Thursday, 16 November 2017
Wednesday, 11 January 2017
Eight great Linux gifts for the holiday season
1) Tux
2) Linux hats and t-shirts
I have a drawer full of Linux trade-show t-shirts. But, if your friends didn't score an invite to Linux Plumbers or couldn't make it to LinuxCon, you can still dress them in penguin splendor with a hat or t-shirt from CafePress or Zazzle. You used to be able to get this kind of gear from ThinkGeek, but they're much more about Game of Thrones, Pokémon, and Harry Potter than they are about Debian, Ruby, or Apache.
3) xkcd books and shirts
Is there a Linux user or a tech geek of any sort out there who doesn't like the web comic xkcd? I don't think so! While they may read it religiously, they might not have an xkcd t-shirt. I particularly like the Linux cheat sheet shirt.

4) Linux license plate
I can't find anyone currently selling a Linux license plate suitable for use in states that don't require you to use an official front plate. Back in 2000, Compaq, now part of HP, offered a Linux license plate. I've got one -- no it's not for sale -- but you might find one on eBay.
And now for some more serious gift ideas.
5) Linux Foundation membership
If your friend can't code, beta test, or write documentation but still wants to support Linux you can give the gift of membership in The Linux Foundation. Membership comes with some nice benefits. For $99, Individual Supporters get discounts to attend eligible Linux Foundation events, take a certification exam or training course, or buy equipment at employee purchase prices from Dell, HP, or Lenovo. They will also get a Linux.com email address.
6) Linux PC
Does your buddy need a new PC? Well they can simply turn any old computer into a Linux PC with a Linux DVD or USB stick. You can also buy them a ready-to-run Linux PC. There are several Linux PC companies; among the best of these are Eight Virtues, EmperorLinux, LAC Portland, System76 and ZaReason.
The best Linux laptop available today comes from a company you already know: Dell. The Dell 2016 XPS 13 Developer Edition is just what the developer partner wants for holiday season programming. The XPS 13 comes with a high price tag. The entry-level version comes with 8GB of RAM, a 128GB SSD, and an Intel HD Graphics 520 chipset, and runs for $949. Dell is offering holiday deals.
7) Open-source powered 3D printer
There are lots of 3D printers out there, but there's only one that meets the Open Source Hardware Association definition and has the Free Software Foundation's Respects Your Freedom certification blessing: the LulzBot Mini. This is an auto-bed-leveling, auto-nozzle-cleaning printer that can roll out up to 6"x6"x6.2" designs. At $1,250, you'll probably be buying this for very close friends.
Tuesday, 10 January 2017
Microsoft tries to soothe regulators and critics with new privacy controls
Of all the body blows Microsoft has absorbed in the past 18 months over Windows 10, the criticisms of its privacy policies have to sting the most.
Last summer, the French National Data Protection Commission (CNIL) issued a formal notice against Microsoft, ordering that the company "stop collecting excessive data and tracking browsing by users without their consent." The CNIL found Microsoft's collection of diagnostic information (so-called telemetry) acceptable but said that the default settings for Windows 10 go too far. The complaint singled out Microsoft's practice of collecting information about app usage as "excessive."
A month later, the Electronic Freedom Foundation took aim at Windows 10 with a signed editorial criticizing the company for "disregarding user choice" and sending "an unprecedented amount of usage data back to Microsoft...." As I noted at the time, EFF was especially critical of Microsoft's telemetry collection policies.
After months of explaining and defending its policies, publicly and in meetings with regulators, the company today announced that it's making a series of privacy-related moves. Terry Myerson, who runs the Windows and Devices Group, made the announcement in a blog post:
Many of you have asked for more control over your data, a greater understanding of how data is collected, and the benefits this brings for a more personalized experience. Based on your feedback, we are launching two new experiences to help ensure you are in control of your privacy.
First, today we're launching a new web-based privacy dashboard so you can see and control your activity data from Microsoft including location, search, browsing and Cortana Notebook data across multiple Microsoft services. Second, we're introducing in Windows 10 a new privacy set up experience, simplifying Diagnostic data levels and further reducing the data collected at the Basic level.
The changes to Windows 10 will roll out initially in an upcoming Windows Insider preview build, perhaps as soon as this week, and will reach the general public with the release of the Windows 10 Creators Update this spring.
I haven't seen these features in operation yet. The descriptions in the remainder of this post are based on what Microsoft says it plans to deliver. The broad outlines shouldn't change, but you can expect the user experience to evolve before the final release, based on feedback from Windows Insider Program participants and third parties.
Unlike its predecessors, the Creators Update will not arrive silently in the background. Instead, Microsoft plans to notify Windows 10 users that the update is available and allow them to schedule its installation. As part of the process of scheduling that upgrade, users will have the opportunity to make "explicit choices" about privacy settings in five categories.
The new interface for setting privacy options also includes an explanation of what happens if you turn any of those settings off or, in the case of the Diagnostics setting, adjust it from Full to Basic.
The changes to telemetry settings start with the renaming of the category itself, from Diagnostic and Usage Data to just Diagnostics.
In all public releases of Windows 10 so far, non-Enterprise editions allow users and administrators to choose one of three levels to control telemetry collection: Full, Enhanced, and Basic. The changes in the Creators Update will eliminate the Enhanced level and also reduce the amount of information collected when you slide that switch to Basic.
(In Enterprise settings, administrators will continue to have an additional Security option, which eliminates virtually all telemetry collection but requires the deployment of an alternative update mechanism.)
In an interview, Microsoft Corporate Vice President Michael Fortin told me that the Enhanced level was "confusing," and "only a relatively modest number of Windows 10 users were choosing it." Most people either leave the default setting at Full or signal their preference for privacy by switching to the lowest available telemetry option, Basic, he noted.
Effective with this spring's Windows 10 feature update, telemetry information collected at the Basic level will no longer include information about app installation or usage. Instead, Myerson says, information collected at that level will focus strictly on security and reliability, with basic error reporting. That change should assuage some of the concerns of the CNIL and other regulators as well as privacy critics like the EFF.
The new Windows 10 settings are available in all installations, regardless of what type of account the user has signed in with.
The privacy dashboard is a separate feature, designed to give users of Microsoft services the opportunity to see and edit information that is collected and stored in the cloud when they are signed in with a Microsoft account.
According to Myerson, the new privacy dashboard (which will be available at https://account.microsoft.com/privacy) will allow Microsoft customers, regardless of hardware platform or operating system, to review and clear data such as browsing history, search history, location activity, and Cortana's Notebook. (Note that this data is associated with a Microsoft account and is not saved in the cloud when the user browses without signing in.)
On paper, Redmond can make a strong case that it has an economic incentive to protect its users' privacy. As I noted last summer, privacy should be a competitive advantage for Microsoft, especially when comparing its policies and practices to those of Google, whose entire business is built on collecting data from its users and turning it into advertising profiles.
Most of Microsoft's revenue comes from selling software licenses, cloud services, and hardware. A significant share of that business is with enterprise customers and government agencies that have a profound interest in privacy and security. Indeed, Microsoft has earned generally high marks for its handling of security and privacy issues in cloud services such as Office 365 and Microsoft Azure.
Where things get somewhat murkier is with products and services aimed at consumers and small businesses. Without transparency over exactly what information is collected and how it's used, the company remains vulnerable to accusations that it's spying on customers.
As Google and Facebook have proven, the most effective way to monetize personal information is through online advertising. Microsoft once had dreams of being an advertising powerhouse, which occasionally led to struggles between product designers and ad sellers.
But the company abandoned that strategic goal five years ago when it wrote off the acquisition of aQuantive and scaled back its advertising ambitions after five years of struggling. Today, the company's advertising business is healthy but relatively small and mostly intended to monetize strategic assets such as its Bing and Cortana search tools.
In Microsoft's most recent quarter, search advertising and other forms of online ads accounted for only about 5 percent of total revenue. Contrast that with Google, which earns roughly 90 percent of its revenue from advertising and depends on collecting massive amounts of data to power the ads that pay for Google Search, Gmail, and other free products.
Without Microsoft's investments in those technologies, Google's dominance in search would arguably be a monopoly.
Still, even that small-by-Redmond-standards online search advertising business brought in about $1.4 billion in revenue in its recent quarter, up 40 percent over the previous year. Microsoft's ad business might be tiny compared to its rivals, but it's big enough for regulators and privacy advocates to worry about whether the company's data collection is being driven by its ad business.
Myerson tells me that they've shared details about its data collection practices with large enterprise customers and regulators. "That dialog is taking place in every country where we do business," he said. "We believe users have a right to privacy and users should have control over their data."
For consumers and small businesses, the new privacy dashboard offers more control over online data, but you'll have to take Microsoft assurances on faith when it comes to telemetry.
I asked Myerson whether Microsoft would consider contracting with an outside group, such as the EFF, to audit its data collection policies and offer an independent report.
"That's an interesting idea," he replied. "But various countries are going farther than hiring an audit firm. They're passing laws. We're making sure we're fully compliant with laws that affect Windows users."
The JAR included "specific indicators of compromise, including IP addresses and a PHP malware sample." But what does this really prove? Wordfence, a WordPress security company specializing in analyzing PHP malware, examined these indicators and didn't find any hard evidence of Russian involvement.
Instead, Wordfence found the attack software was P.A.S. 3.1.0, an out-of-date web-shell hacking tool. The newest version, 4.1.1b, is more sophisticated. Its website claims it was written in Ukraine.
Mark Maunder, Wordfence's CEO, concluded that since the attacks were made "several versions behind the most current version of P.A.S [sic] which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources."
True, as Errata Security CEO Rob Graham pointed out in a blog post, P.A.S is popular among Russia/Ukraine hackers. But it's "used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world." In short, just because the attackers used P.A.S., that's not enough evidence to blame it on the Russian government.
Now, Graham continued: "If they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor." But that's not what we've been given.
In short, Maunder continued in a FAQ, the data in the DHS/FBI Grizzly Steppe report contained "'indicators of compromise' (IOCs) [sic] which you can think of as footprints that hackers left behind. The IOC's in the report are tools that are freely available and IP addresses that are used by hackers around the world. There is very little Russia-specific data in the Grizzly Steppe report."
Others beside Wordfence found the JAR less than convincing. Robert M. Lee, CEO of the security company Dragos, wrote: "This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations. It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little."
In short, maybe it was the Russians behind the attacks on the DNC and other US organizations, but neither the source code nor the network analysis we've been shown so far strongly supports this conclusion.
Trump refuses to admit that Russia had any influence on the election, so we can expect little further information to come from the US government on the attacks once he's inaugurated. True, Trump promises to reveal insider information about Russian hacking. However, since Trump won't listen to intelligence briefings and has minimal security expertise on his staff, it's hard to imagine what "insider information" he could possibly possess.
This is, after all, a man whose closest computer expert appears to be his 10-year-old son. Perhaps he'll reveal that Russian president Vladimir Putin told him that Russia didn't do it? Or that there were never any attacks and that the FBI and DHS are in cahoots with that nasty woman to ruin his victory? Who knows.
Sarcasm aside, the US and its organizations recently have been subjected to multiple cyber-attacks. These assaults must be treated seriously. We need a more thorough investigation of who is behind them.
Monday, 9 January 2017
Google Cloud brought down due to human failure
Due to an engineering error, portions of the Google Cloud lost customer connectivity last Monday for approximately 70 minutes after Google network engineers manually connected a new peering link, bypassing the system of automatic checks that validate such links when proper procedures are followed.
The error made the europe-west1 region of Google Compute Engine unreachable from a subset of destinations, primarily in Eastern Europe and the Middle East. The issue was strictly with the network; Compute Engine instances in the region remained reachable from other locations, and traffic strictly within the Google network was also unaffected.
The problem was caused by the addition of a new link to a global peer with whom Google was already connected. The engineers brought the link up manually, not realizing that the link would advertise far more capacity than was actually available. Network systems automatically routed traffic to the new, seemingly high-capacity link, and four minutes after the link was created it was saturated and started dropping the majority of the network traffic routed through it.
The process was done manually because the automation that would normally have handled the link and its associated safety checks was down, according to Google, due to an unrelated failure. That automation is expected to protect the network from exactly this kind of problem. Because it was unavailable, the post-activation checks that would normally have been performed during that hour did not run, and the problem went undiscovered for 61 minutes, until normal system monitoring took over.
To prevent this specific problem from recurring, Google is changing its operations policy and no longer allowing these links to be brought up manually. In the future, the automation system must be fully operational before additional links are added.
If you're not a fan of tablets and soft or tethered keyboards, a forthcoming seven-inch PC could be the answer.
The maker of the GPD WIN, a 5.5-inch Windows 10 handheld game console released last year, is planning to launch a tablet-sized laptop, dubbed 'Pocket', which will run Windows or Ubuntu.
Shenzhen-based GPD says the forthcoming laptop will live up to its name, being small enough to stuff into its owner's pocket, QWERTY keyboard and all.
Where the GPD WIN was a game console that could work as a PC, the Pocket is aimed at people who want a really tiny, fully-fledged laptop.
The device will feature a QWERTY keyboard layout, including a trackpoint cursor controller that's wedged between the spacebar and left-click and right-click buttons.
The company touted the laptop on its user forum last week with an image of the device and a description that reveals it will feature a seven-inch touchscreen with Gorilla Glass 3, an aluminum body, a 7,000mAh battery, 4GB RAM, and 128GB storage.
According to Liliputing, the Pocket's processor will be an Intel Atom x7-Z8700 Cherry Trail. GPD's image also shows ports for USB type-C, a standard USB, and HDMI, as well as a spot for a headphone jack.
GPD fan Ton-chi-ki has published additional images and details about the device apparently from an email sent to enthusiasts by GPD.
As with the GPD Win handheld gaming console, GPD is planning to launch the Pocket through an Indiegogo campaign that's scheduled to go live in February, according to Ton-chi-ki.
GPD hasn't revealed pricing or release dates yet. The GPD Win was available for $330 in its Indiegogo campaign, which raised over $700,000 from nearly 2,300 backers.
There's something that's been bugging me all day.
On Wednesday, security researcher Justin Shafer reached out to a handful of security reporters after he found that Nevada state government's website was leaking thousands of applications from its medical marijuana dispensary program.
Shafer found the leaky web portal by using Google to search government websites for words like "social security," which anyone can do with relative ease. He found one listed web address, ending in a number, which pointed to a PDF file purporting to be a medical marijuana dispensary application. Altering the number in the web address let anyone view different applications.
The first reports came in.
- CSO Online: "Agent applications for Nevada's medical marijuana program exposed"
- The Daily Dot: "Medical marijuana portal exposes thousands of Social Security numbers"
- ZDNet: "Nevada leaks thousands of medical marijuana dispensary applications"
Around the time we published, the site had been taken down to "limit the vulnerability," according to spokesperson Martha Framsted.
Framsted said in a phone call Wednesday that it was "aware of the leak" from the security researcher via multiple reporters, including those from CSO Online and The Daily Dot, and would release a statement later in the day.
In our brief conversation, Framsted said that the state's IT staff had pulled the website offline in order to prevent the data from leaking further. There wasn't a hint of accusation -- clearly, this was a system that wasn't working properly.
Then, headlines began to turn from "leak" and "exposed" to "hacked" and "breached" later in the day.
What happened? Nevada's official statement reversed its rhetoric entirely and began blaming the leak on a "cyberattack." The statement said that industry employee information had been "stolen," adding that the incident had been "referred to law enforcement agencies for further investigation."
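The defect Shafer found is a direct object reference served without an authorization check: a URL ending in a record number, and the server returning whatever record that number names. The following is an added example, not code from the Nevada portal or from any article on this page; it puts that unchecked lookup beside a version that enforces ownership and uses an unguessable reference, and every class, account name and document in it is a constructed assumption.

```python
# Added example (not code from any of the articles on this page). It models the
# defect the Nevada report describes: a download URL ending in a sequential
# record number, served without checking that the requester may see that
# record. All names and data below are constructed for illustration.
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Application:
    app_id: int    # sequential database id, the number visible in the leaky URL
    owner: str     # account that submitted the application
    pdf: bytes     # the document itself (constructed stand-in)


class ApplicationStore:
    """In-memory stand-in for the portal's document store."""

    def __init__(self) -> None:
        self._by_id: Dict[int, Application] = {}
        self._by_token: Dict[str, int] = {}   # opaque reference -> app_id

    def add(self, app: Application) -> str:
        """Store a record and hand back an unguessable reference for its URL."""
        self._by_id[app.app_id] = app
        token = secrets.token_urlsafe(24)
        self._by_token[token] = app.app_id
        return token

    # Vulnerable pattern (what the report describes): whatever integer appears
    # in the URL is looked up and returned, with no authorization decision.
    def fetch_unchecked(self, app_id: int) -> Optional[Application]:
        return self._by_id.get(app_id)

    # Hardened pattern: the primary control is the ownership/role check; the
    # opaque token is defence in depth against guessing the next record.
    def fetch_checked(self, token: str, requester: str,
                      is_reviewer: bool = False) -> Optional[Application]:
        app_id = self._by_token.get(token)
        if app_id is None:
            return None
        app = self._by_id[app_id]
        if app.owner != requester and not is_reviewer:
            # Same answer as "no such record", so a denied request does not
            # confirm that the record exists.
            return None
        return app


def records_reachable_by_counting(store: ApplicationStore,
                                  id_range: Iterable[int]) -> int:
    """How many records the unchecked endpoint exposes to anyone who simply
    walks the integers, which is what made the Nevada portal enumerable."""
    return sum(1 for i in id_range if store.fetch_unchecked(i) is not None)


if __name__ == "__main__":
    store = ApplicationStore()
    tokens = {
        "alice": store.add(Application(1, "alice", b"%PDF-alice")),
        "bob": store.add(Application(2, "bob", b"%PDF-bob")),
    }
    print("unchecked, ids 1..99:", records_reachable_by_counting(store, range(1, 100)))
    print("bob reading alice's record:", store.fetch_checked(tokens["alice"], "bob"))
    print("alice reading her own:", store.fetch_checked(tokens["alice"], "alice") is not None)
```

The point to take from `fetch_checked` is that the ownership check, not the random token, is what would have stopped the leak; the token only removes the "add one to the number" shortcut.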
The cost of ransomware reached close to $1 billion in 2016, and it's not hard to see why.
The malware family, which targets everything from Windows to Mac machines, executes procedures to encrypt files and disks before demanding a ransom payment in return for keys to decrypt and unlock compromised machines.
However, it is not only the general public that is being targeted: everything from hospitals to schools and businesses is now in the firing line.
As the prospect of losing valuable content on computer systems or facing widespread disruption to business operations is often too much to bear, many will simply give up and give in, paying the fee and unfortunately contributing to the cybercriminal's operations.
However, paying up does not guarantee that victims will get their files back, no matter how low or high the payment demand.
This week, ESET researchers discovered that a Linux variant of KillDisk, linked to attacks against core infrastructure systems in Ukraine in 2015, is now being used against fresh Ukrainian financial targets.
The ransomware demands a huge amount of money, but there is no underwritten protocol for decryption keys to be released once payment is made.
Distributed through phishing campaigns targeting both Windows and Linux, once downloaded, the ransomware throws up a holding page referring to the Mr. Robot television show while files are being encrypted, the research team said in a blog post.
Unsurprisingly, no-one has paid up yet, nor should they, ever.
"This new variant renders Linux machines unbootable, after encrypting files and requesting a large ransom," ESET says. "But even if victims do reach deep into their pockets, the probability that the attackers will decrypt the files is small."
Files are encrypted using Triple-DES applied to 4096-byte file blocks and each file is encrypted using different sets of 64-bit encryption keys. However, the ransomware does not store encryption keys either locally or through a command-and-control (C&C) server, which means that affected systems after reboot are unbootable, and paying the ransom is pointless.
"It is important to note -- that paying the ransom demanded for the recovery of encrypted files is a waste of time and money," the team said. "Let us emphasize that -- the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware."