Posts tagged ‘Other’

Raspberry Pi: Picademy South West

This post was syndicated from: Raspberry Pi and was written by: Carrie Anne Philbin. Original post: at Raspberry Pi

Next stop on the great Raspberry Pi Education Team Tour of Great Britain is the South West of England! That’s right: we’re taking Picademy, the official Raspberry Pi Professional Development course for teachers, on the road again, thanks to our friends at Exeter Library in Devon! I’m already packing my bucket, spade and kiss-me-quick hat. As always, Picademy is completely free to attend.


Raspberry Pi Certified Educators – April 2015 from cohort no. 8. All demonstrating their best super hero pose!

Exeter Library is an appealing venue for Picademy, with an onsite Fab Lab (fabrication workshop) equipped with laser cutters, 3D printers, and more. I expect we will see some fantastic project ideas realised on day two of the course. Maybe even ‘Biscuits’ the robot will get a shiny new hat courtesy of Clive’s mega-making skills.

Picademy South West will take place on 4th and 5th June. We have space for 24 enthusiastic teachers from Primary, Secondary and Post-16 who are open to getting hands on with their learning and having some fun. We’d like to see lots of teachers from Cornwall, Devon, Somerset, and Dorset take full advantage of this two day event. Sign-ups for teachers are open!


Our Raspberry Pi Certified Educators Map shows that the team are needed in the South West!

For educators in and around Leeds, remember that our Picademy@Google training events are open for sign-ups too, as we continue to spread free training opportunities across the UK. In the coming months we will announce other venues as part of the Google series.

Krebs on Security: A Day in the Life of a Stolen Healthcare Record

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

When your credit card gets stolen because a merchant you did business with got hacked, it’s often quite easy for investigators to figure out which company was victimized. The process of divining the provenance of stolen healthcare records, however, is far trickier because these records typically are processed or handled by a gauntlet of third party firms, most of which have no direct relationship with the patient or customer ultimately harmed by the breach.

I was reminded of this last month, after receiving a tip from a source at a cyber intelligence firm based in California who asked to remain anonymous. My source had discovered a seller on the darknet marketplace AlphaBay who was posting stolen healthcare data into a subsection of the market called “Random DB ripoffs,” (“DB,” of course, is short for “database”).

Eventually, this same fraudster leaked a large text file titled, “Tenet Health Hilton Medical Center,” which contained the name, address, Social Security number and other sensitive information on dozens of physicians across the country.


An AlphaBay user named “Boogie” giving away dozens of healthcare records he claims to have stolen.

Contacted by KrebsOnSecurity, Tenet Health officials said the data was not stolen from its databases, but rather from a company called InCompass Healthcare. Turns out, InCompass disclosed a breach in August 2014, which reportedly occurred after a subcontractor of one of the company’s service providers failed to secure a computer server containing account information. The affected company was 24 ON Physicians, an affiliate of InCompass Healthcare.

“The breach affected approximately 10,000 patients treated at 29 facilities throughout the U.S. and approximately 40 employed physicians,” wrote Rebecca Kirkham, a spokeswoman for InCompass.

“As a result, a limited amount of personal information may have been exposed to the Internet between December 1, 2013 and April 17, 2014,” Kirkham wrote in an emailed statement. “Information that may have been exposed included patient names, invoice numbers, procedure codes, dates of service, charge amounts, balance due, policy numbers, and billing-related status comments. Patient social security number, home address, telephone number and date of birth were not in the files that were subject to possible exposure. Additionally, no patient medical records or bank account information were put at risk. The physician information that may have been exposed included physician name, facility, provider number and social security number.”

Kirkham said up until being contacted by this reporter, InCompass “had received no indication that personal information has been acquired or used maliciously.”

So who was the subcontractor that leaked the data? According to PHIprivacy.net (and now confirmed by InCompass), the subcontractor responsible was PST Services, a McKesson subsidiary providing medical billing services, which left more than 10,000 patients’ information exposed via Google search for over four months.

As this incident shows, a breach at one service provider or healthcare billing company can have a broad impact across the healthcare system, but can be quite challenging to piece together.

Still, not all breaches involving health information are difficult to backtrack to the source. In September 2014, I discovered a fraudster on the now-defunct Evolution Market dark web community who was selling life insurance records for less than $7 apiece. That breach was fairly easily tied back to Torchmark Corp., an insurance holding company based in Texas; the name of the company’s subsidiary was plastered all over stolen records listing applicants’ medical histories.

HEALTH RECORDS GET AROUND

Health records are huge targets for fraudsters because they typically contain all of the information thieves would need to conduct mischief in the victim’s name — from fraudulently opening new lines of credit to filing phony tax refund requests with the Internal Revenue Service. Last year, a great many physicians in multiple states came forward to say they’d been apparently targeted by tax refund fraudsters, but could not figure out the source of the leaked data. Chances are, the scammers stole it from hacked medical providers like PST Services and others.

In March 2015, HealthCare IT News published a list of healthcare providers that experienced data breaches since 2009, using information from the Department of Health and Human Services. That data includes HIPAA breaches reported by 1,149 covered entities and business associates, and covers some 41 million Americans. Curiously, the database does not mention some 80 million Social Security numbers and other data jeopardized in the Anthem breach that went public in February 2015 (nor 11 million records lost in the Premera breach that came to light in mid-March 2015).

Sensitive stolen data posted to cybercrime forums can rapidly spread to miscreants and ne’er-do-wells around the globe. In an experiment conducted earlier this month, security firm Bitglass synthesized 1,568 fake names, Social Security numbers, credit card numbers, addresses and phone numbers that were saved in an Excel spreadsheet. The spreadsheet was then transmitted through the company’s proxy, which automatically watermarked the file. The researchers set it up so that each time the file was opened, the persistent watermark (which Bitglass says survives copy, paste and other file manipulations), “called home” to record view information such as IP address, geographic location and device type.

The company posted the spreadsheet of manufactured identities anonymously to cyber-crime marketplaces on the Dark Web. The result was that in less than two weeks, the file had traveled to 22 countries on five continents, was accessed more than 1,100 times. “Additionally, time, location, and IP address analysis uncovered a high rate of activity amongst two groups of similar viewers, indicating the possibility of two cyber crime syndicates, one operating within Nigeria and the other in Russia,” the report concluded.

Source: Bitglass


SANS Internet Storm Center, InfoCON: green: Actor using Fiesta exploit kit, (Tue, Apr 28th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

An Enduring Adversary

This diary entry documents a criminal group using the Fiesta exploit kit (EK) to infect Windows computers. I previously wrote a guest diary about this group on 2014-12-26 [1] and provided some updated information on my personal blog [2]. I first noticed this group in 2013, and it’s likely been active well before then.

The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain. I’m calling this group the BizCN gate actor because all its gate domains are registered through Chinese registrar www.bizcn.com, and they all reside on a single IP address. The registrant data is privacy-protected through Wuxi Yilian LLC.

Earlier this month, the BizCN gate actor changed its gate IP to 136.243.227.9 [3]. We’re currently seeing the gate lead to Fiesta EK on 205.234.186.114. Below is a flow chart for

[flow chart image not reproduced]

Traffic From an Infected Host

The following image shows traffic from 136.243.227.9 (the gate) that occurred on 2015-04-26.

[image not reproduced]

Within the past week or so, Fiesta EK has modified its URL structure. Now you’ll find dashes and underscores in the URLs (something that wasn’t

[image not reproduced]

A pcap of this traffic at is available at: http://www.malware-traffic-analysis.net/2015/04/26/2015-04-26-Fiesta-EK-traffic.pcap

The malware payload on the infected host copied itself to a directory under the user’s AppData\Local folder. It also

[image not reproduced]

A copy of the malware payload is available at VirusTotal [4].

Below is an image from Sguil on Security Onion for EmergingThreats and ETPRO snort events caused by the infection.

[image not reproduced]

Indicators of Compromise (IOCs)

Passive DNS on 136.243.227.9 shows at least 100 domains registered through www.bizcn.com hosted on this IP address. Each domain is paired with a compromised website. Below is a list of the gate domains and their associated compromised websites I’ve found so far this month:

(Read: gate on 136.243.227.9 – compromised website)

  • doralerd.org – undertone.com
  • einseeld.com – forum.freeadvice.com
  • fogelicy.org – forum.thegradcafe.com
  • furarryl.org – forum.ppcgeeks.com
  • holamecs.com – marksdailyapple.com
  • hrortict.com – gm-trucks.com
  • indusish.org – christianforms.com
  • jadilips.org – forums.pelicanparts.com
  • khundalt.org – scienceforums.net
  • kroentro.com – longrangehunting.com
  • molporic.com – quiltingboard.com
  • muskiert.org – hacknmod.com
  • naraiarm.org – visajourney.com
  • nealychy.com – iwsti.com
  • nonypeck.com – forms.pinstack.com
  • octaneft.com – droidrzr.com
  • omaidett.com – nano-reef.com
  • rotonexy.org – acne.org
  • sulecass.com – rugerforum.net
  • trobirks.com – gtrlife.com
  • unitturt.org – dbstalk.com

How can you determine if your clients saw traffic associated with this actor? Organizations with web proxy logs can search for 136.243.227.9 to see the HTTP requests. Those HTTP headers should include a referer line with the compromised website. Many of these compromised websites use vBulletin.
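To make that proxy-log check repeatable, here is an added example (not code from the diary or from its author) that scans proxy logs for the gate IP, the Fiesta EK IP and the gate domains listed above, and reports the Referer host against the compromised site the diary pairs with each gate. The indicator values are the diary’s; the log format (Apache combined format with the full request URL), the client addresses and the URL paths in the sample lines are constructed assumptions for this example.

```python
"""Added example, not part of the ISC diary: hunt for BizCN gate / Fiesta EK
traffic in web-proxy logs using the diary's indicators, and tie each hit back
to the compromised site that sent the client there via the Referer header.

Assumption: the proxy writes Apache "combined" format with the full request
URL in the request line (adapt LOG_RE to your proxy). SAMPLE_LOG is
constructed, with placeholder paths; it is not traffic from the diary's pcap."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

GATE_IP = "136.243.227.9"         # gate IP named in the diary
FIESTA_EK_IP = "205.234.186.114"  # Fiesta EK IP named in the diary

# Gate domain -> compromised referring site, exactly as listed in the diary.
GATE_DOMAINS: Dict[str, str] = {
    "doralerd.org": "undertone.com", "einseeld.com": "forum.freeadvice.com",
    "fogelicy.org": "forum.thegradcafe.com", "furarryl.org": "forum.ppcgeeks.com",
    "holamecs.com": "marksdailyapple.com", "hrortict.com": "gm-trucks.com",
    "indusish.org": "christianforms.com", "jadilips.org": "forums.pelicanparts.com",
    "khundalt.org": "scienceforums.net", "kroentro.com": "longrangehunting.com",
    "molporic.com": "quiltingboard.com", "muskiert.org": "hacknmod.com",
    "naraiarm.org": "visajourney.com", "nealychy.com": "iwsti.com",
    "nonypeck.com": "forms.pinstack.com", "octaneft.com": "droidrzr.com",
    "omaidett.com": "nano-reef.com", "rotonexy.org": "acne.org",
    "sulecass.com": "rugerforum.net", "trobirks.com": "gtrlife.com",
    "unitturt.org": "dbstalk.com",
}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client goes forum -> gate (404) -> Fiesta EK IP,
# another reaches the gate IP directly with a scienceforums.net referer.
SAMPLE_LOG = """\
10.20.30.40 - - [26/Apr/2015:15:12:01 -0500] "GET http://undertone.com/forum/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.20.30.40 - - [26/Apr/2015:15:12:02 -0500] "GET http://doralerd.org/ HTTP/1.1" 404 342 "http://undertone.com/forum/" "Mozilla/5.0"
10.20.30.40 - - [26/Apr/2015:15:12:03 -0500] "GET http://205.234.186.114/ HTTP/1.1" 200 12044 "http://undertone.com/forum/" "Mozilla/5.0"
10.20.30.41 - - [26/Apr/2015:15:13:10 -0500] "GET http://www.example.com/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.20.30.42 - - [26/Apr/2015:15:14:00 -0500] "GET http://136.243.227.9/ HTTP/1.1" 200 90 "http://www.scienceforums.net/topic/1/" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; '' for '-' or unparsable values."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def classify(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a request to a gate domain, the gate IP or the Fiesta EK IP.
    The HTTP status is deliberately not filtered: the diary notes the gate
    usually answers 404, and a 404 is still evidence the client was sent there."""
    host = host_of(rec["url"])
    if host in GATE_DOMAINS:
        kind = "gate-domain"
    elif host == GATE_IP:
        kind = "gate-ip"
    elif host == FIESTA_EK_IP:
        kind = "fiesta-ek"
    else:
        return None
    ref_host = host_of(rec["referer"])
    expected = GATE_DOMAINS.get(host)
    matches = bool(expected) and (ref_host == expected or ref_host.endswith("." + expected))
    return {"client": rec["client"], "ts": rec["ts"], "kind": kind, "host": host,
            "status": int(rec["status"]), "referer_host": ref_host,
            "expected_referer": expected, "referer_matches": matches}


def scan(lines) -> List[Dict[str, object]]:
    """Run classify() over raw log lines; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec) if rec else None
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["client"]} -> {h["host"]} [{h["kind"]}, HTTP {h["status"]}] '
              f'referer={h["referer_host"] or "-"}'
              + (" (referer matches listed compromised site)" if h["referer_matches"] else ""))
```

A referer that matches the paired forum is the strongest signal; a gate hit with no referer, or with a forum not on the list, is still worth a look because the diary’s list covers only the pairings found so far this month and the actor rotates domains.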

Final Notes

Researchers may have a hard time generating infection traffic from compromised websites associated with this actor. Most often, HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all. Other times, the HTTP GET request for the Fiesta EK landing page doesn’t return anything. It’s tough to get a full infection chain when you’re trying to do it on purpose.

The BizCN gate actor occasionally changes the IP address for these gate domains. Since their information is now public through this diary entry, the actor will likely change the gate’s IP address and domains again.

Unless there’s a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes.


Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/diary/Gate+to+Fiesta+exploit+kit+on+9424221669/19117
[2] http://www.malware-traffic-analysis.net/2015/02/05/index.html
[3] http://urlquery.net/search.php?q=136.243.227.9
[4] https://www.virustotal.com/en/file/66c4d1b42081a33a14f601b72fe513d9baa8a8aec083103dc3dc139d257644a2/analysis/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Matthew Garrett: Reducing power consumption on Haswell and Broadwell systems

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

Haswell and Broadwell (Intel’s previous and current generations of x86) both introduced a range of new power saving states that promised significant improvements in battery life. Unfortunately, the typical experience on Linux was an increase in power consumption. The reasons why are kind of complicated and distinctly unfortunate, and I’m at something of a loss as to why none of the companies who get paid to care about this kind of thing seemed to actually be caring until I got a Broadwell and looked unhappy, but here we are so let’s make things better.

Recent Intel mobile parts have the Platform Controller Hub (Intel’s term for the Southbridge, the chipset component responsible for most system i/o like SATA and USB) integrated onto the same package as the CPU. This makes it easier to implement aggressive power saving – the CPU package already has a bunch of hardware for turning various clock and power domains on and off, and these can be shared between the CPU, the GPU and the PCH. But that also introduces additional constraints, since if any component within a power management domain is active then the entire domain has to be enabled. We’ve pretty much been ignoring that.

The tldr is that Haswell and Broadwell are only able to get into deeper package power saving states if several different components are in their own power saving states. If the CPU is active, you’ll stay in a higher-power state. If the GPU is active, you’ll stay in a higher-power state. And if the PCH is active, you’ll stay in a higher-power state. The last one is the killer here. Having a SATA link in a full-power state is sufficient to keep the PCH active, and that constrains the deepest package power savings state you can enter.

SATA power management on Linux is in a kind of odd state. We support it, but we don’t enable it by default. In fact, right now we even remove any existing SATA power management configuration that the firmware has initialised. Distributions don’t enable it by default because there are horror stories about some combinations of disk and controller and power management configuration resulting in corruption and data loss and apparently nobody had time to investigate the problem.

I did some digging and it turns out that our approach isn’t entirely inconsistent with the industry. The default behaviour on Windows is pretty much the same as ours. But vendors don’t tend to ship with the Windows AHCI driver, they replace it with the Intel Rapid Storage Technology driver – and it turns out that that has a default-on policy. But to make things even more awkward, the policy implemented by Intel doesn’t match any of the policies that Linux provides.

In an attempt to address this, I’ve written some patches. The aim here is to provide two new policies. The first simply inherits whichever configuration the firmware has provided, on the assumption that the system vendor probably didn’t configure their system to corrupt data out of the box[1]. The second implements the policy that Intel use in IRST. With luck we’ll be able to use the firmware settings by default and switch to the IRST settings on Intel mobile devices.

This change alone drops my idle power consumption from around 8.5W to about 5W. One reason we’d pretty much ignored this in the past was that SATA power management simply wasn’t that big a win. Even at its most aggressive, we’d struggle to see 0.5W of saving. But on these new parts, the SATA link state is the difference between going to PC2 and going to PC7, and the difference between those states is a large part of the CPU package being powered up.
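The policy discussion above is easier to act on if you can see what each SATA host on a machine is currently set to. The following is an added example, not code from the post or from the kernel tree, that reads and writes the per-host link_power_management_policy attribute the kernel exposes under /sys/class/scsi_host. The three policy names are the ones the kernel accepted when the post was written (the patches it describes add others, so a newer kernel may accept more); the fake sysfs tree builder is scaffolding so the functions can be exercised without touching real hardware.

```python
"""Added example, not from Matthew Garrett's post: inspect and change the SATA
link power management policy per AHCI host via sysfs
(/sys/class/scsi_host/hostN/link_power_management_policy).

KNOWN_POLICIES are the values the kernel accepted at the time of the post;
newer kernels add more. build_fake_sysfs() is example scaffolding only."""
import glob
import os
import tempfile
from typing import Dict, List, Optional

SYSFS_ROOT = "/sys"
ATTR = "link_power_management_policy"
KNOWN_POLICIES = ("max_performance", "medium_power", "min_power")


def _attr_paths(root: str) -> List[str]:
    return sorted(glob.glob(os.path.join(root, "class", "scsi_host", "host*", ATTR)))


def sata_lpm_policies(root: str = SYSFS_ROOT) -> Dict[str, str]:
    """hostN -> current policy. Hosts without the attribute (non-AHCI, e.g.
    USB mass storage) simply do not appear."""
    out: Dict[str, str] = {}
    for path in _attr_paths(root):
        with open(path) as f:
            out[os.path.basename(os.path.dirname(path))] = f.read().strip()
    return out


def hosts_at_full_power(root: str = SYSFS_ROOT) -> List[str]:
    """Hosts whose policy never lets the link sleep. Per the post, one such
    link is enough to keep the PCH, and so the package, out of the deep states."""
    return [h for h, p in sata_lpm_policies(root).items() if p == "max_performance"]


def set_sata_lpm_policy(host: str, policy: str, root: str = SYSFS_ROOT) -> str:
    """Write a policy for one host and return what the kernel reports back.
    Needs root on a real system. min_power is the setting behind the
    corruption reports the post mentions: try it on a disposable machine first."""
    if policy not in KNOWN_POLICIES:
        raise ValueError(f"unknown policy {policy!r}; expected one of {KNOWN_POLICIES}")
    path = os.path.join(root, "class", "scsi_host", host, ATTR)
    if not os.path.exists(path):
        raise FileNotFoundError(f"{host} has no {ATTR} attribute (not an AHCI host?)")
    with open(path, "w") as f:
        f.write(policy + "\n")
    with open(path) as f:
        return f.read().strip()


def build_fake_sysfs(policies: Optional[Dict[str, str]] = None) -> str:
    """Create a throwaway tree shaped like /sys/class/scsi_host (example
    scaffolding, not real hardware) and return its root."""
    policies = policies or {"host0": "max_performance", "host1": "medium_power"}
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for host, policy in policies.items():
        d = os.path.join(root, "class", "scsi_host", host)
        os.makedirs(d)
        with open(os.path.join(d, ATTR), "w") as f:
            f.write(policy + "\n")
    # host2 mimics a non-AHCI host: the directory exists but has no policy attribute.
    os.makedirs(os.path.join(root, "class", "scsi_host", "host2"))
    return root


if __name__ == "__main__":
    root = SYSFS_ROOT if os.path.isdir("/sys/class/scsi_host") else build_fake_sysfs()
    for host, policy in sata_lpm_policies(root).items():
        print(f"{host}: {policy}")
    print("still at full link power:", hosts_at_full_power(root) or "none")
```

Run it as an unprivileged user to see the current state; writing a policy needs root, and the same caveat the post gives about disk/controller combinations applies to anything you change here.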

But this isn’t the full story. There’s still work to be done on other components, especially the GPU. Keeping the link between the GPU and an internal display panel active is both a power suck and requires additional chipset components to be powered up. Embedded Displayport 1.3 introduced a new feature called Panel Self-Refresh that permits the GPU and the screen to negotiate dropping the link, leaving it up to the screen to maintain its contents. There’s patches to enable this on Intel systems, but it’s still not turned on by default. Doing so increases the amount of time spent in PC7 and brings corresponding improvements to battery life.

This trend is likely to continue. As systems become more integrated we’re going to have to pay more attention to the interdependencies in order to obtain the best possible power consumption, and that means that distribution vendors are going to have to spend some time figuring out what these dependencies are and what the appropriate default policy is for their users. Intel’s done the work to add kernel support for most of these features, but they’re not the ones shipping it to end-users. Let’s figure out how to make this right out of the box.

[1] This is not necessarily a good assumption, but hey, let’s see


TorrentFreak: Police Arrest Potential Mayweather / Pacquiao Pirate

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The highly anticipated Mayweather / Pacquiao fight later this week is destined to become the most pirated live sports event in history.

Hundreds of thousands, if not millions of fans, will tune into various pirated streams to avoid paying for the “fight of the century.”

This prospect has many rightsholders worried. Sports streaming sites can expect an avalanche of takedown notices as soon as the broadcast starts, but TV outfit ABS-CBN is also taking a more proactive stance.

The company filed a complaint with the Philippine National Police Anti-Cybercrime Group (PNP-ACG) which led to the arrest of Jonathan Dela Cruz, an IT professor at a local university.

The professor, described as one of the most wanted movie and TV pirates, is the alleged operator of pinoy-tv-replay.com.

In addition to triggering the local investigation, ABS-CBN filed a lawsuit at a federal court in the United States (pdf). In the complaint the company mentions various trademark and copyright infringements as well as Dela Cruz’s plan to stream the Mayweather / Pacquiao fight.

“Defendant Dela Cruz’s pinoy-tv-replay.com website also promises to offer a live stream channel of the upcoming Floyd Mayweather v. Manny Pacquiao boxing match, which will be offered by ABS-CBN and other legitimate entertainment companies through various platforms,” ABS-CBN writes.

The TV company added a screencap of the advertisement for the unofficial broadcast which Dela Cruz allegedly used to lure in visitors.


To stop any further infringements ABS-CBN asked the Florida court for a temporary restraining order, which was granted a few days ago.

Dela Cruz is now forbidden from operating any site that infringes ABS-CBN’s rights and the TV-company also gets control over his domain name. In addition, the professor faces millions of dollars in damages.

At the time of writing pinoy-tv-replay.com is not responding, although a cached version is still available through CloudFlare’s “Always Online” service.

ABS-CBN’s Elisha Lawrence is happy that the “pirate” has been taken off the streets and encourages the public to avoid sketchy websites that offer free streams.

“We are enforcing against these sites to protect our viewers. But in the meantime as we go after each and every one of these sites, protect yourself and your family and stay away from free sites and free streaming sites. Don’t pay the high price for free,” Lawrence said.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Grooveshark Faces $736 Million in Copyright Damages

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Streaming music service Grooveshark has been through some turbulent times in its relatively short history, but events this week could determine the company’s future.

The dispute with the world’s largest recording labels in UMG Recording Inc et al v. Escape Media Group Inc et al is without doubt Grooveshark parent company Escape Media’s biggest challenge yet. At its heart is a copyright infringement claim that could run into hundreds of millions of dollars.

While the suit itself is complex, at its core is the complaint that Grooveshark co-founders and employees historically uploaded more than 150,000 infringing tracks to Grooveshark in order to increase its popularity.

“Please share as much music as possible from outside the office, and leave your computers on whenever you can,” wrote co-founder Josh Greenberg in an email to staff. “This initial content is what will help to get our network started—it’s very important that we all help out!”

As a result, last September U.S. District Judge Thomas P. Griesa ruled that the company’s two co-founders were directly and secondarily liable for infringing the copyrights of nine large recording labels.

Ahead of the trial which is due to begin today in the Federal Courthouse, New York, Judge Thomas P. Griesa delivered yet another blow to Grooveshark parent company Escape Media.

Noting that the case now involves ‘just’ 4,907 recordings (2,963 tracks plus 1,944 “employee uploads”) Judge Griesa said that the label plaintiffs have chosen to pursue statutory damages, meaning that if infringements are found to be “willful”, Grooveshark could be on the hook for $150,000 per track.

In the event the ruling notes that the court has already determined that Grooveshark acted both “willfully” and “in bad faith” although some defense will be allowed.

“Defendants may present proof as to the degree and extent of their willfulness or bad faith,” the Judge writes.

Among other things, Escape will argue that between 2007 and 2009 it showed good faith by approaching a number of the record company plaintiffs in an attempt to negotiate licensing deals.

“[The] court will permit defendants to present evidence at trial concerning the general factual background – but not the substantive financial terms – of the parties’ negotiations for future licensing. Such evidence or argument must be tethered to defendants’ state of mind or conduct in infringing the Works in Suit,” Judge Griesa adds.

If the jury doesn’t buy the arguments of Escape / Grooveshark and decides it appropriate to award the top rate, Escape Media could be forced to pay in excess of $736 million in damages. The jury could also award much less, but it’s difficult to envision an affordable outcome to the case for the streaming music service.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Krebs on Security: What’s Your Security Maturity Level?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Not long ago, I was working on a speech and found myself trying to come up with a phrase that encapsulates the difference between organizations that really make cybersecurity a part of their culture and those that merely pay it lip service and do the bare minimum (think ‘15 pieces of flair‘). When the phrase “security maturity” came to mind, I thought for sure I’d conceived of an original idea and catchy phrase.

It turns out this is already a thing. And a really notable thing at that. The graphic below, produced last year by the Enterprise Strategy Group, does a nice job of explaining why some companies just don’t get it when it comes to taking effective measures to manage cyber risks and threats.


Very often, experience is the best teacher here: Data breaches have a funny way of forcing organizations — kicking and screaming — from one vertical column to another in the Security Maturity matrix. Much depends on whether the security professionals in the breached organization have a plan (ideally, in advance of the breach) and the clout for capitalizing on the brief post-breach executive attention on security to ask for changes and resources that can assist the organization in learning from its mistakes and growing.

But the Security Maturity matrix doesn’t just show how things are broken: It also provides a basic roadmap for organizations that wish to change that culture. Perhaps unsurprisingly, entities that are able to manage that transition typically have a leadership that is invested in and interested in making security a core priority. The real trick is engineering ways to influence the leadership, with or without the fleeting momentum offered by a breach.

At last week’s RSA Security Conference in San Francisco, I had a chance to meet up with Demetrios “Laz” Lazarikos, the former chief information security officer at Sears. Now founder of the security consultancy blue-lava.net, Laz spends a great deal of time trying to impress upon his clients the need to take the security maturity model seriously. Here’s his sliding scale, which measures maturity in terms of preparedness and expectations.

Source: Blue Lava


I like Laz’s models because they’re customized to every organization, breaking down each business unit into its own security maturity score. The abbreviations in the graphic below — SDLC and PMO — stand for “security development life cycle” and “project management office,” respectively. Dark red boxes (marked with a “1”) indicate areas where the organization’s business unit needs the most work.

Source: Blue Lava Consulting


Laz’s security maturity hierarchy includes five levels:

  • Level 1 – Information Security processes are unorganized, and may be unstructured. Success is likely to depend on individual efforts and is not considered to be repeatable or scalable. This is because processes would not be sufficiently defined and documented to allow them to be replicated.
  • Level 2 – Information Security efforts are at a repeatable level where basic project management techniques are established and successes can be repeated. This is due to processes being established, defined, and documented.
  • Level 3 – Information Security efforts have greater attention to documentation, standardization, and maintenance support.
  • Level 4 – At this level, an organization monitors and controls its own Information Security processes through data collection and analysis.
  • Level 5 – This is an optimizing level where Information Security processes are constantly being improved through monitoring feedback from existing processes and introducing new processes to better serve the organization’s particular needs.

Where does your organization fit in these models? Are they a useful way for getting a handle on security and increasing maturity within your organization? Has your employer recently moved from one security maturity level to another? If so, tell us what you think prompted that shift. Sound off on these or any other thoughts on this subject in the comments below, please.

TorrentFreak: Farmers Unable to Repair Tractors Because Copyright: Never a Side Effect, But Core Intention of Law

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

This week, there have been stories about farmers who can’t legally repair their John Deere tractors, as copyright monopoly legislation prohibits tampering with computer code in something you own. This has been described as an “unexpected side effect” of the copyright monopoly legislation in general and the DMCA/EUCD in particular.

That’s wrong. It’s not a side effect and it’s not unexpected. That is exactly what those laws intended to accomplish. Being locked out of your own possessions is not a side effect – it was the central point of the legislation and its core purpose.

As usual, the geeks who understood the deeper repercussions of this cried murder over the legislation at the time, and were summarily ignored by policymakers. Perhaps only now, when it becomes clear that it’s not just geek toys that are affected but everything in our everyday life, will more people become aware of how the copyright monopoly limits property rights.

This development, eroding property rights of everything, has been driven by the cartoon industry – by which I mean the copyright industry in general and Disney Corporation in particular.

It started with DRM, Digital Restriction Measures. Somebody thought it was both possible and a good idea to control how playback of video and audio could take place at people’s homes after they bought music and movies. (Imagine that translated to books, by the way, that publishers thought it possible to control how a book would be read – where, when and how.)

Digital Restriction Measures (DRM) were never about preventing copying, even though they were frequently presented as “copy protection”, mostly for PR purposes. They did absolutely nothing to prevent copying. They prevented playback. They controlled playback. They permitted or didn’t permit playback.

However, the technology didn’t work. The technology couldn’t work. It wasn’t broken at the technical level, or needed a little bit of improvement: it was broken at the conceptual level. It relied on the cartoon industry’s ability to prevent the owner of an object to tinker with their own property. (This is where tractors and cars come in.)

Obviously, if a computer is able to decode and decrypt a cartoon, then the owner of that computer is also able to instruct their own computer to decode and decrypt it (presumably a copy they bought and therefore also own), even against the cartoon industry’s desire for that possibility.

This is why DRM is broken at the conceptual level.

In this respect, there is no difference between a copy of a car or tractor – one of many identical sold objects off a production line – and a CD or DVD. You hold the receipt, you own it. The manufacturer doesn’t get to say what you do with your own property.

Or didn’t, at least.

The cartoon industry – copyright industry – realized that they needed to attack the core concept of the ability to hold property in order to prop up their crumbling copyright monopoly, and pushed for legislation that turned out as something called the DMCA in the US and the EUCD/InfoSoc in Europe. It “fixes” the conceptual problem with DRM by simply making it illegal to tinker with your own property when the original manufacturer, who sold the object to you, doesn’t want it tinkered with even after it’s been sold to you.

Yes, that’s a blatant intrusion into the very core concept of property rights. It also illustrates how the copyright monopoly, a governmentally-granted private monopoly, was always firmly in opposition to property rights (despite the copyright industry’s insistent attempts to reframe it as “property” for PR purposes, which is one of many lies from that cartoon industry).

As computers are spreading through society, into every aspect of our lives, so are the effects of the law that the copyright industry rammed through legislative corridors fifteen years ago.

John Deere claiming that farmers aren’t allowed to tinker with their tractors and other farming equipment is not an “unfortunate side effect” of copyright monopoly legislation. It was the core idea, all along, to prevent owners of property from exercising their normal property rights. That was the only possible way the copyright monopoly was even slightly maintainable in a digital environment.

One has to ask whether it was, and continues to be, worth that price.

In any case, now that it’s not just geeks and nerds being affected by the cartoon industry’s wholesale slaughter of civil liberties but car owners and farmers and most ordinary people, one can hope that understanding of the fundamental idiocy of these laws can start to surface a little wider.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.


Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Experts Urge Canada to Stop Threatening Piracy Notices

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Due to a recent change in Canada’s copyright law, ISPs are now required to forward copyright infringement notices to their customers.

As a result, hundreds of thousands of Internet subscribers have received warnings in their mailboxes since the start of the year, with some asking for cash settlements.

The so-called notice-and-notice system aims to reduce local piracy rates but this hasn’t been without controversy. From the start, copyright holders have taken advantage of the system to send subscribers settlement offers, or threaten them with inaccurate legal penalties.

Hoping to fix these ‘abuses’, copyright experts and advocacy groups have this week written a letter to Canada’s Minister of Industry, James Moore.

Signed by the University of Ottawa, OpenMedia, Project Gutenberg Canada, Consumers Council of Canada, Electronic Frontier Foundation and many others, the letter warns of abuse while proposing several changes.

“As we feared, copyright trolls have in fact taken advantage of the Notice and Notice system to ramp up their abusive practices in Canada,” the groups write to the Minister.

“We have seen notices claiming infringement of foreign law, misrepresenting the scope of damages recipients potentially face, omitting mention of defenses, and failing to identify the notice as a mere allegation of infringement.”

In the short term, the Minister should use his regulatory powers to correct abuses, the groups suggest. For example, notices should make clear that they represent an allegation, not a determination of infringement.

The popular settlement demands or offers, which can amount to hundreds of dollars per notice, should also be banned. In addition, notices should include a mention of copyright exceptions such as fair use.

The groups further propose various penalties for copyright holders. For example, senders of notices with false or misleading information should be held liable and punished appropriately.

In the long term, the letter recommends that the Government adopt new legislation to tackle copyright trolls and various other forms of abuse.

“Canada requires a legislative response to the abusive and deceitful tactics of a minority of copyright owners and their agents. The emergence of a cottage industry of copyright trolls and their migration to Canada is just one example of how copyright can be abused,” the groups write.

“The next round of copyright reform must include a copyright misuse provision to curb such wrong-doing,” they add.

The full letter, which includes more recommendations, is available here.


TorrentFreak: Leaked Piracy Report Details Fascinating Camcording Investigations

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

This week the UK’s Federation Against Copyright Theft (FACT) released its latest report detailing the rewards presented to cinema workers who disrupt so-called movie “cammers”. FACT is the main group to release this kind of report and no equivalent is regularly made available in any other English-speaking country.

While the insight is useful to build a picture of “anti-camming” activity in the UK, FACT is obviously selective about the information it releases. While big successes receive maximum publicity, relative failures tend to be brushed under the carpet. Something else the group would like to keep secret is a set of presentations made to Sony Pictures in 2010, but thanks to a trove of leaked emails that is no longer possible.

The presentation begins with FACT stating that it’s the “best known and most respected industry enforcement body of its kind in the UK” and one that has forged “excellent relationships with public enforcement agencies and within the criminal justice system”.


FACT goes on to give Sony several examples of situations in which it has been involved in information-sharing exercises with the authorities. The exact details aren’t provided, but somewhat surprisingly FACT says they include murder, kidnap and large-scale missing persons investigations.

But perhaps of most interest are the details of how the group pursues those who illegally ‘cam’ and then distribute movies online. The presentation focuses on the “proven” leak of five movies in 2010, the total from UK cinemas for that year.

Vue Cinemas, North London

First up are ‘cams’ of Alice in Wonderland and Green Zone that originated from a Vue Cinema in North London. Noting that both movies had been recorded on their first day using an iPhone (one during a quiet showing, the other much more busy), the presentation offers infra-red photographic evidence of the suspect recording the movies.

Alice in Wonderland camming

Green Zone camming

Cineworld – Glasgow

The documentation behind this Scotland-based investigation is nothing short of fascinating. FACT determined that their suspect was the holder of a Cineworld Unlimited pass which at the time he had used 14 times.

On three occasions the suspect had viewed the movie Kick-Ass, including on the opening day. The ‘cammed’ copy that leaked online came from that viewing. The suspect also viewed Clash of the Titans, with a camcorded version later appearing online from that session. The man also attended three Iron Man 2 viewings at times which coincided with watermarks present on the online ‘cammed’ copies.

Working in collaboration with the cinema, FACT then obtained CCTV footage of the man approaching a cash desk.


Putting it all together

The most interesting document in the entire presentation is without doubt FACT’s investigative chart. It places the holder of the Cineworld Unlimited pass together with a woman found as a friend on his Facebook page. Described as IC1 (police code for white/Caucasian), FACT notes that the pair attended the Cineworld cinema together on at least one occasion.

The unnamed female is listed at a property in Glasgow and from there things begin to unravel. An IP address connected with that residence uploaded a copy of Kick-Ass which was later made available by an online release group. The leader of that group was found to have communicated with the cammer of the movie, whose identity was unknown but whom FACT strongly suspected to be the man in the images taken at the cinema. He was later arrested and confessed to his crimes.


The full document provides a fascinating insight into FACT’s operations, not only in camming mitigation but also in bringing down websites. Another notable chart shows the operations of an unnamed “video streaming” site.


While no names are mentioned, a later edition of the same presentation blanks out key details, suggesting a level of sensitivity. However, after examining the chart it appears likely that it refers to Surf the Channel, the site previously run by Anton Vickerman.

Considering the depth and presentation of the above investigations it will come as no surprise to most that many FACT investigators are former police officers. For the curious, the full document can be found here on Wikileaks.


TorrentFreak: BitTorrent Inc. Lays Off Close to a Third of its Workforce

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During the past few years BitTorrent Inc. has grown at a surprising rate, taking on increasing numbers of employees to fill various roles at the expanding company.

On Thursday, however, things took a turn for the worse. Rumors began to spread that BitTorrent Inc. had laid off dozens of staff in its biggest shake-up since 2008, yet no official statement was forthcoming from the company.

Then on Friday two separate sources, at least one of whom was a former employee at the San Francisco-based company, revealed the scale of the layoffs.

“About 40-45 people in their US office just got laid off which represents a large percentage of the US workforce,” one of the sources revealed. Another described the cutting of “around a third” of an estimated 150 U.S.-based employees.

“The Ads team has been gutted as have several other groups – more development work is being sent to the BitTorrent team in Minsk. Only one person from senior management was let go, as is often the case in these types of things,” an insider told TF.

In comments to Buzzfeed, BitTorrent Inc. put a positive spin on events, describing the layoffs as a “realignment” of the business.

“We’ve recently realigned resources based on a regular evaluation of the business,” a spokesperson said. “Regrettably, this did include some employee departures. The business however, remains healthy, profitable and growing.”

A source close to the company painted a slightly different picture, however.

“The whole point is to save money and to try and return the company to profitability since it expanded its headcount way too fast and based on very unrealistic revenue projections. The morale, as you can imagine, is pretty low just now,” the source said.

One person presumed to be safe is Christian Averill, who was promoted to Vice President, Communications & Brand last month.

“My efforts will be focused on having our brands such as Bundle and Sync stand on their own and have a strong mind share in the market,” he said.

Averill’s promotion suggests that BitTorrent intends to continue efforts to put Sync and its content distribution deals front and center of its business. Meanwhile, its uTorrent and BitTorrent clients will continue to generate most of the company’s revenues.


TorrentFreak: Scammers Take Over New EZTV Domain Name

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

EZTV, the go-to place for many torrenting TV fans, has suffered its fair share of troubles in recent months.

In January the group lost its .it domain name, which was then taken over by impostors in March.

The torrent distribution group meanwhile continued to operate from the new EZTV.ch domain name, but during the past few hours this new home also became compromised.

Instead of hosting official EZTV torrents the .CH domain now links to the same content as the ‘hijacked’ EZTV.it site. While there are plenty of TV-torrents available, these are sourced externally from RARBG.

And there are more signs pointing to a hostile takeover. Users are not able to log in, for example, and the scam warning that was previously listed on the .ch domain is gone as well. In addition, the site now serves various ads including popunders.

TF reached out to EZTV’s Novaking to find out more about the apparent takeover, but we have yet to receive a reply.

Upon close inspection it appears that the domain name was taken over at the registrar level. The WHOIS information was updated and now lists the UK-based “EZCLOUD LIMITED” as owner, which is the same company that registered the .it domain.

Novaking informed TF a few weeks ago that the same happened to one of his other domains.


The scammers who’ve taken over EZTV are looking to cash in from the site. EZCLOUD director Hernandez Dominguez Emmanuel previously said that he offered to partner with EZTV or sell the domain for a profit.

“The business proposal to Novaking was straightforward: he pays us a slightly bigger amount than we have paid at the auction or we somehow partnership by uniting both entities: eztv.it and eztv.ch and we will earn in the course of the next months by percentage of the ads revenues,” Emmanuel told TF.

Novaking rejected this proposal and blocked the .it domain from using official EZTV torrents. EZCLOUD did not give up, however, and now appears to have taken complete control of EZTV’s new domain as well.

Breaking news, more updates may follow


The Hacker Factor Blog: Great Googly Moogly!

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Google recently made another change to their pagerank algorithm. This time, they are ranking results based on the type of device querying it. What this means: a Google search from a desktop computer will return different results compared to the same search from a mobile device. If a web page is better formatted for a mobile device, then it will have a higher search result rank for searches made from mobile devices.

I understand Google’s desire to have web pages that look good on both desktop and mobile devices. However, shouldn’t the content, authoritativeness, and search topic be more important than whether the page looks pretty on a mobile device?

As a test, I searched Google for “is this picture fake”. The search results on my desktop computer were different from the results from my Android phone. In particular, the 2nd desktop result was completely gone on the mobile device, the FotoForensics FAQ was pushed down on the mobile device, TinEye was moved up on the mobile device, and other analysis services were completely removed from the mobile results.

In my non-algorithmic personal opinion, I think the desktop results returned more authoritative results and better matched the search query than the mobile device results.

Google’s Preference

Google announced that they were doing this change on February 26. They gave developers less than two months notice of this change.

While two months may be plenty of time for small developers to change their site layout, I suspect that most small developers never heard about this change. For larger organizations, two months is barely enough time to have a meeting about having a meeting about scheduling a meeting to discuss a site redesign for mobile devices.

In other words: Google barely gave anyone notice, and did not give most sites time to act. This is analogous to those security researchers who report vulnerabilities to vendors and then set arbitrarily short deadlines before going public. Short deadlines are not about doing the right thing; they’re about pushing an agenda.

Tools for the trade

On the plus side, Google provided a nice web tool for evaluating web sites. This allows site designers to see how their web pages look on a mobile device. (At least, how it will look according to Google.)

Google also provides a mobile guide that describes what Google thinks a good web page layout looks like. For example, you should use large fonts and only one column in the layout. Google also gives suggestions like using dynamic layout web pages (detect the screen and rearrange accordingly) and using separate servers (www.domain and m.domain): one for desktop users and one for mobile devices.

Google’s documentation emphasizes that this is really for smartphone users. They state that by “mobile devices”, they are only talking about smartphones and not tablets, feature phones, and other devices. (I always thought that a mobile device was anything you could use while being mobile…)

Little Time, Little Effort

One of my big irks about Google is that Google’s employees seem to forget that not every company is as big as Google or has as many resources as Google. Not everyone is Google. By giving developers very little time to make changes that better match Google’s preferred design, it just emphasizes how out of touch Google’s developers are with the rest of the world. The requirements decreed in their development guidelines also show an unrealistic view of the world. For example:

  • Google recommends using dynamic web pages for more flexibility. It also means much more testing and requires a larger testing environment. Testing is usually where someone notices that the site lacks usability.

    Google+ has a flexible interface — the number of columns varies based on the width of the browser window. But Google+ also has a horrible multi-column layout that cannot be disabled. And LinkedIn moved most of their billions of options into popups — now you cannot click on anything without it being covered by a popup window first.

    For my own sites, I do try to test with different browsers. Even if I think my site looks great on every mobile device I tested, that does not mean that it will look great on every mobile device. (I cannot test on everything.)

    Providing the same content to every device minimizes the development and testing efforts. It also simplifies the usability options.

  • Google suggests the option of maintaining two URLs or two separate site layouts — one for desktops and one for mobile devices. They overlook that this means twice the development effort, which translates into twice the development costs.
  • Maintaining two URLs also means double the amount of bot traffic indexing the site, double the load on the server, and double the network bandwidth. Right now, about 75% of the traffic to my site comes from bots indexing and mirroring (and attacking) my site. If I maintained two URLs to the same content with different formatting, I would be dividing the visitor load between the two sites (half go mobile and half go desktop), while doubling the bot traffic.
  • Google’s recommendations normalize the site layout. Everyone should use large text. Everyone should use one column for mobile displays, etc.

    Normalizing web site layouts goes against the purpose of HTML and basic web site design. Your web site should look the way that you want it to look. If you want small text, then you can use small text. If you want a wide layout, then you can use a wide layout. Every web site can look different. Just be aware that Google’s pagerank system now penalizes you for looking different and for expressing creativity.

  • Google’s online test for mobile devices does not take into account whether the device is held vertically or horizontally. My Android phone rotates the screen and makes the text larger when I hold it horizontally. According to Google, all mobile pages should be designed for a vertical screen.

Ironically, there has been a lot of effort by mobile web browser developers (not the web site, but the actual browser developers) to mitigate display issues in the browser. One tap zooms into the text and reflows it to fit the screen, another tap zooms out and reflows it again. And rotating the screen makes the browser display wider instead of taller. Google’s demand to normalize the layout really just means that Google has zero confidence in the mobile browser developers and a limited view on how users use mobile devices.

Moving targets

There’s one significant technical issue that is barely addressed by Google’s Mobile Developer Guide: how does a web site detect a mobile device?

According to Google, your code should look at the user-agent field for “Android” and “Mobile”. That may work well with newer Android smartphones, but it won’t help older devices or smartphones that don’t use those keywords. Also, there are plenty of non-smartphone devices that use these words. For example, Apple’s iPad tablet has a user-agent string that says “Mobile” in it.

In fact, there is no single HTTP header that says “Hi! I’m a mobile device! Give me mobile content!” There’s a standard header for specifying supported document formats. There’s a standard header for specifying preferred language. But there is no standard for identifying a mobile device.

There is a great write-up called “How to Detect Mobile Devices”. It lists a bunch of different methods and the trade-offs between each.

For example, you can try to use JavaScript to render the page. This is good for most smartphones, but many feature-phones lack JavaScript support. The question also becomes: what should you detect? Screen size may be a good option, but otherwise there is no standard. This approach can also be problematic for indexing bots since it requires rendering JavaScript to see the layout. (Running JavaScript in a bot becomes a halting problem since the bot cannot predict when the code will finish rendering the page.)

Alternately, you can try to use custom style sheets. There’s a style sheet extension “@media” for specifying a different layout for mobile devices. Unfortunately, many mobile devices don’t support this extension. (Oh the irony!)

Usually people try to detect the mobile device on the server side. Every web browser sends a user-agent string that describes the browser and basic capabilities. For example:

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.3) Gecko/20150308 Firefox/31.9 PaleMoon/25.3.0

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4

User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG SM-T530NU Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36

User-Agent: Opera/9.80 (Android; Opera Mini/7.6.40234/36.1701; U; en) Presto/2.12.423 Version/12.16

The first sample user-agent string identifies the Pale Moon web browser (PaleMoon 25.3.0) on a 64-bit Windows 7 system (Windows NT 6.1; Win64). It says that it is compatible with Firefox 31 (Firefox/31.9) and supports the Gecko toolkit extension (Gecko/20150308). This is likely a desktop system.

The second sample identifies Mobile Safari 8.0 on an iPhone running iOS 8.1.2. This is a mobile device — because I know iPhones are mobile devices, and not because it says “Mobile”.

The third sample identifies the Android browser 1.5 on a Samsung SM-T530NU device running Android 4.4 (KitKat) and configured for English from the United States. It doesn’t say what it is, but I can look it up and determine that the SM-T530NU is a tablet.

The fourth and final example identifies Opera Mini, which is Opera for mobile devices. Other than looking up the browser type, nothing in the user-agent string tells me it is a mobile device.

The typical solution is to have the web site check the user-agent string for known parts. If it sees “Mobile” or “iPhone” then we can assume it is some kind of mobile device — but not necessarily a smartphone. The web site Detect Mobile Browsers offers code snippets for detecting mobile devices. Google’s documentation says to look for ‘Android’ and ‘Mobile’. Here’s the PHP code that Detect Mobile Browsers suggests using:

$useragent = $_SERVER['HTTP_USER_AGENT'];
// First pattern: searched anywhere in the user-agent string.
// Second pattern: matched only against the first four characters of the string.
if (preg_match('/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i', $useragent) || preg_match('/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55\/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk\/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-/i', substr($useragent, 0, 4))) { /* then… */ }

This is more than just detecting ‘Android’ and ‘Mobile’. If the user-agent string says Android or Meego or Mobile or Avantgo or Blackberry or Blazer or KDDI or Opera (with mini or mobi or mobile)… then it is probably a mobile device.

Of course, there are two big problems with this code. First, it has so many conditions that it is likely to have multiple false positives (e.g., detecting a tablet or even a desktop as a mobile phone). In fact, we can see this problem since the regular expression contains “kindle” — the Amazon Kindle is a tablet and not a smartphone. (And the Kindle user-agent string also includes the word ‘Android’ and may include the word ‘Mobile’.)

Second, this long chunk of code is a regular expression — a language describing a pattern to match. All regular expressions are slow to evaluate, and more complicated expressions take more time. Unless you have unlimited resources (like Google) or have low web volume, you probably do not want to run this code on every web page request.

If Google really wants to have every web site provide mobile-specific content, then perhaps they should push through a standard HTTP header for declaring a mobile device, tablet, and other types of devices. Right now, Google is forcing web sites to redesign for devices that they may not be able to detect.

(Of course, none of this handles the case where an anonymizer changes the user-agent setting, or where users change the user-agent value in their browser.)
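To make these trade-offs concrete, here is an added example in Python (not code from the post, from Google’s guide, or from Detect Mobile Browsers). It runs the two checks discussed above, Google’s ‘Android’ plus ‘Mobile’ rule and the bare ‘Mobile’ keyword, against the four user-agent strings quoted above plus a constructed iPad string and a constructed Kindle Fire string, and compares both with a three-way phone/tablet/desktop classifier that checks explicit tablet and phone tokens before falling back to the Android convention. The token lists, the sample names, the two constructed strings and the assumption that the stock Android browser adds ‘Mobile’ on phones and omits it on tablets are this example’s own.

```python
"""User-agent classification run over sample strings.  Added example, not
code from the post, from Google's guide or from Detect Mobile Browsers."""
import re

# Device classes returned by classify().
PHONE, TABLET, DESKTOP = "phone", "tablet", "desktop"

# The first four strings are the ones quoted in the post.  The iPad and Kindle
# Fire strings are constructed for this example (assumption: they follow the
# general shape of those vendors' strings; the Kindle one carries both
# 'Android' and 'Mobile', the case the post describes).
SAMPLES = {
    "palemoon_desktop": (
        "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.3) Gecko/20150308 "
        "Firefox/31.9 PaleMoon/25.3.0"
    ),
    "iphone": (
        "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) "
        "AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 "
        "Safari/600.1.4"
    ),
    "samsung_tablet": (
        "Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG SM-T530NU "
        "Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 "
        "Chrome/28.0.1500.94 Safari/537.36"
    ),
    "opera_mini": (
        "Opera/9.80 (Android; Opera Mini/7.6.40234/36.1701; U; en) "
        "Presto/2.12.423 Version/12.16"
    ),
    "ipad_constructed": (
        "Mozilla/5.0 (iPad; CPU OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 "
        "(KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4"
    ),
    "kindle_constructed": (
        "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) "
        "AppleWebKit/535.19 (KHTML, like Gecko) Silk/3.4 Mobile Safari/535.19"
    ),
}


def google_rule(ua: str) -> bool:
    """The heuristic the post attributes to Google's guide: phone only when
    the string contains both 'Android' and 'Mobile'."""
    low = ua.lower()
    return "android" in low and "mobile" in low


def mobile_keyword_rule(ua: str) -> bool:
    """The looser check: any occurrence of the word 'Mobile'."""
    return "mobile" in ua.lower()


# Patterns are compiled once at import time.  Compiling, or running a very
# long alternation, on every request is the per-request cost the post warns
# about; a handful of short tokens is cheap.
_TABLET_RE = re.compile(r"ipad|kindle|silk|tablet", re.IGNORECASE)
_PHONE_RE = re.compile(r"iphone|ipod|opera mini|opera mobi|windows phone|iemobile",
                       re.IGNORECASE)
_ANDROID_RE = re.compile(r"\bandroid\b", re.IGNORECASE)
_MOBILE_RE = re.compile(r"\bmobile\b", re.IGNORECASE)


def classify(ua: str) -> str:
    """Three-way classification: tablet, phone or desktop.

    Order matters.  Explicit tablet tokens come first so that a Kindle Fire
    (carrying 'Android' and 'Mobile') and an iPad (carrying 'Mobile') are not
    taken for phones; explicit phone tokens come next so that Opera Mini
    (carrying 'Android' but not 'Mobile') is not taken for a tablet.  Only
    then is the Android convention applied (assumption: the stock Android
    browser adds 'Mobile' on phones and omits it on tablets).  Anything else
    is treated as a desktop, the safe default for serving the full layout.
    """
    if _TABLET_RE.search(ua):
        return TABLET
    if _PHONE_RE.search(ua):
        return PHONE
    if _ANDROID_RE.search(ua):
        return PHONE if _MOBILE_RE.search(ua) else TABLET
    return DESKTOP


def rule_errors(rule, samples=SAMPLES):
    """Names of samples where a yes/no 'is this a phone' rule disagrees with
    classify(); this is where the false positives the post describes show up."""
    return sorted(name for name, ua in samples.items()
                  if rule(ua) != (classify(ua) == PHONE))


def compare_rules(samples=SAMPLES):
    """Per-sample verdicts: (google_rule, mobile_keyword_rule, classify)."""
    return {name: (google_rule(ua), mobile_keyword_rule(ua), classify(ua))
            for name, ua in samples.items()}


if __name__ == "__main__":
    for name, (g, m, c) in compare_rules().items():
        print(f"{name:20s} google={g!s:5s} mobile_keyword={m!s:5s} classify={c}")
    print("google_rule misclassifies:", rule_errors(google_rule))
    print("mobile_keyword_rule misclassifies:", rule_errors(mobile_keyword_rule))
```

Run stand-alone, the script shows Google’s rule missing the iPhone and Opera Mini and taking the Kindle for a phone, while the bare ‘Mobile’ check takes both tablets for phones and still misses Opera Mini. The token tables are deliberately short and compiled once, which is what keeps the per-request cost low; and since the user-agent string is whatever the client chooses to send, the result should only ever steer layout, never an access decision.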

Low Ranking Advice

Some of Google’s mobile site suggestions are good, but not limited to mobile devices. Enabling server compression and designing pages for fast loading benefit both desktop and mobile browsers.

I actually think that there may be a hidden motivation behind Google’s desire to force web site redesigns… The recommended layout — with large primary text, viewport window, and single column layout — is probably easier for Google to parse and index. In other words, Google wants every site to look the same so it will be easier for Google to index the content.

And then there is the entire anti-competitive edge. Google’s suggestion for detecting mobile devices (look for ‘Android’) excludes non-android devices like Apple’s iPhone. Looking for ‘Mobile’ misclassifies Apple’s iPad, potentially leading to a lesser user experience on Apple products. And Google wants you to make site changes so that your web pages work better with Googlebot. This effectively turns all web sites into Google-specific web sites.

Promoting aesthetics over content seems to go against the purpose of a search engine; users search for content and not styling. Normalizing content layout contradicts the purpose of having configurable layouts. Giving developers less than two months to make major changes seems out of touch with reality. And requiring design choices that favor the dominant company’s strict views seems very anti-competitive to me.

Many web sites depend on search engines like Google for income — either directly through ads or indirectly through visibility. This recent change at Google will dramatically impact many web sites — sites with solid content but, according to Google, less desirable layouts. Moreover, it forces companies to comply with Google’s requirements or lose future revenue.

Google has a long history of questionable behavior. This includes multiple lawsuits against Google for anti-competitive behavior and privacy violations. However, each of these cases is debatable. In contrast, I think that this requirement for site layout compliance is the first time that the “do no evil” company has explicitly gone evil in a non-debatable way.

TorrentFreak: Pirate Bay Blockade Censors CloudFlare Customers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Like any form of censorship, web blockades can sometimes lead to overblocking, targeting perfectly legitimate websites by mistake.

This is also happening in the UK where Sky’s blocking technology is inadvertently blocking sites that have nothing to do with piracy.

In addition to blocking domain names, Sky also blocks IP-addresses. This allows Sky to stop HTTPS connections to The Pirate Bay and its proxies, but when IP-addresses are shared with random other sites they’re blocked too.

This is happening to various customers of the CDN service CloudFlare, which is used by many sites on the UK blocklist. Every now and then this causes legitimate sites to be blocked, such as CloudFlare customers who shared an IP-address with Pirate Bay proxy ilikerainbows.co.uk.

Although the domain is merely a redirect to ilikerainbows.co, it’s listed in Sky’s blocking system along with several CloudFlare IP-addresses. Recently, the CDN service received complaints from users about the issue and alerted the proxy owner.

“It has come to our attention that your website — ilikerainbows.co.uk — is causing CloudFlare IPs to be blocked by SkyB, an ISP located in the UK. This is impacting other CloudFlare customers,” CloudFlare wrote.

The CDN service asked the proxy site to resolve the matter with Sky, or else it would remove the site from the network after 24 hours.

“If this issue does not get resolved with SkyB though we will need to route your domain off CloudFlare’s network as it is currently impacting other CloudFlare customers due to these blocked IP addresses.”


The operator of the “Rainbows” TPB proxy was surprised by Sky’s overbroad blocking techniques, but also by CloudFlare’s response. Would CloudFlare also kick out sites that are blocked in other countries where censorship is common?

“What do they do when Russia starts blocking sites under their system? Are they going to kick users off CloudFlare because there’s a Putin meme that the Russians don’t like?” Rainbows’ operator tells TF.

Instead of waiting for the domain to be switched off by CloudFlare he reverted it to the domain registrar’s forwarding services. The main .co domain still uses CloudFlare’s services though, as does the official Pirate Bay site.

This is not the first time that CloudFlare customers have been blocked by mistake. Earlier this year the same thing happened to sites that shared an IP-address with The Pirate Bay. At the time we contacted Sky, who informed us that they do all they can to limit collateral damage.

“We have a process in place to monitor requested site blocks to limit the chances of inadvertently blocking sites, and in addition to this if we are advised by a site owner or Sky customer that a site is being inadvertently blocked we take the necessary steps to remove any unintended blocks,” a Sky spokeswoman said.

In addition to Sky we also contacted CloudFlare about the issue multiple times this year, but the company has yet to reply to our inquiries.

It’s clear though that despite cheers from copyright holders, website blocking is not all rainbows and unicorns. Without any significant change to Sky’s blocking setup, more of these inadvertent blocks are bound to happen in the future.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: How to Configure Your Dev Machine to Work From Anywhere (Part 3)

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jeff Cogswell. Original post: at Linux How-Tos and Linux Tutorials

In the previous articles, I talked about my mobile setup and how I’m able to continue working on the go. In this final installment, I’ll talk about how to install and configure the software I’m using. Most of what I’m talking about here is on the server side, because the Android and iPhone apps are pretty straightforward to configure.

Before we begin, however, I want to mention that this setup I’ve been describing really isn’t for production machines. This should only be limited to development and test machines. Also, there are many different ways to work remotely, and this is only one possibility. In general, you really can’t beat a good command-line tool and SSH access. But in some cases, that didn’t really work for me. I needed more; I needed a full Chrome JavaScript debugger, and I needed better word processing than was available on my Android tablets.

Here, then, is how I configured the software. Note, however, that I’m not writing this as a complete tutorial, simply because that would take too much space. Instead, I’m providing overviews, and assuming you know the basics and can google to find the details. We’ll take this step by step.

Spin up your server

First, we spin up the server on a host. There are several hosting companies; I’ve used Amazon Web Services, Rackspace, and DigitalOcean. My own personal preference for the operating system is Ubuntu Linux with LXDE. LXDE is a full desktop environment that includes the OpenBox window manager. I personally like OpenBox because of its simplicity while maintaining visual appeal. And LXDE is nice because, as its name suggests (Lightweight X11 Desktop Environment), it’s lightweight. However, many different environments and window managers will work. (I tried a couple tiling window managers such as i3, and those worked pretty well too.)

The usual order of installation goes like this: You use the hosting company’s website to spin up the server, and you provide a key file that will be used for logging into the server. You can usually use your own key that you generate, or have the service generate a key for you, in which case you download the key and save it. Typically when you provide a key, the server will automatically be configured to allow SSH logins only with the key file. However, if not, you’ll want to disable password logins yourself.

Connect to the server

The next step is to actually log into the server through an SSH command line and first set up a user for yourself that isn’t root, and then set up the desktop environment. You can log in from your desktop Linux, but if you like, this is a good chance to try out logging in from an Android or iOS tablet. I use JuiceSSH; a lot of people like ConnectBot. And there are others. But whichever you get, make sure it allows you to log in using a key file. (Key files can be created with or without a password. Also make sure the app you use allows you to use whichever key file type you created–password or no password.)

Copy your key file to your tablet. The best way is to connect the tablet to your computer, and transfer the file. However, if you want a quick and easy way to do it, you can email it. But be aware that you’re sending the private key file through an email system that other people could potentially access. It’s your call whether you want to do that. Either way, get the file installed on the tablet, and then configure the SSH app to log in using the key file, using the app’s instructions.

Then using the app, connect to your server. You’ll need the username, even though you’re using a key file (the server needs to know who you’re logging in as with the key file, after all); AWS typically uses “ubuntu” for the username for Ubuntu installations; others simply give you the root user. For AWS, to do the installation you’ll need to type sudo before each command since you’re not logged in as root, but won’t be asked for a password when running sudo. On other cloud hosts you can run the commands without sudo since you’re logged in as root.

Oh and by the way, because we don’t yet have a desktop environment, you’ll be typing commands to install the software. If you’re not familiar with the package installation tools, now is a chance to learn about them. For Debian-based systems (including Ubuntu), you’ll use apt-get. Other systems use yum, which is a command-line interface to the RPM package manager.

Install LXDE

From the command-line, it’s time to set up LXDE, or whichever desktop you prefer. One thing to bear in mind is that while you can run something big like Cinnamon, ask yourself if you really need it. Cinnamon is big and cumbersome. I use it on my desktop, but not on my hosted servers, opting instead for more lightweight desktops like LXDE. And if you’re familiar with desktops such as Cinnamon, LXDE will feel very similar.

There are lots of instructions online for installing LXDE or other desktops, and so I won’t reiterate the details here. DigitalOcean has a fantastic blog with instructions for installing a similar desktop, XFCE.

Install a VNC server

Then you need to install a VNC server. Instead of using TightVNC, which a lot of people suggest, I recommend vnc4server because it allows for easy resolution changes, as I’ll describe shortly.

While setting up the VNC server, you’ll create a VNC username. You can just use a username and password for VNC, and from there you’re able to connect from a VNC client app to the system. However, the connection won’t be secure. Instead, you’ll want to connect through what’s called an SSH tunnel. The SSH tunnel is basically an SSH session into the server that is used for passing connections that would otherwise go directly over the internet.

When you connect to a server over the Internet, you use a protocol and a port. VNC usually uses 5900 or 5901 for the port. But with an SSH tunnel, the SSH app listens on a port on the same local device, such as 5900 or 5901. Then the VNC app, instead of connecting to the remote server, connects locally to the SSH app. The SSH app, in turn, passes all the data on to the remote system. So the SSH serves as a go-between. But because it’s SSH, all the data is secure.

So the key is setting up a tunnel on your tablet. Some VNC apps can create the tunnel; others can’t and you need to use a separate app. JuiceSSH can create a tunnel, which you can use from other apps. My preferred VNC app, Remotix, on the other hand, can do the tunnel itself for you. It’s your choice how you do it, but you’ll want to set it up.

The app will have instructions for the tunnel. In the case of JuiceSSH, you specify the server you’re connecting to and the port, such as 5900 or 5901. Then you also specify the local port number the tunnel will be listening on. You can use any available port, but I’ll usually use the same port as the remote one. If I’m connecting to 5901 on the remote, I’ll have JuiceSSH also listen on 5901. That makes it easier to keep straight. Then you’ll open up your VNC app, and instead of connecting to a remote server, you connect to the port on the same tablet. For the server you just use 127.0.0.1, which is the IP address of the device itself. So to re-iterate:

  1. JuiceSSH connects, for example, to 5901 on the remote host. Meanwhile, it opens up 5901 on the local device.
  2. The VNC app connects to 5901 on the local device. It doesn’t need to know anything about what remote server it’s connecting to.

But some VNC apps don’t need another app to do the tunneling, and instead provide the tunnel themselves. Remotix can do this; if you set up your app to do so, make sure you understand that you’re still tunneling. You provide the information needed for the SSH tunnel, including the key file and username. Then Remotix does the rest for you.
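The tunnel described above, written out as an added example (not from the original article or from JuiceSSH or Remotix): derive the VNC port from the X display number, build the key-only ssh forwarding command, and show what the VNC client on the tablet actually connects to. The host name, user name, key path and the vnc4server -localhost flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example: SSH tunnel for a VNC display, as a few small shell functions.
# Placeholder values: dev.example.com, ubuntu, ~/.ssh/dev.pem (hypothetical).

# VNC display :N listens on TCP port 5900+N, so :1 is 5901.
display_to_port() {
    n=${1#:}                       # strip the leading colon from ":1"
    echo $((5900 + n))
}

# The ssh command that forwards a loopback port on the tablet to the VNC
# port on the server.  -N: forward only, no remote shell.  -i: the key file.
# BatchMode=yes and PasswordAuthentication=no: never fall back to a typed
# password.  Binding the local side to 127.0.0.1 keeps other devices on the
# same Wi-Fi from reaching the tunnel.
tunnel_cmd() {
    host=$1 user=$2 key=$3 display=$4
    port=$(display_to_port "$display")
    printf 'ssh -N -i %s -o BatchMode=yes -o PasswordAuthentication=no -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$key" "$port" "$port" "$user" "$host"
}

# On the server side, start the VNC server so it only accepts loopback
# connections (Xvnc/vnc4server -localhost, assumed here): the tunnel then
# becomes the only way to reach the desktop, and port 5901 is not exposed
# to the Internet at all.
vncserver_cmd() {
    display=$1
    printf 'vnc4server -localhost -geometry 1280x750 %s' "$display"
}

# What the VNC client on the tablet connects to: the local end of the tunnel.
vnc_client_target() {
    echo "127.0.0.1:$(display_to_port "$1")"
}

# Demo of the three pieces for display :1.
echo "server:  $(vncserver_cmd :1)"
echo "tablet:  $(tunnel_cmd dev.example.com ubuntu "$HOME/.ssh/dev.pem" :1)"
echo "client:  $(vnc_client_target :1)"
```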

Once you get the VNC app going, you’ll be in. You should see a desktop open with the LXDE logo in the background. Next, you’ll want to go ahead and configure the VNC client to your liking; I prefer to control the mouse using drags that simulate a trackpad; other people like to control the mouse by tapping exactly where you want to click. Remotix and several other apps let you choose either configuration.

Configuring the Desktop

Now let’s configure the desktop. One issue I had was getting the desktop to look good on my 10-inch tablet. This involved configuring the look and feel by clicking the taskbar menu > Preferences > Customize Look and Feel (or running lxappearance from the command line).


I also used OpenBox’s own configuration tool by clicking the taskbar menu > Preferences > OpenBox Configuration Manager (or running obconf).


My larger tablet’s screen isn’t huge at 10 inches, so I configured the menu bars and buttons and such to be somewhat large for a comfortable view. One issue is the tablet has such a high resolution that if I used the maximum resolution, everything was tiny. As such, I needed to be able to change resolutions based on the work I was doing, as well as based on which tablet I was using. This involved configuring the VNC server, though, not LXDE and OpenBox. So let’s look at that.

In order to change resolution on the fly, you need a program that can manage the RandR extension, such as xrandr. But the TightVNC server that seems popular doesn’t work with RandR. Instead, I found the vnc4server program works with xrandr, which is why I recommend using it instead. When you configure vnc4server, you’ll want to provide the different resolutions in the command’s -geometry option. Here’s an init.d service configuration file that does just that. (I modified this based on one I found on DigitalOcean’s blog.)

#!/bin/bash
# init.d script: start/stop a vnc4server instance for one user.
PATH="$PATH:/usr/bin/"
export USER="jeff"
# The X display the VNC server owns; TCP port is 5900 + display number.
VNC_DISPLAY=":1"
# Every -geometry listed here becomes a selectable mode for xrandr.
OPTIONS="-depth 16 -geometry 1920x1125 -geometry 1240x1920 -geometry 2560x1500 -geometry 1920x1080 -geometry 1774x1040 -geometry 1440x843 -geometry 1280x1120 -geometry 1280x1024 -geometry 1280x750 -geometry 1200x1100 -geometry 1024x768 -geometry 800x600 ${VNC_DISPLAY}"
. /lib/lsb/init-functions
case "$1" in
start)
log_action_begin_msg "Starting vncserver for user '${USER}' on localhost${VNC_DISPLAY}"
su "${USER}" -c "/usr/bin/vnc4server ${OPTIONS}"
log_action_end_msg $?
;;
stop)
log_action_begin_msg "Stopping vncserver for user '${USER}' on localhost${VNC_DISPLAY}"
su "${USER}" -c "/usr/bin/vnc4server -kill ${VNC_DISPLAY}"
log_action_end_msg $?
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0

The key here is the OPTIONS line with all the -geometry options. These will show up when you run xrandr from the command line:


You can use your VNC login to modify the file in the init.d directory (and indeed I did, using the editor called scite). But then after making these changes, you’ll need to restart the VNC service just this one time, since you’re changing its service settings. Doing so will end your current VNC session, and it might not restart correctly. So you might need to log in through JuiceSSH to restart the VNC server. Then you can log back in with the VNC server. (You also might need to restart the SSH tunnel.) After you do, you’ll be able to configure the resolution. And from then on, you can change the resolution on the fly without restarting the VNC server.

To change resolutions without having to restart the VNC server, just type:

xrandr -s 1

Replace 1 with the number for the resolution you want. This way you can change the resolution without restarting the VNC server.

Server Concerns

After everything is configured, you’re free to use the software you’re familiar with. The only catch is that hosts charge a good bit for servers that have plenty of RAM and disk space. As such, you might be limited on what you can run based on the amount of RAM and cores. Still, I’ve found that with just 2GB of RAM and 2 cores, with Ubuntu and LXDE, I’m able to have open Chrome with a few pages, LibreOffice with a couple documents open, Geany for my code editing, and my own server software running under node.js for testing, and mysql server. Occasionally if I get too many Chrome tabs open, the system will suddenly slow way down and I have to shut down tabs to free up more memory. Sometimes I run MySQL Workbench and it can bog things down a bit too, but it isn’t bad if I close up LibreOffice and leave only one or two Chrome tabs open. But in general, for most of my work, I have no problems at all.

And on top of that, if I do need more horsepower, I can spin up a bigger server with 4GB or 8GB and four cores or eight cores. But that gets costly and so I don’t do it for too many hours.

Multiple Screens

For fun, I did manage to get two screens going on a single desktop, one on my bigger 10-inch ASUS transformer tablet, and one on my smaller Nexus 7 all from my Linux server running on a public cloud host, complete with a single mouse moving between the two screens. To accomplish this, I started two VNC sessions, one from each tablet, and then from the one with the mouse and keyboard, I ran:

x2x -east -to :1

This basically connected the single mouse and keyboard to both displays. It was a fun experiment, but in my case, provided little practical value because it wasn’t like a true dual-display on a desktop computer. I couldn’t slide windows between the displays, and the Chrome browser won’t open under more than one X display. In my case, for web development, I wanted to be able to open up the Chrome browser on one tablet, and then the Chrome JavaScript debug window on the other, but that didn’t work out.

Instead, what I found more useful was to have an SSH command-line shell on the smaller tablet, and that’s where I would run my node.js server code, which was printing out debug information. Then on the other I would have the browser running. That way I can glance back and forth without switching between windows on the single VNC login on the bigger tablet.

Back to Security

I can’t overstate the importance of making sure you have your security set up and that you understand how the security works and what the ramifications are. I highly recommend using SSH with a keyfile login only, and no password logins allowed. And treat this as a development or test machine; don’t put customer data on the machine that could open you up to lawsuits in the event the machine gets compromised.
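The key-only rule above (and the "disable password logins" step in the server setup) can be checked rather than assumed. This is an added example, not from the original article: a small audit of an sshd_config, using two constructed sample configs. It mirrors one sshd rule that trips people up: for each keyword, the first value in the file wins, so a "PasswordAuthentication no" appended at the end does nothing if an earlier line says "yes".

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only logins.

# Print the effective value of a keyword: the FIRST match in the file
# (case-insensitive, as sshd treats keywords), or the given default when
# the keyword is absent.  Match blocks are not modelled here.
sshd_opt() {
    file=$1 key=$2 default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$file")
    echo "${val:-$default}"
}

# Return 0 if the config only admits key-based logins, 1 otherwise, and
# print each failing setting.  OpenSSH defaults are assumed for missing
# lines.  ChallengeResponseAuthentication is checked too, because PAM
# keyboard-interactive auth can still accept a password when
# PasswordAuthentication is "no".
audit_sshd() {
    file=$1 ok=0
    [ "$(sshd_opt "$file" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication is not 'no'"; ok=1; }
    [ "$(sshd_opt "$file" ChallengeResponseAuthentication yes)" = no ] \
        || { echo "ChallengeResponseAuthentication is not 'no'"; ok=1; }
    [ "$(sshd_opt "$file" PubkeyAuthentication yes)" = yes ] \
        || { echo "PubkeyAuthentication is not 'yes'"; ok=1; }
    case "$(sshd_opt "$file" PermitRootLogin yes)" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin allows password root login"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample configs (not from any real server).
BAD_CFG=$(mktemp)
GOOD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# the "no" below is ignored by sshd: the first value wins
PasswordAuthentication no
EOF
cat > "$GOOD_CFG" <<'EOF'
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Demo: the first config fails the audit, the second passes.
echo "--- bad config"
audit_sshd "$BAD_CFG" || echo "FAIL: password logins still possible"
echo "--- good config"
audit_sshd "$GOOD_CFG" && echo "OK: key-only logins"
```

On a live box, run the audit against /etc/ssh/sshd_config and re-run it after every edit, since restarting sshd with a wrong first-wins line silently keeps passwords enabled.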

Instead, for production machines, allocate your production servers using all the best practices laid out by your own IT department security rules, and the host’s own rules. One issue I hit is my development machine needs to log into git, which requires a private key. My development machine is hosted, which means that private key is stored on a hosted server. That may or may not be a good idea in your case; you and your team will need to decide whether to do it. In my case, I decided I could afford the risk because the code I’m accessing is mostly open-source and there’s little private intellectual property involved. So if somebody broke into my development machine, they would have access to the source code for a small but non-vital project I’m working on, and drafts of these articles–no private or intellectual data.

Web Developers and A Pesky Thing Called Windows

Before I wrap this up, I want to present a topic for discussion. Over the past few years I’ve noticed that a lot of individual web developers use a setup quite similar to what I’m describing. In a lot of cases they use Windows instead of Linux, but the idea is the same regardless of operating system. But where they differ from what I’m describing is they host their entire customer websites and customer data on that one machine, and there is no tunneling; instead, they just type in a password. That is not what I’m advocating here. If you are doing this, please reconsider. (I personally know at least three private web developers who do this.)

Regardless of operating system, take some time to understand the ramifications here. First, by logging in with a full desktop environment, you’re possibly slowing down your machine for your dev work. And if you mess something up and have to reboot, your clients’ websites aren’t available during that time. Are you using replication? Are you using private networking? Are you running MySQL or some other database on the same machine instead of using virtual private networking? Entire books could be (and have been) written on such topics and what the best practices are. Learn about replication; learn about virtual private networking and how to shield your database servers from outside traffic; and so on. And most importantly consider the security issues. Are you hosting customer data in a site that could easily be compromised? That could spell L-A-W-S-U-I-T. And that brings me to my conclusion for this series.

Concluding Remarks

Some commenters on the previous articles have brought up some valid points; one even used the phrase “playing.” While I really am doing development work, I’m definitely not doing this on production machines. If I were, that would indeed be playing and not be a legitimate use for a production machine. Use SSH for the production machines, and pick an editor to use and learn it. (I like vim, personally.) And keep the customer data on a server that is accessible only from a virtual private network. Read this to learn more.

Learn how to set up and configure SSH. And if you don’t understand all this, then please, practice and learn it. There are a million web sites out there to teach this stuff, including linux.com. But if you do understand and can minimize the risk, then, you really can get some work done from nearly anywhere. My work has become far more productive. If I want to run to a coffee shop and do some work, I can, without having to take a laptop along. Times are good! Learn the rules, follow the best practices, and be productive.

See the previous tutorials:

How to Set Up Your Linux Dev Station to Work From Anywhere

Choosing Software to Work Remotely from Your Linux Dev Station

Linux How-Tos and Linux Tutorials: Build Your Own Linux Distro

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

There are hundreds of actively maintained Linux distributions. They come in all shapes, sizes and configurations. Yet there’s none like the one you’re currently running on your computer. That’s because you’ve probably customised it to the hilt – you’ve spent numerous hours adding and removing apps and tweaking aspects of the distro to suit your workflow.

Wouldn’t it be great if you could convert your perfectly set up system into a live distro? You could carry it with you on a flash drive or even install it on other computers you use.


Read more at LinuxVoice.

TorrentFreak: Pirate Bay’s Peter Sunde Kills NSA-Proof Messenger App

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During the summer of 2013 the Internet was abuzz with the revelations of Edward Snowden. The PRISM scandal exploded and suddenly everyone had confirmation that everything they do online can be stored and monitored on a staggering scale.

As a direct result of this massive privacy breach, people around the world became motivated to fight back against what has developed into one of the biggest technology scandals of recent times.

One of those groups consisted of former Pirate Bay spokesman Peter Sunde, who together with friends and Flattr allies Linus Olsson and Leif Högberg began working on Hemlis, a messaging app for both iOS and Android. The aim of the game was for Hemlis (‘secret’ in Swedish) to provide absolute secrecy, with only the sender and recipient able to read messages – not middle men like prying governments.

“People act differently if they think someone is listening in to their conversation. That’s what Stasi taught us for instance. It’s one of many reasons why privacy is so vital,” Sunde told TF at the time.

But with hundreds of news articles behind them and the two-year anniversary of the project’s birth just around the corner, the Hemlis team have now delivered the ultimate in bad news.

“Lately we have been awfully quiet. The reasons are many, sad and non important right now. They have though made this project drag along and that made us understand a thing we feared for quite a while but neglected to accept. New messengers fail miserably,” the team said in a statement.

“Each new attempt has made us understand that our goal of creating a mass market messenger just based on the fact that it is private, secure and beautiful, is not nearly enough. As the only reason we are doing this is to give you viable huge scale alternative to the existing systems there is really only one thing to do at this stage. Accept our current roadmap and goals as defunct.”

While there were many reasons for the project to succeed, the challenges faced by the Hemlis team proved insurmountable.

At least initially, financing wasn’t a problem, with around $150,000 raised via a short crowd-funding campaign. Then disaster struck when around $30,000 disappeared after a bitcoin wallet was stolen from Hemlis’ bitcoin supplier. Keeping up with the budgets of the competition also took its toll.

“We decided to hire some people to help us out with the things we are not experts in. The process was slow and hit with lots of realizations that certain things would not work. The ideas were too complex and sometimes just too expensive,” Peter Sunde explains.

“We had a lot of money, but far away [from] the same amount (we’re talking millions or billions) that our competitors had access to… They’ve had more progress and financial support so they could speed up their process to the level that they’re now really good. Better than our messaging app could become right now. Ok, they’re missing on features but they have the ability and cash to resolve those issues. And our goal was always to ensure that the everyday users would be protected.”

But financial and technical issues aside, personal issues also played a big part in the project’s demise.

“In the middle of it all one of our team members got a kid and had to focus on that of course. I personally had other issues as I got kidnapped by the Swedish government and locked up for my work with another project – The Pirate Bay. In the middle of the kidnapping, my father died,” Sunde explains.

“I had no way of working on anything, and I’ve had a hard time with how I personally need to handle things. This project – as well as the other projects I’m involved in – were hit massively by my absence. And they still are, since I have not been able to get 100% on my feet yet. I’m getting there but just as with other things, it takes a lot of time.”

A few weeks ago Sunde said the team took a step back to assess its position. While decent apps for both iOS and Android exist semi-completed, Hemlis is far from a market-ready product. More time and money would need to be pumped in for it to succeed.

“We decided that we could go two ways. We could ask for more money (a lot), either from the community or some investors. Or we could close down. Since we already got money from the community with way too little to show back from the expectations that felt wrong,” Sunde explains.

“And we don’t think that it would be a good idea to ask investors for money since we’d lose control over the project. So in the end, closing it down felt like the least bad thing to do.”

While many supporters of the project back the brave decision to close Hemlis down, others have been more critical. Some, having pumped money into the project and received nothing, are downright angry. Nevertheless, one of the big takeaways is that in some shape or form, Heml.is will be handed back to its backers.

“We’ll release the usable parts of the code as free software with the most free license we can. It belongs to the community (and the community paid for it),” Sunde says, adding that there may be other ways to achieve similar aims.

“I’m personally trying to influence people and politicians to make sure we don’t need systems like Heml.is. We should be protected by the governments instead of trying to protect ourselves from them. It’s a multi-angle attack needed, technology, political work and transparency,” Sunde concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: How to Install a Debian 7 (Wheezy) Minimal Server

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Falko Timme. Original post: at Linux How-Tos and Linux Tutorials

This tutorial shows how to install a Debian 7 (Wheezy) minimal server. The purpose of this guide is to provide a minimal Debian setup that can be used as basis for our other tutorials here at howtoforge.

Read more at HowtoForge

LWN.net: Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Ars Technica reports on a wpa_supplicant bug that might leave Linux and other systems open to remote code execution.
That’s because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information ‘is transmitted in an element that has an 8-bit length field and potential maximum payload length of 255 octets,’ [Google security team member Jouni] Malinen wrote, and the code ‘was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.’

TorrentFreak: Hollywood Anti-Piracy Initiative Requires a VPN Outside the U.S.

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

At the same time as the Hollywood studios complain endlessly about piracy, the counter argument that they simply haven’t done enough to make content available legally online persists.

Without a similarly complex system of release windowing and geo-restriction, the music industry has largely overcome those obstacles. Meanwhile, however, Hollywood appears largely hamstrung by its own business model, leaving itself open to criticism that it hasn’t done enough to provide legal alternatives to torrent and streaming sites.

In an attempt to dispel claims that content simply isn’t available, the MPAA came up with WhereToWatch, a searchable database listing where movies and TV-shows can be watched legally. Due to poor coding the site initially proved impossible for Google and Bing to index, a situation that has improved somewhat since last November.

Yesterday during a speech at CinemaCon, MPAA chief Chris Dodd again urged theater owners and customers alike to spread the word that in order to protect the industry and its workers, consumers need to access content from legal resources.

“That’s why we at the MPAA created WhereToWatch.com – a one-stop shop, guiding your audiences to content quickly, simply, and – most importantly – legally. And if what they’re looking for is online, WhereToWatch.com will show which sites and at what prices that film is available,” Dodd said.

“On a broader level, this effort is also a crucial recognition of the changing technological landscape, and the need to continue evolving to meet the demands of our consumers,” he continued.

“That will mean finding new ways to enable audiences to see movies where and how they want, while maintaining the magic and unrivaled appeal of the theater-going experience that has been this industry’s driving force for well over a century.”

But while recognizing that consumers should be able to see content at a time and place of their choosing – a major complaint that has persisted for well over a decade – consumers wanting to find out where to watch that content legally are also faced with a dilemma.

Since its triumphant launch in November last year, the operators of WheretoWatch have now chosen to give it the same treatment that Hollywood bestows on its movies – by geo-restricting it.


For the hundreds of millions of citizens outside the United States who are also expected to consume film and TV content legally, the above message is nothing less than they’ve come to expect. Free and equal access to content is not something the major studios and their distributors are good at, and that is now reflected by the very resource that former senator Dodd spent so long championing yesterday.

But never fear. Thanks to the wonders of tunneling technology, last evening TF was able to find a VPN exit node in Seattle that enabled us to sneak past the MPAA guard dogs. Once on WhereToWatch.com we were able to search for a number of films and find out where we could obtain them legally. The irony was headache inducing.

Overall it’s a ridiculous situation. The music industry largely managed to solve these issues years ago but for as long as users are forced to jump through hoops to obtain or even learn about the availability of legal content (not to mention waiting for extended periods, Australian style), piracy will persist.

And when other MPAA strategies such as site-blocking and “three strikes” systems are already being exported to all corners of the globe at huge expense, one has to wonder why the obvious solution isn’t being taken first.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Backblaze Blog | The Life of a Cloud Backup Company: Usually Red Backblaze Going Green

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

3 electric cars charging.

It’s Earth Day! While Backblaze tends to make everything red (like our storage pods), we do have a bit of a green streak in us as well. Over the last few years Backblaze employees have amassed quite an assortment of electric and plug-in hybrid vehicles. All told, 25% of the employees in our San Mateo headquarters drive a pure electric or electric plug-in vehicle. Here’s the list of what they’re driving:

  • Nissan Leaf
  • EV Smart
  • Chevy Spark EV
  • Fiat Electric
  • Chevy Volt
  • Toyota Prius plug-in

To accommodate our growing fleet of electric vehicles we decided to provide charging ports for them, so that employees could charge up their cars while they are at the office. Unfortunately, the Backblaze office is located in an area with minimal parking, and we only had one spot assigned to us. Nearly everyone else parks in paid city parking garages near the office, and none of those city garages has an electric charging station – shame on you, San Mateo.

Over the last two years we negotiated with our neighbors and started renting two additional parking spots near our office, but they weren’t side by side. It took some finagling, but we were able to play musical chairs and secure three spots together, all next to our office.

Once we were able to get those few parking spots together, we started on another project, putting in charging stations for the three spots that we had accumulated.

We experimented with a few different ones, but decided on the Bosch Power Max system, though we also kept a slightly smaller Leviton charger. These work like champions and are usually quick enough to charge most of our pure EV cars within 4 hours. Sometimes we swap cars in the middle of the day to let everyone get a sip of electricity for the commute home.

Backblaze electric charger

Helping Out

Given the lack of local electric charging stations, we decided to let other electric car enthusiasts use our stations during off hours (nights and weekends). We ask anyone who uses one of the charging stations (including us) to fill out one of the forms below. That way, if someone is using the charger and one of us comes back and needs the spot, we can contact them quickly. This works great on the weekends, when some of our employees tend to come in for some quiet work time. There are usually one or two cars charging at all times.

A Backblaze charger contact form.

Planning for Growth

As Backblaze keeps growing we know we’ll continue to have parking woes for those folks who drive to the office. We do have a number of employees who carpool or take public transportation to the office, but in our little section of California the car is still king, so we were thinking of getting some hydraulic lifts like the ones below, to increase our parkability. We’re sure the neighbors won’t mind at all.

A 3-car car lift.

The post Usually Red Backblaze Going Green appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Schneier on Security: “Hinky” in Action

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In Beyond Fear I wrote about trained officials recognizing “hinky” and how it differs from profiling:

Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car’s trunk, even though he was wanted by the Canadian police. On the other side of the Strait of Juan de Fuca, at Port Angeles, Washington, Ressam was approached by U.S. customs agent Diana Dean, who asked some routine questions and then decided that he looked suspicious. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.” More questioning — there was no one else crossing the border, so two other agents got involved — and more hinky behavior. Ressam’s car was eventually searched, and he was finally discovered and captured. It wasn’t any one thing that tipped Dean off; it was everything encompassed in the slang term “hinky.” But the system worked. The reason there wasn’t a bombing at LAX around Christmas in 1999 was because a knowledgeable person was in charge of security and paying attention.

I wrote about this again in 2007:

The key difference is expertise. People trained to be alert for something hinky will do much better than any profiler, but people who have no idea what to look for will do no better than random.

Here’s another story from last year:

On April 28, 2014, Yusuf showed up alone at the Minneapolis Passport Agency and applied for an expedited passport. He wanted to go “sightseeing” in Istanbul, where he was planning to meet someone he recently connected with on Facebook, he allegedly told the passport specialist.

“It’s a guy, just a friend,” he told the specialist, according to court documents.

But when the specialist pressed him for more information about his “friend” in Istanbul and his plans while there, Yusuf couldn’t offer any details, the documents allege.

“[He] became visibly nervous, more soft-spoken, and began to avoid eye contact,” the documents say. “Yusuf did not appear excited or happy to be traveling to Turkey for vacation.”

In fact, the passport specialist “found his interaction with Yusuf so unusual that he contacted his supervisor who, in turn, alerted the FBI to Yusuf’s travel,” according to the court documents.

This is what works. Not profiling. Not bulk surveillance. Not defending against any particular tactics or targets. In the end, this is what keeps us safe.

TorrentFreak: Court: Google Can See Emails About MPAA’s Secret ‘SOPA Revival’

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In backroom meetings the MPAA and Mississippi State Attorney General Jim Hood discussed a plan to bring website blocking and search engine filtering back to the table after the controversial SOPA law failed to pass.

The plan, dubbed “Project Goliath,” became public through various emails that were released during the Sony Pictures leaks. In a response Google said that it was “deeply concerned” about the developments.

To counter the looming threat Google filed a complaint against Hood last December, asking the court to prevent Hood from enforcing a subpoena that addresses Google’s failure to take down or block access to illegal content, including pirate sites.

This resulted in a victory for Google with District Court Judge Henry Wingate putting the subpoena on hold. At the same time Google requested additional details from the Attorney General on his discussions with Hollywood.

During an oral hearing earlier this month Google requested various documents including an email conversation between MPAA’s Senior Vice President State Legislative Affairs Vans Stevenson and the Attorney General.

In addition, Google asked for copies of Word files titled “Google can take action,” “Google must change its behavior,” “Google’s illegal conduct,” and “CDA,” and any documents gathered in response to a request previously submitted by Techdirt’s Mike Masnick.

After a careful review District Court Judge Henry Wingate sided with Google, ordering Attorney General Hood to hand over the requested information before the end of the month.

Judge Wingate’s order

The documents will help Google to get to the bottom of the censorship efforts and to determine what role the MPAA played and what its contributions were.

Various emails that leaked after the Sony hack already revealed that the MPAA’s long-standing law firm Jenner & Block had drafted a subpoena and other communication the Attorney General could use against Google.

Many of the “Project Goliath” emails and documents are readily available after Wikileaks released them late last week, but nearly all details had already been made public after the leaks first surfaced.

Interestingly, in one email the MPAA’s Vans Stevenson linked to a New York Times piece on how lobbyists court State Attorneys to advance their political agendas.

“FYI, first is a series of articles,” Stevenson wrote to several high level executives involved, not knowing that a follow-up would include “Project Goliath.”

Perhaps fittingly, New York Times’ journalist Eric Lipton won a Pulitzer prize for the series yesterday, for reporting “how the influence of lobbyists can sway congressional leaders and state attorneys general, slanting justice toward the wealthy and connected.”


Schneier on Security: Hacking Airplanes

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Imagine this: A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It sounds like the plot of some “Die Hard” reboot, but it’s actually one of the possible scenarios outlined in a new Government Accountability Office report on security vulnerabilities in modern airplanes.

It’s certainly possible, but in the scheme of Internet risks I worry about, it’s not very high. I’m more worried about the more pedestrian attacks against more common Internet-connected devices. I’m more worried, for example, about a multination cyber arms race that stockpiles capabilities such as this, and prioritizes attack over defense in an effort to gain relative advantage. I worry about the democratization of cyberattack techniques, and who might have the capabilities currently reserved for nation-states. And I worry about a future a decade from now if these problems aren’t addressed.

First, the airplanes. The problem the GAO identifies is one computer security experts have talked about for years. Newer planes such as the Boeing 787 Dreamliner and the Airbus A350 and A380 have a single network that is used both by pilots to fly the plane and passengers for their Wi-Fi connections. The risk is that a hacker sitting in the back of the plane, or even one on the ground, could use the Wi-Fi connection to hack into the avionics and then remotely fly the plane.

The report doesn’t explain how someone could do this, and there are currently no known vulnerabilities that a hacker could exploit. But all systems are vulnerable–we simply don’t have the engineering expertise to design and build perfectly secure computers and networks–so of course we believe this kind of attack is theoretically possible.

Previous planes had separate networks, which is much more secure.

As terrifying as this movie-plot threat is–and it has been the plot of several recent works of fiction–this is just one example of an increasingly critical problem: As the computers already critical to running our infrastructure become connected, our vulnerability to cyberattack grows. We’ve already seen vulnerabilities in baby monitors, cars, medical equipment and all sorts of other Internet-connected devices. In February, Toyota recalled 1.9 million Prius cars because of a software vulnerability. Expect similar vulnerabilities in our smart thermostats, smart light bulbs and everything else connected to the smart power grid. The Internet of Things will bring computers into every aspect of our life and society. Those computers will be on the network and will be vulnerable to attack.

And because they’ll all be networked together, a vulnerability in one device will affect the security of everything else. Right now, a vulnerability in your home router can compromise the security of your entire home network. A vulnerability in your Internet-enabled refrigerator can reportedly be used as a launching pad for further attacks.

Future attacks will be exactly like what’s happening on the Internet today with your computer and smartphones, only they will be with everything. It’s all one network, and it’s all critical infrastructure.

Some of these attacks will require sufficient budget and organization to limit them to nation-state aggressors. But that’s hardly comforting. North Korea is believed to have launched a massive cyberattack against Sony Pictures last year. Last month, China used a cyberweapon called the “Great Cannon” against the website GitHub. In 2010, the U.S. and Israeli governments launched a sophisticated cyberweapon called Stuxnet against the Iranian uranium enrichment facility at Natanz; it used a series of vulnerabilities to cripple centrifuges critical for separating nuclear material. In fact, the United States has done more to weaponize the Internet than any other country.

Governments only have a fleeting advantage over everyone else, though. Today’s top-secret National Security Agency programs become tomorrow’s Ph.D. theses and the next day’s hacker’s tools. So while remotely hacking the 787 Dreamliner’s avionics might be well beyond the capabilities of anyone except Boeing engineers today, that’s not going to be true forever.

What this all means is that we have to start thinking about the security of the Internet of Things–whether the issue in question is today’s airplanes or tomorrow’s smart clothing. We can’t repeat the mistakes of the early days of the PC and then the Internet, where we initially ignored security and then spent years playing catch-up. We have to build security into everything that is going to be connected to the Internet.

This is going to require both significant research and major commitments by companies. It’s also going to require legislation mandating certain levels of security on devices connecting to the Internet, and at network providers that make the Internet work. This isn’t something the market can solve on its own, because there are just too many incentives to ignore security and hope that someone else will solve it.

As a nation, we need to prioritize defense over offense. Right now, the NSA and U.S. Cyber Command have a strong interest in keeping the Internet insecure so they can better eavesdrop on and attack our enemies. But this prioritization cuts both ways: We can’t leave others’ networks vulnerable without also leaving our own vulnerable. And as one of the most networked countries on the planet, we are highly vulnerable to attack. It would be better to focus the NSA’s mission on defense and harden our infrastructure against attack.

Remember the GAO’s nightmare scenario: A hacker on the ground exploits a vulnerability in the airplane’s Wi-Fi system to gain access to the airplane’s network. Then he exploits a vulnerability in the firewall that separates the passengers’ network from the avionics to gain access to the flight controls. Then he uses other vulnerabilities both to lock the pilots out of the cockpit controls and take control of the plane himself.

It’s a scenario made possible by insecure computers and insecure networks. And while it might take a government-led secret project on the order of Stuxnet to pull it off today, that won’t always be true.

Of course, this particular movie-plot threat might never become a real one. But it is almost certain that some equally unlikely scenario will. I just hope we have enough security expertise to deal with whatever it ends up being.

This essay originally appeared on CNN.com.

EDITED TO ADD: News articles.

The Hacker Factor Blog: There’s No Fool Like an April Fool

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I stopped celebrating “April Fools Day” many years ago. There’s always someone pulling an unfunny joke, someone trying to hide the fact that they fell for it, and someone who doesn’t get the joke — taking it way too seriously. And most of the gags I’ve seen really haven’t been funny. Moreover, people seem to be doing gags all the time; April Fools day just isn’t special anymore.

In the last two weeks, I have seen three computer security articles where people have just behaved like idiots. In one case, it’s the vendors. In another, it’s the security researcher. And in the third, it’s law enforcement. With these news reports, I find it hard to believe that it isn’t April 1st.

Car Hacking

There are some things that people in the security community have known for years but have not been made public yet. The reason is usually that experts are working (or trying to work) with vendors to fix the problems. The bigger the problem, the longer it may take to fix. Whispers among small groups of people with the knowledge may go on for years before some problems are resolved. In many cases, the fixes are performed quietly since a public announcement will only benefit the bad guys during a slow roll-out. These are usually the cases where informing the public will educate criminals, without any viable solution for the public.

However, sometimes the vendors become non-responsive. That’s when vulnerabilities with no solution are often made public.

Earlier this month, news outlets reported on an upcoming security presentation about car hacking. Keep in mind, talks on car hacking have been going on for a decade. In this latest exploit, the attacker only needs a $20 amplifier that can fit in your hand to unlock your keyless-entry car. (Funny… the same exploit was discussed two years ago, when it only cost $5.)

Attacks against this keyless entry system have ranged from cracking the weak cryptography (2006) to record and playback attacks (2010).

So here’s the exploit (as detailed by various news outlets)… New keyless-entry cars just require the key near the car in order to unlock. What’s really happening is that the car is constantly sending out a cryptographic challenge over a wireless frequency to the key. The car uses a low power radio signal, so the key has to be very close to hear the challenge. If the key is near enough (usually within a few inches) then it hears the challenge, issues a response, and the car unlocks.

In this latest attack (which is actually from 2013), an amplifier just replays the car’s query louder. Rather than needing the key within a few inches, it can be a few hundred feet away and it will still respond. The amplifier hears the whispered response from the distant key and repeats it so the car can hear it. In the radio community, this is a basic radio repeater — it is technology that has been around for about a century. There’s no need for decryption and no interfering with the signal; the signal is just made louder so it has a larger range.
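The exchange described above, as an added example that is not part of the original post and not code from any vehicle vendor: a fob answers a random challenge with a MAC, the car checks the MAC, and a relay in the middle forwards both messages unchanged. Everything numeric is constructed for illustration (HMAC-SHA256 stands in for the proprietary car/fob MAC, and a simulated round-trip time in nanoseconds stands in for the radio channel). The relay never alters a byte, so the vulnerable car accepts the relayed response; the only evidence the relay leaves is time, which is what the hardened variant checks.

```python
"""Passive keyless entry as challenge/response, and the amplifier (relay) attack on it.
Added example; not code from the Hacker Factor post or any vehicle vendor.
All constants are constructed: HMAC-SHA256 over a random nonce stands in for the
car/fob MAC, and a simulated round-trip time (ns) stands in for the radio channel."""
import hashlib
import hmac
import os
from typing import Dict, Optional

NS_PER_METRE = 3.3           # constructed: radio propagation, ~3.3 ns per metre of path
FOB_PROCESSING_NS = 500      # constructed: time the fob takes to compute its response
RELAY_ELECTRONICS_NS = 2000  # constructed: receive/amplify/retransmit cost of the repeater
CAR_LF_RANGE_M = 1.0         # constructed: how far the car's low-power challenge carries
RTT_BUDGET_NS = 700          # hardened car: longest round trip a fob inside range can need


class KeyFob:
    """The fob answers whatever challenge it hears; it cannot tell how far away the car is."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    """rtt_budget_ns=None reproduces the vulnerable design: a valid MAC is all it checks."""

    def __init__(self, secret: bytes, rtt_budget_ns: Optional[int] = None) -> None:
        self._secret = secret
        self._rtt_budget_ns = rtt_budget_ns
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)  # fresh nonce: a recorded response cannot be replayed
        return self._pending

    def verify(self, response: bytes, rtt_ns: float) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()
        self._pending = None
        if not hmac.compare_digest(expected, response):
            return False
        # The relay forwards the bytes untouched, so timing is the only trace it leaves.
        if self._rtt_budget_ns is not None and rtt_ns > self._rtt_budget_ns:
            return False
        return True


def unlock_attempt(car: Car, fob: KeyFob, fob_distance_m: float, relayed: bool = False) -> bool:
    """One challenge/response round. relayed=True puts the attacker's repeater in the path."""
    challenge = car.challenge()
    if fob_distance_m > CAR_LF_RANGE_M and not relayed:
        return False                    # fob never hears the challenge, so never answers
    response = fob.respond(challenge)   # the relay forwards the same bytes in both directions
    rtt_ns = 2 * fob_distance_m * NS_PER_METRE + FOB_PROCESSING_NS
    if relayed:
        rtt_ns += RELAY_ELECTRONICS_NS
    return car.verify(response, rtt_ns)


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios: key at the front door (0.5 m) or indoors (30 m from the car)."""
    secret = os.urandom(32)             # constructed shared key, paired at the factory
    fob = KeyFob(secret)
    wrong_fob = KeyFob(os.urandom(32))
    vulnerable = Car(secret)
    hardened = Car(secret, rtt_budget_ns=RTT_BUDGET_NS)
    return {
        "vulnerable, fob at the door": unlock_attempt(vulnerable, fob, 0.5),
        "vulnerable, wrong fob at the door": unlock_attempt(vulnerable, wrong_fob, 0.5),
        "vulnerable, fob indoors, no relay": unlock_attempt(vulnerable, fob, 30.0),
        "vulnerable, fob indoors, relayed": unlock_attempt(vulnerable, fob, 30.0, relayed=True),
        "hardened, fob at the door": unlock_attempt(hardened, fob, 0.5),
        "hardened, fob indoors, relayed": unlock_attempt(hardened, fob, 30.0, relayed=True),
    }


if __name__ == "__main__":
    for scenario, unlocked in run_scenarios().items():
        print(f"{scenario:36} -> {'UNLOCKED' if unlocked else 'locked'}")
```

The round-trip budget is the idea behind distance bounding: because the challenge is fresh, the fob cannot answer before it hears it, and the speed of light caps how far away an answer within the budget can have come from. Doing this for real is much harder than the simulation suggests, since the bound has to be enforced at the physical layer with nanosecond precision and the attacker can shave the fob's processing time; the cheap mitigations available to an owner are a fob that stops responding when it has not moved, or a shielded pouch.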

There comes a point when vendors fail to fix a problem and it must be made public. This usually happens when bad guys are actively using the exploit. Making these details public won’t help the bad guys, since they already know about it. But public disclosure will inform the public and force legal repercussions onto the vendors.

In this case, the bad guys clearly know about this. Back in 2013, police announced that they were stumped by some car thefts. They included a video where the criminals walk up to the car, hold a small device in their hand, and the car unlocks. This happened outside a residence, where we can assume the key was probably less than a hundred feet from the car. (If the car doesn’t unlock, then the key is probably too far away to hear the amplified signal.)

When I first heard of the car break-ins (in 2013) I started asking around. The exploit had been known to some people in the security community for over a year. They had been trying to get the vendors to address the problem. It is no surprise to me that someone would make the details public years later, since vendors are still rolling out the same keyless entry system in even more vehicles.

Airplane Hacking

While I may be critical of them, I have a lot of respect for the Electronic Frontier Foundation. They stand up for computer security researchers, challenge governments and corporations that violate our digital freedoms, and advise us on ways to stay safe online. However, sometimes I question the battles that the EFF is willing to fight…

Last week, security researcher Chris Roberts was detained by the FBI. He had been planning to speak at the upcoming RSA conference on airplane insecurity (how to hack airplanes while sitting in coach). The FBI confiscated his equipment but eventually released him. However, that wasn’t the end of it…

On his way to the conference, United Airlines refused to let him board the plane. Roberts was lucky to get on a different airline in order to make it to the conference. According to the EFF:

Our client, Chris Roberts, a founder of the security intelligence firm One World Labs, found himself detained by the FBI earlier this week after tweeting about airplane network security during a United Airlines flight. When Roberts landed in Syracuse, he was questioned by the FBI, which ultimately seized a number of his electronic devices. EFF attorneys now represent Roberts, and we’re working to get his devices back promptly. But unfortunately last week’s tweet and FBI action isn’t the end of the story.

Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is scheduled to present on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.

Reading the report from the EFF, one would think that the FBI and United Airlines were trying to stop the presentation, hinder his freedom of speech, and enforce security by obscurity. However, the EFF left out one major detail: Roberts had tweeted a threat to the airlines.

https://twitter.com/Sidragon1/status/588433855184375808

In this tweet, Roberts explicitly listed attacks he could do on the airplane.

Keep in mind, talking about how to make bombs in an airport, how to shoot up a school, or how to take down an airplane before getting on a plane is still plotting to kill people. Even if said as a joke (not funny) or if he had no real intent.

I’m not an attorney, but it should be obvious that Freedom of Speech does not give you the freedom to cause panic or harm. As ruled in Schenck v. United States (249 U.S. 47, 1919), the First Amendment does not allow you to cause panic by shouting fire in a crowded theater. Tweeting about ways to take down an airplane that you are about to board seems no different to me.

Chris Roberts even knew that these actions were likely illegal, as he tweeted in follow-ups:

Frankly, I’m surprised that the FBI let him go. And I don’t blame United Airlines for exercising their right to refuse service to someone who threatened the safety of their airline.

Do I think the airlines have a security problem that needs to be addressed? Definitely. Do I think that the airline manufacturers and network providers (e.g., Boeing and Cisco) are intentionally ignoring the problem? Yes. Do I think Chris Roberts should give his presentation? Absolutely. But I also think Roberts was a dumb-ass for tweeting his “joke”.

In the case of Roberts, I doubt that anyone would have interfered with him if he did not tweet his joke. I’m looking forward to hearing how the EFF plans to defend this type of threatening speech that was clearly intended to cause panic.

Felony for an 8th Grader

Less than two weeks ago, the Tampa Bay Times reported on an eighth-grader at Paul R. Smith Middle School in Holiday, Florida. The kid had used the teacher’s computer and pulled a prank; he “changed the background image on a teacher’s computer to one showing two men kissing.” The kid was charged with “offense against a computer system and unauthorized access, a felony.”

(Note: Even though news articles repeatedly mention his name, I’m not naming the kid here because he is a minor.)

The article even quotes Sheriff Chris Nocco: “Even though some might say this is just a teenage prank, who knows what this teenager might have done.” To this, I feel that I need to personally respond to the sheriff…

Dear Sheriff Nocco:

Changing a background picture is not the same as stealing cars or threatening to take down airplanes. It’s a prank and nobody got hurt — except the kid, who is probably scarred for life. If you do not see the difference between changing a background picture and the threats dreamed up by your wild imagination, then you need to take some technology courses. And if you cannot see the difference between a prank and a threat, then you need to choose a new occupation.

The article mentions a lot of details about this case. I hope that the kid’s attorney is focusing on these items:

  • The article says that the kid “logged onto the school’s network on March 31 using an administrative-level password without permission.” If he had the password, then he had permission. He did not hack the system; he used it as it was designed.
  • The article says that this happened on March 31 and that the teacher was out that day. This means that the teacher would see it the next day, on April 1st (April Fools Day). This goes along with it being a harmless prank.
  • “One of the computers [the kid] accessed also had encrypted 2014 FCAT questions stored on it, though the sheriff and Pasco County School District officials said [the kid] did not view or tamper with those files.” If the kid did not attempt to access, view, or tamper with those files, then this clearly goes toward the kid’s intent as a prank and not anything malicious.
  • The kid was interviewed at his home and mentioned that ‘students would often log into the administrative account to screen-share with their friends’. (I’m quoting the Tampa Bay Times and not the kid’s actual words.) This shows that using the administrative account was common practice and acceptable behavior. If it wasn’t acceptable, then the administrators would have stopped this behavior before the kid changed the background.
  • The Tampa Bay Times noted that the kid discovered the password by watching the teacher type it in. The purpose of a classroom is for a teacher to show students new concepts. If the teacher showed any student how to login, then the child clearly learned well in this classroom environment.
  • The most startling part is where the Tampa Bay Times wrote, “It was a well-known trick … because the password was easy to remember: a teacher’s last name.” *sigh* At least the password wasn’t “abcde” — like some voting machines in Virginia. If someone intentionally chooses a weak password, then it implies that someone thinks that the system does not need to be secured. Simple patterns (“abcde”, “12345”, etc.), common words (“password”), and personal names have topped the lists of bad password choices for decades.
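An acceptance check that would have rejected the password this list describes, as an added example that is not code from the Hacker Factor post or from the school district. The blocklist, keyboard rows and user records are constructed for illustration; the point is that a password derived from something the user's students and colleagues already know (a surname, a username) is not a secret, and that sequential and keyboard-row runs are caught by pattern, not by list.

```python
"""Password-acceptance check for the weak-credential failures described above.
Added example; not code from the Hacker Factor post or the school district.
The blocklist, keyboard rows and user records are constructed for illustration."""
import re
from typing import Dict, Optional

MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "letmein", "welcome", "admin", "changeme"}  # constructed, short
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_sequential_run(s: str, n: int) -> bool:
    """True if n adjacent characters step by exactly +1 or -1 in code point ('abcde', '54321')."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_run(s: str, n: int) -> bool:
    """True if s contains n adjacent keys from one keyboard row, in either direction."""
    for row in KEYBOARD_ROWS:
        for candidate in (row, row[::-1]):
            for i in range(len(candidate) - n + 1):
                if candidate[i:i + n] in s:
                    return True
    return False


def reject_reason(password: str, user: Dict[str, str]) -> Optional[str]:
    """Return why the password is unacceptable, or None if it passes every check.

    user maps attribute names to values the account holder is known by
    (last name, username, e-mail); any token of three or more characters
    drawn from them must not appear in the password."""
    norm = password.lower()
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if norm in COMMON_PASSWORDS:
        return "on the common-password list"
    for field, value in user.items():
        for token in re.split(r"[^a-z0-9]+", value.lower()):
            if len(token) >= 3 and token in norm:
                return f"contains the user's {field} ({token!r})"
    if _has_sequential_run(norm, 5):
        return "contains a sequential run such as abcde or 12345"
    if _has_keyboard_run(norm, 5):
        return "contains a keyboard-row run such as qwerty"
    return None


if __name__ == "__main__":
    # Constructed account record for a hypothetical teacher.
    teacher = {"last_name": "Smith", "email": "j.smith@example.org"}
    for candidate in ("Smith", "Smith-Room-2014!", "abcdefghijkl!", "correct horse battery staple"):
        print(f"{candidate!r}: {reject_reason(candidate, teacher) or 'accepted'}")
```

The user-derived check runs before the pattern checks on purpose: the reason reported back should be the one the person can act on, and "your password is your surname" is more instructive than "too short". In a deployment the blocklist would be a breached-password corpus rather than five words, and the same function would run on the administrative accounts that the students were sharing, not only on new sign-ups.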

If the kid gets a felony for this, then the teacher should get life. I’m not an attorney, but I can easily see that the teachers (both the regular teacher and the substitute) should be charged with Contributing to the Delinquency of a Minor, Attractive Nuisance, and Child Neglect. In particular, the child was left alone with the teacher’s computer after being shown how to log in to it. I’m sure an attorney could come up with even more charges.

The EFF pointed out some of these issues in their own report. The EFF describes the Florida law as using “overbroad and insensible language” and being applied arbitrarily. They also point out that the “school had terrible operational security where weak passwords, teachers entering passwords in front of students, and students regularly using teacher credentials, was prevalent.”

The news article ends with a warning from Sheriff Nocco: “If information comes back to us and we get evidence (that other kids have done it), they’re going to face the same consequences.”

In my opinion, Sheriff Nocco is an idiot. You don’t charge an inquisitive child with a felony for a harmless prank. The child should get off with nothing more than a reprimand. And if he is this creative and this tech savvy, then he should be placed in an environment that nurtures and directs his talents toward a beneficial outcome. (Why not have the kids suggest how to strengthen the school’s computer security, since clearly the teachers do not know?) In contrast, the teacher and the school should face heavy repercussions for failing to provide a safe environment for these children, failing to secure their computer systems, and failing to provide adequate guidance. And Sheriff Nocco should take an early retirement before he gets charged with something more serious, like restricting the child’s creative outlet (a First Amendment violation).

Not Joking

It is long after April 1st, but we still have people acting like idiots. Car vendors should have acted upon these exploits when they learned of the risks. Security researchers should not make jokes about technologies that put lives in danger. And law officers should not treat pranks as felonies. On the Internet, every day seems like April Fools Day.