Security updates have been issued by Arch Linux (lib32-expat, webkit2gtk, and wireshark-cli), Debian (resiprocate), Fedora (java-1.8.0-openjdk, kernel, and open-vm-tools), openSUSE (containerd, docker, runc and gnu-efi, pesign, shim), Red Hat (tomcat), and Ubuntu (gdb, libiberty, and openjdk-8).
Post Syndicated from Ernesto original https://torrentfreak.com/police-confirms-extra-illegal-spying-on-kim-dotcom-170727/
Kim Dotcom has made headlines in the press again over the past week, but not for his own alleged misconduct.
Instead, there is a renewed focus on the unlawful surveillance practices of the Government Communications Security Bureau (GCSB).
During the months leading up to the raid, the GCSB carried out surveillance on Dotcom but failed to check his residency status. The outfit was not allowed to spy on its own residents and clearly crossed a line with its unlawful information gathering.
To find out what was collected, Dotcom asked the High Court for access to the surveilled information, but last week this request was denied. While this came as a disappointment, the court did reveal something else of interest.
As it turns out, the illegal spying on Dotcom didn’t stop on January 20, 2012, when Dotcom was arrested. Instead, it carried on for another two months, ending March 22, 2012.
Initially, some people thought that the High Court may have made a mistake in the timeline, but with pressure mounting, New Zealand police have now confirmed that this is not the case. The illegal spying did indeed continue for two more months.
“We’ve checked the file and can confirm that the dates you’ve highlighted were known to the Operation Grey team. They were considered as part of the investigation and decision-making about the outcome,” a police spokesman told NZ Herald.
While this is all news to the public, the police and others were well-aware of the additional spying. This raises a series of questions, which Megaupload’s founder would like to see answered.
“Does this mean that New Zealand Police knew that the GCSB affidavits were false? GCSB told the Courts under oath that the illegal spying ended two months earlier. Not in March but in January,” Dotcom says, commenting on the news.
The issue is more than a matter of oversight, Dotcom says, and he calls for a proper investigation where the people responsible will be held accountable.
“New Zealand Police investigated GCSB because of the illegal spying but nobody was ever charged with any crime. How is that possible if the Police knew that the GCSB lied to the New Zealand Courts? What else would we discover if we had a fair and open hearing instead of secret submissions in closed Court?
“The New Zealand Courts have been fooled by the GCSB and the Police. What’s next? What are the consequences?” Dotcom adds.
In recent years the Megaupload case has been a stumbling block for several politicians and the latest revelations have put Prime Minister Bill English under pressure. It’s clear that several high ranked officials would rather see Dotcom leave, but thus far the fiasco is more likely to help him stay.
Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/nBF_Xjl7rQw/
Cross-Site Request Forgery is a term you’ve probably heard in the context of web security or web hacking, but do you really know what it means? The OWASP definition is as follows: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re […]
The post All You Need…
Read the full post at darknet.org.uk
Hey folks, Rob from The MagPi here! It’s the last Thursday of the month, and that can only mean one thing: a brand-new The MagPi issue is out! In The MagPi 60, we’re bringing you the top troubleshooting tips for your Raspberry Pi, sourced directly from our amazing community.
The MagPi 60
Our feature-length guide covers snags you might encounter while using a Raspberry Pi, and it is written for newcomers and veterans alike! Do you hit a roadblock while booting up your Pi? Are you having trouble connecting it to a network? Don’t worry – in this issue you’ll find troubleshooting advice you can use to solve your problem. And, as always, if you’re still stuck, you can head over to the Raspberry Pi forums for help.
More than troubleshooting
That’s not all though – Issue 60 also includes a disc with Raspbian-x86! This version of Raspbian for PCs contains all the recent updates and additions, such as offline Scratch 2.0 and the new Thonny IDE. And – *drumroll* – the disc version can be installed to your PC or Mac. The last time we had a Raspbian disc on the cover, many of you requested an installable version, so here you are! There is an installation guide inside the mag, so you’ll be all set to get going.
On top of that, you’ll find our usual array of amazing tutorials, projects, and reviews. There’s a giant guitar, Siri voice control, Pi Zeros turned into wireless-connected USB drives, and even a review of a new robot kit. You won’t want to miss it!
How to get a copy
Grab your copy today in the UK from WHSmith, Sainsbury’s, Asda, and Tesco. Copies will be arriving very soon in US stores, including Barnes & Noble and Micro Center. You can also get the new issue online from our store, or digitally via our Android or iOS app. And don’t forget, there’s always the free PDF as well.
Subscribe for free goodies
Some of you have asked me about the goodies that we give out to subscribers. This is how it works: if you take out a twelve-month print subscription of The MagPi, you’ll get a Pi Zero W, Pi Zero case, and adapter cables absolutely free! This offer does not currently have an end date.
Alright, I think I’ve covered everything! So that’s it. I’ll see you next month.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/07/firing_a_locked.html
The Armatix IP1 “smart gun” can only be fired by someone who is wearing a special watch. Unfortunately, this security measure is easily hackable.
Post Syndicated from Andy original https://torrentfreak.com/premier-league-wins-new-stream-blocking-injunction-to-fight-piracy-170727/
Earlier this year the Premier League obtained a rather special High Court injunction to assist in its fight against illegal football match streaming.
Similar in its aims to earlier blocking orders that targeted torrent sites including The Pirate Bay, the injunction enabled the Premier League to act quickly, forcing local ISPs such as Sky, BT, and Virgin to block football streams in real-time.
Although public results varied, the English Premier League (EPL) reports that under the injunction it was able to block 5,000 server IP addresses that were streaming its content. That appears to have encouraged the organization to apply for another injunction for the upcoming 2017-18 season.
According to a statement published on the EPL site, that has now been granted.
“This blocking order is a game-changer in our efforts to tackle the supply and use of illicit streams of our content,” said Premier League Director of Legal Services, Kevin Plumb.
“It will allow us to quickly and effectively block and disrupt the illegal broadcast of Premier League football via any means, including so called ‘pre-loaded Kodi boxes’.”
Although the details of the new injunction are yet to be published by the High Court, the EPL indicates that the injunction is very similar to the one obtained previously, which targets overseas servers streaming Premier League matches into the UK.
Upon notice from the Premier League, ISPs including Sky, BT, Virgin Media, Plusnet, EE and TalkTalk are required to block IP addresses quickly as matches are being streamed, all without any direct intervention from the court.
“The protection of our copyright, and the investment made by our broadcast partners, is hugely important to the Premier League and the future health of English football,” the Premier League said.
The injunction itself lists the Internet service providers as defendants but it’s important to note that most have a vested interest in the injunction being put in place. Sky, BT and Virgin Media all screen Premier League matches in some way so there’s no surprise that none put up a fight when confronted by the football organization.
Indeed, several of the ISPs appeared to have assisted the EPL in some pretty intimate ways, even going as far as sharing a certain level of customer traffic data with the organization.
It will be interesting to see what effect the new blocking efforts will have on stream availability when the new season begins. Saturday afternoons, when matches take place around the country but are prohibited from being screened due to the blackout, should be the main focal point. As previously suggested, the EPL will probably enjoy more success than last season with experience under their belts.
Finally, tabloids in the UK have been giving the injunction their usual dramatic coverage but a special mention must go out to The Sun. In an article titled “Closing the Net”, the paper said that under the injunction, “BRITS who illegally stream Premier League football matches could have their internet connection shut off.”
The way things are worded it suggests that people who watch streams could be disconnected by their ISP. That is not the case.
- trucks, vans, lorries;
- caravans with several bicycles on the back (we want to go to the seaside again!);
- all sorts of smoking old diesels that tried to suffocate us, or at least to ruin our car's air filter;
- a military convoy that crawled along the motorway at 35 km/h for 50 km and let nobody past, nobody; at least we got a close look at the various armoured personnel carriers, Humvees, heavy machine guns, military ambulances and tankers...
And when we finally reached Sofia, the moment we entered we had to crawl behind a trolleybus for three whole stops. Oh, our nerves were in shreds! And we are calm people who don't speed, who follow the rules, who aren't in a hurry to overtake everyone and everything, and whose aggressiveness tends toward zero.
But if possible, may we never have a trip like that again, please!
Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/07/slowloris-all-things.html
At DEFCON, some researchers are going to announce a Slowloris-type exploit for SMB — SMBloris. I thought I’d write up some comments.
The original Slowloris from several years ago creates a ton of connections to a web server, but only sends partial headers. The server allocates a large amount of memory to handle the requests, expecting to free that memory soon when the requests are completed. But the requests are never completed, so the memory remains tied up indefinitely. Moreover, this also consumes a lot of CPU resources — every time Slowloris dribbles a few more bytes onto the TCP connection, it forces the CPU to walk through a lot of data structures to handle those bytes.
The thing about Slowloris is that it’s not specific to HTTP. It’s a principle that affects pretty much every service that listens on the Internet. For example, on Linux servers running NFS, you can exploit the RPC fragmentation feature in order to force the server to allocate all the memory in a box waiting for fragments that never arrive.
SMBloris does the same thing for SMB. It’s an easy attack to carry out in general; the only question is how many resources are required on the attacker’s side. That’s probably what this talk is about: causing the maximum consequences on the server with minimal resources on the attacker’s machine, thus allowing a Raspberry Pi to tie up all the resources on even the largest enterprise server.
According to the ThreatPost article, the attack was created looking at the NSA ETERNALBLUE exploit. That exploit works by causing the server to allocate memory chunks from fragmented requests. How to build a Slowloris exploit from this is then straightforward — just continue executing the first part of the ETERNALBLUE exploit, with larger chunks. I say “straightforward”, but of course, the researchers have probably discovered some additional clever tricks.
Samba, the SMB rewrite for non-Windows systems, probably falls victim to related problems. Maybe not this particular attack that affects Windows, but almost certainly something else. If not SMB, then the DCE-RPC service on top of it.
Microsoft has said they aren’t going to fix the SMBloris bug, and for good reason: it might be unfixable. Sure, there’s probably some kludge that fixes this specific script, but would still leave the system vulnerable to slight variations. The same reasoning applies to other services — Slowloris is an inherent problem in all Internet services and is not something easily addressed without re-writing the service from the ground up to specifically deal with the problem.
The best answer to Slowloris is the “langsec” discipline, which counsels us to separate “parsing” input from “processing” it. Most services combine the two, partially processing partial input. This should be changed to fully validate input, consuming the least resources possible, before processing it. In other words, services should have a lightweight front-end that consumes the least resources possible while waiting for the request to complete, and only then forwards the request to the rest of the system.
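As an added illustration of the parse-before-process front-end described above (example code, not from the original post), here is a bounded header front-end for a constructed HTTP-like protocol: it holds a capped buffer per connection, gives each connection a fixed deadline to finish its headers, and hands a request downstream only once it is complete and strictly parsed. The limits, the clock injection and the two simulated clients are all constructed for the demonstration.

```python
# Added example (not from the original post): a bounded parse-then-process
# front-end. The HTTP-like protocol, limits and simulated clients are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_HEADER_BYTES = 8 * 1024   # hard cap on memory held per unfinished request
HEADER_DEADLINE = 10.0        # seconds a client gets to finish its headers
HEADER_END = b"\r\n\r\n"


@dataclass
class PendingRequest:
    """Cheap per-connection state kept only while headers are incomplete."""
    started_at: float
    buf: bytearray = field(default_factory=bytearray)


def parse_headers(raw: bytes) -> Optional[dict[str, str]]:
    """Strictly parse a request line plus 'Name: value' lines; reject anything else."""
    lines = raw.split(b"\r\n")
    if not lines[0].startswith(b"GET "):
        return None
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or b" " in name:
            return None
        headers[name.decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return headers


class FrontEnd:
    """Accepts bytes per connection and releases only complete, validated requests."""

    def __init__(self, clock: Callable[[], float], max_bytes: int = MAX_HEADER_BYTES,
                 deadline: float = HEADER_DEADLINE) -> None:
        self.clock = clock                 # injectable so the demo runs without sleeping
        self.max_bytes = max_bytes
        self.deadline = deadline
        self.pending: dict[int, PendingRequest] = {}
        self.dropped: list[tuple[int, str]] = []
        self.completed: list[tuple[int, dict[str, str]]] = []

    def feed(self, conn_id: int, data: bytes) -> Optional[dict[str, str]]:
        """Buffer data for conn_id; return parsed headers once the request is complete.

        Nothing downstream is touched until the whole header has arrived, and the
        cost of an unfinished connection is bounded by max_bytes and deadline.
        """
        now = self.clock()
        req = self.pending.setdefault(conn_id, PendingRequest(started_at=now))
        if now - req.started_at > self.deadline:
            return self._drop(conn_id, "header deadline exceeded")
        if len(req.buf) + len(data) > self.max_bytes:
            return self._drop(conn_id, "header size cap exceeded")
        req.buf += data
        end = req.buf.find(HEADER_END)
        if end < 0:
            return None                    # still incomplete; keep waiting cheaply
        headers = parse_headers(bytes(req.buf[:end]))
        del self.pending[conn_id]
        if headers is None:
            return self._drop(conn_id, "malformed header")
        self.completed.append((conn_id, headers))
        return headers

    def reap(self) -> list[int]:
        """Drop every pending connection past its deadline; run this periodically."""
        now = self.clock()
        expired = [c for c, r in self.pending.items() if now - r.started_at > self.deadline]
        for c in expired:
            self._drop(c, "header deadline exceeded")
        return expired

    def _drop(self, conn_id: int, reason: str) -> None:
        self.pending.pop(conn_id, None)
        self.dropped.append((conn_id, reason))
        return None


def demo() -> tuple[int, int]:
    """One well-behaved client and one that dribbles a byte per second."""
    t = [0.0]
    fe = FrontEnd(clock=lambda: t[0], deadline=5.0)
    fe.feed(1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")  # complete at once
    fe.feed(2, b"GET / HTTP/1.1\r\nX-Slow: ")                      # never finishes
    for _ in range(6):
        t[0] += 1.0
        fe.feed(2, b"a")
    fe.reap()
    return len(fe.completed), len(fe.dropped)          # (1, 1)
```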
On July 21, Savoir-faire Linux (SFL) announced the release of version 1.0 of its Ring communication tool. It is a cross-platform (Linux, Android, macOS, and Windows) program for secure text, audio, and video communication. Beyond that, though, it is part of the GNU project and is licensed under the GPLv3. Given the announcement, it seemed like a quick trial was in order. While it looks like it has great promise, Ring 1.0 falls a bit short of expectations.
Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/new-high-resolution-custom-metrics-and-alarms-for-amazon-cloudwatch/
Amazon CloudWatch has been an important part of AWS since early 2009! Launched as part of a three-pack that also included Auto Scaling and Elastic Load Balancing, CloudWatch has evolved into a very powerful monitoring service for AWS resources and the applications that you run on the AWS Cloud. CloudWatch custom metrics (launched way back in 2011) allow you to store business and application metrics in CloudWatch, view them in graphs, and initiate actions based on CloudWatch Alarms. Needless to say, we have made many enhancements to CloudWatch over the years! Some of the most recent include Extended Metrics Retention (and a User Interface Update), Dashboards, API/CloudFormation Support for Dashboards, and Alarms on Dashboards.
Originally, metrics were stored at five-minute intervals; this was reduced to one minute (also known as Detailed Monitoring) in response to customer requests way back in 2010. This was a welcome change, but now it is time to do better. Our customers are streaming video, running flash sales, deploying code tens or hundreds of times per day, and running applications that scale in and out very quickly as conditions change. In all of these situations, a minute is simply too coarse an interval. Important, transient spikes can be missed; disparate (yet related) events are difficult to correlate across time, and the MTTR (mean time to repair) when something breaks is too high.
New High-Resolution Metrics
Today we are adding support for high-resolution custom metrics, with plans to add support for AWS services over time. Your applications can now publish metrics to CloudWatch with 1-second resolution. You can watch the metrics scroll across your screen seconds after they are published and you can set up high-resolution CloudWatch Alarms that evaluate as frequently as every 10 seconds.
Imagine alarming when available memory gets low. This is often a transient condition that can be hard to catch with infrequent samples. With high-resolution metrics, you can see, detect (via an alarm), and act on it within seconds:
In this case the alarm on the right would not fire, and you would not know about the issue.
Publishing High-Resolution Metrics
You can publish high-resolution metrics in two different ways:
- API – The PutMetricData function now accepts an optional StorageResolution parameter. Set this parameter to 1 to publish high-resolution metrics; omit it (or set it to 60) to publish at standard 1-minute resolution.
- collectd plugin – The CloudWatch plugin for collectd has been updated to support collection and publication of high-resolution metrics. You will need to set the enable_high_definition_metrics parameter in the config file for the plugin.
CloudWatch metrics are rolled up over time; resolution effectively decreases as the metrics age. Here’s the schedule:
- 1 second metrics are available for 3 hours.
- 60 second metrics are available for 15 days.
- 5 minute metrics are available for 63 days.
- 1 hour metrics are available for 455 days (15 months).
When you call GetMetricStatistics you can specify a period of 1, 5, 10, 30 or any multiple of 60 seconds for high-resolution metrics. You can specify any multiple of 60 seconds for standard metrics.
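As an added example (not code from the original post, and not the AWS SDK itself), the Python below builds the MetricData entry that boto3's put_metric_data() accepts with StorageResolution set to 1, encodes the period rules quoted above, and replays CloudWatch-style rollups on a constructed memory series to show why a 9-second spike is caught by a 10-second high-resolution alarm but missed when the application only publishes one sample per minute. No AWS call is made; the namespace, metric name and sample values are placeholders constructed for the demonstration.

```python
# Added example (not from the original post): high-resolution metric request
# shape, period rules, and a simulated alarm comparison on constructed samples.
from __future__ import annotations
from typing import Iterable

HIGH_RES_PERIODS = {1, 5, 10, 30}          # allowed in addition to multiples of 60


def metric_datum(name: str, value: float, unit: str = "Percent",
                 high_resolution: bool = True,
                 dimensions: dict[str, str] | None = None) -> dict:
    """One MetricData entry; StorageResolution=1 requests 1-second storage.

    Omitting StorageResolution (or setting 60) keeps standard 1-minute resolution.
    """
    datum: dict = {"MetricName": name, "Value": value, "Unit": unit}
    if dimensions:
        datum["Dimensions"] = [{"Name": k, "Value": v} for k, v in dimensions.items()]
    if high_resolution:
        datum["StorageResolution"] = 1
    return datum


def put_metric_data_params(namespace: str, data: list[dict]) -> dict:
    """Keyword arguments for boto3's cloudwatch.put_metric_data(**params)."""
    return {"Namespace": namespace, "MetricData": data}


def valid_period(period: int, high_resolution: bool) -> bool:
    """Period rules from the post: 1/5/10/30 only for high-resolution data,
    any multiple of 60 for either kind."""
    if period <= 0:
        return False
    if period % 60 == 0:
        return True
    return high_resolution and period in HIGH_RES_PERIODS


def rollup(samples: Iterable[tuple[int, float]], period: int) -> list[dict]:
    """Aggregate (second, value) samples into per-period statistic sets, the
    way CloudWatch rolls up data as it ages (SampleCount/Sum/Min/Max)."""
    buckets: dict[int, list[float]] = {}
    for t, v in samples:
        buckets.setdefault((t // period) * period, []).append(v)
    return [{"Timestamp": t, "SampleCount": len(vs), "Sum": sum(vs),
             "Minimum": min(vs), "Maximum": max(vs), "Average": sum(vs) / len(vs)}
            for t, vs in sorted(buckets.items())]


def first_breach(stats: list[dict], statistic: str, threshold: float) -> int | None:
    """Timestamp of the first period whose statistic exceeds threshold, else None."""
    for s in stats:
        if s[statistic] > threshold:
            return s["Timestamp"]
    return None


def memory_series(seconds: int = 120, spike_start: int = 22, spike_len: int = 9,
                  baseline: float = 40.0, spike: float = 95.0) -> list[tuple[int, float]]:
    """Constructed memory.percent.used samples: flat baseline with one short spike."""
    return [(t, spike if spike_start <= t < spike_start + spike_len else baseline)
            for t in range(seconds)]


def compare_resolutions(threshold: float = 80.0) -> tuple[int | None, int | None]:
    """Alarm outcome with 1-second data evaluated every 10 s versus an application
    that publishes one sample per minute at standard resolution."""
    series = memory_series()
    high_res = first_breach(rollup(series, 10), "Average", threshold)
    per_minute = [s for s in series if s[0] % 60 == 0]
    standard = first_breach(rollup(per_minute, 60), "Average", threshold)
    return high_res, standard              # (20, None): only the 10 s alarm fires
```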
A Quick Demo
I grabbed my nearest EC2 instance, installed the latest version of collectd and the Python plugin:
Then I downloaded the setup script for the plugin, made it executable, and ran it:
$ wget https://raw.githubusercontent.com/awslabs/collectd-cloudwatch/master/src/setup.py
$ chmod a+x setup.py
$ sudo ./setup.py
I had already created a suitable IAM Role and added it to my instance; it was automatically detected during setup. I was asked to enable the high resolution metrics:
collectd started running and publishing metrics within seconds. I opened up the CloudWatch Console to take a look:
Then I zoomed in to see the metrics in detail:
I also created an alarm that will check the memory.percent.used metric at 10 second intervals. This will make it easier for me to detect situations where a lot of memory is being used for a short period of time:
As was already the case, you can store 10 metrics at no charge every month; see the CloudWatch Pricing page for more information. Pricing for high-resolution metrics is identical to that for standard resolution metrics, with volume tiers that allow you to realize savings (on a per-metric basis) when you use more metrics. High-resolution alarms are priced at $0.30 per alarm per month.
Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/now-available-three-new-aws-specialty-training-courses/
AWS Training allows you to learn from the experts so you can advance your knowledge with practical skills and get more out of the AWS Cloud. Today I am happy to announce that three of our most popular training bootcamps (a staple at AWS re:Invent and AWS Global Summits) are becoming part of our permanent instructor-led training portfolio:
- Building a Serverless Data Lake – Teaches you how to design, build, and operate a serverless data lake solution with AWS services.
- Secrets to Successful Cloud Transformations – Teaches you how to select the right strategy, people, migration plan, and financial management methodology needed when moving your workloads to the cloud. Does not require advanced technical expertise.
- Running Container-Enabled Microservices on AWS – Teaches you how to manage and scale container-enabled applications by using Amazon EC2 Container Service (ECS).
These one-day courses are intended for individuals who would like to dive deeper into a specialized topic with an expert trainer.
You can explore our complete course catalog, and you can search for a public class near you within the AWS Training and Certification Portal. You can also request a private onsite training session for your team by contacting us.
to add Flatpak as an option for distributing desktop applications in Fedora 27 has recently made an appearance. It is meant as an experiment of sorts to see how well Flatpak and RPM will play together—and to fix any
There is a view that containers are the future, on the desktop as well as the server; Flatpaks would provide Fedora one possible path toward that future. The proposal sparked a huge thread on the Fedora devel mailing list; while the proposal itself doesn’t really change much for those uninterested in Flatpaks, some are concerned with where Fedora packaging might be headed once the experiment ends.
Post Syndicated from Andy original https://torrentfreak.com/google-challenges-canadas-global-blocking-injunction-in-the-us-170726/
Despite being what courts have described as an “innocent bystander”, Google has found itself at the heart of a potentially damaging intellectual property case. Running since 2014, Equustek Solutions Inc. v. Jack saw Canadian entities battle over stolen intellectual property.
Equustek Solutions claimed that Google’s search results helped to send visitors to Datalink websites operated by the defendants (former Equustek employees) who were selling unlawful products. Google voluntarily removed links to the sites from its Google.ca (Canada) results but Equustek wanted more, and soon got it.
A court in British Columbia, the Court of Appeal, and then the Supreme Court of Canada all agreed that Google should remove links to the sites on a global basis, by definition beyond Canada’s borders.
When court rulings encroach on potentially opposing legal systems overseas, difficulties are bound to arise. Google raised concerns that the decision would conflict with U.S. law, but the Supreme Court described the issues as “theoretical” and left it up to the U.S. to solve the problem.
In response, Google filed for an injunction at the US District Court for Northern California this week, arguing that the Canadian decision violates important U.S. legislation.
“Google now turns to this Court, asking it to declare that the rights established by the First Amendment and the Communications Decency Act are not merely theoretical,” Google wrote.
“The Canadian order is repugnant to those rights, and the order violates principles of international comity, particularly since the Canadian plaintiffs never established any violation of their rights under U.S. law.
“Pursuant to well-established United States law, Google seeks a declaratory judgment that the Canadian court’s order cannot be enforced in the United States and an order enjoining that enforcement.”
According to Google, Internet search results are fully protected speech under the First Amendment, and because the Canadian decision is directed to a specific speaker (Google) and is content-specific, it must come under scrutiny.
Google insists that the websites to be censored are already a matter of public record and Equustek has not shown that it has no alternative remedies to hand other than to censor Google’s results outside of Canada.
“Equustek has not sought similar delisting injunctions against the world’s other search engines, such as Bing or Yahoo,” Google writes, noting that action hasn’t been taken against regular websites carrying links either.
Google also suggests that Equustek could have taken action against Datalink’s registrars and webhosts, which have the ability to delete the actual sites in question. With the websites gone the search de-indexing battle would be moot, but for reasons unknown, Equustek has chosen a different battle.
Describing the Canadian order as one of “convenience,” Google criticizes the effort to deal with a Canadian legal problem on a global basis, adding that “no one country should purport to control the global internet.”
In closing, Google asks the court to declare the Canadian Order unenforceable in the United States on the basis that it violates the First Amendment, the Communications Decency Act, and public policy surrounding the enforceability of foreign judgments.
“The Canadian Order purports to place the Canadian court in the position of supervising the law enforcement activities of a foreign sovereign nation (the United States) against the United States’ own citizens on American soil. Because the Canadian courts ignored principles of international comity, corrective action by this Court is required,” Google concludes.
Post Syndicated from Sara Snedeker original https://aws.amazon.com/blogs/big-data/new-aws-training-building-a-serverless-data-lake/
AWS Training allows you to learn from the experts so that you can advance your knowledge with practical skills and get more out of the AWS Cloud. We are adding one of our most popular event boot camps, Building a Serverless Data Lake, to our permanent instructor-led training portfolio.
This one-day course is designed to teach you how to design, build, and operate a serverless data lake solution with AWS services. We cover topics such as ingesting data from any data source at large scale, storing the data securely and durably, enabling the capability to use the right tool to process large volumes of data, and understanding the options available for analyzing the data in near-real time.
This course is intended for solution architects, big data developers, data architects and analysts, and other hands-on data analysis practitioners.
system call is arguably one of the strangest offered by the Linux kernel. It expensively emulates an operation that can be performed by a single unprivileged barrier instruction, using an invocation of the kernel’s read-copy-update (RCU) machinery — all in the name of performance. But, it would seem, membarrier() is not fast enough, causing users to fall back to complex and brittle tricks. An attempt to fix the problem is now under discussion, but not everybody is convinced that the cure is better than the disease.
Security updates have been issued by Debian (bind9, icedove, openjdk-8, qemu, and rkhunter), Fedora (krb5, libmwaw, perl-XML-LibXML, qemu, subversion, and webkitgtk4), Mageia (cinnamon-settings-daemon, graphite2, gsoap, libquicktime, and wireshark), openSUSE (catdoc, gsoap, jasper, and Wireshark), and Ubuntu (linux-aws, linux-gke and ruby1.9.1, ruby2.0, ruby2.3).
Post Syndicated from Janina Ander original https://www.raspberrypi.org/blog/landmine-c-turtle/
In an effort to create a robot that can teach itself to navigate different terrains, scientists at Arizona State University have built C-Turtle, a Raspberry Pi-powered autonomous cardboard robot with turtle flippers. This is excellent news for people who live in areas with landmines: C-Turtle is a great alternative to current landmine-clearing robots, since it is much cheaper, and much easier to assemble.
Why turtle flippers?
As any user of Python will tell you*, turtles are amazing. Moreover, as the evolutionary biologist of the C-Turtle team, Andrew Jansen, will tell you, considering their bulk** turtles move very well on land with the help of their flippers. Consequently, the team tried out prototypes with cardboard flippers imitating the shape of turtle flippers. Then they compared their performance to that of prototypes with rectangular or oval ‘flippers’. And 157 million years of evolution*** won out: the robots with turtle flippers were best at moving forward.
If it walks like a C-Turtle…
But the scientists didn’t just slap turtle flippers on their robot and then tell it to move like a turtle! Instead, they implemented machine learning algorithms on the Pi Zero that serves as C-Turtle’s brain, and then simply let the robot do its thing. Left to its own devices, it used the reward and punishment mechanisms of its algorithms to learn the most optimal way of propelling itself forward. And lo and behold, C-Turtle taught itself to move just like a live turtle does!
Video: “Robotic C-Turtle” by ASU Now on Vimeo.
Landmine clearance with C-Turtle
Robots currently used to clear landmines are very expensive, since they are built to withstand multiple mine explosions. By contrast, the total cost of C-Turtle comes to about $70 (~£50) – that’s cheap enough to make it disposable. It is also more easily assembled, it doesn’t need to be remotely controlled, and it can learn to navigate new terrains. All this makes it perfect for clearing minefields.
Meet C-Turtle, the landmine detecting robot. VIDEO https://t.co/Kjc6WxRC8I
C-Turtles in space?****
The researchers hope that robots similar to C-Turtle can be used for space exploration. They found that the C-Turtle prototypes that had performed very well in the sandpits in their lab didn’t really do as well when they were released in actual desert conditions. By analogy, robots optimized for simulated planetary conditions might not actually perform well on-site. The ASU scientists imagine that C-Turtle materials and a laser cutter for the cardboard body could be carried on board a Mars mission. Then the Martian C-Turtle design could be optimized after landing, and the robot could teach itself how best to navigate real Martian terrain.
Congrats to Assistant Professors Heni Ben Amor and Daniel Aukes, and to the rest of the C-Turtle team, on their achievement! We at Pi Towers are proud that our little computer is part of this amazing project.
* Check out our Turtley amazing resource to find out why!
** At a length of 7ft, leatherback sea turtles can weigh 1,500lb!
*** That’s right: turtles survived the extinction of the dinosaurs!
**** Is anyone else thinking of Great A’Tuin right now? Anyone? Just me? Oh well.
Leap 42.3 is now available. “After basing openSUSE Leap on SLE (SUSE Linux Enterprise) and adding more source code to Leap 42.2 from SLE 12, Leap 42.3 adds even more packages from SLE 12 SP 3 and synchronizes several common packages. The shared codebase allows for openSUSE Leap 42.3 to receive enhanced maintenance and bug fixes from both the openSUSE community and SUSE engineers.” There is quite a bit of new stuff in this release; see this page for some details.