Posts tagged ‘flash’

Darknet – The Darkside: Facebook Disabled Flash For Video Finally

This post was syndicated from: Darknet – The Darkside and was written by: Darknet. Original post: at Darknet – The Darkside

So Facebook finally disabled Flash for video. Sadly, it’s still there for games, but a large use case for it just went out the window. And really, it’s not surprising after the recent mega patch in Adobe Flash that fixed 78 CVE-classified vulnerabilities. There’s just no good reason for anyone to still be using […]


Read the full post at darknet.org.uk

Darknet – The Darkside: Latest Update Patches 78 CVE-classified Flash Security Vulnerabilities

This post was syndicated from: Darknet – The Darkside and was written by: Darknet. Original post: at Darknet – The Darkside

So as a rule, in 2015 running Adobe Flash is already pretty scary – but the latest patch release covers 78 CVE-classified Flash security vulnerabilities. That’s not scary, that’s terrifying. By now you kinda expect flaws in Flash, it’s just a given. But 78 CVE-classified vulnerabilities in one patch release? That’s…

Read the full post at darknet.org.uk

Errata Security: Tesla is copying Apple’s business model

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

One of the interesting things about Tesla is that the company is trying to copy Apple’s business model. As a Silicon Valley entrepreneur myself, and an owner of a Tesla car, I thought I’d write up what that means.

There are two basic business models in the world. The first is cheap, low-quality, high-volume products. You don’t make much profit per unit, but you sell a ton of them. The second is expensive, high-quality (luxury), low-volume products. You don’t sell many units, but you make a lot of profit per unit.
It’s really hard to split the difference, selling high-volume, high-quality products. If you spend 1% more on quality, your customers can’t tell the difference (without more research on their part), so you’ll lose the 10% of your customers who won’t accept the higher price. Or, if you are selling to the luxury market, lowering the price to sell more units means lowering quality standards, destroying your brand.
Rarely, though, companies can split the difference. A prime example is Costco. While the average person who shops at Walmart (low-quality, high-volume store) earns less than $20,000 per year, the average income of a Costco customer is over $90,000 per year. Costco sells high-quality products to these customers, but it does so at high-volume, keeping the prices low.
Apple is another company that succeeds at this, selling higher quality products at enormous volumes, at mainstream prices.
It’s at this point that those who don’t like Apple laugh at me for calling it “quality” products. They are wrong. While many aspects of quality are subjective, leading some to dislike Apple, other aspects are objective.
Most luxury products are really only subjectively quality products. Take Ferrari cars, for example. Sure, they go fast, but they also spend a lot of time in the shop. Likewise, a lot of high-fashion falls apart if you wash it. The biggest lie in luxury is Whole Foods, which often sells crap products like bottled tap water for high prices.
At the same time, some quality measurements are objective. That’s how Costco works. For every product category, their buyers apply rigorous quality tests before selling something under their “Kirkland” brand, whether it’s soap, cola, vodka, luggage, or shoes.
Likewise, Apple is objectively a quality product. Take an Apple power supply, remove any branding, and give it to an engineer to compare against other power supplies. The engineer will tell you that the Apple product is better designed and uses higher quality components.
But being higher quality doesn’t work if customers don’t know it. That’s why every other company has crappy power supplies, because it’s not a value that companies can communicate to their customers. The customers don’t care.
That’s where branding comes in. The business models of Costco and Apple are precarious. As soon as customers fail to recognize their better quality, they’ll leave these companies for cheaper products. That makes these companies focus obsessively on maintaining both subjective and objective quality. This communicates the brand of quality even when customers can’t judge for themselves.
Look at the Apple power supply, on the outside. It screams “APPLE”. It’s not (just) the logo that does this. It’s the fact that the power supply has the same white plastic, curved-edged design of the first iPods and MacBooks. Subjectively, every bit of the power supply feels different than the standard industrial bricks sourced from random vendors. Even if it’s not actual quality, subjectively it feels different, and hence (if you like Apple) better.
The problem with all this “quality” is that it gets expensive. It can easily double the price. Customers impressed with Apple’s quality wouldn’t be willing to pay for it. Sure, they’ll pay 30% more, because it’s a status symbol and “cool”, but they won’t pay double. Therefore, Apple has to tackle the cost issue.
They do this with “NRE” or “up-front” payments. The reason quality components are expensive is because they are produced in low volume, the same business model duality described above. Apple has to push its business model down through the supply chain. That means going to a vendor, giving them a bunch of money (Non-Recurring Engineering) to design a higher quality part, then capital so they can build a factory to produce that part in volume. In exchange, Apple then gets to buy that part at a low price.
Apple is so good at this that they can produce a high-quality iPhone at the same cost as low-quality competitors. This produces huge profits per iPhone. Even though Apple sells less than 20% of all mobile phones, it earns most of the industry’s profits. Nobody can compete with them. Another vendor wishing to enter the market doesn’t have enough capital to create the same deals Apple gets, so can’t produce a quality phone as cheaply, and thus must sell in lower volumes for lower profits. And even then, they still can’t compete because such a low volume product can’t generate enough profits for the engineering required. And, there is certainly no money left over to create the luxury branding needed to support the marketing.
Thus, not only is Apple’s model unique, nobody else can replicate it. At least, not in any market where Apple competes.

Tesla

Now let’s talk about Tesla. Their endgame is to be like Apple, but for cars. That means selling a high-margin product, but at volume competing against other lower-priced competitors.
That car will probably be the Model 3, a $35k car that sells against a Chevy Volt, Nissan Leaf, and BMW i3.
To get there, Tesla needs to first create a brand, namely “it’s what the cool people drive”. Branding isn’t your name, logo, motto, or anything conscious. Branding is about unconscious emotions. People move from Android to iPhones (and rarely the other direction) simply because of the emotional feeling that it’s what the cool kids own. It’s like buying a kid an XBox for Christmas, which objectively meets the kid’s needs better than any other console, but having the kid cry because all the cool kids at school have PlayStations. Tesla is trying to create a brand that’ll cause kids to cry if you don’t buy them one when they turn 18.
Part of that is their rebranding of “internal combustion engines”, or “ICE”, as uncool. It’s weird talking to Tesla owners and their disdain for ICE, as if they all went to the same cult. It’s like some shameful cooties that other car makers have that they’ll never be able to get rid of. Even though BMW produces an all-electric i3, they still can’t shake their ICE heritage.
And indeed, it is a hard heritage to move beyond, as this story describes. Existing car companies sell through dealers, which make their profits by servicing cars, which electric cars need less of. Thus, the sales people steer customers toward gasoline cars, or try to trick them into paying for a “service” plan that includes free oil changes — something electric cars don’t need. It’s like watching Microsoft flail around with its tragically un-cool “Zune” against the iPod. Objectively, it was just as good or better. Subjectively, they failed in branding against Apple in every possible way marketing people can fail.
Ultimately, what Tesla is trying to do with the current model (Model S) is to create a “cool” factor that it can later apply to the later mainstream model (Model 3). It’ll take them time to ramp up production and support network, so the number of cars they can build is limited anyway. Therefore, they make the coolest car possible for under $100,000.
And they succeeded. The Model S is better than every other sedan on the market, and also better than almost all sports cars. It’s better in every single metric but one (long distance driving). The huge battery means it drives three times further than any other electric car. Because of the huge battery, it can generate faster acceleration than any car costing less than $1 million. Because of the huge battery sitting at the bottom of the car, lowering the center of gravity, its handling is better than any other car not specifically tuned for the track. It’s not just this, but a long list of other cool features, like the central control unit, the aluminum body, the self-driving features, and so on.
In short, the Model S is iconic, like Apple. It’s the most highly rated car in car enthusiast magazines ever.
The mainstream Model 3 won’t be as iconic, because it’ll be cheaper. And yet, the brand will be established. For example, the high-end Model S is nearly all aluminum, but the cheaper Model 3 will be mostly steel. And yet, marketing will still focus on the few remaining light-weight parts, extolling their virtues, even though in practice they are little different than competitors. The competitors won’t be able to get into a fight over whose car is lightest, because then Tesla will always fight back with the Model S. Apple has been doing this for years with things like processor speed — objectively, it’s no faster, but subjectively, they convince the faithful it’s somehow better.
In much the same way that Apple became the biggest consumer of flash memory, and used its capital to guarantee it paid the lowest price in the industry, Tesla is doing the same with batteries. The Model S has three times the battery per car as any other electric vehicle, and sells more electric cars than anyone else. Thus, it drives the battery market.
That’s why they are spending so much capital on the “Gigafactory” to produce batteries, currently partnering with Panasonic. Just like Apple has to spend capital to get low-cost parts and flash memory, Tesla has to spend capital to guarantee cheap batteries. That means when the mainstream Model 3 starts competing against the Volt, Leaf, and i3, it’ll have larger batteries for a cheaper cost than its competitors.
It’s weird watching business models like this unfold. Existing car companies aren’t willing to bet that much capital in an unproven market. Tesla’s investors, on the other hand, are betting everything to create that market. Thus, Tesla can do things that entrenched companies cannot. Assuming Tesla continues to be competent, and that the electric car market grows, then they should command the lion’s share of it — just like Apple.
Recently, industry veteran Bob Lutz wrote an op-ed claiming Tesla was doomed because it didn’t have a dealer network like a traditional car company. It’s just like reading the op-eds from Nokia, Microsoft, and Blackberry when Apple released the iPhone. Lutz might be partly right that Tesla needs dealers to provide capital for inventory management, but he’s otherwise profoundly wrong. Tesla breaks the dealership model even if it didn’t want to, for example through the different way electrics need servicing. Dealerships are corrupt quasi-monopolies, and nobody likes dealing with them. Sure, Tesla may lose some sales because customers can’t drive a car instantly off the lot, but they’ll also gain customers fed up with corrupt businesses. Putting showrooms in shopping malls instead is just one more way that Tesla easily makes itself distinctly different from its internal combustion competitors.
With all the good ways Tesla is executing on Apple’s business model, it’s also making a lot of mistakes. There are lots of small design flaws in the Model S, and some clearly lacking areas. For example, the voice command system is decade old crap. Tesla desperately needs to license a better one from Apple (Siri), Microsoft (Cortana), or Google (Ok Google).
What these flaws show is that Tesla doesn’t have Musk’s full attention. He’s off dreaming about hyperloops, solar panels, and SpaceX. Tesla doesn’t have somebody like a Steve Jobs, or even a Jonathan Ive, who obsesses over every small detail to make everything perfect. This flaw can be fatal. The Tesla Model S driving experience is so awesome it makes us look past the small flaws, but there’s no excuse for those flaws to exist. If they persist, they’ll kill the Model 3. Imagine test driving a Nissan Leaf with Apple Siri embedded, where you can ask about last night’s game scores, and then step into a Model 3 which can’t even dial a phone properly. Car innovation is continuing beyond the electric model and self-driving features — Tesla needs to be up near the front on all of them.
Conclusion

When Apple released the iPhone during the recession, I bought a bunch of Apple stock — enough to buy my Tesla Model S from the gains. Just by looking at the product, business model, and the market, it should’ve been obvious to anybody that Apple had changed everything.
Electrics aren’t quite the same game changer — they are still cars. The challenges of charging them, and the inability of pure electrics to drive long distances, mean that they won’t take over the market. In a decade, though, even without government subsidies, they’ll command a good 30% of the market. Even if Tesla isn’t one of the top car companies, there’s a good chance it’ll be one of the most profitable — if it can continue to execute on this model. High margins means that even if it’s not selling the most cars, it could be earning the most profits in the industry.
Their stock is already high, and Musk doesn’t seem to be executing as well as Jobs, so I’m not interested in buying their stock. But really, the Model S is an awesome car to drive.

Krebs on Security: OPM Breach: Credit Monitoring vs. Freeze

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Many readers wrote in this past week to say they’d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information were jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM’s response — the offering of free credit monitoring services for up to three years — won’t work if readers have taken my advice and enacted a “security freeze” on their credit file with the major credit bureaus. This post is an attempt to explain what’s going on here.

OPM offices in Washington, DC. Image: Flickr.

Earlier this week I got the following message from a reader:

“I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”

The reader continued:

“This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”

I reached out to my followers on Twitter to gauge their reactions to this. I wrote: “Finish this sentence: Lifting a freeze to enable credit monitoring is like….” Here were some of the notable responses:

@sdweberg 10:22pm …shooting your rottweilers and paying the neighbors a monthly fee to “keep an eye on” your house.

@shane_walton 10:15pm …installing flash to watch a flash video about the evils of flash.

@danblondell 10:13pm …leaving the storm doors open to keep an eye on the tornado

@flakpaket 12:48am …leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors.

@ShermanTheDad 8:25am …taking your gun off safety to check and see if it’s loaded.

Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file *after* you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.

As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, ID Experts — the company that OPM has paid $133 million to offer credit monitoring for the 21.5 million Americans affected by its breach — offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

If you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth signing up for these credit monitoring and repair services. Otherwise, I’d strongly advise my US readers to consider freezing their credit files at the major credit bureaus. 

Depending on which state you reside in, there may be a small fee to place and/or thaw a freeze on your credit file, and freezing your files at all four major bureaus (Equifax, Experian, Innovis and Trans Union) could cost as much as $60. But this is a small price to pay for peace of mind.

In a perfect world, breached organizations would offer to pay the costs involved in freezing your credit files, but sadly the standard playbook in corporate breach response is to pay for credit monitoring.

PROTECTING DEPENDENTS FROM ID THEFT

One area where credit monitoring makes more sense is with dependents and children under the age of 18. That’s because it’s impossible to freeze a credit file that doesn’t exist, and most minors aren’t going to have one (hopefully).

According to Experian, if your children already have credit reports in their names, one of three things has happened: You have applied for credit in their names and the applications were approved; you have added them as authorized users or joint account holders on one or more of your accounts; someone has fraudulently used their information to apply for credit and they are already identity theft victims.

One way to find out is to visit annualcreditreport.com to apply for a copy of their credit report. The most important precaution parents can take is to keep a close eye on dependent credit files when kids reach their mid-teens. That way, if a credit file materializes for your child because of identity theft, there is still time to sort it out before the kid actually needs a line of credit or loan. However, if your child becomes the victim of ID theft at a very young age, it probably makes more sense to freeze the kid’s credit file.

Most credit monitoring services will allow you to enroll your children as well, but that coverage generally expires after they reach 18. KrebsOnSecurity reader Michael found this out when he tried to sign up his five kids after receiving a notice from the OMB.

“For some reason, coverage for adult children was not provided when I signed up and is discontinued once they reach 18, so at the outset, only 2 of my 5 kids were included even though their data was also compromised,” Michael wrote.

If you’re considering freezing your credit file, have a look at this primer which walks through the various steps needed to place a freeze. It also includes pointers to additional steps that consumers can take to avoid becoming victims of identity theft.

Were you or your family impacted by the OPM breach? How have you responded? Sound off in the comments below.

Raspberry Pi: Creating and Kickstarting Slice, the Compute Module-Based Media Player

This post was syndicated from: Raspberry Pi and was written by: James Adams. Original post: at Raspberry Pi

Back in August 2014, a startup company called FiveNinjas launched Slice, the first ever Compute Module-based media player, on Kickstarter.

FiveNinjas with five Slices. Front to back: Gordon, James, Mo, John, Paul

We are FiveNinjas: James Adams and Gordon Hollingworth from Raspberry Pi, Jonathan Williamson and Paul Beech of Pimoroni, and Mo Volans, entrepreneur and music producer. We’re here to tell you how we created a consumer product with the Raspberry Pi Compute Module in our spare time, and launched it using Kickstarter. It has been a long journey, but we’ve learned a lot and now have a growing and enthusiastic community over on our forums, a video channel, and even a user-created HOWTO Wiki. Finally, all Slice’s software (which is a modified version of the fantastic OpenELEC and Kodi) is available on GitHub. We hope this post will be interesting or inspiring to those who want to follow in our footsteps: grab a mug of tea and read on…

Gordon gives the background:

FiveNinjas began with Mo Volans’s idea of a media centre built around the Raspberry Pi, including everything you needed to get going without requiring lots of knowledge about how media centres work. He first got in touch with Paul and Jon from Pimoroni to discuss the idea, thinking that he could create the simple software build required and Paul and Jon would be able to create a laser-cut case to contain the Raspberry Pi, a hard drive, and WiFi. They also came up with the idea of adding the LED ring to provide visual feedback. Between them, they created the first Slice video, which they showed to us at Pi Towers.

I was amazed by the idea, and believed that Slice was going to be a great product, but I also thought it could be better. Around that time, we were developing the Raspberry Pi Compute Module which would allow smaller and more custom hardware in a very small package. It was perfect for the Slice, as it would also allow us to use a standard SODIMM connector, while remaining backward-compatible with future Compute Modules, and enabling users to upgrade their boxes.

I came on board, bringing James Adams with me. James went to work on the hardware schematics and I went to work on the software. At this stage, we were still trying to start up the Kickstarter but knew we had to wait until we had the first version of the hardware, because Kickstarter requires you to have implemented a first prototype.

The first thing we had to do was to set a timescale for the Kickstarter, which can be tricky. The longer the time you set, the more opportunity you’ll have to get people interested in the product. However, you’ll also have a longer delay before you can start ordering supplies for your project. In the end, we had to wait about six weeks to be able to order the PCBs, even though we had already finished the design. Interestingly, the optimum time for a Kickstarter is probably significantly less than you’d expect: we took five days to hit our funding target but then couldn’t start ordering parts until around four weeks later! Finally, we ordered the first set of PCBs, and I began the task of developing the test code.

One of the most important parts of the PCB manufacturing process is developing the manufacturing test system, which is the test that tells you whether the manufacturer has actually built the hardware correctly. If you find a problem at the manufacturing stage in China, it is relatively quick and cheap to fix it right there. If instead the bug turns up later, once the PCBs have been transported to the UK, we’d have to either throw them away, fix them by hand, or send them back to China! The test system for Slice was built around a simple Buildroot Linux kernel, which is actually the same way the Compute Module is tested. The Buildroot kernel can be pushed into the Compute Module over USB; the software can then run through the test process.

Slice testing

This is a video of the FiveNinjas Slice product being tested. It is actually very simple to execute a Linux Buildroot on a Compute Module without having to program the Flash at all.

The test schedule included the audio output, the LEDs, HDMI output, the USB connections, the internal SATA hard disk, and the infrared sensor; each test required the operator to complete various checks, whereupon it would output test results and the serial numbers for the Compute Modules.

I also wrote a similar but slightly different programming Buildroot kernel. This was used to program the Slice eMMC, copy data from a server onto the hard drive, install the licenses, install the recovery system and then boot into the Slice operating system to check everything was working. This takes about one minute, but, because the whole process is done automatically, it could be done in parallel.

Slices being programmed automatically in parallel (Raspberry Pi for scale)

The testing was a success: Slices are now programmed with the latest version of our software as they leave the warehouse (as you can see in the picture). The Slice software (which is fully open and available on www.github.com/FiveNinjas) has also been maturing thanks to lots of feedback from users, and we are continuing to improve it.

Jon says: Friends don’t let friends do cases (unless they’re made from laser cut perspex!).

Early on we decided that we wanted to make Slice something premium and special. We quickly decided that milled aluminium (aircraft grade, what else?) was the order of the day.

We had loads of experience making acrylic cases but had never embarked on something that required full 3D modelling. With a vision of simplicity that would accentuate the lighting ring, we knew exactly what we wanted. The only problem was we didn’t know where to start. Luckily an old friend works for Autodesk, and could provide some tips on how to get started which were amazingly useful. Armed with a killer CAD package, I spent a weekend producing the first design files. We had a viable model for machining! Fortunately, in those days Pimoroni was next door to a tooling company, who prepared a few prototypes for us to test with.

The first Slice case prototype machined from aircraft grade aluminium!

Machining in the UK was impossible due to costs, but fortunately we had friends in Taiwan who visited a few machining companies and came back with quotes that would work. The only downside to production in Taiwan was that we couldn’t risk placing a single order for all the units at once. We had to quality-control batches as they arrived; otherwise there was a risk that we could receive a heap of junk and the whole project would have been in trouble. We settled on batches of 200-400 units at a time, which balanced risk with speed. Generally this worked pretty well, but it was slower than we would have liked.

The case production process was fraught with delays due to the fact that there are three steps: machining, bead blasting, and anodising, all of which are done at different places. The end result is, however, undeniably lovely and makes Slice something quite special.

Red Slice with remote. Also available in black or grey!

Paul says: It’s hard to be Jony Ive on a budget of less than £1m.

The Slice Kickstarter was a success. This is a lot harder to achieve than it looks, but we had a stellar team with a good overlap of talents and a great, supportive community. For me, the joy was getting back to the days of hard disk players, but smaller and sleeker. Nowadays, everything and its dog has Netflix, so I was keen to see something with usable software and a simple setup for the old skool crowd.

The Slice UI

Unfortunately, 500-1500 backers is pretty much the valley of death for hardware. If you want to make 100 of something, you can do it locally, at high cost, but probably beautifully. If you want to make 10000 of something, you can do it in the Far East, quite economically and with good quality. In between, you’re in a sticky middle ground. Things like electronic components come in reels of 2000-3000, factories don’t get out of bed for less than 10,000 pieces, and you don’t have time to play with R&D of 100 units to get things right and smooth. You have the higher costs of smaller-run production but without the benefits of doing things big.

Fortunately we had a lot of advantages, or we might have struggled. There have been mid-sized crowdfunding projects that have gone horribly wrong. We haven’t been one of those, and the results have always been satisfying, even when late.

I got a real kick out of seeing the case come to life. It’s simple, beautifully finished, and without fussy details. I didn’t expect us to be able to nail the finish this well, but the results are pro-style and built to last, which is handy as we’ve made the Slice upgradeable.

James says: Circuits are fun, but there’s more to it than that…

Designing the circuitry and circuit board (PCB) for Slice turned out to be more of a challenge than expected despite having lots of experience.

The hard part of any design is the balance of features and trying to come up with low cost yet functional and well engineered circuitry. Using the Compute Module made the entire project possible, as we knew we were building on a stable platform and could concentrate on all the other parts.

We spent many hours working out how to mount the hard disk, the LEDs, and Slice’s LED diffuser. Eventually we settled on the solution we have today, which works remarkably well despite being very simple!

We created three sets of prototypes at our own expense, and did all the testing as well as compliance testing. Thankfully this all went relatively smoothly, but even for the professionals it takes a lot of work and usually several prototypes to get things right. Let’s not go into how much time was spent arguing about and testing the layout of the ports on the back of Slice and spacings between them….

Slice’s PCB including Compute Module

Mo says: I had an idea in my kitchen, gained a team in Sheffield and lost my voice in New York.

My journey with Slice has been a little different: from the initial idea to putting together the Kickstarter campaign, everything has been about concept and image for me. I’m always a little obsessed with how things appear and whether or not people will perceive something as a quality product. This moulded my interactions with Slice.

It all started in my kitchen. A Raspberry Pi, a hard drive, a few sensors and a huge bunch of wires were stuck to a TV. I was convinced the whole contraption could fit into a box and become something that people would want to use, so I got to work with my Dremel and took my first prototype on the road.

Mo’s very first Slice prototype! Fortunately production Slices are a little better.

I approached a few companies at this point but the best fit by far were the guys at Pimoroni in Sheffield. After a few boozy meetings, the first solid Slice unit was born.

After my wife Emma coined the name Slice, Jon added some LEDs, and Paul came up with a killer logo, it was time to get to work. Kickstarter was our chosen route but we needed a working prototype and some great footage. We made some progress but something was missing, Slice was just too big, and our efforts were a little unstructured.

It was at this point that Jon and Paul introduced me to Gordon and James at Raspberry Pi. They loved the idea of Slice and FiveNinjas was created (Emma gets credit for a second name here). We suddenly had expertise in marketing, hardware, software, logistics and design, as well as the new Compute Module.

In no time the new compact Slice, complete with custom PCB and milled aluminium case, was born. It was a great moment to see my humble concept transformed into a solid working unit.

It was time to go back to Kickstarter, where the real work began for me. The guys had done such a good job I knew I had to go all out to make the slickest proposal I could, and nothing was left to chance. The campaign itself was no less intense, with thousands of questions, some awesome press coverage and a trip to New York Maker Faire (where I lost my voice talking to thousands of people and Slice won two editors’ awards). In the end we smashed our target and we’re now distributing thousands of Slices.

Slice: Raspberry Pi Media Player

Mo Volans from FiveNinjas shares Slice at World Maker Faire New York 2014. It’s a set-top media player that’s based on the brand new Raspberry Pi Compute Module. They’re in the process of crowdfunding the project, and have met their funding goal. Since it’s based on the Raspberry Pi hardware and XBMC software, the platform is totally hackable.

The journey post-Kickstarter has been bumpy: we’ve hit some serious obstacles but we’ve tackled them and come out with a bunch of happy users. Slices are now flowing freely and we are good to go. Hopefully this is just the beginning for Slice.

The post Creating and Kickstarting Slice, the Compute Module-Based Media Player appeared first on Raspberry Pi.

Raspberry Pi: GPIO Zero: a friendly Python API for physical computing

This post was syndicated from: Raspberry Pi and was written by: Ben Nuttall. Original post: at Raspberry Pi

Physical computing is one of the most engaging classroom activities, and it’s at the heart of most projects we see in the community. From flashing lights to IoT smart homes, the Pi’s GPIO pins make programming objects in the real world accessible to everybody.

Some three years ago, Ben Croston created a Python library called RPi.GPIO, which he used as part of his beer brewing process. This allowed people to control GPIO pins from their Python programs, and became a hit both in education and in personal projects. We use it in many of our free learning resources.

However, recently I’ve been thinking of ways to make this code seem more accessible. I created some simple and obvious interfaces for a few of the components I had lying around on my desk – namely the brilliant CamJam EduKits. I added interfaces for LED, Button and Buzzer, and started to look at some more interesting components – sensors, motors and even a few simple add-on boards. I got some great help from Dave Jones, author of the excellent picamera library, who added some really clever aspects to the library. I decided to call it GPIO Zero as it shares the same philosophy as PyGame Zero, which requires minimal boilerplate code to get started.

This is how you flash an LED using GPIO Zero:

from gpiozero import LED
from time import sleep

led = LED(2)

while True:
    led.on()
    sleep(1)
    led.off()
    sleep(1)

(Also see the built-in blink method)

As well as controlling individual components in obvious ways, you can also connect multiple components together.

Here’s an example of controlling an LED with a push button:

from gpiozero import LED, Button
from signal import pause

led = LED(2)
button = Button(3)

button.when_pressed = led.on
button.when_released = led.off

pause()

We’ve thought really hard to try to get the naming right, and hope people old and young will find the library intuitive once shown a few simple examples. The API has been designed with education in mind; I’ve been demoing it to teachers to get feedback, and they love it! Another thing is the idea of minimal configuration – so to use a button you don’t have to think about pull-ups and pull-downs – all you need is the pin number it’s connected to. Of course you can specify this – but the default assumes the common pull-up circuit. For example:

button_1 = Button(4)  # connected to GPIO pin 4, pull-up

button_2 = Button(5, pull_up=False)  # connected to GPIO pin 5, pull-down

Normally, if you want to detect the button being pressed you have to think about the edge falling if it’s pulled up, or rising if it’s pulled down. With GPIO Zero, the edge is configured when you create the Button object, so things like when_pressed, when_released, wait_for_press, wait_for_release just work as expected. While understanding edges is important in electronics, I don’t think it should be essential for anyone who wants to

Here’s a list of devices which are currently supported:

  • LED (also PWM LED allowing change of brightness)
  • RGB LED
  • Buzzer
  • Motor
  • Button
  • Motion Sensor
  • Light Sensor
  • Analogue-to-Digital converters MCP3004 and MCP3008
  • Robot

Also collections of components like LEDBoard (for any collection of LEDs), FishDish, Traffic HAT, generic traffic lights – and there are plenty more to come.

There’s a great feature Dave added which allows the value of output devices (like LEDs and motors) to be set to whatever the current value of an input device is, automatically, without having to poll in a loop. The following example allows the RGB values of an LED to be determined by three potentiometers for colour mixing:

from gpiozero import RGBLED, MCP3008
from signal import pause

led = RGBLED(red=2, green=3, blue=4)
red_pot = MCP3008(channel=0)
green_pot = MCP3008(channel=1)
blue_pot = MCP3008(channel=2)

led.red.source = red_pot.values
led.green.source = green_pot.values
led.blue.source = blue_pot.values

pause()
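To make the two behaviours described above concrete (the pull-up/pull-down default that fixes the edge for you, and the source/values wiring), here is an added pure-Python model; it is not gpiozero’s own code. SimPin, OutputDevice and pot_values are stand-ins I made up for the real pin, LED and MCP3008 objects, so it runs without a Pi.

```python
# Added illustration, not gpiozero's own code: a pure-Python model of Button's
# pull-up/pull-down abstraction and of the source/values wiring from the post.
# SimPin, Button, OutputDevice and pot_values stand in for the real objects.

class SimPin:
    """Simulated GPIO pin: a 0/1 level plus change callbacks (the 'edge interrupt')."""

    def __init__(self, number, level=0):
        self.number = number
        self.level = level
        self._listeners = []

    def on_change(self, callback):
        self._listeners.append(callback)

    def set_level(self, level):
        if level != self.level:
            self.level = level
            for callback in self._listeners:
                callback(level)

class Button:
    """pull_up=True (the post's default): pin idles high, a press pulls it low,
    so 'pressed' is the falling edge.  pull_up=False: idles low, press is the
    rising edge.  The caller gives only the pin; the edge is fixed here."""

    def __init__(self, pin, pull_up=True):
        self.pin = pin
        self.active_level = 0 if pull_up else 1  # active-low when pulled up
        self.when_pressed = None
        self.when_released = None
        pin.level = 1 - self.active_level        # idle level follows the pull
        pin.on_change(self._edge)

    @property
    def is_pressed(self):
        return self.pin.level == self.active_level

    def _edge(self, level):
        pressed = level == self.active_level
        handler = self.when_pressed if pressed else self.when_released
        if handler is not None:
            handler()

class OutputDevice:
    """LED-like output: value 0.0..1.0, on()/off(), and a 'source' iterable.
    gpiozero drains source in a background thread; step() pulls one reading."""

    def __init__(self):
        self.value = 0.0
        self._source = None

    def on(self):
        self.value = 1.0

    def off(self):
        self.value = 0.0

    @property
    def source(self):
        return self._source

    @source.setter
    def source(self, values):
        self._source = iter(values)

    def step(self):
        if self._source is not None:
            self.value = next(self._source)

def pot_values(readings):
    """Stand-in for MCP3008(channel).values: endless 0.0..1.0 readings."""
    while True:
        yield from readings

def button_demo():
    """One press and one release on a pull-up and a pull-down button, each
    wired to an LED; returns the (is_pressed, led.value) pairs observed."""
    seen = []
    for number, pull_up in ((4, True), (5, False)):
        pin, led = SimPin(number), OutputDevice()
        button = Button(pin, pull_up=pull_up)
        button.when_pressed, button.when_released = led.on, led.off
        pin.set_level(button.active_level)      # the 'pressed' edge for this wiring
        seen.append((button.is_pressed, led.value))
        pin.set_level(1 - button.active_level)  # and the release
        seen.append((button.is_pressed, led.value))
    return seen

def mixer_demo(steps=2):
    """Three constructed pot traces feed R, G, B via .source = .values."""
    traces = ([0.1, 0.5], [0.2, 0.6], [0.3, 0.7])
    channels = [OutputDevice() for _ in traces]
    for channel, trace in zip(channels, traces):
        channel.source = pot_values(trace)
        for _ in range(steps):
            channel.step()
    return tuple(channel.value for channel in channels)
```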

Other wacky ways to set the brightness of an LED: from a Google spreadsheet – or according to the number of instances of the word “pies” on the BBC News homepage!

Alex Eames gave it a test drive and made a video of a security light project using a relay – coded in just 16 lines of code.

GPIO Zero Security Light in 16 lines of code

Using GPIO Zero Beta to make a security light in 16 lines of code. See blog article here… http://raspi.tv/?p=8609 If you like the look of the RasPiO Portsplus port labels board I’m using to identify the ports, you can find that here http://rasp.io/portsplus

Yasmin Bey created a robot controlled by a Wii remote:

Yasmin Bey on Twitter

@ben_nuttall @RyanteckLTD pic.twitter.com/JEoSUlHtF6

Version 1.0 is out now so the API will not change – but we will continue to add components and additional features. GPIO Zero is now pre-installed in the new Raspbian Jessie image available on the downloads page. It will also appear in the apt repo shortly.

Remember – since the release of Raspbian Jessie, you no longer need to run GPIO programs with sudo – so you can just run these programs directly from IDLE or the Python shell. GPIO Zero supports both Python 2 and Python 3. Python 3 is recommended!

Let me know your suggestions for additional components and interfaces in the comments below – and use the hashtag #gpiozero to share your project code and photos!

A huge thanks goes to Ben Croston, whose excellent RPi.GPIO library sits at the foundation of everything in GPIO Zero, and to Dave Jones whose contributions have made this new library quite special.

See the GPIO Zero documentation and recipes and check out the Getting Started with GPIO Zero resource – more coming soon.

The post GPIO Zero: a friendly Python API for physical computing appeared first on Raspberry Pi.

Raspberry Pi: University of York: Raspberry Pi Challenge 2015

This post was syndicated from: Raspberry Pi and was written by: Gordon Hollingworth. Original post: at Raspberry Pi

For the last three years I’ve been visiting the University of York Computer Science building on the last day of Freshers’ Week to see what the new entrants have been doing with Raspberry Pi.

York is using the Pi to help get the students started with computing (for those whose contact has been limited to tablets and desktops!) before they get to university: every year, they send a free Raspberry Pi to their new undergraduates who are about to start a Computer Science course, and support them to prepare for the Raspberry Pi Challenge. It also forms a great social event which gets the computer science students together (along with beery delights) to fight it out in the Pi Squared arena!

Raspberry Pi Challenge at York 3.0 2015

We’ve just held our third Raspberry Pi Challenge at York. Our new undergraduates receive a free Raspberry Pi when they confirm their place at York and have a month to do something creative or take part in our knock out competition. Here’s what happened in 2015. Would you like to take part in 2016?

Last year they used a version of Battleships to compete, but this year they’ve changed to Squares.  One of the great things about this game is that the simplest few lines of code can make a huge difference over the random player (simply iterating through all possible ‘walls’ and drawing one if it closes a box is a big improvement on drawing walls at random), but there is much more that can be done to improve and optimise the strategy (there is a time limit per move, so you are a little limited!).

If you’re interested in playing the game and writing an implementation yourself (or if you’re another university and you’d like to compete against York’s outstanding undergraduates), the code and documentation is all freely available on GitHub:

waps101/PiSquare

PiSquare – This is a python template allowing two Raspberry Pis to play against each other in a variant of the classic game “dots and boxes”. The game was used in the University of York Raspberry Pi challenge 2015.
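As an added example (not the PiSquare template’s own code, which lives in the repository above), here is a minimal dots-and-boxes model in Python with the two players the post contrasts: drawing walls at random versus scanning every free wall for one that closes a box. The board encoding and the extra-move-after-closing rule are assumptions from the classic game, not details taken from PiSquare.

```python
# Added example, not the PiSquare template's own code: a small dots-and-boxes
# model with the two players the post contrasts, a random wall-drawer and one
# that first scans every free wall for a move that closes a box.
import random


class Board:
    """size x size boxes; a wall is ('h'|'v', row, col) between adjacent dots."""

    def __init__(self, size):
        self.size = size
        self.walls = set()          # walls drawn so far

    def all_walls(self):
        n = self.size
        return ([('h', r, c) for r in range(n + 1) for c in range(n)] +
                [('v', r, c) for r in range(n) for c in range(n + 1)])

    def free_walls(self):
        return [w for w in self.all_walls() if w not in self.walls]

    @staticmethod
    def box_sides(row, col):
        return {('h', row, col), ('h', row + 1, col),
                ('v', row, col), ('v', row, col + 1)}

    def boxes_touching(self, wall):
        kind, r, c = wall
        candidates = [(r - 1, c), (r, c)] if kind == 'h' else [(r, c - 1), (r, c)]
        return [b for b in candidates
                if 0 <= b[0] < self.size and 0 <= b[1] < self.size]

    def boxes_closed_by(self, wall):
        """Boxes whose only missing side is `wall` (a wall can close two)."""
        return [b for b in self.boxes_touching(wall)
                if self.box_sides(*b) - self.walls == {wall}]

    def draw(self, wall):
        closed = self.boxes_closed_by(wall)
        self.walls.add(wall)
        return closed


def random_player(board, rng):
    return rng.choice(board.free_walls())


def greedy_player(board, rng):
    """The post's 'simplest few lines': any wall that closes a box, else random."""
    for wall in board.free_walls():
        if board.boxes_closed_by(wall):
            return wall
    return random_player(board, rng)


def play(size, players, seed=0):
    """Play a full game; returns boxes won by players[0] and players[1]."""
    board, rng, scores, turn = Board(size), random.Random(seed), [0, 0], 0
    while board.free_walls():
        closed = board.draw(players[turn](board, rng))
        scores[turn] += len(closed)
        if not closed:          # assumed classic rule: closing a box earns another move
            turn ^= 1
    return scores
```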

As an alternative challenge, there is also the chance to compete in Blue Pi Thinking, which is an opportunity for the students to create something ingenious using a Raspberry Pi.  The results from this project have been quite amazing.

One student created a tabletop food ordering system using the Raspberry Pi touch display.  The idea is that the screen is embedded into the table at a fast food restaurant, and you can order your food and pay for it using NFC without actually having to leave your table!  I can’t wait to see the first fast food joint with fully integrated Raspberry Pi shopping!

Another student wanted to create a pill diary system for an elderly relative. Here the central idea was to create a simple schedule for the pills which would beep or flash when it was time to take a pill.  It also would have the ability to take a photo or a time-lapse video, so a family member or carer could check they were being taken correctly.

University of York Computer Science Raspberry Pi Challenge: an undergrad works on his entry to recreate photographed objects in Minecraft

The picture above is from one student who connected his camera to the Pi. His system would take a photo of a scene from four sides, and then recreate the object in Minecraft!

University of York Computer Science Raspberry Pi Challenge: an undergrad tests his entry to map the mood of Twitter on a map of the UK

The project shown above was created to map the mood of the UK.  It took Twitter feeds from around the country and used various recurring words and phrases to decide on the mood of people from different places, then displayed them on a map of the UK with different colours to indicate the mood.

University of York Computer Science Raspberry Pi Challenge: an entry to use Raspberry Pi to control solar tracking in a solar panel installation

Lastly, a project to demonstrate how a Raspberry Pi can be used to control a solar panel installation and track the sun!

Read more about the Raspberry Pi Challenge from York’s Department of Computer Science. They’re already thinking ahead to next year’s Challenge with a new group of first-year undergraduates – I can’t wait to see what the next lot get up to!

The post University of York: Raspberry Pi Challenge 2015 appeared first on Raspberry Pi.

LWN.net: Security advisories for Tuesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated lib32-libpng (two vulnerabilities) and libpng (two vulnerabilities).

CentOS has updated xen (C5: code execution).

Fedora has updated cyrus-imapd (F23: information disclosure), pdns (F23: denial of service), python-pygments (F23: shell execution), and webkitgtk4 (F23: two vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities).

Mageia has updated chromium-browser-stable (information leak), iceape (multiple vulnerabilities), krb5 (code execution), and mariadb (multiple vulnerabilities).

openSUSE has updated xen (13.2: multiple vulnerabilities).

Oracle has updated xen (OL5: code execution).

Red Hat has updated xen (RHEL5: code execution).

Scientific Linux has updated xen (SL5: code execution).

SUSE has updated krb5 (SLEDebuginfo11SP3: denial of service).

Ubuntu has updated libxml2 (multiple vulnerabilities) and strongswan (15.10, 15.04, 14.04: authentication bypass).

Raspberry Pi: The Digital Eagles have landed

This post was syndicated from: Raspberry Pi and was written by: Marc Scott. Original post: at Raspberry Pi

Like many institutions, Barclays Bank recognises that digital literacy is an essential component of modern life. It was for this reason that, back in 2013, the bank launched its Digital Eagles initiative. Branch volunteers offered to give up their time and skills to teach members of the community how to get online, perform web searches, use email and video chat, and of course how to use online banking.

The Digital Eagles have since expanded, and the project now includes an initiative to get kids coding, called Code Playground. This is more than just a website, however. Digital Eagles now run monthly sessions at branches and other venues, all over the country, where kids aged from seven to 17 can come along and learn the pleasures of coding.

So what has this to do with Raspberry Pi? Well, where there’s kids and code, the Raspberry Pi is sure to follow. Last week, the Foundation’s education team hauled themselves down to the marble-and-glass palaces of Canary Wharf to deliver workshops to a group of specially selected Digital Eagles, that they might then cascade the training down to their colleagues, and bring Raspberry Pi to Code Playgrounds all over the country.

jodie on Twitter

@Digitaleagles @Raspberry_Pi..looking forward to our training! RaspberryPi is coming to a code playground near you! pic.twitter.com/eNbcucz2sk

It was a spectacularly successful day, as we ripped through sessions on physical computing with Scratch, the new GPIO Zero library, hacking the world of Minecraft, and motion-triggered animations with the Sense HAT.

I should, by now, be accustomed to the excitement and sense of achievement that people get from blinking an LED with the touch of a button and a few lines of Python, yet each time I see it happen it brings a smile to my face and renewed enthusiasm for the Foundation’s educational mission.

Charlotte Snell on Twitter

Loving my @Raspberry_Pi training today just made my traffic light flash using Python & a button @Digitaleagles pic.twitter.com/EozSuI4DfO

The Sense HAT, in particular, went down a storm. The unique combination of sensors and the LED display means that you can jump right into physical computing with ease. Several of the Digital Eagles mentioned that they thought the little device would be a perfect addition to the Code Playgrounds, and couldn’t wait to get using it with the kids who attend.

Charlotte Snell on Twitter

So my bear gets angry when you shake him! @Raspberry_Pi training for @Digitaleagles #CodePlaygrounds pic.twitter.com/bk7kSWUXgp

So now it’s over to the Digital Eagles! Soon, Raspberry Pis, Sense HATs, CamJam EduKits and a variety of other goodies will be wending their way to Barclays Bank branches the length and breadth of the country. There the Eagles will be able to pass on their new-found skills and spread the joys that the Raspberry Pi can bring to the next generation of eager coders. We’ll be sure to report back to you on their progress and successes in the near future, so keep checking the blog for updates, or maybe check out a Code Playground near you!

The post The Digital Eagles have landed appeared first on Raspberry Pi.

Linux How-Tos and Linux Tutorials: Neverware’s CloudReady Brings a Chromium-Fueled Chromebook OS to Standard Hardware

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

I have been a Chromebook user for a while now. I find their ease of use, simplicity, and reliability something that is unmatched by most standard laptops or desktops. As someone who spends a vast amount of their PC time writing words, Chrome OS makes perfect sense. The added bonus of Chrome OS being powered by the Linux kernel makes it all the better.

Point of fact… I like the Chrome OS platform so much, I became the proud owner of a Pixel—probably the single most amazing piece of mobile hardware I have ever experienced. But not everyone wants to shell out the cash for such a machine. In fact, some would rather make use of the hardware they already have.

That’s where the likes of Neverware’s CloudReady comes into play. However, this relatively new platform isn’t just a tinker’s toy. Yes, the claim that CloudReady will turn any hardware into a Chromebook is spot on. However, CloudReady isn’t just for individual users. Neverware is putting this platform to good use for educators, individuals, and even enterprises. That Neverware is taking on the educational system is telling. Primary and secondary school systems across the globe are staring down financial burdens that don’t allow them to purchase new hardware or operating systems. By allowing those same institutions to repurpose aging hardware and turn it into efficient, reliable machines, educators are able to squeeze far more out of less.

CloudReady has already found major success in over 100 U.S. school districts with thousands of deployments.

But before you make the connection between your educational district and Neverware, you probably will want to kick the tires first. Or maybe you’re a single user that wants to take an aging piece of hardware and get a bit more use of it. Or… maybe you love the idea of having a Pixel-like machine, but don’t want to shell out the premium for the hardware (and you happen to have an ultrabook lying around, ready to take on the task).

Regardless of why, CloudReady is there to serve. It’s incredibly easy to install and even easier to use. For those individuals who want to run a Chromium-based Chrome OS-like platform on standard hardware (or educators/enterprise users who want to kick the tires and see if it’s the right fit), here’s what you’ll need:

  • Laptop or desktop machine (NOTE: There are over 125 certified models, guaranteed to run CloudReady, listed here*)

  • A USB flash drive of 5 Gb or greater capacity (NOTE: All contents of the USB drive will be erased…so make sure you have all data backed up)

  • The CloudReady free image (download link)

  • A Google account

  • Either a Chromebook running Chrome OS or a machine running Linux. 

*I successfully installed CloudReady on a Sony Vaio, which is not listed in the certified hardware. Chances are, CloudReady will run on your machine. The good news is you can fire it up and run it live, so it’s pretty easy to tell if it will work on your configuration.

Copying the image

There are two ways to copy the CloudReady image onto your USB drive:

Since we’re coming at this from a Linux perspective, let’s copy the image to the flash drive using the dd command. Here are the steps:

  1. Download the CloudReady image and save it to your ~/Downloads directory

  2. Open a terminal window

  3. Change into the ~/Downloads directory with the command cd ~/Downloads

  4. Unzip the image with the command unzip cloudready-free-XXX.bin.zip (Where XXX is the release number) 

  5. Plug in your USB device

  6. Issue the command sudo fdisk -l to determine the device name of your USB (It will be listed as /dev/sdX where X is the unique identifier)

  7. DOUBLE CHECK THE ABOVE, ELSE YOU COULD ERASE THE WRONG DEVICE

  8. Once you are certain you have the correct device, issue the command sudo dd if=cloudready.bin of=/dev/sdX bs=4M (Where X is the identifier for your USB drive) 

  9. Wait for the command to complete

  10. Unmount the device when the copy completes.

NOTE: If you are using a Linux distribution that doesn’t require sudo, you will have to su to the root user and then issue the dd command, minus sudo. You now have a bootable USB drive, ready to fire up CloudReady.
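Step 7 is where a typo costs you an internal disk, so here is a pre-flight check for the dd step. It is an added example, not part of Jack Wallen’s article or of CloudReady: it reads the kernel’s removable flag and the device size from sysfs and the mount table from /proc/mounts, refuses anything that is not an unmounted removable disk of at least 5 GB, and only then runs the dd command from step 8. The function names, the SYSROOT/MOUNTS parameters (there so the checks can be exercised against a constructed directory tree) and the 5 GB floor are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): refuse to run dd until the target
# looks like an unmounted removable disk of at least 5 GB. The SYSROOT and
# MOUNTS parameters are an assumption made so the checks can be exercised
# against a constructed directory tree instead of the live /sys and /proc.

MIN_BYTES=$((5 * 1000 * 1000 * 1000))   # the 5 GB the article calls for

# is_removable_disk NAME [SYSROOT]: NAME is the bare name (sdb, not /dev/sdb).
# The kernel exposes the removable flag at /sys/block/NAME/removable.
is_removable_disk() {
    flag="${2:-/sys}/block/$1/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# is_mounted NAME [MOUNTS]: true when the disk or any of its partitions
# (sdb, sdb1, sdb12 ...) appears in the mount table, /proc/mounts by default.
is_mounted() {
    grep -q "^/dev/$1[0-9]* " "${2:-/proc/mounts}"
}

# device_size_bytes NAME [SYSROOT]: sysfs reports the size in 512-byte sectors.
device_size_bytes() {
    sectors=$(cat "${2:-/sys}/block/$1/size") || return 1
    echo $((sectors * 512))
}

# check_target IMAGE NAME [SYSROOT] [MOUNTS]: every check that must pass
# before the drive is overwritten; prints the reason whenever it refuses.
check_target() {
    image=$1; name=$2; sysroot=${3:-/sys}; mounts=${4:-/proc/mounts}
    case $name in
        ""|*/*) echo "refuse: give the bare device name, e.g. sdb"; return 1 ;;
    esac
    [ -f "$image" ] || { echo "refuse: image $image not found"; return 1; }
    [ -r "$mounts" ] || { echo "refuse: cannot read $mounts"; return 1; }
    is_removable_disk "$name" "$sysroot" ||
        { echo "refuse: /dev/$name is not flagged removable (internal disk?)"; return 1; }
    if is_mounted "$name" "$mounts"; then
        echo "refuse: /dev/$name has mounted partitions; unmount them first"; return 1
    fi
    size=$(device_size_bytes "$name" "$sysroot") ||
        { echo "refuse: no size reported for /dev/$name"; return 1; }
    [ "$size" -ge "$MIN_BYTES" ] ||
        { echo "refuse: /dev/$name holds $size bytes, less than 5 GB"; return 1; }
    echo "ok: /dev/$name is an unmounted removable disk of $((size / 1000000)) MB"
}

# write_image IMAGE NAME: the dd command from step 8, reached only after
# check_target has passed; sync flushes the data before the stick is pulled.
write_image() {
    check_target "$1" "$2" || return 1
    sudo dd if="$1" of="/dev/$2" bs=4M && sync
}

# Stand-alone use: sh write_cloudready.sh cloudready.bin sdb
if [ "$#" -eq 2 ]; then
    write_image "$1" "$2"
fi
```

The removable flag is set by the kernel for USB mass-storage devices and not for SATA or NVMe system disks, which is exactly the mistake step 7 warns about; the mount check catches the second common slip, a stick that the desktop auto-mounted when it was plugged in.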

Installing CloudReady

When you boot your system with the CloudReady USB flash drive, you will first find yourself staring at a very Google-like network connection tool. Connect to your network and then, when prompted, log into your Google account on the CloudReady desktop. What you need to do, while logged in, is check to make sure everything works (video, sound, bluetooth, etc). Once you’ve confirmed that the hardware works, log out and then click the system tray. You should now see an entry labelled Install CloudReady (Figure A, above). Click that and the installation will begin. If you attempt to install CloudReady while logged into your Google account, the install will fail.

The installation should take roughly twenty(ish) minutes (depending upon your hardware). Once it is complete, the machine will automatically shut down. Remove the USB device and boot the machine. You should then be prompted to log into your CloudReady device and enjoy the full-blown Chrome OS experience, thanks to Neverware and Chromium (Figure B).

cloudready desktop

At this point, everything will behave exactly as you would expect from a Chromebook. You can also take the USB drive with you and always have a CloudReady desktop ready to boot.

So long as you don’t expect Chromebook-like boot times, you will find the CloudReady experience to be a fantastic replica of the official Google Chrome OS. This is, without a doubt, the closest take on Chrome OS, for standard hardware, that you will ever experience. If you want a Chrome OS platform for your aging laptops and desktops, CloudReady is what you want. And for any educational institution looking to keep hardware relevant for as long as possible, this might well be the solution you need.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Arch Linux has updated chromium (information leak) and putty (code execution).

Debian has updated krb5 (denial of service).

Fedora has updated kernel (F21: privilege escalation), openstack-ironic-discoverd (F23; F22: remote code execution), python-cryptography (F23: denial of service), python-cryptography-vectors (F23: denial of service), sddm (F22: denial of service), and wpa_supplicant (F23: denial of service).

openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities).

SUSE has updated MozillaFirefox, mozilla-nspr, mozilla-nss (SLE11 SP2; SLE11 SP3, SP4: multiple vulnerabilities).

Ubuntu has updated krb5 (multiple vulnerabilities) and lxd (15.10: privilege escalation).

LWN.net: Thursday’s security advisories

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Arch Linux has updated flashplugin (multiple vulnerabilities) and powerdns (denial of service).

Fedora has updated lxc (F22; F21: directory traversal).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

openSUSE has updated git (13.2, 13.1: code execution), java-1_7_0-openjdk (42.1: multiple vulnerabilities), and xen (13.1; 42.1: multiple vulnerabilities, one from 2014).

SANS Internet Storm Center, InfoCON: green: Adobe Flash Player Update, (Wed, Nov 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released an update for Flash Player yesterday [1]. The update fixes 17 vulnerabilities and is rated with a criticality of 1 for. Microsoft Windows users will receive the related update for Internet Explorer 10 and Microsoft Edge from Microsoft directly [2].

As usual, consider the click-to-play option many browsers provide to prevent exposing Flash Player to sites that do not need it.

[1]https://helpx.adobe.com/security/products/flash-player/apsb15-28.html
[2]https://technet.microsoft.com/library/security/2755801


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated sssd (C6: memory leak).

Debian has updated wpa (multiple vulnerabilities).

Fedora has updated php-udan11-sql-parser (F23; F21: content spoofing) and phpMyAdmin (F23; F21: content spoofing).

Mageia has updated kernel-linus (denial of service), libreoffice (multiple vulnerabilities), putty (memory corruption), python-curl (use-after-free), and sudo (privilege escalation).

Oracle has updated sssd (OL6: memory leak).

Red Hat has updated flash-plugin (RHEL6; RHEL5: multiple vulnerabilities).

SUSE has updated xen (SLE11SP2: multiple vulnerabilities).

Ubuntu has updated linux-lts-wily (14.04: denial of service) and wpa (15.10, 15.04, 14.04: multiple vulnerabilities).

Krebs on Security: Critical Fixes for Windows, Adobe Flash Player

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in a month, Adobe has issued an update to plug security holes in its Flash Player software. The update came on Patch Tuesday, when Microsoft released a dozen patches to fix dozens of vulnerabilities in Windows, Internet Explorer, Skype and other software.

One-quarter of the patches from Microsoft address flaws that the company labels “critical,” meaning they can be exploited by malware or malcontents to break into vulnerable systems with no help from users. Four of the bulletins address vulnerabilities that were publicly disclosed prior to Patch Tuesday, meaning malicious hackers had a head start in figuring out how to exploit those weaknesses.

Top of the priority list among these 12 patches should probably be the one for Internet Explorer, which fixes more than two dozen flaws in IE, nearly all of them critical, browse-to-a-hacked-site-and-get-owned flaws. Another patch, MS15-113, fixes critical bugs in Microsoft’s Edge Browser, its intended replacement for IE. Also of note is a Microsoft Office patch that addresses seven flaws.

This month also includes a patch for .NET, a program that past experience has taught me to patch separately. If you use Windows and Windows Update says you have patches available for .NET, consider unchecking those updates until you’ve applied the rest released on Tuesday. Reboot and install any available .NET updates.

Separately, Adobe issued a patch for its Flash Player software that fixes at least 17 vulnerabilities in the program and in Adobe AIR. Adobe says it is not aware of any exploits in the wild for issues addressed in this update, but readers should seriously consider whether having Flash installed and/or enabled in the browser is worth the risk. 

New analysis from Recorded Future shows that Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015. Exploit kits are crimeware packages meant to be stitched into the fabric of hacked Web sites; when a visitor arrives with outdated browser plugins, that visitor’s computer is silently seeded with malware. Eighty percent of the time, these kits are checking for browsers that aren’t up to date with Flash patches.

As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update (version 19.0.0.245 is the latest for Mac and Windows systems), the most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
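Exploit kits profile the plugin version, so the defender’s question is which machines are still below 19.0.0.245. The check below is an added example, not part of the Krebs post: it takes a host inventory (the host names and the "host,version" format are constructed) and lists the hosts whose Flash is older than the version named above. The one non-obvious part is version_lt, which compares each dotted field as a number; a plain string comparison would rank 19.0.0.9 above 19.0.0.245 and report a stale machine as patched.

```shell
#!/bin/sh
# Added example (not from the post): flag hosts whose Flash Player is older
# than the 19.0.0.245 release named above. version_lt compares each dotted
# field as a number, because a plain string comparison would rank 19.0.0.9
# above 19.0.0.245. The inventory format and host names are constructed.

LATEST_FLASH="19.0.0.245"   # Mac/Windows version cited in the post

# Constructed inventory, one "host,version" per line; "none" means no Flash.
SAMPLE_INVENTORY='ws-01,19.0.0.245
ws-02,19.0.0.226
ws-03,19.0.0.9
ws-04,18.0.0.255
ws-05,none'

# version_lt A B: true when dotted version A is older than B.
# Missing trailing fields count as 0, so 19.0 equals 19.0.0.0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; a=${a#*.}     # take the next field, drop it from the rest
        bi=${b%%.*}; b=${b#*.}
        ai=${ai:-0};  bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1    # every field equal: not older
}

# outdated_hosts INVENTORY [LATEST]: prints "host version" for every host
# whose Flash is older than LATEST; hosts without Flash need no patch.
outdated_hosts() {
    printf '%s\n' "$1" | while IFS=, read -r host ver; do
        case $ver in
            none|"") continue ;;
        esac
        if version_lt "$ver" "${2:-$LATEST_FLASH}"; then
            printf '%s %s\n' "$host" "$ver"
        fi
    done
}

# count_outdated INVENTORY [LATEST]: how many hosts still need the update.
count_outdated() {
    outdated_hosts "$@" | wc -l | tr -d ' '
}

# Stand-alone use: list the constructed inventory's stale hosts.
outdated_hosts "$SAMPLE_INVENTORY"
```

Feed it the real inventory by replacing SAMPLE_INVENTORY with the output of whatever asset tool records the plugin version; the comparison logic does not change. Hosts reported as "none" are the ones that followed the post’s first piece of advice and are deliberately left out of the count.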

Anchor Cloud Hosting: Online retail growth in Australia and FOMO

This post was syndicated from: Anchor Cloud Hosting and was written by: Matt Sumner. Original post: at Anchor Cloud Hosting

Australians are famous for their love of sunshine, surf, a beer and a good BBQ. But current stats show Aussies to be just as passionate about shopping, the Internet and smartphones.

Half of Australians also jump on social media every day, to drown the world in pictures of food, outfits, new cars, weddings, current mood, ‘no make up selfies’ and provide updates as to their every move up until the time they go to bed. Even after lights out, they lie in bed for hours staring at a small screen, increasing their sleep debt as they experience the Gen Y phenomenon of FOMO (‘Fear of missing out’).

Now for the statistics overload:

  • Out of nearly 24m people, only 15% of the population is over 65, with 86.9% of the country using the Internet.
  • In 2015, almost 90% of the population owned a smartphone and 60% owned a tablet
  • According to 2015 Sensis, 50% of consumers access social media everyday (up to 79% for the 18-29 age group).
  • Almost 70% of the population shops online.

It has been forecast that retail e-commerce (e-tail) sales in Australia will rise 14.4% this year, passing $10b. Compare this to the predicted 3% rise in total retail sales in Australia ($231b in 2014, expected to reach $238b this year), and it is clear that e-tail is a major source of growth for the sector.


The digital revolution has transformed retail more than just about any other industry. With such strong growth, the online retail market is reaching a level of maturity, with new players unlikely to see the same growth spikes enjoyed by the original pioneers. Increased competition is great for consumers, but not so great for start-ups, as prices are driven down by larger sites opting for below cost flash sales to drive volume based supplier incentives.

Most online marketing practices revolve around the retailer’s website, with subscription based models, social media advertising and retargeting campaigns all trying to steer the consumer back to the main site or app.

And that makes the website and/or app a potential single point of failure in a retailer’s marketing strategy.

Consumers are brutal and impatient with online purchases. Pause at check-out, too many pop-ups, too many questions, payment gateway issues etc etc, can really make it hard to get the customer to purchase, let alone return to the site.

Unlike a chain of retail stores that can redirect customers around a city to another store when there’s an issue in the shop, when a site is down and the consumer is set on making that purchase, there’s a good chance they’ll ‘Google’ the item and go elsewhere.

So if you’re an e-tailer, what steps can you take to keep your site up?

1. Choose the right CMS

A content management system is software that keeps track of every piece of content on your website, much like your local public library catalogues and stores books for easy access. A major advantage of using a CMS is that it requires almost no technical skill or knowledge to manage. Since the CMS manages all of your content, you don’t have to. The most popular CMSs for ecommerce are Magento and WooCommerce (WordPress).

Each CMS has different requirements to achieve maximum performance and reliability. So make sure your web host understands and has experience with your chosen CMS.

2. Be ready for sales

Websites often crash or come unstuck when a marketing campaign, flash sale or social media strategy attracts large volumes of customers without first checking that the infrastructure can cope. It’s no good waiting until just before the campaign goes viral before calling the developer or host in a panic to check there is enough server capacity.

If you’re in the habit of paying for extra everything just in case you may need it some day, you might already have a heap of machines ready to take the load (and a much bigger monthly bill to boot). But if you’re not a fan of throwing money away, you need to forecast and prepare for the increase in traffic.

Based on prior trends, your host can help you determine how far to scale up and for what time frame. However, for complete confidence, cloud-based elastic computing can burst up and down as required, making sure your site is always prepared for any unexpected uplift.

3. Code deployment

There’s many a slip betwixt cup and lip, so make sure your developer has a process for thoroughly testing code before it goes live into a production environment. The last thing you want is to have some unruly code slip through into production and scupper all of your inventory items just before the big sale launch.

Most developers schedule code deployments infrequently, as it’s an arduous process. So when bad code is somehow deployed, the dev has to go back to trawl through the recent releases to find the culprit. While this long and painful process happens, the site may be slow (or down), leading to a potential reduction in sales.

Ideally, the developer should use staging and testing environments to thoroughly check any code. As any variations between these environments will mean the results of testing will be inconclusive, these should always be an exact mirror of the production environment. A solid testing, staging and production setup makes it easy to test and deploy, without the downtime involved with traditional deployments.

4. High Availability

As a single server is also a potential single point of failure, High Availability (HA) infrastructures involve more than one server. The benefits of a highly available environment tend to be straight-forward and relatively obvious. However, a number of considerations come into play; most commonly, cost.

But this increase in cost should be balanced against overall uptime and performance, recovery time in the event of a failure, and maintenance flexibility. Each of these can also pose a major expense to your business, through lost sales, increased man-hours and speed to market.

To see whether High Availability would work for you, ask your host about its SLAs. What is the guaranteed turnaround time to rectify a problem in a non-HA environment before you become eligible for compensation? Usually this is measured in hours, if not days, so consider what this would mean for you in lost sales terms if the worst were to happen during your biggest sale of the year.

5. Stay on top of patching, updates and security

Your site is made up of many layers of software, sitting on top of infrastructure. Software vulnerabilities are regularly found and exploited, placing your website and your customers at risk. Without the preventative work of your developer and host, these can harm the integrity of your site, resulting in downtime and customer loss.

The site’s stability is only as good as the health of this software, with the application layer at the top. Your CMS, plugins, underlying language framework and Operating System should also be continually updated and patched.

These are but a taste of the best practices involved in keeping a business-critical website up. Until a generation feels the need for a digital detox, online retail will remain the most effective method for reaching a wider audience with your products. Architecting a robust website front and back end will ensure that the FOMO generation can continue to shop with you without a hitch.

* Sources:

  • http://www.emarketer.com/Article/Australian-Retail-Ecommerce-Sales-Top-10-Billion-2015/1011823
  • https://www.sensis.com.au/content/dam/sas/PDFdirectory/Sensis_Social_Media_Report_2015.pdf
  • http://www.hapticgeneration.com.au/survey-tells-us-how-australians-use-smartphones-and-tablets/

The post Online retail growth in Australia and FOMO appeared first on Anchor Cloud Hosting.

Schneier on Security: Flash Drive Lock

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This device is clever: it’s a three-digit combination lock that prevents a USB drive from being read. It’s not going to keep out anyone serious, but is a great solution for the sort of casual security that most people need.

Krebs on Security: Flash, Java Patches Fix Critical Holes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software. Separately, Oracle today released an update to plug more than two-dozen flaws in its Java software. Both programs plug directly into the browser and are highly targeted by malicious software and malefactors. Although Flash and Java are both widely installed, most users could probably ditch each program with little to no inconvenience or regret.

The latest Flash version, Flash 19.0.0.226 on Windows and Mac, fixes a flaw that Adobe warned last week was already being exploited in active attacks. As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

JAVA

Separately, Oracle has released its quarterly patch update for Java, another powerful browser plugin that also is heavily targeted by malware and ne’er-do-wells. This update for Java — which brings the program to Java 8 Update 65 — fixes at least 25 security vulnerabilities. According to Oracle, all but one of those flaws may be remotely exploitable without authentication, meaning they can be exploited over a network without the need for a username and password.

If you have Java installed, please update it as soon as possible. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

LWN.net: Tuesday’s security updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated postgresql-9.4 (two vulnerabilities) and wordpress (multiple vulnerabilities).

Fedora has updated opensmtpd (F22: multiple vulnerabilities) and sssd (F22; F21: memory leak).

openSUSE has updated flash-player (11.4: multiple vulnerabilities).

SUSE has updated librsvg (SLE11SP3,4: denial of service) and qemu (SLE12: multiple vulnerabilities).

Ubuntu has updated kernel (14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).

LWN.net: Security updates for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated flashplugin (multiple vulnerabilities), miniupnpc (code execution), and spice (multiple vulnerabilities).

Debian has updated owncloud (multiple vulnerabilities).

Debian-LTS has updated freeimage (integer overflow) and postgresql-8.4 (denial of service).

Fedora has updated firefox (F22: multiple vulnerabilities) and lxdm (F22; F21: two vulnerabilities).

Gentoo has updated bind (denial of service).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

openSUSE has updated docker (13.2: two vulnerabilities).

Red Hat has updated flash-plugin (RHEL6: multiple vulnerabilities).

SANS Internet Storm Center, InfoCON: green: Adobe Flash Update, (Fri, Oct 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released a new Flash Player update to fix the latest 0-day vulnerabilities.

Flash Player v 19.0.0.226
Flash Player ESR v 18.0.0.255

To update, visit https://get.adobe.com/flashplayer/


Alex Stanford – GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center


Raspberry Pi: Compute Module CubeSats

This post was syndicated from: Raspberry Pi and was written by: David Honess. Original post: at Raspberry Pi

CubeSats are a type of miniature satellite that’s around the size of a shoe box and made from easily available, non-aerospace, parts. Because CubeSats use widely supported technologies, you no longer have to be a government or a space corporation to send a satellite into orbit: building a CubeSat is within the reach of individuals, universities and other organisations. The small size of the Raspberry Pi Compute Module makes it suitable for this very exciting application, and today we have a guest blog post from the University of Surrey to tell us more.

The Surrey Space Centre, Chris Bridges and CubeSats

Dr Chris Bridges leads the spacecraft On-Board Data Handling group in the Surrey Space Centre at the University of Surrey. He researches and teaches computer hardware and software to provide reliable computer processing in the harsh radiation environment of space. Chris is also an amateur radio enthusiast, with a passion for hacking almost any electronics for space and telling everyone that the sky is most definitely not the limit. He was involved at the beginning of the Astro Pi project back in 2014; since then he has been working on numerous space flight projects involving Raspberry Pi devices and has been doing thermal and vacuum tests on them with his students.

Dr Chris Bridges


Together with Surrey Satellite Technology Ltd, he designed, built, programmed, launched, and operated the UK’s first CubeSat, called STRaND1. The STRaND1 mission aimed to train new researchers and students as well as to launch novel payloads aboard CubeSats, including a smartphone. The team is proud of the enthusiastic coverage that the BBC and New Scientist magazine gave to the world’s first ‘phone-sat’!

 STRaND-1 CubeSat

STRaND-1 flight ready February 2013 with Shaun Kenyon, Dr Peter Shaw, Dr Chris Bridges | Photo courtesy of Surrey Satellite Technology Ltd

Raspberry Pi in space: detecting other CubeSats

Space is a harsh environment where it’s difficult to ensure that a computer will operate reliably for an extended period of time. Cosmic radiation interferes with transistors and can bit-flip computer memory (change the state of a single binary bit from a 0 to a 1 or from a 1 to a 0) causing what’s known as a single event upset crash.

Solving this is traditionally highly expensive, but using commercial off-the-shelf technologies has been proven as an effective method in reducing these costs. Being small, powerful, and low-cost, with large community support, Raspberry Pis are an obvious candidate here, provided that they can operate reliably in space. Chris says,

CubeSats and nanosatellites are a great educational tool used around the world – for students, staff, and researchers to learn about the Earth, and explore further into our solar system. For me, the new tech I’d like to try out is towards better computing parts – the Raspberry Pi fits the bill here.

Led by Professor Craig Underwood at the Surrey Space Centre, Chris is working on the on-board computer for the STRaND2 and AAReST CubeSat missions, along with CalTech and the NASA Jet Propulsion Laboratory in the US. These CubeSat missions require the processing and detection of other CubeSats in flight for rendezvous and docking experiments, as well as for collision avoidance manoeuvres.

These kinds of CubeSats employ light detection and ranging technologies (LIDAR) as a way to measure distance to nearby objects in space. This works by illuminating the target with a laser beam and then analysing the reflected light to calculate how far away the target is.

Postgrad student Richard Duke achieved this with a Raspberry Pi, an ordinary Microsoft Kinect and some custom Linux drivers that he rewrote himself. He now works at Surrey Space Centre as a software engineer. Enthusiasts can find detailed information in Craig and Chris’ paper on AAReST published in Acta Astronautica and their paper on STRaND2 at the IEEE/AIAA Aerospace Conference.


AAReST concept demonstrating the launch of four CubeSats (left), initial configuration (middle) and secondary configuration (right) after successful in-flight docking manoeuvres.

Richard says,

The project allowed me to gain real-world technical knowledge into Linux hardware drivers and the building of a full LIDAR sensor package. Using low-cost but highly capable components such as the Raspberry Pi in spaceflight is a hugely exciting area of technology. It’s been fantastic to be a part of developing real space projects as part of my Masters degree.

Here is a video of Richard’s work, showing a Raspberry Pi Model B controlling a CubeSat on a frictionless test platform. It’s sending the LIDAR information over WiFi back to a Windows laptop which is processing it. The detection algorithm autonomously obtains the range and pose of the target/obstacle (the cardboard Kinect box) sixteen times every second. You can even hear the compressed air propulsion from the CubeSat firing as it gets close to the target in order to avoid a collision.

Raspberry Pi + SoftKinectic + WiFi + Battery Pack = Satellite LIDAR

Towards the AAResT mission with CalTech and NASA JPL, MSc student Richard Duke shows us his developments for soft and hard real-time rendezvous and docking on the granite table for new close proximity operations. It shows the RPi B+ routing the LIDAR information over WiFi TCP back to be plotted.


A Model B Raspberry Pi sits at the top of this LIDAR CubeSat stack

The Raspberry Pi Compute Module and reliability through redundancy

One way of making sure that a Raspberry Pi can operate reliably in space is through redundancy: if multiple Raspberry Pis are used, then if one of them fails, another can take over (the same approach used on the space shuttle). Using this method, students at the Surrey Space Centre have developed several on-board computer systems.

The smallest size of the popular CubeSat format measures just 10x10x10cm (known as 1U), and the largest 10x10x34cm (3U). As physical space is at a premium inside a CubeSat, undergraduate Oliver Launchbury-Clark developed a new on-board computer specifically for the AAReST CubeSat mission. Designed in KiCad (an open source PCB design tool), Oliver’s board is PC/104-compliant and features two Raspberry Pi Compute Modules and an MSP430 microcontroller to provide some ultra-low power functionality.

Raspberry Pi Compute Module, as used in CubeSats

The Compute Module contains the guts of a Raspberry Pi (the BCM2835 processor and 512Mbyte of RAM) as well as a 4Gbyte eMMC Flash device (which is the equivalent of the SD card in the Pi). This is all integrated onto a small 67.6x30mm board which fits into a standard DDR2 SODIMM connector (the same type of connector as that used for laptop memory).

The Raspberry Pis kindle an interest in space, programming and engineering in general by providing an accessible method for students of any age to have their programs run in space.

CubeSat on-board computer, featuring two Raspberry Pi Compute Modules

CubeSats: widening access to space

Building CubeSats is just as hard as building a full satellite – but being able to use the latest technologies that are widely supported means that access is no longer restricted to government space programmes or large space corporations. Now, universities and private individuals can undertake these ambitious projects too.

Craig and Chris visited Caltech in Pasadena USA and got a chance to visit the NASA Jet Propulsion Laboratory in September 2015. Chris writes,

It’s a truly inspiring place – and we now need to build and work on the software to meet all the mission requirements.


Craig and Chris at NASA Jet Propulsion Laboratory

At the SmallSat Conference in Utah, it was announced that the AAReST mission is planned for launch in 2018 – just one of the many CubeSat missions NASA is working on.

The tweet below shows different CubeSat missions (rows) and when they were/are planned to fly (columns).

Chris Brunskill on Twitter

Cubesat business worth $100m to @NASAJPL. 17 missions planned through to 2018 #SpaceMissionUK #SmallSat15 pic.twitter.com/sWSdH73tlZ

Many thanks to the Raspberry Pi Foundation for donating Pis and a Compute Module to begin all this development. Chris will be looking for more Surrey students to get involved to create new software chains with US partners – so feel free to get in touch with him to help develop their line of CubeSats!

The post Compute Module CubeSats appeared first on Raspberry Pi.

LWN.net: Security advisories for Friday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated firefox (information disclosure).

Debian-LTS has updated zendframework (SQL injection).

Fedora has updated kernel (F22: privilege escalation).

Mageia has updated 389-ds-base (cipher downgrade), cyrus-imapd (unspecified), and wireshark (denial of service).

openSUSE has updated flash-player (13.2, 13.1: unspecified).

Oracle has updated lxc (OL7; OL6: apparmor policy bypass).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), openstack-glance (RHELOSP: two vulnerabilities), openstack-neutron (RHELOSP: ACL bypass), openstack-nova (RHELOSP: denial of service), openstack-swift (RHELOSP: information disclosure), python-django (RHELOSP: multiple vulnerabilities), and qemu-kvm-rhev (RHELOSP: code execution).

SUSE has updated flash-player (SLE12; SLE11SP3,4: unspecified).

Ubuntu has updated click (15.04, 14.04: privilege escalation), firefox (15.04, 14.04, 12.04: information disclosure), and postgresql-9.1, postgresql-9.3, postgresql-9.4 (15.04, 14.04, 12.04: two vulnerabilities).

SANS Internet Storm Center, InfoCON: green: Ongoing Flash Vulnerabilities, (Thu, Oct 15th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

We got a number of readers asking about the ongoing issues with Flash. Adobe released its regular monthly update for Flash on Tuesday; after applying it, you should be running Flash 19.0.0.207. However, on Wednesday, Adobe published a security bulletin [1] warning that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe currently describes the attacks as targeted and limited.

Sometime next week, an update to Flash will be released to address this vulnerability.

So what should you do and what does this all mean?

Next week's patch is unlikely to change the fact that there are a large number of so far unpublished vulnerabilities in Flash. Some of the groups exploiting these vulnerabilities appear to find them faster than Adobe patches them. Even after Adobe releases a patch next week, new vulnerabilities will likely be exploited starting as soon as the patch is released. So really, one more patch won't fundamentally change anything.

What should you do?

If possible, uninstall Flash. If you cannot uninstall it, at least make sure that your browser does not automatically launch Flash applets. This click-to-play behavior should be enabled for all plugins that support it (e.g. Java).

Here are some quick tips on how to enable click-to-play:

Firefox: Click-to-play should be enabled by default. Check the plugins.click_to_play setting in about:config to make sure it is set to true. That global switch is applied per plugin, so also open about:addons, select Plugins, and make sure Shockwave Flash is set to "Ask to Activate" rather than "Always Activate"; otherwise Flash will still run automatically.

Internet Explorer: Click the gear icon and select Manage Add-ons. For the Shockwave Flash Object, select More Information. By default, all sites are approved because of the wildcard * in the approved sites box. Delete it.

Google Chrome: In chrome://settings click on Show advanced settings… at the bottom of the page. Click on the Content Settings button under Privacy and select Let me choose when to run plugin content under Plugins. You can also review existing exceptions that you may have set up in the past, and disable individual plugins.

Safari: Check the Security tab in Preferences. Under Plugin Settings you can enable/disable individual plugins.
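Here is one way to turn two of the points above into a script: checking an installed Flash version against the 19.0.0.207 that Tuesday's update shipped (while still flagging the unfixed CVE-2015-7645), and checking whether a Firefox profile actually enforces click-to-play for Flash. This is an added example, not code from the ISC diary. The prefs.js text is a constructed sample, and the pref names plugins.click_to_play and plugin.state.flash, their 0/1/2 meanings, and the assumed 2015-era defaults are my assumptions about Firefox, not something the diary states.

```python
import re

# Version shipped by Adobe's Tuesday update (from the diary above).
PATCHED_VERSION = "19.0.0.207"
# Vulnerability the Wednesday bulletin says is exploited but not yet fixed.
UNPATCHED_CVE = "CVE-2015-7645"

# Constructed sample of a Firefox prefs.js; not taken from any real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1444900000);
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", true);
user_pref("plugin.state.flash", 2);
user_pref("plugin.state.java", 1);
"""


def parse_version(text):
    """'19.0.0.207' -> (19, 0, 0, 207). Also accepts the comma-separated
    form Windows shows in a DLL's version resource ('19,0,0,207')."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def flash_status(installed):
    """Classify an installed Flash version against the Tuesday update."""
    if parse_version(installed) < parse_version(PATCHED_VERSION):
        return (f"OUTDATED: {installed} is below {PATCHED_VERSION}; "
                f"missing Tuesday's fixes and exposed to {UNPATCHED_CVE}")
    # Being current is not the same as being safe: the bulletin's
    # vulnerability has no fix yet, so say so rather than reporting "OK".
    return (f"CURRENT: {installed} has Tuesday's fixes but is still "
            f"exposed to {UNPATCHED_CVE} until the next update ships")


_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(prefs_js):
    """Parse prefs.js text into {name: value}; values become bool/int/str."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def firefox_flash_autoruns(prefs):
    """True if Flash content would run without a click in this profile.

    plugins.click_to_play is the global switch; plugin.state.flash is the
    per-plugin choice shown in about:addons (0 = never activate,
    1 = ask to activate, 2 = always activate). The defaults assumed here
    (global switch on, Flash set to always activate) are an assumption
    about a stock 2015 profile, not something the diary states.
    """
    state = prefs.get("plugin.state.flash", 2)
    if state == 0:
        return False  # plugin disabled outright
    if not prefs.get("plugins.click_to_play", True):
        return True   # click-to-play off globally: enabled plugins always run
    return state == 2  # 1 = ask first; 2 = always activate


def audit(installed_version, prefs_js):
    """Combine both checks into one report for a single workstation."""
    prefs = parse_prefs(prefs_js)
    return {
        "flash": flash_status(installed_version),
        "firefox_flash_autoruns": firefox_flash_autoruns(prefs),
    }


if __name__ == "__main__":
    report = audit("19.0.0.207", SAMPLE_PREFS_JS)
    print(report["flash"])
    if report["firefox_flash_autoruns"]:
        print("Firefox: Flash still auto-runs; set it to Ask to Activate")
```

The point of the version check is that a host reporting 19.0.0.207 is "fully patched" by inventory standards and still exploitable; the report wording makes that explicit so nobody closes the ticket. The Firefox check illustrates why looking at plugins.click_to_play alone is not enough: with the sample profile that switch is on, yet plugin.state.flash is 2, so Flash runs without a click.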

[1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.