failure rate is easier to deal with for planning and cost estimation. If the failure rate is 2%, that means we need to plan on replacing 2% of the drives each year.
  • Q: Are power requirements considered when calculating which drives to buy?
    A: Yes, we prefer to buy low-powered drives as they tend to help us keep our data center costs lower. That said, higher powered drives are not excluded if they perform well in our environment.
  • Q: Why don’t you use enterprise or NAS drives?
    A: We’ve done a bit of analysis and in our environment there really is not much of a difference between enterprise and consumer hard drives. You can read our findings on our “Enterprise Drives: Fact or Fiction” blog post, but the TL;DR version is that their higher cost is not justified by their performance.
  • Q: What do you do with failed drives?
    A: When a hard drive fails we securely wipe the drive and then recycle it.
  • Q: What affects hard drive purchasing? Only price? Fail percentage? What’s the ratio?
    A: When purchasing hard drives, the most important thing for us to consider is the density-to-price ratio, but close behind it is the performance of that drive in our ecosystem, which can override the density-to-price ratio. If a hard drive is inexpensive and has a lot of density for the price but fails often, then it is not a viable hard drive for us to purchase in bulk. We often buy small batches of hard drives to test in our pods, and if they work then we buy them in bulk.
  • Q: Do you buy internal or external drives?
    A: We buy internal hard drives for our storage pods and external hard drives for restores. There was a brief period when we bought external hard drives for our storage pods as they were much less expensive than their internal counterparts, and performed equally well. We have not done this since April of 2013, and are happy to say that the majority of those drives that were “shucked” are still spinning in our data center!
  • Q: You use a variety of storage pods, doesn’t vibration matter?
    A: While we do use different storage pods, the hard drives that we use are spread out throughout most of them. Typically our hard drives don’t experience a high level of vibration, but it is more than one might typically find inside a single hard-drive enclosure such as an external hard drive. Of course, some external hard drives are carried around in backpacks, dropped on floors, and such.
  • Q: Your drives are running 24/7/365 – is that detrimental to their longevity?
    A: In our datacenter Storage Pods are “up” unless they need to be taken down for maintenance or there is a power outage. This happens infrequently, as noted in our SMART Stats post when we talked about “Power Cycles”. This raises the age-old question: is it better for your hard drive to turn off your computer when you’re not using it, or to keep it running? Our vote is to keep them running.
  • Q: Why do you use consumer drives?
    A: The redundancy built into our data storage model with RAID 6, along with our own data integrity checking and our SMART stats monitoring, ensures that the data we store will be safe and available regardless of the drive models used. This allows us to purchase drives that have the lowest lifecycle cost when considering the initial cost, warranty, failure rate, product availability, etc. In short, enterprise and consumer drives both deliver the same reliability in our environment, so we choose the drives that have the lowest lifecycle cost.
  • Q: Do your hard drive stats really matter for a consumer trying to make a purchase?
    A: That depends. If you view our data center as a “worst-case” scenario for hard drives, then yes, you can surmise that any hard drive that a consumer would buy, would perform at a slightly better rate than our hard drives. You could also conclude that the drives that “survive” in our data center are really good.
    If you don’t view it as a stress-test, then no, the data is merely an interesting results summary from a company with a lot of spinning hard drives.
  • Q: What about temperature?
    A: Our hard drives are relatively cool, and don’t tend to overheat. We’ve looked at this in-depth and you can read about our findings on our “Hard Drive Temperature – Does it Matter?” blog post!
  • Q: Why do you hate Seagate?
    A: We love Seagate! This is a common misconception about our hard drive stats posts. Both of our hard drive stat posts indicated a slightly elevated failure rate compared to their competitors; however, the price of the Seagate drives cannot be beat, and they work great in our environment. This goes back to the price-to-density-to-failure-rate ratio that Backblaze likes to use, and in it Seagate often comes out on top!

We hope to update these if things change, or if there is additional wisdom that we can impart. Hopefully this helps answer some of the common questions I’ve been seeing while reading the comments surrounding our blogs!

Author information

Yev

Chief Smiles Officer at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.

Follow Yev on:

Twitter: @YevP | LinkedIn: Yev Pusin | Google+: Yev Pusin

The post Hard Drive Stats – FAQ appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

TorrentFreak: In Memory Of The Liberties Lost In The War on Piracy

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

There are a couple of things we of the net generation knew all along in the so-called piracy debate.

The first of those things is that the copyright industry had a medical case of severe rectocranial inversion when they made the sloppy business assumption that an unlicensed copy of a movie or a piece of music was equivalent to a lost sale.

The second of those things is that it wouldn’t have mattered even if it were true (which it wasn’t), because no industry gets to eliminate fundamental civil liberties like the private letter, completely regardless of whether the continued existence of civil liberties means they can make money or not.

So we of the net generation knew all along that the copyright industry was not only wrong and stupid, but also that their assertion was – or should have been – irrelevant in the first place.

However, the copyright industry was absolutely determined to prevent people from discussing and sharing interesting things (which is what file-sharing amounts to), damn the consequences to civil liberties and society at large to hell. If you put it this way – what kind of measures would it take to physically and legally prevent people from discussing the things they want in private? – you should arrive at conclusions which make hairs rise on your arms. The measures required would amount to something beyond Orwellian, and that’s exactly what the copyright industry demanded.

Unfortunately and tragically, the politicians didn’t understand what the copyright monopoly was asking for. They regarded the Internet as some kind of novel and regulatable toy, and not as the space for private correspondence that it is. When you mistake a private conversation arena for something completely different, and regulate it like any ordinary commercial toy, disaster to civil liberties is just around the corner.

That’s exactly what happened. But what would you expect when lawmakers get their e-mail printed for them by their secretaries (yes, really), and still think they understand what the internet is.

Last week, we saw that the entire initial business assumption – that unlicensed manufacturing of music and movies had been the root cause of the collapse of profit – was utterly wrong. With unlicensed file-sharing reduced to a mere 4% in Norway, without a significant effect on revenues, it’s trivial to observe that file-sharing was never a business problem in the first place. To the contrary, we of the net generation assert confidently that sharing has a positive – not negative – correlation with sales.

So the copyright industry has successfully lobbied for laws that ban people from sharing and discussing interesting things in private, and done so from the sloppiest conceivable of false business assumptions. As a result of this dimwitted business sense combined with diehard foolhardiness, we’re left with nowhere to talk or walk in private.

It’s helpful to remember what rights have been lost to this dumb crusade, when you compare to the analog equivalent:

The right to communicate anonymously has been lost, due to the copyright industry’s lobbying. This was so fundamental a right – putting up anonymous posters – that the United States would not exist without it (see the Federalist Papers which were anonymously posted everywhere).

We no longer have the right to modify, rebuild, and repurpose our own possessions, because we may do so with an intent of discussing interesting things with our friends.

Mail carriers no longer have messenger immunity, something that had otherwise been a sacred constant between the Roman Empire and the Dimwitted Copyright Industry.

We no longer have the legal right to point at or give directions to interesting places if what happens in that location breaks a law somewhere. (Just to illustrate the special treatment of the copyright industry here, compare this to the fact that Wikipedia has a helpful page on nuclear weapons design.)

The copyright industry has been given the right to write its own laws thanks to an intentional legal loophole that prohibits us from circumventing digital restriction measures, even when those measures prevent still-legal uses of our own possessions.

The right to send private letters is being lost, due to a long-standing tirade. The copyright industry has successfully lobbied the largest correspondence carriers today – Facebook and the like – to just ban anything they don’t like. Not long ago, if you posted a link to The Pirate Bay on Facebook, you would be interrupted by a message saying that you had discussed a forbidden subject. Imagine that happening in an old-fashioned phonecall or a conversation in the street, and you’ll realize what a horrifying development it is.

A diary has extensive protection in law against search and seizure in most legislations. However, a computer – which is far more sensitive – does not. After all, it may contain a copy of a bad movie.

The right to be presumed innocent has been lost, thanks to the copyright industry’s lobbying for things like Data Retention – laws that log all our conversations pre-emptively, whom we talk to and from where and when and how, just in case it was found out later that the copyright industry didn’t like what we discussed.

The right to have laws enforced by dedicated law enforcement has been lost – the copyright industry has successfully lobbied for laws that give them a fast lane past the slow judiciary with its irritating “due process” and other nonsense, when it comes to forcefully enforcing their commercial monopolies against dangerous single mothers. The copyright industry specifically intended to use this in combination with Data Retention above.

Did you know the copyright industry has even sued Internet Service Providers demanding that they install wiretapping-and-censorship equipment in the deepest of their switches, effectively demanding to wiretap and censor an entire country? We’re not talking about the NSA or GCHQ here, but a private dimwitted industry that is going on a crusade against its evil customers.

This is just a short list of examples. There are many more.

And these civil liberties – vital, fundamental civil liberties that aren’t passing from our parents to our children – were lost because of a damn dimwitted sloppy business assumption that turned out to be 180 degrees wrong. It’s beyond depressing. It’s enraging.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish Pirate Party, the first of its kind, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Блогът на Юруков (Yurukov's Blog): Three good analogies for why anti-vaxxers are wrong

This post was syndicated from: Блогът на Юруков and was written by: Боян Юруков. Original post: at Блогът на Юруков

The so-called “welfare queen”, a byword for those living
off the social system

Today I slightly abused my Facebook friends by running a short experiment. I often get into arguments with some of them on social and economic topics. So I wanted to see what would happen if I posted the following message:

The other day I had an interesting conversation. A woman was explaining to me that it is absurd that she has to work when she could be receiving welfare. I explained to her that it doesn't work that way: what if half of the people simply decided they didn't feel like working? She snapped at me that it is her right to choose, and what did I care, since the benefits come from the state. How did that affect me personally? Whoever wants to work, works; whoever doesn't, doesn't.

This really did happen, and not with “a woman” but with many people online recently. The difference, however, is that it wasn't about welfare but about immune protection, and we weren't arguing about whether they felt like working but about whether children should be vaccinated. I hope you see the analogy. We can't draw a full parallel between exploiting welfare and refusing vaccination. Apart from the frequent document fraud, they resemble each other in two important points: a failure to understand how the system works, and a sense of personal entitlement that everyone else must provide for you at their expense.

Quite naturally, within just 10 minutes this status received a number of outraged comments about how brazen such an attitude is, how the woman in question doesn't understand elementary things, and so on. Then I explained that I had “made a mistake” and that it was actually about vaccines, and that what was being exploited was not the social system but the community's immune protection (herd immunity).

Those 10 minutes on Facebook showed an interesting phenomenon: we are ready to jump immediately to the defence of a cause when it hits us, even indirectly, in the wallet. But when it comes to a health problem that affects us in exactly the same way and with the same force, people somehow let it pass. Thank God, in the last week we saw many people standing up against the campaign now running against mandatory vaccines.

Are those who exploit welfare really so much scarier than deadly diseases returning because of the stupidity and activism of a handful of people?

Fasten your seatbelts

Do his parents know that these seatbelts cause
autism and are more dangerous than crashes?

It is hard to explain how vaccines work to people who deny the basics of chemistry and biology. In fact, it is impossible to convince them that they are talking nonsense, but it is quite easy to show how their reasoning and their cherry-picking of convenient numbers lead to ridiculous results. A good example is this article, which shows with examples and statistics how seatbelts and child car seats lead to more injuries than the crashes themselves. It also points out that the chemicals in the belts (aliphatic polyamides) cause autism and poisoning, and that surviving a crash leads to better flexibility and protection against subsequent crashes. It compares data showing that autism and seatbelt use have risen in parallel, and claims that the only purpose of mandatory child seats is to let big companies profit.

The text is written entirely in the style of the anti-vaxxers, with the same arguments and even the same sources. It ends with an explanation that it is satire, but it shows very well how, by distorting facts and instilling fear of the unknown, you can deny anything. I definitely recommend reading the whole thing.

Wouldn't you take an umbrella?

“Hey people, I don't feel any rain!
Why are you all carrying umbrellas like sheep?”

This analogy is probably my favourite. One picture shows so much that it fully confirms the proverb. When you are standing in the dry, it is easy to deny that rain and sky exist.

A bit of history

Instead of a conclusion I'll leave you with a cartoon from the magazine Australian Women's Weekly, published on 3 October 1956. Back then measles was no joke at all. Today anti-vaxxers claim that the contagious diseases against which vaccination is mandatory are actually caught like colds.

“You joked with WHOM that you have measles?”

Raspberry Pi: Teaching literature with Raspberry Pi

This post was syndicated from: Raspberry Pi and was written by: Helen Lynn. Original post: at Raspberry Pi

Last week, checking out posts people had made on our Facebook page and the projects they were telling us about, one in particular caught my attention. Sarah Roman, a high school English teacher from New Jersey, had written:

Our English class is going to be using the Raspberry Pi in order to build book-based video games, incorporating Scratch, Sonic Pi, and Python. The students are incredibly excited […]

There was a link to an Indiegogo campaign; we love to see Raspberry Pi used creatively outside of computing lessons, so I clicked on it. A minute of video opened with the title “English Classroom”, but it didn’t look like my high school English lessons. Students work around computers, ignoring the camera as they concentrate intently on… wait, is that Minecraft?

We got in touch with Miss Roman to find out more. She intends (for starters) to get students in her Junior Honors class (15-16 years old) building Pi-based games consoles with games that draw on their reading of Dracula by Bram Stoker, and she is raising funds to kit out her classroom with Raspberry Pis and accessories. The students will use Scratch, working collaboratively to create their own graphics, sounds, and housing for the console. Older students will be using the Raspberry Pis in their study of William Faulkner’s As I Lay Dying. Of course, these plans are only the beginning of the road for the Pis, both within and beyond Miss Roman’s classroom; her project proposal notes that there could be an opportunity to work with other instructors to show them how they might use Raspberry Pi in their teaching.

English Literature students

This isn’t the first time that Miss Roman has introduced video games to the English Literature classroom. Last year, Juniors reading William Golding’s Lord of the Flies worked in groups to build the island where the story is set from the imagery evidence they found in the text, adding significant quotes and moments to it via signposts and books; putting each student group into the same Minecraft world allowed them to explore each other’s work. Students were thrilled to use information from the book to build their own islands, and would sigh when the class came to an end. Miss Roman says,

Essentially, the Pi is helping me to integrate fiction and nonfiction, different literacies, and boost creative thinking […] I’m extremely happy with the Pi, and I’m sometimes staggered by the applicability it has for my classroom. I think that complex texts and ideas deserve projects that offer complexity as well, and by opening avenues of this kind for students, they have the ability to understand texts in ways that haven’t been previously accessed.

We’re excited to learn about Raspberry Pi being used in this way, and we hope that this crowdfunding campaign garners plenty of support – we’d love to hear more from New Jersey as this project takes off!

Backblaze Blog | The Life of a Cloud Backup Company: Broadband is Getting Broader

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Today, the Federal Communications Commission moved to redefine broadband as 25 Mbps down and 3 Mbps up in the United States. This is wonderful news for internet users, and will hopefully lead to more broadband availability for everyone in the US! The increase to 25/3 is up from 4 Mbps down and 1 Mbps up, which was the previous designation. Our customers use their upload stream when backing up to Backblaze, so having access to larger upstream pipes is great news.

Of course simply changing the definition of what “broadband” means doesn’t actually change anything, but as Gizmodo points out: “The redefinition of broadband should increase competition between ISPs and cable companies as well as encourage the development of better infrastructure.”

As a backup company, we are absolutely in favor of increased internet speeds and infrastructure for everyone, as it helps the overall state and speed of the internet. For instance, at the old broadband definition of 4 Mbps it would take roughly 10 seconds to download a song; at the new definition, that’s closer to 2 seconds. HD movies would take about 50 minutes at 4 Mbps; at 25 Mbps that’s nearer to 10 minutes. As the United States shifts towards online streaming (with the latest company to offer streaming video being Nickelodeon), a shift towards more available bandwidth is welcome.

We love seeing the global average internet speeds increase. Right now the United States ranks 11th with an average internet speed of 10.5 Mbps. First place is South Korea, with 23.6 Mbps as their average internet speed. That’s astonishing, and we hope that speeds continue to increase in the US, so that it can one day catch up with South Korea!

The post Broadband is Getting Broader appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Блогът на Юруков (Yurukov's Blog): The media, vaccines and an interesting photo in Dnevnik

This post was syndicated from: Блогът на Юруков and was written by: Боян Юруков. Original post: at Блогът на Юруков

Yesterday afternoon the petition against mandatory vaccines, which I wrote about earlier, was circulated. The media's reactions hardly surprised anyone. Many published the press release verbatim, as always, probably without even reading it. These included TV7, News.bg, Lentata.com, Мениджър.News, Фактите.bg and even Mediapool.bg. Among those who sought the opinion of specialists are Nova TV, BNR, Darik and Dnevnik.

It is easy to tell which media outlet is serious and which is just a mailbox. The comments under the above articles, as well as the discussions on Facebook over the last 48 hours, give me hope. On the one hand they are a clear sign that the petition will not succeed, but above all that there are still many Bulgarians who realise what a problem refusing vaccination is and are ready to speak actively on the topic.

The devil is in the details

Something in Dnevnik's article caught my attention, though. They are the last ones I should criticise in this whole saga, and I should even congratulate them for having sought the opinion of a leading expert in epidemiology. The illustration they chose, however, is interesting for several reasons. You can see it at the start of this text. In a moment it will become clear why the photo is unsuitable for their piece, but I don't blame them at all for choosing it: after all, we see a doctor carefully preparing a vaccine, right? I would even thank them for putting it in this context, because we can learn quite a lot from it.

The first thing you should notice is that the doctor in the photo is wearing protective goggles and gloves. That is not done when administering vaccines, because there is no risk to the doctor. Sometimes doctors put on disposable gloves to protect against contamination. It is not a requirement, because many other measures are taken, and without gloves it is easier to handle a squirming child who doesn't like being pricked.

The second thing can easily be found online. This photo is not just a stock illustration sold to the media for such articles. This is Dr Felicity Hartnell, and the photo shows her preparing an experimental Ebola vaccine that is about to be given to the first volunteer in its human trial in the UK. That is what requires the additional safety measures we mentioned a moment ago: the vaccine has not been tested on humans, and there are established protocols that must be followed.

The third thing this photo can teach us relates to the history of vaccines and the anti-vaccine movement. We see a doctor drawing a dose of vaccine into a syringe, right? The thing is that in Europe and the US you will not see anything like that as far as mandatory vaccines are concerned. Multi-dose vials have been used since vaccines were discovered and are still used in most of the world. The reason is that they are much easier and cheaper to produce, transport and store. This is made possible by using tiny amounts of thiomersal. It is an antiseptic that protects against bacteria and fungi. Unlike other antiseptics, it does not reduce the effectiveness of vaccines and causes only mild irritation at the injection site.

About 15 years ago, however, the anti-vaccine movement stirred up panic because the compound contains one atom of mercury (it also contains a sulphur atom, but whatever). They insinuated a link to autism and, despite the positions of all experts and the abundant evidence that no such link exists, regulators and vaccine manufacturers decided to remove the compound from mass-market vaccines. That is why the vaccines given to our children today contain no thiomersal. An interesting observation here is that discontinuing the compound had no effect on the number of autism cases among those born later, but that is another topic.

This decision made the use of multi-dose vaccines impossible, and single-dose ones are used instead. That is why the photo above is actually more suitable than the one we started with and which Dnevnik used. In Bulgaria, as in Europe and the US, single-dose vaccines are used, and they contain practically no thiomersal. For some it has been reported that trace amounts are present (read: a few molecules), which is not enough for any active effect, let alone a reaction in the body. The new hexavalent vaccine, for example, contains absolutely no thiomersal.

Incidentally, discontinuing multi-dose vaccines is only possible for developed countries. We have good infrastructure that allows proper transport and storage of single doses. In many countries in Africa, South America and South Asia this is not the case. That is why multi-dose vaccines are still used there, and they are just as effective and safe as ours. Price is also an argument. While one hexavalent vaccine costs us BGN 48 excluding VAT (because we pay for it through our taxes, after all), with a multi-dose vial the price would be about 10 times lower.

The high price and the discontinued production of multi-dose vials of some vaccines are the reason for delayed vaccination in some parts of the world. There are suspicions that, because of this unfounded fear of an otherwise safe substance with a scary name, tens of thousands of children around the world have died who could otherwise have been vaccinated earlier and saved. This is one of the contributions of vaccine deniers and an example of why we need to talk about the topic.

TorrentFreak: Canadian Government Spies on Millions of File-Sharers

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Being monitored online is a reality that millions of file-sharers worldwide largely accept. Countless rightsholders, anti-piracy outfits, analytics companies and other interested parties crawl BitTorrent and other P2P networks every day, spying on downloads and gathering data.

While the public nature of these networks is perfect for those looking to eavesdrop, people who use file-hosting sites are often under the impression that their transfers cannot be monitored by third parties, since each download is a direct HTTP connection between the user and the site rather than a swarm anyone can join. That intuition confuses privacy from other users with privacy from the network: plain HTTP is unencrypted, so anyone with access to a cable along the path sees the same request, including the client's IP address and the file being fetched.

That assumption has today been blown completely out of the water amid revelations that Canada’s top electronic surveillance agency has been spying on millions of downloads from more than 100 file-sharing sites.

Run by the Communications Security Establishment (CSE), Canada's equivalent of the NSA, and codenamed LEVITATION, the project reveals widespread Internet surveillance carried out by Canadian authorities.

A document obtained by U.S. whistleblower Edward Snowden and released to CBC News shows that in an effort to track down extremists the spy agency monitors up to 15 million downloads carried out by users around the world every day.


According to the 2012 document, 102 file-sharing platforms were monitored by CSE. Just three were named – RapidShare, SendSpace, and the now defunct Megaupload. None of the sites were required to cooperate with the Canadian government since CSE had its own special capabilities.

“A separate secret CSE operation codenamed ATOMIC BANJO obtains the data directly from internet cables that it has tapped into, and the agency then sifts out the unique IP address of each computer that downloaded files from the targeted websites,” The Intercept‘s analysis of the document notes.

Once harvested, those IP addresses are cross-referenced with vast amounts of additional data already intercepted by the United States' NSA and its British counterpart GCHQ. Subsequent searches can show a list of other websites visited by those downloading from file-hosting sites.

Further associations can then be made with Facebook or Google accounts (via Google Analytics cookies), which have the potential to link to names, addresses and other personal details. It's a potent mix, but one apparently designed to weed out just a small number of files from millions of daily events.
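To make the mechanism concrete, here is an added example (not from the TorrentFreak article or the leaked document): a small passive parser showing what an on-path observer can read from a plaintext HTTP download request, followed by the sift and cross-reference steps described above, which keep only requests to watched file-hosting hosts and then list every other host the same IP address contacted. The watched hostnames, IP addresses, file names and cookie values are all constructed for the demo.

```python
"""Added example (not from the TorrentFreak article or the leaked document):
what a passive tap reads from a plaintext HTTP download request, and the
sift / join-by-IP steps that follow. Hostnames, IP addresses, file names
and cookie values are all constructed."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# File-hosting hostnames treated as "targeted" for this demo (assumption;
# the leaked document named sites, not specific hostnames).
WATCHED_HOSTS = {"www.rapidshare.com", "www.sendspace.com"}


def parse_http_request(raw: bytes, client_ip: str) -> dict:
    """Parse the request line and headers of one plaintext HTTP request.

    client_ip comes from the IP layer of the same capture. Every field
    returned here crosses the wire unencrypted, so an observer on the path
    gets it without touching either endpoint."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Absolute-form targets (as sent to proxies) carry the host in the URL;
    # origin-form targets rely on the Host header.
    split = urlsplit(target)
    host = (split.netloc or headers.get("host", "")).lower()
    path = split.path or "/"
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {
        "client_ip": client_ip,
        "method": method,
        "host": host,
        "path": path,
        "filename": path.rsplit("/", 1)[-1],
        "query": parse_qs(split.query),
        "referer": headers.get("referer"),
        "user_agent": headers.get("user-agent"),
        "cookies": cookies,
    }


def downloads_from_watched_sites(records):
    """Sift step: keep only requests whose Host is a watched file-hosting site."""
    return [r for r in records if r["host"] in WATCHED_HOSTS]


def other_hosts_visited(records, watched_hits):
    """Cross-reference step: for each IP seen downloading from a watched site,
    list every other host that IP contacted anywhere in the capture."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["client_ip"]].add(r["host"])
    return {
        hit["client_ip"]: sorted(by_ip[hit["client_ip"]] - WATCHED_HOSTS)
        for hit in watched_hits
    }


# Constructed captures: (client IP, TCP payload). No address, file or
# cookie name/value below is real.
CAPTURES = [
    ("203.0.113.7",
     b"GET /files/123456/manual.pdf HTTP/1.1\r\n"
     b"Host: www.rapidshare.com\r\n"
     b"User-Agent: Mozilla/5.0\r\n"
     b"Referer: http://forum.example.net/thread/42\r\n\r\n"),
    ("203.0.113.7",
     b"GET /home.php HTTP/1.1\r\n"
     b"Host: www.facebook.com\r\n"
     b"Cookie: c_user=100000000000001; xs=deadbeef\r\n\r\n"),
    ("198.51.100.9",
     b"GET /index.html HTTP/1.1\r\n"
     b"Host: www.example.org\r\n\r\n"),
]


def run_pipeline(captures=CAPTURES):
    """Parse every capture, sift the watched downloads, then cross-reference."""
    records = [parse_http_request(raw, ip) for ip, raw in captures]
    hits = downloads_from_watched_sites(records)
    return records, hits, other_hosts_visited(records, hits)


if __name__ == "__main__":
    _, hits, links = run_pipeline()
    for hit in hits:
        print(hit["client_ip"], "fetched", hit["filename"], "from", hit["host"],
              "referred by", hit["referer"])
    for ip, hosts in links.items():
        print(ip, "also contacted", hosts)
```

The point of the demo is that nothing here requires cooperation from the file-hosting site: the same bytes the site's own web server logs are available to whoever sits on the cable, and a session cookie sent over HTTP to any other site the same IP visits is what turns an address into a name.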


According to the LEVITATION documents the system has the ability to track downloads in countries across Europe, the Middle East, North Africa and North America.

Under law, CSE isn’t allowed to spy on Canadians, but IP addresses belonging to a web server in Montreal appeared in a list of “suspicious” downloads. Also monitored by CSE were downloads carried out by citizens located in closely allied countries including the U.S., UK, Germany and Spain.

“CSE is clearly mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism,” CSE spokesman Andrew McLaughlin told CBC.

While it may be of comfort for Canadians to learn that the government is only interested in a small number of files being exchanged outside the country’s borders, mass surveillance of this kind always has the potential to unnerve when mission-creep raises its head.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Backblaze Blog | The Life of a Cloud Backup Company: The Great Date Debate

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

The Backblaze blog recently went through a lot of changes. We moved our service to the most up-to-date version of WordPress. We changed the design. We changed the layout. We added categories (Cloud Storage, Entrepreneurship, Backing Up, and Backblaze Bits) so that it would be easier to get to the types of articles that you wanted to read. Also, it was time for the blog to look prettier!

Another big change was the date scheme on our blog. We got rid of it. Why? As the Marketing team started to focus more on generating good content for our followers and fans to read, we decided that it was time to make our blog posts more “evergreen”. Additionally, in our old blog environment the date was included in the URL, which was bad for web search results. Yes, we had delved into the deep, dark arts of SEO (search engine optimization).

The problems started when we had to go back in time and look for a specific blog post that was published on a very specific date. For example, if you go to Google and ask it to find you the articles about the Backblaze Storage Pods, it'll give you a list of 4 blog posts on the topic. Unfortunately, you wouldn't know which ones are the most recent, as there are no dates associated with them in Google. We also had problems trying to find other articles, for example the ones about hard drive stats. We would search for them in Google and get a lot of answers, but we wouldn't know, chronologically, which ones were the most recent. This led to great internal debates between the practical value and the SEO value of our blog.

This internal debate came to a head last week when we were featured as a top story on Hacker News, where we reached as high as 4th place. While we were thrilled to get that much attention from some key individuals and knowledgeable folks, the main question, and indeed the highest-rated one, was not about the hard drive stats that we produced, but about the dates missing from our blog. A fine example by user mmastrac:

“Always love reading HDD reliability stats from Backblaze — but this demonstrates one of the reasons why post dating is so important, especially when the information in the post is time-sensitive. Nowhere on the page does it say that the post date is today, unless you click the “latest posts” tab by the author below.

I had originally thought it was a repost of the many older articles from Backblaze until seeing a reference to Dec 31 2014. While not terribly ambiguous now, the ambiguity will only grow as the year marches on.

If someone from Backblaze happens to see this: you don’t need to put it in your URL, but please date your post near the top or bottom of the text.”

In my initial response I walked the party line:

“Yev from Backblaze here -> it’s an internal debate as to whether we should put dates on everything. It used to be that they were part of the URL (because of the way our blog was designed) but that is no longer the case. We decided to leave them off for a while to see if that made posts more “evergreen”, but we definitely see where it can lead to some confusion. We’ll keep chatting about it internally, there’s likely a good middle-ground.”

The reaction to me jumping in to the stream was lukewarm at best:

“Date of information is one of the most important contexts in IT. I can’t count the times somebody has said “This says this and that about such and such”, and I have to say “Yeah bro, when was that written? Oh, three years ago? What’s the story now?”.”

I waited for my marketing companions to get to the office and then called for an emergency meeting of the minds. While the SEO value of having the blog posts go undated was good, we decided that it was time to overrule our SEO overlords and bring the blog back to the people. We quickly made the change and I made the following announcement:

“BREAKING NEWS -> There are now dates on all of the individual blog posts. The landing page is “date-free” but is in chronological order, if you open a post, the date will be below the title…AS NATURE INTENDED!”

This was met with thunderous applause:

“That’s amazing – I’m reading the post right now (as in, 11:28 AM pacific)- and I switched back to the tab, and it doesn’t show the date. But I opened it less than 10 minutes ago. They couldn’t have changed it that real time could they. Hit Refresh. Lo and behold – there is the date.

Now that’s an agile organization. Thanks very much – I really appreciate the date on these posts as well.”

For a comparison, when I wrote my initial response about having meetings and pondering about the change, that comment got 29 upvotes. However, when we made the change and I announced it, that got a full 41. Now that’s some real-time customer appreciation!

We try to move quickly and make the right decisions. Unfortunately, that doesn't always work out, and we have to be willing to roll back, especially when we've accidentally made the user experience worse. Our blogs are written for our fans after all, and if they aren't happy with them, we're not happy with them. We hope you enjoy having the dates back, and I personally appreciate everyone in the Hacker News comments for helping me win an argument!

Author information

Yev

Chief Smiles Officer at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.

Follow Yev on:

Twitter: @YevP | LinkedIn: Yev Pusin | Google+: Yev Pusin

The post The Great Date Debate appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Krebs on Security: Spreading the Disease and Selling the Cure

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults.


Rattani helps run two different “booter” or “stresser” services – grimbooter[dot]com, and restricted-stresser[dot]info. He also works on TheHosted[dot]me, a Web hosting firm marketed to Web sites looking for protection from the very attacks he helps to launch.

As part of an ongoing series on booter services, I reached out to Rattani via his Facebook account (which was replete with images linking to fake YouTube sites that foist malicious software disguised as Adobe's Flash Player plugin). It turns out the same Google Wallet account is used to accept payment for all three services, and that wallet traces back to Rattani.

In a Facebook chat, Rattani claimed he doesn’t run the companies, but merely accepts Google Wallet payments for them and then wires the money (minus his cut) to a young man named Danial Rajput — his business partner back in Karachi. Rajput declined to be interviewed for this story.

The work that Rattani does for these booter services brings in roughly $2,500 a month — far more than he could ever hope to make in a month slinging sandwiches. Asked whether he sees a conflict of interest in his work, Rattani was ambivalent.

“It is kind of [a conflict], but if my friend won’t sell [the service], someone else will,” he said.

Rattani and his partner are among an increasing number of young men who sell legally murky DDoS-for-hire services. The proprietors of these services market them as purely for Web site administrators to “stress test” their sites to ensure they can handle high volumes of visitors.

But that argument is about as convincing as a prostitute trying to pass herself off as an escort. The owner of the attack services (the aforementioned Mr. Rajput) advertises them at hackforums[dot]net, an English-language forum where tons of low-skilled hackers hang out and rent such attack services to prove their “skills” and toughness to others. Indeed, in his own first post on Hackforums in 2012, Rajput states that “my aim is to provide the best quality vps [virtual private server] for ddosing :P”.

Damon McCoy, an assistant professor of computer science at George Mason University, said the number of these DDoS-for-hire services has skyrocketed over the past two years. Nearly all of these services allow customers to pay for attacks using PayPal or Google Wallet, even though doing so violates the terms of service spelled out by those payment networks.

“The main reason they are becoming an increasing problem is that they are profitable,” McCoy said. “They are also easy to set up using leaked code for other booters, increasing demand from gamers and other customers, decreasing cost of attack infrastructure that can be amplified using common DDoS attacks. Also, it is relatively low-risk to operate a booter service when using rented attack servers instead of botnets.”

The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online. That includes the LizardStresser, the attack service launched by the same Lizard Squad (a.k.a. Loser Squad) criminals whose assaults knocked the Microsoft Xbox and Sony PlayStation networks offline on Christmas Day 2014.

The sad truth is that most booter services probably would not be able to remain in business without CloudFlare’s free service. That’s because outside of CloudFlare, real DDoS protection services are expensive, and just about the only thing booter service customers enjoy attacking more than Minecraft and online gaming sites are, well, other booter services.

For example, looking at the (now leaked) back-end database for the LizardStresser, we can see that TheHosted and its various properties were targeted for attacks repeatedly by one of the Loser Squad’s more prominent members.

The Web site crimeflare.com, which tracks abusive sites that hide behind CloudFlare, has cataloged more than 200 DDoS-for-hire sites using CloudFlare. For its part, CloudFlare’s owners have rather vehemently resisted the notion of blocking booter services from using the company’s services, saying that doing so would lead CloudFlare down a “slippery slope of censorship.”

As I observed in a previous story about booters, CloudFlare CEO Matthew Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI.

I suppose it's encouraging that prior to CloudFlare, Prince was a co-creator of Project Honey Pot, which bills itself as the largest open-source community dedicated to tracking online fraud and abuse. In hacking and computer terminology, a honeypot is a trap set to detect, deflect or otherwise counteract attempts at unauthorized use or abuse of information systems.

It may well turn out to be the case that federal investigators are allowing these myriad booter services to remain in operation so that they can gather copious evidence for future criminal prosecutions against their owners and users. In the meantime, however, it will continue to be possible to purchase powerful DDoS attacks with little more than a credit card or prepaid debit card.

TorrentFreak: Zombie Pirate Bay Tracker Fuels Chinese DDoS Attacks

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In November 2009 The Pirate Bay announced that it would shut down its tracker for good.

Trackers were outdated according to the site’s owners. Instead, they encouraged BitTorrent users to rely on DHT, PEX and other trackerless technologies.

Despite the fact that the tracker is no longer functional, many old and some new torrents still include the tracker.thepiratebay.org announce address.

While the tracker hasn’t responded to these calls for five years, for some server admins it has now risen from the dead.

Starting early January hundreds of websites have been plagued by traffic from China. While the exact reason remains unclear, it appears that the Great Firewall of China may be in part causing the problems.

Due to a reconfiguration, DNS lookups for the Pirate Bay domain from inside China are being answered with random IP addresses. The problem applies to various censored sites, but the thousands of connections per second carrying tracker.thepiratebay.org stand out for most people.

It is no secret that a BitTorrent swarm can DDoS a website if the tracker hostname resolves to the wrong IP: clients keep re-sending their HTTP announce requests to whatever address the name resolves to, regardless of what is actually running there. But we haven't witnessed something of this magnitude before.

Below is a graph Craig Hockenberry posted of a DDoS on his server, where inbound traffic peaked at 52 Mbps, with torrent announces being the most common source.


The suspicion that Chinese efforts to censor the Internet have something to do with the problems seems plausible. Querying Chinese DNS servers returns many seemingly random IP-addresses that change all the time.

In other words, requests to the dead Pirate Bay tracker are sent to seemingly random servers, and none of these have anything to do with the notorious torrent site.

Johannes Ullrich, CTO of SANS Internet Storm Center, came to a similar conclusion and many of his readers reported problems of the same nature.

“We also get a lot of this type of traffic for the last 2 weeks. At moments it causes a total DoS for our webserver. Most of the traffic has thepiratebay as hostname in the http request, but we also see akamai, edgecdn and some more obscure and explicit sites passing in our logs,” Arjan says.

“I work in the banking sector in the UK. We started to see this traffic hit our web servers just before the new year and it has continued since, but thankfully not on a harmful scale. We’ve seen various sites in the host header, including thepiratebay, facebook, googlevideo – all of which appear to be restricted within China,” Anonymous adds.

And the list goes on and on.

Over the past several days reports have come from all over the place, all describing the same problem. Thus far, most server admins have decided to filter out Chinese traffic, which eases the load. But the underlying problem persists.
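Filtering by country is a blunt instrument. The misdirected requests identify themselves on two signals the admins quoted above already noticed: a Host header for a site this server does not serve, and, for the tracker traffic, the fixed shape of a BitTorrent HTTP announce (info_hash, peer_id, port, uploaded, downloaded, left). The following added example (not from the TorrentFreak article) classifies web-server log lines on those two signals so the stray traffic can be counted and dropped without blocking a whole country. The vhost-style log format, the hostnames this server is assumed to serve, and every log line are constructed for the demo.

```python
"""Added example (not from the TorrentFreak article): classify web-server log
lines so that misdirected requests, including stray BitTorrent announces,
can be counted per Host header and per client IP. Log format, served
hostnames and all log lines are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Hostnames this server legitimately answers for (assumption for the demo).
SERVED_HOSTS = {"www.example.com", "example.com"}

# Assumed vhost-style access log:
#   $host $remote_addr - - [$time_local] "$request" $status $bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Query parameters a BitTorrent HTTP tracker announce carries (BEP 3).
ANNOUNCE_KEYS = {"info_hash", "peer_id", "port", "uploaded", "downloaded", "left"}


def classify(line: str):
    """Return a record for one log line, or None if the line does not parse.

    kind is "announce" for a tracker announce, "scrape" for a tracker
    scrape, "web" otherwise; misdirected is True when the Host header names
    a site this server does not serve."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = m["host"].lower()
    split = urlsplit(m["target"])
    path = split.path.rstrip("/")
    query = parse_qs(split.query)
    if path.endswith("/announce") and ANNOUNCE_KEYS <= set(query):
        kind = "announce"
    elif path.endswith("/scrape") and "info_hash" in query:
        kind = "scrape"
    else:
        kind = "web"
    return {
        "host": host,
        "ip": m["ip"],
        "kind": kind,
        "status": int(m["status"]),
        "misdirected": host not in SERVED_HOSTS,
    }


def summarize(lines):
    """Count parsed lines, tracker announces, and misdirected requests,
    breaking the misdirected ones down by Host header and client IP."""
    stats = {"total": 0, "announces": 0, "misdirected": 0,
             "by_host": Counter(), "by_ip": Counter()}
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        stats["total"] += 1
        if rec["kind"] == "announce":
            stats["announces"] += 1
        if rec["misdirected"]:
            stats["misdirected"] += 1
            stats["by_host"][rec["host"]] += 1
            stats["by_ip"][rec["ip"]] += 1
    return stats


# Constructed log lines. The last one has an /announce path but none of the
# BEP 3 parameters, so it must be treated as ordinary web traffic.
SAMPLE_LOG = """\
tracker.thepiratebay.org 198.51.100.23 - - [14/Jan/2015:10:02:11 +0000] "GET /announce?info_hash=%A1%B2%C3%D4%E5%F6%07%18%29%3A%4B%5C%6D%7E%8F%90%A1%B2%C3%D4&peer_id=-UT3410-0123456789ab&port=51413&uploaded=0&downloaded=0&left=734003200&compact=1 HTTP/1.1" 404 162
tracker.thepiratebay.org 198.51.100.88 - - [14/Jan/2015:10:02:11 +0000] "GET /announce?info_hash=%00%11%22%33%44%55%66%77%88%99%AA%BB%CC%DD%EE%FF%00%11%22%33&peer_id=-TR2840-abcdefghijkl&port=6881&uploaded=1024&downloaded=0&left=0&event=started HTTP/1.1" 404 162
www.facebook.com 198.51.100.23 - - [14/Jan/2015:10:02:12 +0000] "GET / HTTP/1.1" 404 162
www.example.com 203.0.113.5 - - [14/Jan/2015:10:02:12 +0000] "GET /index.html HTTP/1.1" 200 5123
www.example.com 203.0.113.6 - - [14/Jan/2015:10:02:13 +0000] "GET /announce?x=1 HTTP/1.1" 404 162
"""


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    print(f"{stats['misdirected']} of {stats['total']} requests were for hosts "
          f"this server does not serve; {stats['announces']} were tracker announces")
    for host, n in stats["by_host"].most_common():
        print(f"  {n:6d}  Host: {host}")
```

Enforcement then belongs in the web server rather than in a geo-blocklist: a default virtual host that closes the connection for any Host name not in the served set (nginx's `return 444` does exactly that) sheds the load before any application code runs, and the announce signature above is what separates a redirected swarm from an ordinary mistyped hostname when you are deciding whether the numbers warrant it.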

For now the true origin of the zombie DDoSes remains unknown, but hopefully those responsible will soon realize the crippling mistake they’ve made, and put Pirate Bay’s tracker back in the ground.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.