Every Linux fan should have at least one stuffed Tux, Linux's mascot, in their home or office. Tux stuffies aren't as common as they once were, but Linux PC vendor ZaReason still has a very nice snuggling Tux.
2) Linux hats and t-shirts
I have a drawer full of Linux trade-show t-shirts. But, if your friends didn't score an invite to Linux Plumbers or couldn't make it to LinuxCon, you can still dress them in penguin splendor with a hat or t-shirt from CafePress or Zazzle. You used to be able to get this kind of gear from ThinkGeek, but they're much more about Game of Thrones, Pokémon, and Harry Potter than they are about Debian, Ruby, or Apache.
3) xkcd books and shirts
Is there a Linux user or a tech geek of any sort out there who doesn't like the web comic xkcd? I don't think so! While they may read it religiously, they might not have an xkcd t-shirt. I particularly like the Linux cheat sheet shirt.
4) Linux license plates
What better way to tell the world your friend uses Linux than a Linux license plate or a Linux license plate frame? Your friend will need to get the first from their home state, but you can buy them a Linux frame from CafePress.
I can't find anyone currently selling a Linux license plate suitable for use in states that don't require you to use an official front plate. Back in 2000, Compaq, now part of HP, offered a Linux license plate. I've got one -- no, it's not for sale -- but you might find one on eBay.
And now for some more serious gift ideas.
5) Linux Foundation membership
If your friend can't code, beta test, or write documentation but still wants to support Linux, you can give the gift of membership in The Linux Foundation. Membership comes with some nice benefits. For $99, Individual Supporters get discounts to attend eligible Linux Foundation events, take a certification exam or training course, or buy equipment at employee purchase prices from Dell, HP, or Lenovo. They will also get a Linux.com email address.
6) Linux PC
Does your buddy need a new PC? Well, they can simply turn any old computer into a Linux PC with a Linux DVD or USB stick. You can also buy them a ready-to-run Linux PC. There are several Linux PC companies; among the best of these are Eight Virtues, EmperorLinux, LAC Portland, System76 and ZaReason.
The best Linux laptop available today comes from a company you already know: Dell. The Dell 2016 XPS 13 Developer Edition is just what the developer partner wants for holiday season programming. The XPS 13 comes with a high price-tag. The entry-level version comes with 8GB of RAM, a 128GB SSD, and an Intel HD Graphics 520 chipset, and runs for $949. Dell is offering holiday deals.
7) Open-source powered 3D printer
There are lots of 3D printers out there, but there's only one that meets the Open Source Hardware Association definition and has the Free Software Foundation's Respects Your Freedom certification blessing: the LulzBot Mini. This is an auto-bed-leveling, auto-nozzle-cleaning printer that can roll out up to 6"x6"x6.2" designs. At $1,250, you'll probably be buying this for very close friends.
Tuesday, 10 January 2017
Microsoft tries to soothe regulators and critics with new privacy controls
Of all the body blows Microsoft has absorbed in the past 18 months over Windows 10, the criticisms of its privacy policies have to sting the most.
Last summer, the French National Data Protection Commission (CNIL) issued a formal notice against Microsoft, ordering that the company "stop collecting excessive data and tracking browsing by users without their consent."
The CNIL found Microsoft's collection of diagnostic information (so-called telemetry) acceptable but said that the default settings for Windows 10 go too far. The complaint singled out Microsoft's practice of collecting information about app usage as "excessive."
A month later, the Electronic Freedom Foundation took aim at Windows 10 with a signed editorial criticizing the company for "disregarding user choice" and sending "an unprecedented amount of usage data back to Microsoft...." As I noted at the time, EFF was especially critical of Microsoft's telemetry collection policies.
After months of explaining and defending its policies, publicly and in meetings with regulators, the company today announced that it's making a series of privacy-related moves. Terry Myerson, who runs the Windows and Devices Group, made the announcement in a blog post:
Many of you have asked for more control over your data, a greater understanding of how data is collected, and the benefits this brings for a more personalized experience. Based on your feedback, we are launching two new experiences to help ensure you are in control of your privacy.
First, today we're launching a new web-based privacy dashboard so you can see and control your activity data from Microsoft including location, search, browsing and Cortana Notebook data across multiple Microsoft services. Second, we're introducing in Windows 10 a new privacy set up experience, simplifying Diagnostic data levels and further reducing the data collected at the Basic level.
The changes to Windows 10 will roll out initially in an upcoming Windows Insider preview build, perhaps as soon as this week, and will reach the general public with the release of the Windows 10 Creators Update this spring.
I haven't seen these features in operation yet. The descriptions in the remainder of this post are based on what Microsoft says it plans to deliver. The broad outlines shouldn't change, but you can expect the user experience to evolve before the final release, based on feedback from Windows Insider Program participants and third parties.
Unlike its predecessors, the Creators Update will not arrive silently in the background. Instead, Microsoft plans to notify Windows 10 users that the update is available and allow them to schedule its installation. As part of the process of scheduling that upgrade, users will have the opportunity to make "explicit choices" about privacy settings in five categories.
This is the new privacy settings setup experience that will arrive soon in a Windows Insider preview build, according to Myerson:
This setup screen replaces the Express Settings in current Windows 10 public releases, which require multiple extra steps to adjust default settings in a clean installation and offer no control over privacy options during upgrades. (To make matters worse, some users have reported that Windows 10 upgrades occasionally reset custom privacy options to their default settings after an upgrade.)
The new interface for setting privacy options also includes an explanation of what happens if you turn any of those settings off or, in the case of the Diagnostics setting, adjust it from Full to Basic.
All of those settings, along with more granular controls (such as setting location permissions on a per-app basis) will also be available after installation, under the Privacy heading in Settings.
The changes to telemetry settings start with the renaming of the category itself, from Diagnostic and Usage Data to just Diagnostics.
In all public releases of Windows 10 so far, non-Enterprise editions allow users and administrators to choose one of three levels to control telemetry collection: Full, Enhanced, and Basic. The changes in the Creators Update will eliminate the Enhanced level and also reduce the amount of information collected when you slide that switch to Basic.
(In Enterprise settings, administrators will continue to have an additional Security option, which eliminates virtually all telemetry collection but requires the deployment of an alternative update mechanism.)
In an interview, Microsoft Corporate Vice President Michael Fortin told me that the Enhanced level was "confusing," and "only a relatively modest number of Windows 10 users were choosing it." Most people either leave the default setting at Full or signal their preference for privacy by switching to the lowest available telemetry option, Basic, he noted.
Effective with this spring's Windows 10 feature update, telemetry information collected at the Basic level will no longer include information about app installation or usage. Instead, Myerson says, information collected at that level will focus strictly on security and reliability, with basic error reporting. That change should assuage some of the concerns of the CNIL and other regulators as well as privacy critics like the EFF.
The new Windows 10 settings are available in all installations, regardless of what type of account the user has signed in with.
The privacy dashboard is a separate feature, designed to give users of Microsoft services the opportunity to see and edit information that is collected and stored in the cloud when they are signed in with a Microsoft account.
According to Myerson, the new privacy dashboard (which will be available at https://account.microsoft.com/privacy) will allow Microsoft customers, regardless of hardware platform or operating system, to review and clear data such as browsing history, search history, location activity, and Cortana's Notebook. (Note that this data is associated with a Microsoft account and is not saved in the cloud when the user browses without signing in.)
Because this dashboard is web-based, it's likely to evolve significantly over time. In an interview, Myerson told me he expects his team to iterate on that user experience in response to feedback. "What we're learning," he said, "is that people don't always understand why something is being collected and what are the implications of clearing it out. We will continuously be improving."
On paper, Redmond can make a strong case that it has an economic incentive to protect its users' privacy. As I noted last summer, privacy should be a competitive advantage for Microsoft, especially when comparing its policies and practices to those of Google, whose entire business is built on collecting data from its users and turning it into advertising profiles.
Most of Microsoft's revenue comes from selling software licenses, cloud services, and hardware. A significant share of that business is with enterprise customers and government agencies that have a profound interest in privacy and security. Indeed, Microsoft has earned generally high marks for its handling of security and privacy issues in cloud services such as Office 365 and Microsoft Azure.
Where things get somewhat murkier is with products and services aimed at consumers and small businesses. Without transparency over exactly what information is collected and how it's used, the company remains vulnerable to accusations that it's spying on customers.
As Google and Facebook have proven, the most effective way to monetize personal information is through online advertising. Microsoft once had dreams of being an advertising powerhouse, which occasionally led to struggles between product designers and ad sellers.
But the company abandoned that strategic goal five years ago when it wrote off the acquisition of aQuantive and scaled back its advertising ambitions after five years of struggling. Today, the company's advertising business is healthy but relatively small and mostly intended to monetize strategic assets such as its Bing and Cortana search tools.
In Microsoft's most recent quarter, search advertising and other forms of online ads accounted for only about 5 percent of total revenue. Contrast that with Google, which earns roughly 90 percent of its revenue from advertising and depends on collecting massive amounts of data to power the ads that pay for Google Search, Gmail, and other free products.
Without Microsoft's investments in those technologies, Google's dominance in search would arguably be a monopoly.
Still, even that small-by-Redmond-standards online search advertising business brought in about $1.4 billion in revenue in its recent quarter, up 40 percent over the previous year. Microsoft's ad business might be tiny compared to its rivals, but it's big enough for regulators and privacy advocates to worry about whether the company's data collection is being driven by its ad business.
Myerson tells me that Microsoft has shared details about its data collection practices with large enterprise customers and regulators. "That dialog is taking place in every country where we do business," he said. "We believe users have a right to privacy and users should have control over their data."
For consumers and small businesses, the new privacy dashboard offers more control over online data, but you'll have to take Microsoft's assurances on faith when it comes to telemetry.
I asked Myerson whether Microsoft would consider contracting with an outside group, such as the EFF, to audit its data collection policies and offer an independent report.
"That's an interesting idea," he replied. "But various countries are going farther than hiring an audit firm. They're passing laws. We're making sure we're fully compliant with laws that affect Windows users."
The P.A.S. web shell hacking tool used against the DNC is both out of date and commonly used by many hackers.
Indeed, even though President Barack Obama has expelled Russian diplomats over the cyber-attack, the JAR (the DHS/FBI Joint Analysis Report) doesn't finger the Russian government. Instead, it merely claims there are technical indicators that Russian Intelligence Services (RIS) are attacking the US government and political and private sector entities. This continued assault is called Grizzly Steppe.
The primary method used in Grizzly Steppe is spear phishing. In spear phishing, a very common hacking approach, you receive messages that look like they're coming from a friend or co-worker. In Grizzly Steppe, if you click on the message's content or follow a link, you infect your device with Remote Access Tool (RAT) malware. From there, emails and other data are siphoned off to the attacker.
The JAR included "specific indicators of compromise, including IP addresses and a PHP malware sample." But what does this really prove? Wordfence, a WordPress security company specializing in analyzing PHP malware, examined these indicators and didn't find any hard evidence of Russian involvement. Instead, Wordfence found the attack software was P.A.S. 3.1.0, an out-of-date web-shell hacking tool. The newest version, 4.1.1b, is more sophisticated. Its website claims it was written in Ukraine.
Mark Maunder, Wordfence's CEO, concluded that since the attacks were made "several versions behind the most current version of P.A.S [sic] which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources."
True, as Errata Security CEO Rob Graham pointed out in a blog post, P.A.S is popular among Russia/Ukraine hackers. But it's "used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world." In short, just because the attackers used P.A.S., that's not enough evidence to blame it on the Russian government.
Now, Graham continued: "If they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor." But that's not what we've been given.
Maunder and his crew also analyzed the Internet Protocol (IP) addresses used in Grizzly Steppe. They found the IP addresses that DHS provided "may have been used for an attack by a state actor like Russia. But they don't appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15 percent of IP addresses that are Tor exit nodes."
In short, Maunder continued in a FAQ, the data in the DHS/FBI Grizzly Steppe report contained "'indicators of compromise' (IOCs) [sic] which you can think of as footprints that hackers left behind. The IOC's in the report are tools that are freely available and IP addresses that are used by hackers around the world. There is very little Russia-specific data in the Grizzly Steppe report."
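The two tests the article walks through, discounting indicator IPs that are Tor exit nodes and (Graham's stronger test) looking for the same source IPs driving the same web shell on several victims, as an added example that is not from the article, Wordfence or Errata Security. The Tor exit list, indicator IPs, web shell path and log lines are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed Tor exit-node list (a stand-in for a real exit-node feed).
TOR_EXITS = {"198.51.100.7", "198.51.100.8", "203.0.113.99"}

# Constructed indicator list in the style of the report's IP IOCs.
IOC_IPS = ["198.51.100.7", "198.51.100.8", "203.0.113.5",
           "203.0.113.99", "192.0.2.10", "192.0.2.11"]

# Hypothetical path where a PHP web shell was dropped on each victim.
SHELL_PATH = "/wp-content/uploads/cache.php"

# Constructed web server logs (common log format) from three victims.
VICTIM_LOGS = {
    "victim-a": [
        '203.0.113.5 - - [28/Dec/2016:10:01:02 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 512',
        '192.0.2.10 - - [28/Dec/2016:10:05:44 +0000] "GET /index.php HTTP/1.1" 200 2048',
        '198.51.100.7 - - [28/Dec/2016:11:20:00 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 300',
    ],
    "victim-b": [
        '203.0.113.5 - - [29/Dec/2016:08:12:09 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 480',
        '192.0.2.11 - - [29/Dec/2016:08:40:00 +0000] "GET /about HTTP/1.1" 200 1024',
    ],
    "victim-c": [
        '198.51.100.7 - - [30/Dec/2016:09:00:01 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 256',
        '192.0.2.11 - - [30/Dec/2016:09:30:33 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 256',
    ],
}

# Source IP, request method and path from a common-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def triage_iocs(iocs, tor_exits):
    """Split indicator IPs into Tor exits (shared by anyone using Tor, so of
    little attribution value) and the remainder worth investigating."""
    tor = [ip for ip in iocs if ip in tor_exits]
    other = [ip for ip in iocs if ip not in tor_exits]
    fraction = len(tor) / len(iocs) if iocs else 0.0
    return {"tor_exit": tor, "other": other, "tor_fraction": fraction}


def shell_activity(victim_logs, shell_path):
    """Map each source IP to the set of victims where it sent commands
    (modelled here as POST requests) to the web shell path."""
    hits = defaultdict(set)
    for victim, lines in victim_logs.items():
        for line in lines:
            m = LOG_RE.match(line)
            if m and m.group("method") == "POST" and m.group("path") == shell_path:
                hits[m.group("ip")].add(victim)
    return hits


def cross_victim_actors(victim_logs, shell_path, iocs, tor_exits, min_victims=2):
    """Graham's test: indicator IPs (not Tor exits) that drove the same
    shell on at least `min_victims` victims, the signal of a single actor."""
    hits = shell_activity(victim_logs, shell_path)
    return sorted(ip for ip, victims in hits.items()
                  if ip in iocs and ip not in tor_exits and len(victims) >= min_victims)
```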
Others beside Wordfence found the JAR less than convincing. Robert M. Lee, CEO of the security company Dragos, wrote: "This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations. It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little."
In short, maybe it was the Russians behind the attacks on the DNC and other US organizations, but neither the source code nor the network analysis we've been shown so far strongly supports this conclusion.
Trump refuses to admit that Russia had any influence on the election, so we can expect little further information to come from the US government on the attacks once he's inaugurated. True, Trump promises to reveal insider information about Russian hacking. However, since Trump won't listen to intelligence briefings and has few security experts on his staff, it's hard to imagine what "insider information" he could possibly possess. This is, after all, a man whose closest computer expert appears to be his 10-year-old son.
Perhaps he'll reveal that Russian president Vladimir Putin told him that Russia didn't do it? Or that there were never any attacks and that the FBI and DHS are in cahoots with that nasty woman to ruin his victory? Who knows.
Sarcasm aside, the US and its organizations recently have been subjected to multiple cyber-attacks. These assaults must be treated seriously. We need a more thorough investigation of who is behind them.
Monday, 9 January 2017
Google Cloud brought down due to human failure
Due to an engineering error, portions of the Google Cloud lost customer connectivity last Monday for approximately 70 minutes after Google network engineers manually connected a new peering link, bypassing the system of automatic checks that validate such links when proper procedures are followed.
The error made Google Compute Engine in the europe-west1 region unreachable from a subset of destinations, primarily in Eastern Europe and the Middle East. The issue was strictly with the network; Compute Engine instances in the region were unaffected when reached from other locations. Traffic strictly within the Google network was also unaffected.
The problem was caused by the addition of a new link to a global peer with whom Google was already connected. The engineers brought the link up manually, not realizing that the link would advertise far more capacity than was actually available. Network systems automatically routed traffic to the new, seemingly high capacity link, and four minutes after the link was created it was saturated and started dropping the majority of the network traffic routed through the link.
The process was done manually because the automation that would normally have handled the link and its associated safety checks was down, according to Google, due to an unrelated failure. This automation is expected to protect the network from problems such as the one that persisted for an hour. Because the automation was down, the post-activation checks that would normally have run during that hour were not available, so the problem went undiscovered for 61 minutes, until normal system monitoring caught it.
To prevent this specific problem from recurring, Google is changing its operations policy and no longer allowing these links to be brought up manually. In the future, the automation system must be fully operational before additional links will be added.
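A simplified model of the failure and of the policy Google adopted, added here as an example and not Google's own code. Traffic is steered to peering links in proportion to the capacity they advertise, so a link that overstates its capacity attracts more traffic than it can carry and drops the excess; the guard refuses a manual bring-up when the automation is down or the advertised figure has not been confirmed by measurement. Link names and all capacity figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class PeeringLink:
    name: str
    advertised_gbps: float   # capacity the link announces to the routing system
    actual_gbps: float       # capacity it can really carry


def steer_traffic(links, demand_gbps):
    """Capacity-weighted steering: each link receives the share of demand
    proportional to its advertised capacity (the behaviour that amplified the fault)."""
    total = sum(link.advertised_gbps for link in links)
    return {link.name: demand_gbps * link.advertised_gbps / total for link in links}


def drop_fraction(link, assigned_gbps):
    """Share of the traffic steered to a link that the link cannot carry."""
    if assigned_gbps <= link.actual_gbps:
        return 0.0
    return (assigned_gbps - link.actual_gbps) / assigned_gbps


class LinkActivationError(Exception):
    """Raised when the guard refuses to bring a link into service."""


def bring_up_link(existing, new, demand_gbps, automation_healthy, measured_gbps=None):
    """Guarded activation. Mirrors the new policy: no manual bring-up while the
    automation (and its safety checks) is unavailable, and the advertised
    capacity must be backed by a measurement before traffic is steered to it.
    Returns the resulting traffic assignment when the link is safe to add."""
    if not automation_healthy:
        raise LinkActivationError(
            "automation and safety checks unavailable; refusing manual bring-up")
    if measured_gbps is None or measured_gbps < new.advertised_gbps:
        raise LinkActivationError(
            f"{new.name}: advertised {new.advertised_gbps} Gbps not validated by measurement")
    links = existing + [new]
    assigned = steer_traffic(links, demand_gbps)
    for link in links:
        if drop_fraction(link, assigned[link.name]) > 0.0:
            raise LinkActivationError(f"{link.name} would saturate and drop traffic")
    return assigned


def simulate_unguarded_outage():
    """Reproduce the incident shape: a new link claiming 900 Gbps that can
    really carry 10 Gbps is added unguarded next to an honest 100 Gbps link,
    with 100 Gbps of demand. Returns the drop fraction on the new link."""
    existing = [PeeringLink("peer-existing", 100.0, 100.0)]
    new = PeeringLink("peer-new", advertised_gbps=900.0, actual_gbps=10.0)
    assigned = steer_traffic(existing + [new], demand_gbps=100.0)
    return drop_fraction(new, assigned["peer-new"])


if __name__ == "__main__":
    print(f"unguarded: new link drops {simulate_unguarded_outage():.0%} of its traffic")
```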
If you're not a fan of tablets and soft or tethered keyboards, a forthcoming seven-inch PC could be the answer.
The maker of the GPD WIN, a 5.5-inch Windows 10 handheld game console released last year, is planning to launch a tablet-sized laptop, dubbed 'Pocket', which will run Windows or Ubuntu.
Shenzhen-based GPD says the forthcoming laptop will live up to its name, being small enough to stuff into its owner's pocket, QWERTY keyboard and all.
Where the GPD WIN was a game console that could work as a PC, the Pocket is aimed at people who want a really tiny, fully-fledged laptop.
The device will feature a QWERTY keyboard layout, including a trackpoint cursor controller that's wedged between the spacebar and left-click and right-click buttons.
The company touted the laptop on its user forum last week with an image of the device and a description that reveals it will feature a seven-inch touchscreen with Gorilla Glass 3, an aluminum body, a 7,000mAh battery, 4GB RAM, and 128GB storage. According to Liliputing, the Pocket's processor will be an Intel Atom x7-Z8700 Cherry Trail. GPD's image also shows ports for USB type-C, a standard USB, and HDMI, as well as a spot for a headphone jack.
GPD fan Ton-chi-ki has published additional images and details about the device, apparently from an email sent to enthusiasts by GPD. According to Ton-chi-ki, the Pocket's screen will have a 1,920 x 1,080-pixel resolution and the device will support Windows 10 or Ubuntu 16.04 LTS, as well as Wi-Fi and Bluetooth. Typing on a keyboard that's crammed into a seven-inch device could prove difficult, but possibly no worse than using an attached keyboard on a tablet.
As with the GPD Win handheld gaming console, GPD is planning to launch the Pocket through an Indiegogo campaign that's scheduled to go live in February, according to Ton-chi-ki.
GPD hasn't revealed pricing or release dates yet. The GPD Win was available for $330 in its Indiegogo campaign, which raised over $700,000 from nearly 2,300 backers.
There's something that's been bugging me all day.
On Wednesday, security researcher Justin Shafer reached out to a handful of security reporters after he found that Nevada state government's website was leaking thousands of applications from its medical marijuana dispensary program.
Shafer found the leaky web portal by using Google to search government websites for words like "social security," which anyone can do with relative ease. He found one listed web address, ending in a number, which pointed to a PDF file purporting to be a medical marijuana dispensary application. Altering the number in the web address let anyone view different applications.
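The access pattern described above, a record served by a sequential number in the URL with no check on who is asking, beside a hardened version that ties every read to the requesting user and issues unguessable identifiers. This is an added example, not Nevada's code; the store, users and application bodies are constructed.

```python
import secrets

# Constructed store with sequential ids, the pattern the leaky portal apparently used.
APPLICATIONS = {
    1001: {"owner": "alice", "body": "application 1001 (contains applicant SSN)"},
    1002: {"owner": "bob", "body": "application 1002 (contains applicant SSN)"},
}


def fetch_application_vulnerable(app_id, requester=None):
    """Vulnerable handler: the requester is ignored, so anyone who changes the
    number in the address receives someone else's application."""
    record = APPLICATIONS.get(app_id)
    return record["body"] if record else None


class Forbidden(Exception):
    """Returned for both missing and foreign records, so responses do not reveal
    which identifiers exist."""


class ApplicationStore:
    """Hardened store: opaque random identifiers plus an ownership check on every read."""

    def __init__(self):
        self._by_token = {}

    def add(self, owner, body):
        # 128 bits of randomness: a neighbouring record's id cannot be derived
        # from this one, unlike a sequential number.
        token = secrets.token_urlsafe(16)
        self._by_token[token] = {"owner": owner, "body": body}
        return token

    def fetch(self, token, requester):
        """Serve the record only to its owner; the opaque id alone is not enough."""
        record = self._by_token.get(token)
        if record is None or record["owner"] != requester:
            raise Forbidden("not found or not authorised")
        return record["body"]
```

The ownership check is the essential fix; the opaque identifier only removes the enumeration shortcut and would not be a defence on its own.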
The first reports came in.
CSO Online: "Agent applications for Nevada's medical marijuana program exposed"
The Daily Dot: "Medical marijuana portal exposes thousands of Social Security numbers"
ZDNet: "Nevada leaks thousands of medical marijuana dispensary applications"
See the common thread? The leak was Nevada's fault. No systems were hacked or breached.
Around the time we published, the site had been taken down to "limit the vulnerability," according to spokesperson Martha Framsted.
Framsted said in a phone call Wednesday that it was "aware of the leak" from the security researcher via multiple reporters, including those from CSO Online and The Daily Dot, and would release a statement later in the day.
In our brief conversation, Framsted said that the state's IT staff had pulled the website offline in order to prevent the data from leaking further. There wasn't a hint of accusation -- clearly, this was a system that wasn't working properly. Then, headlines began to turn from "leak" and "exposed" to "hacked" and "breached" later in the day.
What happened? Nevada's official statement reversed its rhetoric entirely and began blaming the leak on a "cyberattack." The statement said that industry employee information had been "stolen," adding that the incident had been "referred to law enforcement agencies for further investigation."
The cost of ransomware reached close to $1 billion in 2016, and it's not hard to see why.
This class of malware, which targets everything from Windows to Mac machines, encrypts files and disks before demanding a ransom payment in return for the keys to decrypt and unlock compromised machines.
However, it is not only the general public that is being targeted, with everything from hospitals to schools and businesses now in the firing line.
As the prospect of losing valuable content on computer systems or facing widespread disruption to business operations is often too much to bear, many will simply give up and give in, paying the fee and unfortunately contributing to the cybercriminals' operations.
However, paying up does not guarantee that victims will get their files back, no matter how low or high the payment demand.
This week, ESET researchers discovered that a Linux variant of KillDisk, linked to attacks against core infrastructure systems in Ukraine in 2015, is now being used against fresh Ukrainian financial targets.
The ransomware demands a huge amount of money, but there is no underwritten protocol for decryption keys to be released once payment is made.
Distributed through phishing campaigns targeting both Windows and Linux, once downloaded, the ransomware throws up a holding page referring to the Mr. Robot television show while files are being encrypted, the research team said in a blog post. A message then begins with "we are so sorry..." before demanding a laughable 222 Bitcoin ($247,000).
Unsurprisingly, no-one has paid up yet, nor should they, ever.
"This new variant renders Linux machines unbootable, after encrypting files and requesting a large ransom," ESET says. "But even if victims do reach deep into their pockets, the probability that the attackers will decrypt the files is small."
Files are encrypted using Triple-DES applied to 4096-byte file blocks and each file is encrypted using different sets of 64-bit encryption keys. However, the ransomware does not store encryption keys either locally or through a command-and-control (C&C) server, which means that affected systems after reboot are unbootable, and paying the ransom is pointless.
"It is important to note -- that paying the ransom demanded for the recovery of encrypted files is a waste of time and money," the team said. "Let us emphasize that -- the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware.