Posts tagged ‘Other’

Errata Security: CyberUL is a dumb idea

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Peiter “mudge” Zatko is leaving Google, asked by the White House to create a sort of a cyber “Underwriter Laboratories” (UL) for the government. UL is the organization that certifies electrical devices, so that they don’t short out and zap you to death. But here’s the thing: a CyberUL is a dumb idea. It’s the Vogon approach to the problem. It imagines that security comes from a moral weakness that could be solved by getting “serious” about the problem.

It’s not the hacking problem

According to data-breach reports, 95% of all attacks are simple things, like phishing, SQL injection, and bad passwords – nothing related to software quality. The other 5% is because victims are using old, unpatched software. When exploits are used, it’s overwhelmingly for software that has remained unpatched for a year.

In other words, CyberUL addresses less than 0.1% of real-world attacks.

It’s not the same quality problem

UL is about accidental failures in electronics. CyberUL would be about intentional attacks against software. These are unrelated issues. Stopping accidental failures is a solved problem in many fields. Stopping attacks is something nobody has solved in any field.

In other words, the UL model of accidents is totally unrelated to the cyber problem of attacks.

Security is a tradeoff

Security experts ignore the costs of fixing security. They assume that it is due to moral weakness, and that getting tough is all that’s needed.

That’s not true. Improving security comes at great cost, in terms of price, functionality, or usability. Insecurity happens not because people are weak, but because the tradeoffs aren’t worth it. That’s why you have an iPhone, which can get hacked, instead of a 1980s era feature-phone that can do little more than make phone calls – you find the added risk worth the tradeoffs.

The premise of a CyberUL is that people are wrong, that more tradeoffs must be imposed against their will in order to improve cybersecurity, such as increasing the price, removing features, or making products hard to use.

Rules have a cost

Government already has the “Common Criteria” rules. They are all for obviously good things, like masking a password with **** when users type it in. But here’s the thing: while the actual criteria are easy and straightforward, they’re buried in layers of bureaucracy. It costs at least $1 million to get a product certified with Common Criteria.

OPM invested millions in dealing with similar bureaucratic regulations. It’s not that they had no security – it’s that their security people spent all their time with bureaucracy. They ignored basic problems like SQLi, phishing, bad passwords, and patches because compliance consumed all their budget and time.

Do you even government?

People believe that wise CyberUL administrators will define what’s right based on their own expertise. This is nonsense – rules will be designed according to whoever spends the most on lobbyists. It’s the same thing that happens in every industry.

As soon as the White House starts a CyberUL, Oracle, Microsoft, and Cisco will show up offering to help. Whatever rules are created will be those that favor those three companies at the expense of smaller companies.

Government doesn’t follow the rules, anyways

Government agencies don’t follow the rules anyway. There are so many impossibly onerous rules in government that complaining and getting an exception is the norm. That’s why, for example, the Navy just gave Microsoft $20 million to continue to support WinXP – a 15-year-old operating system – which is otherwise against the rules.

Conclusion

A CyberUL is an absurd idea, being unrelated to the problem it purports to solve. The only reason people take it seriously is that they are secretly fascist at heart. They aren’t interested in solving the problem of cybersecurity, because that’s hard. Instead, they want to tell other people what to do, because that’s easy.

SQLi, phishing, bad passwords, and lack of patches are the Four Horsemen of the cybersecurity apocalypse, not software quality. Unless you are addressing those four things, you are doing essentially nothing to solve the problem.

LWN.net: Linux Foundation Announces R Consortium

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

The Linux Foundation has announced the R Consortium. “The R language is used by statisticians, analysts and data scientists to unlock value from data. It is a free and open source programming language for statistical computing and provides an interactive environment for data analysis, modeling and visualization. The R Consortium will complement the work of the R Foundation, a nonprofit organization based in Austria that maintains the language. The R Consortium will focus on user outreach and other projects designed to assist the R user and developer communities.

Founding companies and organizations of the R Consortium include The R Foundation, Platinum members Microsoft and RStudio; Gold member TIBCO Software Inc.; and Silver members Alteryx, Google, HP, Mango Solutions, Ketchum Trading and Oracle.”

Raspberry Pi: Naturebytes wildlife cam kit

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: The wildlife cam kit has landed. If you’re a regular reader you’ll know we’ve been following the Naturebytes team’s work with great interest; we think there’s massive potential for bringing nature to life for kids and for adults with a bit of smart computing. Digital making for nature is here.

Naturebytes is a tiny organisation, but it’s made up of people whose work you’ll recognise if you follow Raspberry Pi projects closely; they’ve worked with bodies like the Horniman Museum, who have corals to examine; and with the Zoological Society of London (ZSL). Pis watching for rhino poachers in Kenya? Pis monitoring penguins in Antarctica? People on the Naturebytes team have worked on those projects, and have a huge amount of experience in wildlife observation with the Pi. They’ve also worked closely with educators and with kids on this Kickstarter offering, making sure that what they’re doing fits perfectly with what nature-lovers want. 

Today’s guest post is from Naturebytes’ Alasdair Davies. Good luck with the Kickstarter, folks: we’re incredibly excited about the potential of what you’re doing, and we think lots of other people will be too.

We made it! (quite literally). Two years after first being supported by the Raspberry Pi Foundation’s Education Fund and the awesome folk over at Nesta, we finally pressed the big red button and went into orbit by launching the Naturebytes Wildlife Cam Kit – now available via Kickstarter.

This is the kit that will fuel our digital making for nature vision – a community of Raspberry Pi enthusiasts using the Pi to help monitor, count, and conserve wildlife; and have a hell of a lot of fun learning how to code and hack their cam kits to do so much more – yes, you can even set it up to take chicken selfies.

We’ve designed it for a wide range of audiences, whether you’re a beginner, an educator, or a grandma who just wants to capture photos of the bird species in the garden and share them with her grandchildren – there’s something for everyone.

This was the final push for the small team of three over at Naturebytes HQ. A few badgers, 2,323 coffees, 24 foxes, and a Real Time Clock later, we signed off the prototype cam kit last week, and are proud of what we’ve achieved thanks to the support of the Raspberry Pi Foundation that assisted us in getting there.

We also get the very privileged opportunity of appearing in this follow-up guest blog, and my, how things have changed since our first appearance back in September 2014. We thought we’d take you on a quick tour to show you what we’ve changed on the kit since then, and to share the lessons learnt during our R&D, before ending with a look at some of the creative activities people have suggested the kit be used for. Suggest your own in the comments, and please do share our Kickstarter far and wide so we can get the kits into the hands of as many people as possible.

Then and now – the case.

Our earlier prototype was slick and thin, with a perspex back. Once we exposed it to the savages of British weather, we soon had to lock down the hatches and toughen up the hinges to create the version you see today. The bird feeder arm was also reinforced and a clip on mechanism added for easy removal – just one of the lessons learnt when trialing and testing.

[Image: the final cam kit case]

[Images: the final cam kit features]

Schools and Resources

A great deal of our development time has focused on the creation of a useful website back end and resource packs for teachers and educators. For Naturebytes to be a success we knew from the start that we’d need to support teachers wishing to deliver activities, and it’s paramount to us that we get this right. In doing so, we tagged along with the Foundation’s Picademy to understand the needs of teachers and to create resources that will be both helpful and accessible.

Print your own

We’ve always wanted to make it as easy as possible for experienced digital makers to join in, so the necessary 3D print files will now be released as open source assets. For those with their own Pi, Pi cam and custom components, we’ve created a developer’s kit too that contains everything you need to finish a printed version of the cam kit (note – it won’t be waterproof if you 3D print it yourself).

You can get the Developer’s Kit on Kickstarter.

The Experience

Help us develop a fantastic experience for Naturebytes users. We hope to make a GUI and customised Raspbian OS to help users get the most from the cam kit.

It’s not much fun if you can’t share your wildlife sightings with others, so we’re looking at how to build an experience on the Pi itself. It will most likely be in the form of a Python GUI that boots at startup with a modified Raspbian OS to theme up the desktop. Our end goal is the creation of what we are calling “Fantastic Fox” – a simple-to-use Raspbian OS with pre-loaded software and activities together with a simple interface to submit your photos etc. This will be a community-driven build, so if you want to help with its development, please contact us and we’ll get you on board.

Creative activities

This is where the community aspect of Naturebytes comes into play. As everyone’s starting with the same wildlife cam kit, whether you get the full complete kit from us or print your own, there are a number of activities to get you started. Here are just a few of the ones we love:

Participate in an official challenge

We’ll be hosting challenges for the whole community. Join us on a hedgehog hunt (photo hunt!) together with hundreds of others, and upload your sightings for the entire community to see. There will be hacking challenges to see who can keep their cams powered the longest, and even case modification design competitions too.

Identify another school’s species (from around the globe!)

Hook up a WiFi connection and you’ll be able to share your photos on the internet. This means that a school in Washington DC could pair up with a school in Rochdale and swap their photos once a day. An exciting opportunity to connect to other schools globally, and discover wildlife that you thought you might never encounter by peeking into the garden of a school a long way away.

Build a better home (for wildlife)

It’s not just digital making that you can get your hands into. Why not build a garden residence for the species that you most want to attract, and use the camera to monitor whether they moved in (or just visited to inspect)? A great family project, fuelled by the excitement of discovering that someone, or something, liked what you built for them.

Stamp the weather on it

There’s an official Raspberry Pi weather station that we love – in fact, we were one of the early beta testers and have always wanted to incorporate it into Naturebytes. A great activity would be connecting to the weather station to receive a snapshot of data and stamping that on to the JPEG of the photo your camera just created. Then you’ll have an accurate weather reading together with your photo!

Time-lapse a pond, tree or wild space

It’s fantastic to look through a year’s worth of photographic data within 60 seconds. Why not take a look at the species visiting your pond, tree or a wild space near you by setting up a time-lapse and comparing it with other Naturebytes users near you?

We’d love to hear your ideas for collaborative projects – please leave a note in the comments if you’ve got something to add!

The post Naturebytes wildlife cam kit appeared first on Raspberry Pi.

TorrentFreak: French Magazine Fined €10,000 For Encouraging Piracy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last summer the bimonthly computer magazine “Téléchargement,” French for “Download,” released an issue documenting the various ways people can pirate films, TV-shows, games and music on the Internet.

The cover featured a pirate skull and advertised “the best software and websites to download for free.”

The local music industry group SCPP was appalled by the controversial issue and decided to take legal action in response. According to the group’s CEO Marc Guez the magazine publishers had gone too far.

“A line had been crossed,” Guez told Next INpact. “This is a magazine which clearly and shamelessly incited piracy. That’s what prompted us to act.”

The music industry group highlighted what they believe were inciting passages. For example, it described torrent clients such as uTorrent and BitComet, noting that it’s easy to find infringing content through Google search.

“There’s no need to dive into the depths of the deep Web for pirate downloads, Google will make sure they’ll surface. With some clever keywords and in a handful of clicks you will fill your hard drives with joy and laughter,” it read.

“We offer an overview of the best torrent clients plus some tips and tricks to entertain you,” the magazine added.

Other passages of the magazine mentioned specific tips and websites where pirated content is available, mentioning how easy it is to download movies and music without paying for it.

SCPP took the magazine publisher to court claiming it had violated French copyright law. Specifically, they argued that the publisher willingly encouraged its readers to use software that’s predominantly used to share copyright infringing material.

Under French law it’s forbidden to “knowingly encourage” the use of software that’s clearly meant to infringe copyrights, with a maximum prison sentence of three years and a €300,000 fine.

The publisher contested the claims, noting that the magazine repeatedly emphasized that piracy is illegal. However, according to the court this was not enough.

Earlier this month the court of Nanterre handed down its verdict ruling that the publisher indeed went too far. The court issued a €10,000 fine, which is roughly the amount that was made through the sale of the magazine.

The music industry is happy with the outcome, noting that it’s the first time that a news outlet has been found guilty of inciting piracy under this section of copyright law. The ruling is final and can’t be appealed.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

lcamtuf's blog: Poland vs the United States: suburban sprawl

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

[ This is the eighth entry in a short series of articles about Poland. To start from the beginning, click here. ]

If you live in any other western country, your perception of the United States is bound to be profoundly influenced by Hollywood. You may think you’re immune to it, but you are not: sure, you can sneer at the ridiculous plot holes or the gratuitous patriotism in American blockbusters – but the establishing shots of high-rise cityscapes of Manhattan or Los Angeles will be seared into your mind. These images will color your expectations and your understanding of the country in more ways than you may expect.

Because of this phenomenon, urban dwellers from Europe who come to visit the US may be in for a surprise: the country will probably feel a lot more rural than they would have thought. They will get to marvel at the grand cities and the iconic skyscrapers; but chances are, this scenery will quickly morph not into the familiar urban jungle of massive apartment blocks seen throughout much of Europe, but into the endless suburban sprawl of single-family homes and strip malls.

For most Americans, this vast, low-density suburban landscape is the backdrop of their everyday lives. Take San Francisco: just 800,000 people live in the city proper. The San Francisco Bay Area, the home to 8 million residents and the location of the largest and most influential tech hub in the world, is nothing more than an enormous stretch of greenery peppered with detached homes, unassuming two-story office buildings, and roadside car dealerships. Heck, even New York City, by far the largest urban conglomeration in America, is just a blip on the radar compared to the colossal suburban sprawl that engulfs the region – stretching all the way from Massachusetts to Washington D.C.

The raw numbers paint a similar picture: in Poland, the average population density is around 125 people per square kilometer; in the more densely populated Germany, the figure is closer to 220. In comparison, with fewer than 35 people per km², the United States comes out looking like a barren wasteland. The country has many expanses of untouched wilderness – and quite a few rural regions where the residents get by without so much as a postal address, a nearby fire station, a police department, or a hospital.

Awareness of the predominantly suburban and rural character of much of the US is vital to understanding some of the national stereotypes that may seem bizarre or archaic to urban-dwelling Europeans. It certainly helps explain the limited availability of public transportation, or the residents’ love for rifles and gas-guzzling pickup trucks. The survivalist “prepper” culture, focused on self-sufficiency in the face of disaster, is another cultural phenomenon that, although seemingly odd, is not just pure lunacy; in the past few decades, millions of Americans had to evacuate or dig in in response to hurricanes, wildfires, earthquakes, or floods.

The stark difference between urban and rural living can also make it easier to grasp some of the ideological clashes between the big-city liberal progressives and the traditionally conservative dwellers of the so-called “flyover states”. Sometimes, the conservatives are simply on the wrong side of history; but on some other occasions, the city-raised politicians, scholars, and journalists are too eager to paint the whole nation with the same brush. Take something as trivial as car efficiency standards: they will rub you one way if you take the subway to the office and drive your compact car to the grocery store; and another if you ever needed to haul firewood or construction materials on the back of your Ford F-150.

TorrentFreak: Court Orders Namecheap to Identify Pirate Site Operator

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last month the long-running lawsuit between the RIAA and Grooveshark came to an end. However, within days a new site was launched aiming to take its place.

The RIAA wasn’t happy with this development and quickly obtained a restraining order, preventing domain registrars and hosting companies from offering their services to the site.

In response, Namecheap quickly suspended the site’s account. However, the “new” Grooveshark then relocated elsewhere and as of today the RIAA is still in the dark as to the identity of the owner.

Hoping to track this person down the music labels recently filed a motion to conduct expedited discovery. This would allow them to order third party services to hand over all personal information they have on the site’s operator.

“Defendants have continued to operate the counterfeit Service, concealing their identities and using multiple infringing domain names registered through at least three different domain name registrars,” the RIAA’s lawyers wrote in their motion.

According to the RIAA, help from other services is needed as they have “no alternative methods” to find out who is operating the “revived” Grooveshark site.

Late last week New York District Court Judge Alison Nathan agreed with the music labels, granting the motion against Namecheap and several other service providers (pdf).

In addition to Namecheap the court filing specifically mentions the “proxy” provider Cloudflare, domain name registrar Dynadot and hosting provider Nodisto.

The RIAA expects that these organizations will have crucial information including payment details and IP-addresses. Thus far none of the third-party service providers have objected to the order, and it’s unlikely that they will.

Coincidentally, Namecheap launched a campaign last week urging its users to protest a new proposal that would put an end to private domain name registrations for some site owners. However, the company does not object to court orders and has complied with similar ones previously.

Krebs on Security: Crooks Use Hacked Routers to Aid Cyberheists

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Cybercriminals have long relied on compromised Web sites to host malicious software for use in drive-by download attacks, but at least one crime gang is taking it a step further: New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware.

Ubiquiti Networks airRouter

Dyre (a.k.a. “Dyreza”) is generally installed by a downloader Trojan that is flagged by most tools under the name “Upatre.” The latter is most often delivered via malicious e-mails containing a link which directs unsuspecting users to servers hosting malicious JavaScript or a basic redirection to a malicious payload. If the user clicks the malicious link, it may serve a bogus file — such as an invoice or bank statement — that, if extracted and opened, reaches out to an Upatre control server to download Dyre.

According to a recent in-depth report from Symantec, Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim’s credentials and send them to the attackers. Dyre is often used to download additional malware on to the victim’s computer, and in many cases the victim machine is added to a botnet which is then used to send out thousands of spam emails in order to spread the threat.

Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers — particularly routers powered by MikroTik and Ubiquiti’s AirOS.

“We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”

Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.

In January 2015, KrebsOnSecurity broke the news that the botnet used to attack and briefly knock offline Microsoft’s Xbox and Sony Playstation’s networks relied entirely on hacked routers, all of which appeared to have been compromised remotely via telnet.

Whether you use a router from Ubiquiti or any other manufacturer, if you haven’t changed the default credentials on the device, it’s time to take care of that. If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t. Pop on over to routerpasswords.com and look up the make and model of your router.

To see whether your credentials are the default, you’ll need to open up a browser and enter the numeric address of your router’s administration page. For most routers, this will be 192.168.1.1 or 192.168.0.1. This page lists the default internal address for most routers. If you have no luck there, here’s a decent tutorial that should help most users find this address. And check out my Tools for a Safer PC primer for more tips on how to beef up the security of your router and your Web browser.

TorrentFreak: Cloudflare Reveals Pirate Site Locations in an Instant

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Five years ago, discovering the physical location of almost any ‘pirate’ site was achievable in a matter of seconds using widely available online tools. All one needed was an IP address and a simple lookup.

As sites became more aware of the need for security, cloaking efforts became more commonplace. Smaller sites, private trackers in particular, began using tunnels and proxies to hide their true locations, hampering anti-piracy efforts in the process. Later these kinds of techniques were used on even the largest sites, The Pirate Bay for example.

In the meantime the services of a rising company called Cloudflare had begun to pique the interest of security-minded site owners. Designed to optimize the performance of sites while blocking various kinds of abuse, Cloudflare-enabled sites get to exchange their regular IP address for one operated by Cloudflare, a neat side-effect for a site wishing to remain in the shadows.

Today, Cloudflare ‘protects’ dozens – perhaps hundreds – of ‘pirate’ sites. Some use Cloudflare for its anti-DDoS capabilities but all get to hide their real IP addresses from copyright holders. This has the potential to reduce the number of DMCA notices and other complaints filtering through to their real hosts.

Surprisingly, however, belief persists in some quarters that Cloudflare is an impenetrable shield that allows ‘pirate’ sites to operate completely unhindered. In fact, nothing could be further from the truth.

In recent days a perfect example appeared in the shape of Sparvar (Sparrows), a Swedish torrent site that has been regularly hounded by anti-piracy outfit Rights Alliance. Sometime after moving to Canada in 2014, Sparvar began using the services of Cloudflare, which effectively cloaked the site’s true location from the world. Well, that was the theory.

According to an announcement from the site, Rights Alliance lawyer Henrik Pontén recently approached Cloudflare in an effort to uncover Sparvar’s email address and the true location of its servers. The discussions between Rights Alliance and Cloudflare were seen by Sparvar, which set alarm bells ringing.

“After seeing the conversations between Rights Alliance and server providers / CloudFlare we urge staff of other Swedish trackers to consider whether the risk they’re taking is really worth it,” site staff said.

“All that is required is an email to CloudFlare and then [anti-piracy companies] will have your IP address.”

As a result of this reveal, Sparvar is now offline. No site or user data has been compromised but it appears that the site felt it best to close down, at least for now.

This obviously upset users of the site, some of whom emailed TorrentFreak to express disappointment at the way the situation was handled by Cloudflare. However, Cloudflare’s terms and conditions should leave no doubt as to how the company handles these kinds of complaints.

In one clause, in which Cloudflare reserves the right to investigate not only sites but also their operators, it’s made crystal clear what information may be given up to third parties.

“You acknowledge that CloudFlare may, at its own discretion, reveal the information about your web server to alleged copyright holders or other complainants who have filed complaints with us,” the company writes.

The situation is further underlined when Cloudflare receives DMCA notices from copyright holders and forwards an alert to a site using its services.

“We have provided the name of your hosting provider to the reporter. Additionally, we have forwarded this complaint to your hosting provider as well,” the company’s abuse team regularly advises.

While Cloudflare itself tends not to take direct action against sites it receives complaints about, problems can mount if a copyright holder is persistent enough. Just recently Cloudflare was ordered by a U.S. court to discontinue services to a Grooveshark replacement. That site is yet to reappear.

Finally, Sparvar staff have some parting advice for other site operators hoping to use Cloudflare services without being uncovered.

“We hope that you do not have your servers directly behind CloudFlare which means a big security risk. We hope and believe that you are also running some kind of reverse proxy,” the site concludes.

At the time of publication, Henrik Pontén of Rights Alliance had not responded to our requests for comment.

TorrentFreak: Malwarebytes Offers Pirates Free “Amnesty” Keys

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Like most other popular software, Malwarebytes has many unauthorized users who use cracks or keygens to unlock the program’s paid features.

Traditionally, Malwarebytes has taken a fairly lenient stance towards pirates. Two years ago the company started tracking down this group of users, asking them kindly not to steal the software.

Now, the San Jose company has a new surprise in store. A few days ago Malwarebytes began scanning for pirate and counterfeit keys, as part of an upgrade of its licensing system.

Those found to have used an “abused” key then get the “amnesty” option to upgrade their software for a year without any cost, replacing the pirate key with a legitimate one.

“Malwarebytes is offering a free replacement key for Malwarebytes Anti-Malware Premium customers who have been inconvenienced by piracy or abuse. This new key will be exclusive to you going forward,” the company explains on its website.

Malwarebytes free upgrade

While the offer is certainly generous, it’s also a necessity because legitimate and pirate keys are often duplicates. This means that pirates and paid users have the same keys.

Going forward, Malwarebytes will use a more advanced license key algorithm which prevents this from happening. This means that it will be harder for pirates to get a free copy after their one year subscription expires.

Interestingly, those who choose the second “I purchased my key” option get a lifetime subscription at no cost.

Malwarebytes’ Bruce Harrison previously told TorrentFreak that they don’t plan to crack down too hard on pirates.

“Piracy is not really a huge problem for us in my opinion. There are a lot of people who simply won’t pay for our software and being aggressive against them won’t change that,” Harrison said.

Offering amnesty to pirates is in line with this stance. It certainly isn’t an aggressive move and could even trigger some to pay up when the free offer runs out.


TorrentFreak: Anti-Piracy Outfits Boost Numbers With Bogus Takedown Notices

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Four years ago Google decided to publish detailed statistics of all the takedown notices it receives for its search engine.

Since then, the number of requests has skyrocketed. The increase in notices is partly the result of their public nature, with anti-piracy groups proudly revealing how many URLs they have removed.

Over the past several years TF has spoken to insiders on condition of anonymity, and several mentioned that this PR-angle is hurting the validity of the requests. Some anti-piracy outfits are more concerned with the volume of requests than their accuracy.

“There are a number of automated services sending endless duplicate DMCA Notices to Google,” said ‘Jack,’ the owner of a boutique takedown company.

These duplicate requests include many URLs which have been removed previously (e.g. 1, 2, 3). This means that they don’t add anything in terms of effectiveness. However, Google does add them to the overall statistics.

“Consequently, anti-piracy companies can make it look like they’re doing far more work than they actually are and thus improve their business development, sales or PR story,” Jack added.

Whether the duplicate notices are intentional or just the result of a shoddy system will be hard to prove conclusively. But they do stand out, together with other dubious issues that boost the numbers.

Earlier this week the operator of popular MP3 search engine MP3Juices.is alerted us to an increasing number of fake notices, listing URLs that were never indexed by Google at all.

Instead of pointing to pages indexed by Google’s search engine, they list search URLs such as the following, taken from a recent takedown request:

http://mp3juices.is/search?q=Kay+One+Intro&hash=2accae5374d2477fnprt4f

These search pages are not indexed by Google, so can’t be removed. Also, MP3juices generates a unique hash for each search, but in the notices the same hash is used over and over again for different search terms.

This means that the search URLs are generated through a simple script instead of being the result of actual searches. In addition, the same keywords are used across different sites, as the image below shows.
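The two tells described above, search URLs that Google never indexed and one hash value reused across unrelated search terms, can be checked mechanically. The script below is an added example, not MP3Juices’ or MUSO’s code; the first URL is the one quoted in the article, the rest of the notice is constructed here to show the pattern.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample notice. The first URL is the one quoted in the article;
# the others are made up here to illustrate the pattern it describes:
# one "hash" value paired with several different search terms.
SAMPLE_NOTICE_URLS = [
    "http://mp3juices.is/search?q=Kay+One+Intro&hash=2accae5374d2477fnprt4f",
    "http://mp3juices.is/search?q=Sample+Song+A&hash=2accae5374d2477fnprt4f",
    "http://mp3juices.is/search?q=Sample+Song+B&hash=2accae5374d2477fnprt4f",
    # constructed: a search URL whose hash is unique, as a real search would produce
    "http://mp3juices.is/search?q=Sample+Song+C&hash=c0ffee0000000000000001",
    # constructed: a non-search page path, i.e. something Google could actually index
    "http://mp3juices.is/track/sample-song-a.html",
]


def classify_notice_urls(urls):
    """Return (search_urls, reused_hashes) for one takedown notice.

    search_urls: the URLs that are merely dynamic search pages, which Google
                 does not index and therefore cannot remove.
    reused_hashes: hash value -> sorted list of distinct search terms it was
                 paired with, for every hash seen with two or more terms.
                 A genuine search generates a unique hash per query, so any
                 entry here points to script-generated URLs.
    """
    search_urls = []
    terms_by_hash = defaultdict(set)
    for url in urls:
        parts = urlparse(url)
        if parts.path.rstrip("/") != "/search":
            continue  # not a search page; nothing suspicious about the path itself
        search_urls.append(url)
        query = parse_qs(parts.query)  # '+' is decoded to a space here
        term = query.get("q", [""])[0]
        digest = query.get("hash", [""])[0]
        if term and digest:
            terms_by_hash[digest].add(term)
    reused = {h: sorted(t) for h, t in terms_by_hash.items() if len(t) > 1}
    return search_urls, reused


def is_bogus_notice(urls, min_search_share=0.5):
    """Flag a notice when most of its URLs are search pages or any hash is reused."""
    search_urls, reused = classify_notice_urls(urls)
    if not urls:
        return False
    return bool(reused) or len(search_urls) / len(urls) >= min_search_share


if __name__ == "__main__":
    searches, reused = classify_notice_urls(SAMPLE_NOTICE_URLS)
    print(f"{len(searches)} of {len(SAMPLE_NOTICE_URLS)} URLs are un-indexable search pages")
    for digest, terms in reused.items():
        print(f"hash {digest} reused for {len(terms)} different terms: {terms}")
    print("bogus notice:", is_bogus_notice(SAMPLE_NOTICE_URLS))
```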


“MUSO is the main offender, they’re sending dynamically generated (fake) URLs created by their poorly written script. They don’t even verify if the page exists,” MP3Juices informed TF.

In addition, and this is the case for many outfits, most notices sent to Google are not sent to the site which actually hosts or links to the content.

“Only a minority of the notices are directly sent to us, the vast majority are sent to Google even though we remove reported URLs quicker than Google does. We also replace the page with a message encouraging users to use Amazon MP3 as a legal alternative,” MP3Juices said.

MP3Juices is not happy with the bogus takedown notices and plans to report the false claims to Google, not least since Google uses the takedown numbers to downrank websites in its search results.

MUSO didn’t answer any of our specific questions regarding the non-existing pages and search results, but provided a generic statement.

“We analyse over 12 million pages of content daily, across thousands of different hosting, streaming, P2P or search sites,” a MUSO spokesperson said.

“We are focused on providing a fast, efficient and transparent solution, and we welcome correspondence with all sites with whom we work to remove content, including MP3Juices.”


SANS Internet Storm Center, InfoCON: green: The EICAR Test File, (Sun, Jun 28th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

I’m sure most of you are familiar with the EICAR (European Institute for Computer Antivirus Research) test file. Your anti-virus application should detect the EICAR test file the same way it detects malicious files. But it is a test file, so of course the EICAR file is not malicious.

If you have doubts that an anti-virus application is working correctly, you use the EICAR test file. If the file is not detected, there is a problem.

If you have doubts that anti-virus alerts are properly delivered to your SIEM, you use the EICAR test file.

There are many examples where the EICAR test file comes in handy.

But using the EICAR test file has become more difficult over the years, because there are more and more security applications and devices that detect it. For example, downloading the EICAR test file in a corporate environment will often fail, because the anti-virus on your proxy will detect and block it.

That’s why I decided many years ago to create a program that writes the EICAR test file to disk when it is executed. The anti-virus program should not detect the EICAR test string inside my program (per the EICAR test file convention), but it should detect it when it’s written to disk. My program, EICARgen, worked fine for many years, but this has changed in the last couple of years. Now many anti-virus programs detect EICARgen as a dropper (malware that writes its payload to disk).

I developed a new version: now when EICARgen is executed, nothing happens. It will only write the EICAR test file to disk when you pass it the proper argument: EICARgen write.

And now I come to the point of this diary entry. This new version of EICARgen is not only able to write the EICAR test file to disk, but also a couple of container files that contain the EICAR test file: a ZIP file, a PDF file and an Excel file. This is useful to test the settings of your anti-virus. For example, if your anti-virus is configured to scan the content of ZIP files, then you can use EICARgen to test this: EICARgen.exe zip eicar.zip.
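The same design in a few lines of Python, as an added example that is not Didier’s EICARgen: the script does nothing unless told to write, it keeps the 68-byte string in two halves so the source file itself is not a complete EICAR file, and it can wrap the test file in a ZIP to check whether a scanner looks inside archives. It also checks the EICAR convention on what it writes (string at offset 0, only whitespace after it, at most 128 bytes in total).

```python
"""Write the EICAR test file to disk, plain or inside a ZIP, only on request."""
import sys
import zipfile

# The 68-byte EICAR test string, split in two so that this source file does
# not itself start with the complete signature. It is joined only at runtime,
# when a file is written; that file is what the scanner is expected to flag.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR",
    "-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR_LEN = 68
MAX_FILE_LEN = 128  # the convention allows trailing whitespace up to this size


def eicar_string() -> bytes:
    """Return the EICAR test string as bytes."""
    return "".join(_EICAR_PARTS).encode("ascii")


def is_valid_eicar_file(data: bytes) -> bool:
    """True if data is a file a scanner is expected to detect as EICAR:
    it starts with the 68-byte string, anything after it is whitespace,
    and the whole file is no longer than 128 bytes. A file that merely
    contains the string somewhere (like this script) does not qualify."""
    sig = eicar_string()
    if len(data) > MAX_FILE_LEN or not data.startswith(sig):
        return False
    return all(byte in b" \t\r\n" for byte in data[len(sig):])


def write_eicar(path: str) -> int:
    """Write the plain EICAR test file; returns the number of bytes written."""
    data = eicar_string()
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def write_eicar_zip(path: str, member: str = "eicar.com") -> str:
    """Write a ZIP archive whose single member is the EICAR test file.
    Use it to confirm that the scanner is configured to look inside archives."""
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, eicar_string())
    return member


def read_zip_member(path: str, member: str = "eicar.com") -> bytes:
    """Read a member back out of the archive, to verify what was written."""
    with zipfile.ZipFile(path) as zf:
        return zf.read(member)


def main(argv) -> int:
    """Like EICARgen: do nothing unless explicitly told what to write."""
    if len(argv) >= 2 and argv[1] == "write":
        target = argv[2] if len(argv) > 2 else "eicar.com"
        print(f"wrote {write_eicar(target)} bytes to {target}")
    elif len(argv) >= 3 and argv[1] == "zip":
        write_eicar_zip(argv[2])
        print(f"wrote {argv[2]} containing eicar.com")
    else:
        print("usage: eicargen.py write [path] | zip <path.zip>")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python eicargen.py write` or `python eicargen.py zip eicar.zip`; the written file, not the script, is what should trigger the scanner.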

I also have a video of EICARgen in action.

Please write a comment if you have other examples of file formats that you use when testing your anti-virus. Or if you have an idea for a file format to add to EICARgen.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

lcamtuf's blog: Poland vs the United States: friends & acquaintances

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog


[ This is the seventh entry in a short series of articles about Poland. To start from the beginning, click here. ]

Cultural stereotypes are a dangerous and corrosive thing. They teach us that Poles are a tribe of thieving simpletons; or that Americans are arrogant, violent, and obese. And that’s just the ethnicities that get off easy: the perception of blacks, Muslims, or European Jews can be far more vicious, often serving as a pretext for violent hate crime.

At the same time, there is no denying that certain unique archetypes are etched into the fabric of every society. I’d also posit that when cultures come into contact with each other, there is an uncanny valley effect at play: the more similar the nations are, the easier it is for travelers to instinctively pick up the subtle variations – and to misread them as the personality quirks of the people they interact with.

For Poles who settle in the United States, the most striking contrast of this sort must be the persistence with which Americans want to engage in oddly personal small talk: you will always be greeted with “how are you?”, be it by the cashier at a grocery store, by your mailman, by the park ranger you meet on a trail, or by the waiter serving your food at a restaurant. The social expectation is to share short pleasantries or announce a brief piece of good news. But if your answer is overly specific or focuses on a negative event, you may be given quizzical looks and the conversation will stall.

To many of my compatriots, the exchange – lacking any apparent purpose – feels uncomfortable and insincere. I try not to look at it in a cynical way: the upbeat chit-chat, repeated over and over again, can probably make your day a bit better and a tad more fun. This constrained form of communication also provides something to build on the next time you see that person, even if every individual interaction is necessarily non-committal and brief.

Another explanation for the forced positivity may have to do with the pervasive can-do spirit at the core of the American culture. The national ethos of self-determination and unconstrained social mobility flies in the face of the daily struggles of disadvantaged citizens – but it remains a fundamental part of the cultural identity of the United States. The American Dream manifests itself everywhere, from the country songs of the Midwest to the high-tech entrepreneurship of the Silicon Valley. Your friends, coworkers, neighbors, and even complete strangers are there to support you when a calamity strikes – but dwelling on everyday mishaps is almost universally seen as a weakness that one needs to overcome in order to succeed in life.

In this regard, the Polish culture is strikingly different. After hundreds of years of political repression and foreign control, Poles have developed a colorful tradition of sarcastic humor and idle lamentation. This coping mechanism functions to this day: to a Pole, being asked about your day is seen as an invitation to air all the petty grievances; you wouldn’t expect a friend to smile, exclaim “I’m doing great!”, and move on. Complaining about politics or work is how you build rapport with your peers. In fact, being overly upbeat or talking about professional success or accomplishment is likely to be met with suspicion or scorn. If you’re a successful entrepreneur, you will probably open by complaining about your dealings with the Polish equivalent of the IRS.

In many ways, the Polish approach to chit-chat is more genuine and less rigid. At the same time, I feel that the negativity comes at a price; meeting a cranky clerk at a store sets the tone for the remainder of your day. The constant pessimism can also dampen some altruistic instincts: relatively few people in Poland get engaged in their communities or dedicate themselves to other forms of civic service. It is more accepted to just complain about the ways things are.

Interestingly, in the United States, the boundaries that govern the conversations with complete strangers also extend into the workplace. When interacting with casual acquaintances, sarcasm is seen as jarring, while petty grumbling is perceived as an off-putting and unproductive personality trait. Off-color humor, widely tolerated in Poland, is usually inappropriate in white collar environments; doubly so if it comes at the expense of women, immigrants, or other disadvantaged social groups.

Some Europeans characterize the workplace etiquette in the US as political correctness run amok. There are situations where political correctness can stifle free speech, but I don’t think this is one of them; for the most part, not hearing political rants or jokes about blondes or Jews just makes the world a bit better, even if the comments are uttered with no ill intent. Violating these rules will not necessarily get you in trouble, but in a culturally diverse society, it can make it harder to find new friends.


[ To proceed to the next article in the series, click here. ]

Krebs on Security: A Busy Week for Ne’er-Do-Well News

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

We often hear about the impact of cybercrime, but too seldom do we read about the successes that law enforcement officials have in apprehending those responsible and bringing them to justice. Last week was an especially busy time for cybercrime justice, with authorities across the globe bringing arrests, prosecutions and in some cases stiff sentences in connection with a broad range of cyber crimes, including ATM and bank account cashouts, malware distribution and “swatting” attacks.

Ercan Findikoglu, posing with piles of cash.

Prosecutors in New York had a big week. Appearing in the U.S. court system for the first time last week was Ercan “Segate” Findikoglu, a 33-year-old Turkish man who investigators say was the mastermind behind a series of Ocean’s 11-type ATM heists between 2011 and 2013 that netted thieves more than $55 million.

According to prosecutors, Findikoglu organized the so-called “ATM cashouts” by hacking into networks of several credit and debit card payment processors. With each processor, the intruders were able to simultaneously lift the daily withdrawal limits on numerous prepaid accounts and dramatically increase the account balances on those cards to allow ATM withdrawals far in excess of the legitimate card balances.

The cards were then cloned and sent to dozens of co-conspirators around the globe, who used the cards at ATMs to withdraw millions in cash in the span of just a few hours. Investigators say these attacks are known in the cybercrime underground as “unlimited operations” because the manipulation of withdrawal limits lets the crooks steal literally unlimited amounts of cash until the operation is shut down.

Two of the attacks attributed to Findikoglu and his alleged associates were first reported on this blog, including a February 2011 attack against Fidelity National Information Services (FIS), and a $5 million heist in late 2012 involving a card network in India. The most brazen and lucrative heist, a nearly $40 million cashout against the Bank of Muscat in Oman, was covered in a May 2013 New York Times piece, which concludes with a vignette about the violent murder of an alleged accomplice in the scheme.

Also in New York, a Manhattan federal judge sentenced the co-creator of the “Blackshades” Trojan to nearly five years in prison after pleading guilty to helping hundreds of people use and spread the malware. Twenty-five year old Swedish national Alexander Yucel was ordered to forfeit $200,000 and relinquish all of the computer equipment he used in commission of his crimes.

As detailed in this May 2014 piece, Blackshades Users Had It Coming, the malware was sophisticated but marketed mainly on English language cybercrime forums to young men who probably would have a hard time hacking their way out of a paper bag, let alone into someone’s computer. Initially sold via PayPal for just $40, Blackshades offered users a way to remotely spy on victims, and even included tools and tutorials to help users infect victim PCs. Many of Yucel’s customers also have been rounded up by law enforcement here in the U.S. and abroad.

Matthew Tollis


In a small victory for people fed up with so-called “swatting” — the act of calling in a fake hostage or bomb threat to emergency services with the intention of prompting a heavily-armed police response to a specific address — 22-year-old Connecticut resident Matthew Tollis pleaded guilty last week to multiple swatting incidents. (In an unrelated incident in 2013, this reporter was the victim of swatting, which resulted in our home being surrounded by a dozen or so police and Yours Truly being handcuffed in front of the whole neighborhood).

Tollis admitted belonging to a group that called itself “TeAM CrucifiX or Die,” a loose-knit cadre of young Microsoft XBox and swatting enthusiasts which later renamed itself the “ISIS Gang.” Interestingly, these past few weeks have seen the prosecution of another alleged ISIS Gang member — a 17-year-old Finnish miscreant who goes by the nicknames “Ryan” and “Zeekill.” Ryan, whose real name is Julius Kivimaki, was one of several individuals who claimed to be involved in the Lizard Squad attacks that brought down the XBox and Sony Playstation networks in December 2014.

Kivimaki is being prosecuted in Finland for multiple alleged offenses, including payment fraud, money laundering and telecommunications harassment. Under Finnish law, Kivimaki cannot be extradited, but prosecutors there are seeking at least two to three years of jail time for the young man, who will turn 18 in August.

Julius “Ryan” Kivimaki.

Finally, investigators with Europol announced the arrest of five individuals in Ukraine who are suspected of developing, exploiting and distributing the ZeuS and SpyEye malware — well known banking Trojans that have been used to steal hundreds of millions of dollars from consumers and small businesses.

According to Europol, each cybercriminal in the group had their specialty, but the group as a whole specialized in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks.

“On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities,” Europol said. “This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks

The Europol statement on the action is otherwise light on details, but says the group is suspected of using Zeus and SpyEye malware to steal at least EUR 2 million from banks and their customers.

Darknet - The Darkside: BTCrawler – Bluetooth Diagnostic & Discovery Tool

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

BTCrawler is an application used to discover Bluetooth devices and the services they provide. It is useful if you wish to know which Bluetooth enabled devices are in your proximity for debugging, spying, curiosity or any other purpose. With this program you’ll even be able to find every service provided by those devices and […]

The…

Read the full post at darknet.org.uk

TorrentFreak: Sci-Hub Tears Down Academia’s “Illegal” Copyright Paywalls

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With a net income of more than $1 billion Elsevier is one of the largest academic publishers in the world.

The company has the rights to many academic publications where scientists publish their latest breakthroughs. Most of these journals are locked behind paywalls, which makes it impossible for less fortunate researchers to access them.

Sci-Hub.org is one of the main sites that circumvents this artificial barrier. Founded by Alexandra Elbakyan, a researcher born and graduated in Kazakhstan, its main goal is to provide the less privileged with access to science and knowledge.

The service is nothing like the average pirate site. It wasn’t started to share the latest Hollywood blockbusters, but to gain access to critical knowledge that researchers require to do their work.

“When I was working on my research project, I found out that all research papers I needed for work were paywalled. I was a student in Kazakhstan at the time and our university was not subscribed to anything,” Alexandra tells TF.

After Googling for a while Alexandra stumbled upon various tools and services to bypass the paywalls. With her newly gained knowledge, she then started participating in online forums where other researchers requested papers.

When she noticed how grateful others were for the papers she shared, Alexandra decided to automate the process by developing software that could allow anyone to search for and access papers. That’s when Sci-Hub was born, back in 2011.

“The software immediately became popular among Russian researchers. There was no big idea behind the project, like ‘make all information free’ or something like that. We just needed to read all these papers to do our research,” Alexandra says.

“Now, the goal is to collect all research papers ever published, and make them free,” she adds.

Of course Alexandra knew that the website could lead to legal trouble. In that regard, the lawsuit filed by Elsevier doesn’t come as a surprise. However, she is more than willing to fight for the right to access knowledge, as others did before her.

“Thanks to Elsevier’s lawsuit, I got past the point of no return. At this time I either have to prove we have the full right to do this or risk being executed like other ‘pirates’,” she says, naming Aaron Swartz as an example.

“If Elsevier manages to shut down our projects or force them into the darknet, that will demonstrate an important idea: that the public does not have the right to knowledge. We have to win over Elsevier and other publishers and show that what these commercial companies are doing is fundamentally wrong.”

The idea that a commercial outfit can exploit the work of researchers, who themselves are often not paid for their contributions, and hide it from large parts of the academic world, is something she does not accept.

“Everyone should have access to knowledge regardless of their income or affiliation. And that’s absolutely legal. Also the idea that knowledge can be a private property of some commercial company sounds absolutely weird to me.”

Most research institutions in Russia, in developing countries and even in the U.S. and Europe can’t afford expensive subscriptions. This means that they can’t access crucial research, including biomedical research such as cancer studies.

Elsevier’s ScienceDirect paywall

So aside from the public at large, Sci-Hub is also an essential tool for academics. In fact, some researchers use the site to access their own publications, because these are also locked behind a paywall.

“The funniest thing I was told multiple times by researchers is that they have to download their own published articles from Sci-Hub. Even authors do not have access to their own work,” Alexandra says.

Instead of seeing herself as the offender, Alexandra believes that the major academic publishers are the ones who are wrong.

“I think Elsevier’s business model is itself illegal,” she says, pointing to article 27 of the UN declaration on human rights which reads that “everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits.”

The paywalls of Elsevier and other publishers violate this right, she believes. The same article 27 also allows authors to protect their works, but the publishers are not the ‘authors,’ they merely exploit the copyrights.

Alexandra insists that her website is legal and hopes that future changes in copyright law will reflect this. As for the Elsevier lawsuit, she’s not afraid to fight for her rights and already offers a public confession right here.

“I developed the Sci-Hub.org website where anyone can download paywalled research papers by request. Also I uploaded at least half of more than 41 million paywalled papers to the LibGen database and worked actively to create mirrors of it.

“I am not afraid to say this, because when you do the right thing, why should you hide it?” she concludes.

Note: Sci-Hub is temporarily using the sci-hub.club domain name. The .org will be operational again next week.


TorrentFreak: Can BitTorrent Be Better With Bitcoin?

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

To millions of users around the world, BitTorrent is a beautiful thing. Not only does it enable the worldwide sharing of any kind of media, but the manner in which it does so is a stroke of pure genius.

Utilizing the bandwidth of all participants in its ‘swarms’, BitTorrent pools the resources of many to provide a streamlined downloading experience for all. It’s both complex and simplicity itself, a rare quality indeed.

BitTorrent’s success as a protocol is tied to its low barrier to entry, since anyone with a computer and Internet connection can participate. Above and beyond that no actual money is needed to obtain content. However, the nature of the system means that it’s not entirely free, since users ‘donate’ their bandwidth to others in order to keep a swarm going.

Millions of users are extremely happy with this setup but a proposal from developer Bedeho Mender could see money being brought into the equation.

Bedeho is the founder of JoyStream, a forthcoming BitTorrent client that tries to improve BitTorrent by allowing peer-to-peer Bitcoin payments in exchange for bandwidth – or content, whichever way one prefers to look at it.

To the torrenting masses, that probably sounds a bit like a tax on air. BitTorrent’s growth has stemmed from the fact that millions of people are happy to share for free. Is it possible that by introducing money things are going to improve? Bedeho thinks so.

“BitTorrent has many strengths, but I would say people are often not sharing for free, e.g. in private communities which have far higher quality service. In that context one is required to adhere to strict and cumbersome rules about contributing to maintain ratios, and this makes the system work much better,” Bedeho tells TorrentFreak.

“JoyStream is just an open version of that very same insight, except that you now are not forced to seed to maintain your ratio, something which is not practical for everyone. The key is therefore not money, the key is incentives to supply enough bandwidth. Money is just one of many means to try to achieve this, just like we do with other goods.”

The idea behind JoyStream is simple. If you have some spare bandwidth and content that people want, you can sell access to that content through the JoyStream client. The more common that content the less likely it is that you’ll be able to charge a premium price for it. Rare material, on the other hand, might be worth someone blowing a few fractions of a bitcoin on.

In very basic terms, if the user tells it to, JoyStream will wind back its upload speed to zero and only open it up again when someone pays.

One of the claims Bedeho makes about JoyStream is that higher download speeds will be available in this kind of system. The idea is that if seeds are getting paid, they will stick around longer and offer up more bandwidth, a bit like a user on a private torrent site trying to improve his ratio.

“All paid bandwidth comes from other peers which are paid to supply it. If you do not wish to pay to download, then you would just be using the regular BitTorrent tit-for-tat exchange procedure as is today, and JoyStream also supports that,” Bedeho explains.

“With JoyStream it may turn out that people will opt to leave their computer on to earn back whatever they have spent when buying before, so it just becomes a closed loop system. That way you wouldn’t even be spending any Bitcoins in total, over time. In such a scenario, you should still expect the quality of the open BitTorrent system to be as good, if not better, than in private communities.”

While earning money for seeding will be attractive to some, will the idea of being in a pay-to-download-faster swarm be off-putting to others? What if JoyStream took off overnight and became a significant player in most swarms?

“Just like in regular BitTorrent, if no one has a full copy of the file and is willing to seed, then the swarm would get stuck for a while. However, since there is compensation, that is much less likely to happen with JoyStream type peers, precisely because those with a full download will not always leave right away, as is common today,” Bedeho adds.

While the overall idea certainly provides food for thought, there will undoubtedly be file-sharing traditionalists shuddering not only at the mere thought of file-selling, but also at the prospect of being denied bandwidth at the hands of someone with more bitcoins to spare.

Finally (and just to throw fuel on the fire) when JoyStream is out of alpha it should work on private trackers too…

“I do not know how the torrent community will react in total, but since it is an open system, you are free to use or not use it, and I do expect there will be private communities which will ban it, and that is totally fine with me. That is what an open system like BitTorrent/Bitcoin is all about,” Bedeho concludes.


Bradley M. Kuhn's Blog ( bkuhn ): John Oliver Falls For Software Patent Trade Association Messaging

This post was syndicated from: Bradley M. Kuhn's Blog ( bkuhn ) and was written by: Bradley M. Kuhn. Original post: at Bradley M. Kuhn's Blog ( bkuhn )

I’ve been otherwise impressed with John Oliver and his ability on Last Week Tonight to find key issues that don’t have enough attention and give reasonably good information about them in an entertaining way — I even lauded Oliver’s discussion of non-profit organizational corruption last year. I suppose that’s why I’m particularly sad (as I caught up last weekend on an old episode) to find that John Oliver basically fell for the large patent holders’ pro-software-patent rhetoric on so-called “software patents”.

In short, Oliver mimics the trade association and for-profit software industry rhetoric of software patent reform rather than abolition — because trolls are the only problem. I hope the world’s largest software patent holders send Oliver’s writing staff a nice gift basket, as such might be the only thing that would signal to them that they fell into this PR trap. Although, it’s admittedly slightly unfair to blame Oliver and his writers; the situation is subtle.

Indeed, someone not particularly versed in the situation can easily fall for this manipulation. It’s just so easy to criticize non-practicing entities. Plus, the idea that the sole inventor might get funded on Shark Tank has a certain appeal, and fits a USAmerican sensibility of personal capitalistic success. Thus, the first-order conclusion is often, as Oliver’s piece concludes, maybe if we got rid of trolls, things wouldn’t be so bad.

And then there’s also the focus on the patent quality issue; it’s easy to convince the public that higher quality patents will make it ok to restrict software sharing and improvement with patents. It’s great rhetoric for pro-patent entities to generate outrage among the technology-using public by pointing to, say, an example of a patent that reads on every Android application and telling a few jokes about patent quality. In fact, at nearly every FLOSS conference I’ve gone to in the last year, OIN has sponsored a speaker to talk about that very issue. The jokes at such talks aren’t as good as John Oliver’s, but they still get laughs and technologists upset about patent quality and trolls — but through careful cultural engineering, not about software patents themselves.

In fact, I don’t think I’ve seen a for-profit industry and its trade associations do so well at public outrage distraction since the “tort reform” battles of the 1980s and 1990s, which were produced in part by George H. W. Bush’s beloved M.C. Rove himself. I really encourage those who want to understand how the anti-troll messaging manipulation works to study how and why the tort reform issue played out the way it did. (As I mentioned on the Free as in Freedom audcast, Episode 0x13, the documentary film Hot Coffee is a good resource for that.)

I’ve literally been laughed at publicly by OIN representatives when I point out that IBM, Microsoft, and other practicing entities do software patent shake-downs, too — just like the trolls. They’re part of a well-trained and well-funded (by trade associations and companies) PR machine out there in our community to convince us that trolls and so-called “poor patent quality” are the only problems. Yet, nary a year has gone by in my adult life where I don’t see some incident where a so-called legitimate, non-obvious software patent causes serious trouble for a Free Software project. From RSA, to the codec patents, to Microsoft FAT patent shakedowns, to IBM’s shakedown of the Hercules open source project, to exfat — and that’s just a few choice examples from the public tip of the practicing entity shakedown iceberg. IMO, the practicing entities are just trolls with more expensive suits and proprietary software licenses for sale. We should politically oppose the companies and trade associations that bolster them — and call for an end to software patents.

Schneier on Security: Other GCHQ News from Snowden

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There are two other Snowden stories this week about GCHQ: one about its hacking practices, and the other about its propaganda and psychology research. The second is particularly disturbing:

While some of the unit’s activities are focused on the claimed areas, JTRIG also appears to be intimately involved in traditional law enforcement areas and U.K.-specific activity, as previously unpublished documents demonstrate. An August 2009 JTRIG memo entitled “Operational Highlights” boasts of “GCHQ’s first serious crime effects operation” against a website that was identifying police informants and members of a witness protection program. Another operation investigated an Internet forum allegedly “used to facilitate and execute online fraud.” The document also describes GCHQ advice provided “to assist the UK negotiating team on climate change.”

Particularly revealing is a fascinating 42-page document from 2011 detailing JTRIG’s activities. It provides the most comprehensive and sweeping insight to date into the scope of this unit’s extreme methods. Entitled “Behavioral Science Support for JTRIG’s Effects and Online HUMINT [Human Intelligence] Operations,” it describes the types of targets on which the unit focuses, the psychological and behavioral research it commissions and exploits, and its future organizational aspirations. It is authored by a psychologist, Mandeep K. Dhami.

Among other things, the document lays out the tactics the agency uses to manipulate public opinion, its scientific and psychological research into how human thinking and behavior can be influenced, and the broad range of targets that are traditionally the province of law enforcement rather than intelligence agencies.

TorrentFreak: Played.to Operator Admits Guilt in Expendables 3 Leak

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last summer LionsGate suffered a major setback when a high quality leak of the unreleased Expendables 3 film appeared online.

Fearing a massive loss in revenue, the movie studio sued the operators of several websites that allegedly failed to remove the infringing files.

Over the past several months there has been little progress in the case, but yesterday LionsGate announced that it reached a settlement (pdf) with one of the accused site operators.

In a new filing at the California district court, Jerome Gillan, the operator of video hosting site Played.to, admits to willful copyright infringement for his role in the controversial leak.

While the video hosting service has nothing to do with the original leak, Gillan played a role by hosting copies of the film and allowing users to watch these through embedded streams.

In addition, the Played.to operator admits that he failed to process or respond to takedown notices before the lawsuit was filed. As a result, he is liable for the resulting infringements under the DMCA.

According to the proposed judgment which has been agreed by both parties, Gillan takes full responsibility by admitting to all claims the movie studio brought against him.

“Gillan has willfully infringed Lions Gate’s copyright in the Film directly, contributorily and vicariously and is liable for all of the causes of action that Lions Gate has asserted against him in this action,” the proposed consent judgment reads.

Together both parties inform the court that they’ve reached a confidential settlement. According to the agreement Gillan has accepted financial and other obligations to resolve Lions Gate’s claims, but how much he has to pay is not disclosed.

In addition, Played.to and its operator are prohibited from “hosting, linking to, distributing, reproducing, performing, selling, offering for sale, making available for download, streaming or making any other use of any copy or copies of the Film.”

The proposed judgment only applies to Played.to; the claims against other websites, including the torrent search engine Limetorrents.cc, remain unsettled.

At the time of writing the Played.to website is still online. The site has lost a lot of traffic in recent months but is still widely used to host videos.

Previously the UK police also arrested several people who allegedly leaked the Expendables 3 movie online, but thus far the true source of the leak remains unknown.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

LWN.net: Ardour 4.1 released

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Version 4.1 of the Ardour digital audio workstation software has been released. There are some new features in the release including input gain control, support for capture-only and playback-only devices, a real “Save As” option (with the old option being renamed to “Snapshot (& switch to new version)”), and allowing plugins to be reordered and meter positions to change without adding a click into the audio. There are also lots of user interface changes, including better High-DPI support. “This release contains several new features, both internally and in the user interface, and a slew of bug fixes worthy of your attention. Encouragingly, we also have one of our longest ever contributor lists for this release.

We had hoped to be on a roughly monthly release cycle after the release of 4.0, but collaborations with other organizations delayed 4.1 by nearly a month.”

Schneier on Security: Yet Another Leaker — with the NSA’s French Intercepts

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Wikileaks has published some NSA SIGINT documents describing intercepted French government communications. This seems not to be from the Snowden documents. It could be one of the other NSA leakers, or it could be someone else entirely.

As leaks go, this isn’t much. As I’ve said before, spying on foreign leaders is the kind of thing we want the NSA to do. I’m sure French Intelligence does the same to us.

TorrentFreak: Piracy Concerns May Soon Kill Domain Name Privacy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent months copyright holders have been increasingly pushing for changes in the domain name industry.

Groups such as the MPAA and RIAA, for example, want registrars to suspend domain names of clearly infringing websites.

While this is unlikely to happen on a broad scale in the near future, a new ICANN proposal may put an end to private domain name registrations for some websites.

A new proposal (pdf) will no longer allow ‘commercial’ sites, which could include all domain names that run advertisements, to hide their personal details through so-called WHOIS protection services.

This change is backed by copyright holder groups including the MPAA, who previously argued that it will help them to hold the operators of illegal sites responsible.

“Without accurate WHOIS data, there can be no accountability, and without accountability it can be difficult to investigate and remedy issues when individuals or organizations use the Internet in illegal or inappropriate ways,” MPAA’s Alex Deacon said recently.

“Ensuring this data is accurate is important not only to the MPAA and our members, but also to everyone who uses the Internet every day.”

On the other side of the spectrum, the proposal has ignited protests from privacy advocates and key players in the domain name industry.

Digital rights group EFF points out that copyright holders can already expose the operators of alleged infringers quite easily by obtaining a DMCA subpoena. This is something the RIAA has done already on a few occasions.

EFF further warns that the new rules will expose the personal details of many people who have done nothing wrong, but may have good reasons not to have their address listed publicly.

“The limited value of this change is manifestly outweighed by the risks to website owners who will suffer a higher risk of harassment, intimidation and identity theft,” EFF’s Mitch Stoltz writes.

Namecheap, one of the largest domain registrars, also jumped in and sent a mass-mailing to all their customers urging them to tell ICANN not to adopt the new proposal.

“No WHOIS privacy provider wants their service to be used to conceal illegal activity, and the vast majority of domain owners are not criminals. Using a WHOIS privacy service is no more suspicious than having an unlisted phone number,” Namecheap CEO Richard Kirkendall notes.

“These new proposed rules would wreak havoc on our right to privacy online. ICANN is moving quickly, so we should too – contact them today and tell them to respect our privacy,” he adds.

ICANN is currently accepting comments from the public and Namecheap is encouraging its customers to use the Respect Our Privacy campaign site to protest the proposed changes.

Of course, Namecheap has more to worry about than the privacy of its users alone. The company itself operates the Whoisguard service and earns a lot of revenue through these private registrations.

Thus far most of the responses received by ICANN have come in through the special campaign site, arguing against the proposal. The commenting period closes in two weeks followed by an official report. After that, the ICANN board will still have to vote on whether or not the changes will be implemented.


Backblaze Blog | The Life of a Cloud Backup Company: Why Backblaze Bought a Porn Site

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company


What’s in a Domain Name?

When Brian Wilson (our CTO) co-founded Backblaze, he already had a website called www.codeblaze.com (it was designed in the early 2000s by Casey Jones, who co-founded and designs all things Backblaze). That site had a variety of uses, but the main reason for it was that Brian needed a website so he could get hired as an individual and not through an agency for a job he had back in the day. Why Codeblaze?

…I formed a company named “Codeblaze” in 2001. In that era, all single word URLs were gone, so I spent about 30 minutes figuring out the word “blaze” was not used much, and I was going to write software “code”, and Codeblaze.com was not taken, good enough…

Thus started the “blaze” convention. After co-founding Mailfrontier, Brian went on to start working on an online backup project in 2007, that project would later become Backblaze. Why Backblaze?

Same thought process – “back” for “backup your computer” and “blaze” because it has a connotation of fast (and I thought it was funny), so “Backblaze.com” was born.

Sure, it sounds like a fine name, and most of us here are quite fond of it, but if you ask our CTO Brian:

We still consider the name to be a mistake. It READS Ok, but on the phone or verbally it is a mess. Something about the alliteration of the “l”.

He’s right. When you say “Backblaze” over the phone or in person, more often than not, if the person is transcribing the conversation or writing down the name, they’ll ask you to repeat it. Or you’ll mispronounce it yourself. In fact, our Marketing team goes through vigorous training to make sure we don’t accidentally say “Backbalze”, “Backblasè”, or more recently “Blackmaize”:

The name is great, but it just doesn’t roll off the tongue as easily as we would like, which once led to one very peculiar problem.

The Unexpected Problem

A few years back, we started noticing folks on social media giggling and saying they’d just gone to what they thought was our site but didn’t quite find the backup service they were expecting. Additionally, people were saying that they couldn’t reach our website because their corporate firewalls were blocking access. We also started getting some emails, asking us why we would post such lewd images to a website that should have presumably been about online backup. We decided to investigate.

It turns out the culprit here was the website “blackblaze.com”, which sounds innocent enough, but unfortunately, this particular site redirected to a “chocolate city”. “That sounds like they make delicious desserts”, you might be thinking. Well, it’s not. In fact it was quite the lascivious website. And when people went there, they weren’t treated to information about online backup, but instead to information about things that we can’t really mention with a straight face, because they aren’t safe for work or this blog. Below is a screenshot of that website from the Internet Archive:

[Screenshot of the blackblaze.com website from the Internet Archive]

The problem started getting worse once people started hearing about Backblaze on podcasts and as verbal word of mouth started spreading. People were mis-hearing Backblaze and going to Blackblaze. Not great.

The Solution

Faced with this embarrassing problem our CEO Gleb reached out to the webmaster of Blackblaze. A lot of times, all you have to do is ask. Similar to how he worked with other backup companies to stop bidding against each other on Google Adwords, the webmaster was willing to part with the Blackblaze domain for just $1,500. Was it worth $1,500 to make sure that people trying to find us did in fact get to the right place? Absolutely. And that URL still sends some traffic our way to this day. Plus, we’ve even made that same error ourselves when naming images, like: https://www.backblaze.com/pics/Online_backup_blackblaze_infographic.png. See? Even we weren’t immune.

Takeaways

Why write about this? Well, we get a kick out of having bought a porn site once, but really we wanted to give a word of advice as well. When starting a company it’s important not only to have a good product, but also to think about how people find your site.

It’s tricky. Of course the perfect URL may not be available, or your company name might be too long to fit comfortably in the confines of an address bar. Whatever the case, choosing a name and how to spell it is very important. Whichever name you choose, think about how folks will be able to find you. If your URL is frgt.com, will folks know where to go if they hear “friget.com”? At a time when the majority of web traffic comes from external links, it’s easy to forget that word of mouth is still an important traffic driver. It might seem like a fairly small thing to consider when founding a company, but believe us, it’s important!


SANS Internet Storm Center, InfoCON: green: Web security subtleties and exploitation of combined vulnerabilities, (Thu, Jun 25th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

The goal of a penetration test is to report all identified vulnerabilities to the customer. Of course, every penetration tester puts most of his effort into finding critical security vulnerabilities: SQL injection, XSS and similar, which have the most impact for the tested web application (and, indeed, it does not hurt a penetration tester’s ego when such a vulnerability is identified :)

However, I strongly push towards reporting every single vulnerability, no matter how harmless it might appear (and my penetration team coworkers sometimes complain about this, but let’s prove them wrong).

Here we’ll take a look at how two seemingly low-risk vulnerabilities can be combined into a more dangerous one.

Accepting parameters in GET and POST requests

When processing parameters/responses received from the client, most of today’s web applications rely on POST HTTP requests. This is a preferred way of sending client-related input/output from the browser since it will not be visible in web server (or proxy) logs. One of the tests I normally do is to check if the application accepts the same parameters in GET HTTP requests. Let’s take a look at this.

The official request, as the browser sends it, is a POST:

    POST /page HTTP/1.1
    Host: my.example.local
    (other headers)

    parameter=value&secret=secret_value

Now let’s try sending the same parameters in a GET request:

    GET /page?parameter=value&secret=secret_value HTTP/1.1
    Host: my.example.local
    (other headers)

If this worked it means that the tested web application (the tested page/script) accepts parameters from any request. While this by itself is not really a security vulnerability, it is not a perfect way of receiving and processing parameters, as we will see below. Additionally, keep in mind that this makes an attacker’s job a bit easier: instead of working with POST HTTP requests he can simply put everything into a GET HTTP request (yeah, it works for the defenders as well since we’ll see what he put into the request).

A seemingly harmless XSS vulnerability

While further testing this application we found an XSS vulnerability. For the sake of simplicity let’s say it’s an anonymous application that has no login forms. However, since the application depends on a certain workflow, and since the XSS vulnerability was found in the 3rd step of the workflow, it does require a valid session cookie (a JSESSIONID cookie).

What does this mean? It means that the attacker cannot exploit the XSS vulnerability: if the request to the vulnerable page is made without a valid JSESSIONID cookie, the application simply redirects the user to the front page (the first step of the workflow). Even if the victim now again clicked on the malicious link, it still wouldn’t work because the tested application checks the workflow phase/step and, if it is not correct, again simply redirects the user to the front page.

Ahh, such a disappointment after finding a very nice XSS vulnerability: the attacker can really exploit only himself and that’s no fun at all. Or is there another way?

Taking this a bit further

Remember how we figured out that the application accepts parameters in both GET and POST HTTP requests above? Let’s first look at how the session cookie is normally delivered, as an HTTP header:

    Cookie: JSESSIONID=560308266F93351159D8D20732C637FA

Since the cookie is normally sent as part of a header, the attacker cannot get the victim’s browser to set the cookie for the target web application, at least not without exploiting another vulnerability such as an XSS vulnerability, but remember that we cannot exploit it without a valid cookie. Catch 22, isn’t it?

But, let’s try supplying the session ID as a request parameter instead:

    GET /page?JSESSIONID=560308266F93351159D8D20732C637FA&parameter=value&secret=secret_value HTTP/1.1
    Host: my.example.local
    (other headers)

Bingo! This worked: the tested web application happily took and parsed all submitted parameters, even the JSESSIONID parameter that should normally be delivered as a cookie. The developers probably wanted to be as flexible as possible.

Combining the vulnerabilities into an exploit

So, the attacker can now deploy the following attack:

  • Create a new session where he navigates to the required screen. The application now knows that the JSESSIONID cookie that was given to the attacker relates to a session that is at the vulnerable screen.
  • Create a malicious URL that exploits the XSS vulnerability. Append the JSESSIONID parameter that contains the attacker’s cookie value to the malicious URL. This URL will work because the vulnerable web application will verify the session state and see that the user is accessing a valid screen in the workflow.
  • Send the malicious URL to the victim, wait and profit.

Finally, the last thing to discuss is what we exploit with the XSS vulnerability in the first place: typically the attacker tries to steal cookies in order to gain access to the victim’s session. Since here sessions are irrelevant, the attacker will not use XSS to steal cookies but instead to change what the web page displays to the victim. This can be used for all sorts of phishing exploits and, depending on the URL and context of the attack, can be even more devastating than stealing the sessions.
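As an added illustration (not code from the ISC diary or the tested application), here is a small Python model of the two parameter-handling policies the diary contrasts: a lenient handler that merges body, cookies and query string (so JSESSIONID is accepted from the URL), beside a hardened handler that reads the session id from the Cookie header only and form fields from a POST body only. The request texts are constructed to mirror the diary's examples, and all function names are my own.

```python
"""Added example, not code from the ISC diary: a lenient versus a strict
parameter-handling policy for the requests the diary discusses."""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests mirroring the diary; the session id value is
# the one quoted there and the host name is the diary's placeholder.
GET_WITH_SESSION_IN_URL = (
    "GET /page?JSESSIONID=560308266F93351159D8D20732C637FA"
    "&parameter=value&secret=secret_value HTTP/1.1\r\n"
    "Host: my.example.local\r\n\r\n"
)
POST_WITH_COOKIE = (
    "POST /page HTTP/1.1\r\n"
    "Host: my.example.local\r\n"
    "Cookie: JSESSIONID=560308266F93351159D8D20732C637FA\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "parameter=value&secret=secret_value"
)

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}

def cookies(req: dict) -> Dict[str, str]:
    """Parse the Cookie header into a dict (empty if the header is absent)."""
    out: Dict[str, str] = {}
    for item in req["headers"].get("cookie", "").split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            out[name] = value
    return out

def first_values(qs: str) -> Dict[str, str]:
    """Flatten parse_qs output to the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(qs).items()}

def lenient_params(req: dict) -> Dict[str, str]:
    """What the diary found: body, cookies and query string are merged, so a
    plain link can carry form fields and even the session id.  Later sources
    override earlier ones, so a URL parameter can shadow a real cookie."""
    merged = first_values(req["body"]) if req["method"] == "POST" else {}
    merged.update(cookies(req))
    merged.update(first_values(req["query"]))
    return merged

def lenient_session_id(req: dict) -> Optional[str]:
    """Vulnerable lookup: JSESSIONID from wherever it happens to appear."""
    return lenient_params(req).get("JSESSIONID")

def strict_session_id(req: dict) -> Optional[str]:
    """Hardened lookup: the session id comes from the Cookie header only, so
    a link cannot hand the victim an attacker-chosen session."""
    return cookies(req).get("JSESSIONID")

def strict_form_params(req: dict) -> Dict[str, str]:
    """Hardened lookup: form fields are accepted only from a POST body with
    the expected content type; a GET request yields no form parameters."""
    if req["method"] != "POST":
        return {}
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    return first_values(req["body"])

def session_in_query(req: dict) -> bool:
    """Log-review aid: a session id travelling in the query string is exactly
    the request the diary's attack needs, and it is visible in server logs."""
    return "JSESSIONID" in parse_qs(req["query"])
```

Run against the two constructed requests, the lenient lookup returns the session id from the GET URL while the strict one returns None for it and only honours the Cookie header on the POST.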


Bojan
@bojanz
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: UK Authorities Launch Facebook Piracy Crackdown

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Due to their prevalence among citizens of the UK, Facebook accounts have grown to become much more than just a place to manage social lives. For some they’re providing a great way to distribute infringing content and this hasn’t gone unnoticed by the authorities.

Over the past several weeks enforcement officers have raided a dozen separate locations and are still involved in 22 investigations as part of a Facebook crackdown across England, Wales and Northern Ireland.

Operated by the National Trading Standards eCrime Team alongside the National Markets Group (with members the BPI, Federation against Copyright Theft and the Alliance for Intellectual Property Theft) Operation Jasper is manned by officers from police and government agencies and is reportedly the largest operation of its type. It is targeted at “criminals” who exploit social media to commit “copyright theft” and sell “dangerous and counterfeit” goods.

In the past several weeks officers say they have raided 12 addresses although at this stage there are no reports of any arrests. Facebook itself has also been hit, with 4,300 listings and 20 profiles removed. Authorities say they have sent more than 200 warning letters and 24 cease and desist letters to those they accuse of infringement offenses carried out on Facebook.

In addition to the usual counterfeit items such as t-shirts, tablets and mobile phones, ‘pirate’ Android ‘streaming’ boxes were targeted yet again. Earlier this month police and trading standards raided addresses in the north of England in search of the movie and TV show streaming devices, making at least one arrest in the process.

This time around, however, officers appear to have another string to their enforcement bow. While noting that the Android boxes in question do indeed allow the illegal streaming of movies and sports channels, authorities say they are also being targeted because they are supplied with ‘unsafe’ mains chargers.

Lord Toby Harris, Chair of National Trading Standards, said that his officers have taken important action, especially against those who believe they can operate anonymously online.

“Operation Jasper has struck an important psychological blow against criminals who believe they can operate with impunity on social media platforms without getting caught,” Harris said.

“It shows we can track them down, enter their homes, seize their goods and computers and arrest and prosecute them, even if they are operating anonymously online. I commend the National Trading Standards e-Crime team and all other parties involved in this operation.”

Nick Boles, Minister at the Department for Business, Innovation and Skills said that consumers need to be wary of consuming pirate content.

“Counterfeiting and piracy of trademarked and copyrighted materials harms legitimate businesses, threatens jobs and poses a real danger to consumers. That’s why we are taking strong action to stop these criminals through the Government’s funding of the National Trading Standards E-Crime Team,” Boles said.

According to the government’s latest IP Crime Report, social media has become the “channel of choice” for online ‘pirate’ activity. In the past several months several of the leading torrent sites have had issues with their Facebook accounts. The Pirate Bay’s account was shuttered in December 2014 and in May and June 2015, ExtraTorrent and RARBG had their accounts suspended on copyright infringement grounds.
