sheep-wolf – Exploit MD5 Collisions For Malware Detection

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/ZBPMdkZzgOc/

sheep-wolf is a tool to help you exploit MD5 collisions in software, especially malware samples, which are commonly detected using MD5 hash signatures. and then a malicious one (Wolf) that has the same MD5 hash. Please use this code to test whether the security products in your reach use MD5 internally to fingerprint binaries and […]
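
To see the weakness the tool targets in working code, here is an added example (not sheep-wolf's own code). It uses the publicly published Wang et al. MD5 collision pair as the "sheep" and "wolf" prefixes, shows that a scanner which keys its allowlist on MD5 accepts the wolf once the sheep has been vetted, and that the same check keyed on SHA-256 does not. The "program body", the allowlist class and the scanner logic are constructed for illustration. The property it relies on is that MD5 is a Merkle-Damgard hash: two equal-length colliding prefixes leave the compression function in the same internal state, so any identical suffix appended to both keeps the digests equal.

```python
import hashlib

# Wang et al.'s published MD5 collision: two 128-byte messages that differ in six
# bytes yet share the digest 79054025255fb1a26e4bc422aef54eb4. Everything built
# around them below (the "sheep"/"wolf" files, the allowlist) is constructed here.
SHEEP_BLOCKS = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
WOLF_BLOCKS = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_fingerprint(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where the two colliding blocks differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_carrier(collision_blocks: bytes, body: bytes) -> bytes:
    """Merkle-Damgard: the two 128-byte prefixes leave MD5 in the same internal
    state, so appending the SAME body to each keeps the digests equal. A
    sheep-wolf style carrier is a program body that branches on one of the six
    differing prefix bytes, so benign and malicious behaviour share one body."""
    return collision_blocks + body


class FingerprintAllowlist:
    """A scanner that treats a file as known-good when its fingerprint was approved."""

    def __init__(self, fingerprint):
        self.fingerprint = fingerprint
        self.approved = set()

    def approve(self, data: bytes):
        self.approved.add(self.fingerprint(data))

    def is_trusted(self, data: bytes) -> bool:
        return self.fingerprint(data) in self.approved


def wolf_passes_as_sheep(fingerprint, body=b"same program body for both files") -> bool:
    """True if a wolf built on the colliding prefix inherits the sheep's approval."""
    sheep = build_carrier(SHEEP_BLOCKS, body)
    wolf = build_carrier(WOLF_BLOCKS, body)
    assert sheep != wolf
    allowlist = FingerprintAllowlist(fingerprint)
    allowlist.approve(sheep)  # an analyst vetted the harmless file
    return allowlist.is_trusted(wolf)


if __name__ == "__main__":
    print("MD5 allowlist fooled:   ", wolf_passes_as_sheep(md5_fingerprint))
    print("SHA-256 allowlist fooled:", wolf_passes_as_sheep(sha256_fingerprint))
```

The practical check for a product is therefore not whether it stores MD5 at all (many do, for lookup) but whether an MD5 match alone is enough to whitelist or classify a binary; pairing MD5 with SHA-256 or a content-based signature closes this route.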

Copyright Troll Piracy ‘Witness’ Went Back to the Future – and Lost

Post Syndicated from Andy original https://torrentfreak.com/copyright-troll-piracy-witness-went-back-to-the-future-and-lost-170526/

Since the early 2000s, copyright trolls have been attempting to squeeze cash from pirating Internet users and fifteen years later the practice is still going strong.

While there’s little doubt that trolls catch some genuine infringers in their nets, the claim that actions are all about protecting copyrights is a shallow one. The aim is to turn piracy into profit and history has shown us that the bigger the operation, the more likely it is they’ll cut corners to cut costs.

The notorious Guardaley trolling operation is a prime example. After snaring the IP addresses of hundreds of thousands of Internet users, the company extracts cash settlements in the United States, Europe and beyond. It’s a project of industrial scale based on intimidation of alleged infringers. But, when those people fight back, the scary trolls suddenly become less so.

The latest case of Guardaley running for the hills comes courtesy of SJD from troll-watching site FightCopyrightTrolls, who reports on an attempt by Guardaley partner Criminal Productions to extract settlement from Zach Bethke, an alleged downloader of the Ryan Reynolds movie, Criminal.

On May 12, Bethke’s lawyer, J. Christopher Lynch, informed Criminal Productions’ lawyer David A. Lowe that Bethke is entirely innocent.

“Neither Mr. Bethke nor his girlfriend copied your client’s movie and they do not know who, if anyone, may have done so,” Lynch wrote.

“Mr. Bethke does not use BitTorrent. Prior to this lawsuit, Mr. Bethke had never heard of your client’s movie and he has no interest in it. If he did have any interest in it, he could have rented it for no marginal cost using his Netflix or Amazon Prime accounts.”

Lynch went on to request that Criminal Productions drop the case. Failing that, he said, things would probably get more complicated. As reported last year, Lynch and Lowe have been regularly locking horns over these cases, with Lynch largely coming out on top.

Part of Lynch’s strategy has been to shine light on Guardaley’s often shadowy operations. He previously noted that its investigators were not properly licensed to operate in the U.S. and the company had been found to put forward a fictitious witness, among other things.

In the past, these efforts to bring Guardaley out into the open have resulted in its clients, which include several film companies, dropping cases. Lynch, it appears, wants that to happen again in Bethke’s case, noting in his letter that it’s “long past due for a judge to question the qualifications” of the company’s so-called technical experts.

In doing so he calls Guardaley’s evidence into question once more, noting inconsistencies in the way alleged infringements were supposedly “observed” by “foreign investigator[s], with a direct financial interest in the matter.”

One of Lynch’s findings is that the “observations” of two piracy investigators overlap each other’s monitoring periods in separate cases, while reportedly monitoring the same torrent hash.

“Both declarations cover the same ‘hash number’ of the movie, i.e. the same soak. This overlap seems impossible if we stick with the fictions of the Complaint and Motion for Expedited Discovery that the declarant ‘observed’ the defendant ‘infringing’,” Lynch notes.

While these are interesting points, the quality of evidence presented by Guardaley and Criminal Productions is really called into question following another revelation. Daniel Macek, an ‘observing’ investigator used in numerous Guardaley cases, apparently has a unique talent.

As seen from the image below, the alleged infringements relating to Mr. Bethke’s case were carried out between June 25 and 28, 2016.

However, the declaration (pdf) filed with the Court on witness Macek’s behalf was signed and dated either June 14 or 16, more than a week before the infringements allegedly took place.

Time-traveler? Lynch thinks not.

“How can a witness sign a declaration that he observed something BEFORE it happened?” he writes.

“Criminal Productions submitted four such Declarations of Mr. Macek that were executed BEFORE the dates of the accompanying typed up list of observations that Mr. Macek swore that he made.

“Unless Daniel Macek is also Marty McFly, it is impossible to execute a declaration claiming to observe something that has yet to happen.”

So what could explain this strange phenomenon? Lynch believes he’s got to the bottom of that one too.

After comparing all four Macek declarations, he found that aside from the case numbers, the dates and signatures were identical. Instead of taking the issue of presenting evidence before the Court seriously, he believes Criminal Productions and partner Guardaley have been taking shortcuts.

“From our review, it appears these metaphysical Macek declarations are not just temporally improper, they are also photocopies, including the signatures not separately executed,” he notes.

“We are astonished by your client’s foreign representatives’ apparent lack of respect for our federal judicial system. Use of duplicate signatures from a witness testifying to events that have yet to happen is on the same level of horror as the use of a fictitious witness and ‘his’ initials as a convenience to obtain subpoenas.”

Not entirely unexpectedly, five days later the case against Bethke and other defendants was voluntarily dismissed (pdf), indicating once again that like vampires, trolls do not like the light. Other lawyers defending similar cases globally should take note.

Raspberry Pi and CoderDojo join forces

Post Syndicated from Philip Colligan original https://www.raspberrypi.org/blog/raspberry-pi-and-coderdojo-join-forces/

We’ve got some great news to share today: the Raspberry Pi Foundation is joining forces with the CoderDojo Foundation, in a merger that will give many more young people all over the world new opportunities to learn how to be creative with technology.

CoderDojo is a global network of coding clubs for kids from seven to 17. The first CoderDojo took place in July 2011 when James Whelton and Bill Liao decided to share their passion for computing by setting up a club at the National Software Centre in Cork. The idea was simple: provide a safe and social place for young people to acquire programming skills, learning from each other and supported by mentors.

Photo: a mentor helps a child at a CoderDojo

Since then, James and Bill have helped turn that idea into a movement that reaches across the whole world, with over 1,250 CoderDojos in 69 countries, regularly attended by over 35,000 young Ninjas.

Raspberry Pi and CoderDojo have each accomplished amazing things over the last six years. Now, we see an opportunity to do even more by joining forces. Bringing together Raspberry Pi, Code Club, and CoderDojo will create the largest global effort to get young people involved in computing and digital making. We have set ourselves an ambitious goal: to quadruple the number of CoderDojos worldwide, to 5,000, by the end of 2020.

Photo: children and teenagers work on laptops at a CoderDojo, while adults help

The enormous impact that CoderDojo has had so far is down to the CoderDojo Foundation team, and to the community of volunteers, businesses, and foundations who have contributed expertise, time, venues, and financial resources. We want to deepen those relationships and grow that community as we bring CoderDojo to more young people in future.

The CoderDojo Foundation will continue as an independent charity, based in Ireland. Nothing about CoderDojo’s brand or ethos is changing as a result of this merger. CoderDojos will continue to be platform-neutral, using whatever kit they need to help young people learn.

Photo: children concentrate intently on coding activities at a CoderDojo event

In technical terms, the Raspberry Pi Foundation is becoming a corporate member of the CoderDojo Foundation (which is a bit like being a shareholder, but without any financial interest). I will also join the board of the CoderDojo Foundation as a director. The merger is subject to approval by Irish regulators.

How will this work in practice? The two organisations will work together to advance our shared goals, using our respective assets and capabilities to get many more adults and young people involved in the CoderDojo movement. The Raspberry Pi Foundation will also provide practical, financial, and back-office support to the CoderDojo Foundation.

Last June, I attended the CoderDojo Coolest Projects event in Dublin, and was blown away by the amazing projects made by CoderDojo Ninjas from all over the world. From eight-year-olds who had written their first programs in Scratch to the teenagers who built a Raspberry Pi-powered hovercraft, it was clear that CoderDojo is already making a huge difference.

Photo: two girls wearing CoderDojo t-shirts present their Raspberry Pi-based hovercraft at CoderDojo Coolest Projects 2016

I am thrilled that we’re going to be working closely with the brilliant CoderDojo team, and I can’t wait to visit Coolest Projects again next month to meet all of the Ninjas and mentors who make CoderDojo possible.

If you want to find out more about CoderDojo and how you can get involved in helping the movement grow, go here.

DevOps Cafe Episode 71

Post Syndicated from DevOpsCafeAdmin original http://devopscafe.org/show/2017/5/25/devops-cafe-episode-71.html

Ordering Up Some Transformation

John and Damon pick Courtney Kissler’s brain on the techniques that enable her to be a hands-on technology leader with a track record of getting teams to find and fix what is getting in the way.

Follow John Willis on Twitter: @botchagalupe
Follow Damon Edwards on Twitter: @damonedwards 
Follow Courtney Kissler on Twitter: @ladyhock

Please tweet or leave comments or questions below and we’ll read them on the show!

New Features for IAM Policy Summaries – Resource Summaries

Post Syndicated from Joy Chatterjee original https://aws.amazon.com/blogs/security/new-features-for-iam-policy-summaries-resource-summaries/

In March, we introduced policy summaries, which make it easier for you to understand the permissions in your AWS Identity and Access Management (IAM) policies. Today, we added three new features to policy summaries to improve the experience of understanding and troubleshooting your policies. First, we added resource summaries for you to see the resources defined in your policies. Second, you can now see which services and actions are implicitly denied by a policy. This allows you to see the remaining actions available for a service with limited access. Third, it is now easier for you to identify potential typos in your policies because you can now see which services and actions are unrecognized by IAM. Today, Tuesday, and Wednesday, I will demonstrate these three new features. In today’s post, I review resource summaries.

Resource summaries

Policy summaries now show you the resources defined in a policy. Previously, policy summaries displayed either All for all resources, the Amazon Resource Name (ARN) for one resource, or Multiple for multiple resources specified in the policy. Starting today, you can see the resource type, region, and account ID to summarize the list of resources defined for each action in a policy. Let’s review a policy summary that specifies multiple resources.

The following illustrative policy grants access to three Amazon S3 buckets, each under a different condition. (Treat the conditions as placeholders that exist to exercise the summary: s3:prefix is a condition key for listing actions such as s3:ListBucket, not for s3:PutObject, so in a real policy the Orange_bucket statement’s condition would never match.)

{
 "Version":"2012-10-17",
 "Statement":[
   {
     "Effect":"Allow",
     "Action":["s3:PutObject","s3:PutObjectAcl"],
     "Resource":["arn:aws:s3:::Apple_bucket"],
     "Condition":{"StringEquals":{"s3:x-amz-acl":["public-read"]}}
   },{
     "Effect":"Allow",
     "Action":["s3:PutObject","s3:PutObjectAcl"],
     "Resource":["arn:aws:s3:::Orange_bucket"],
     "Condition":{"StringEquals":{"s3:prefix":["custom", "test"]}}
   },{
     "Effect":"Allow",
     "Action":["s3:PutObject","s3:PutObjectAcl"],
     "Resource":["arn:aws:s3:::Purple_bucket"],
     "Condition":{"DateGreaterThan":{"aws:CurrentTime":"2016-10-31T05:00:00Z"}}
   }
 ]
}

The policy summary (see the following screenshot) shows Limited: Write, Permissions management actions for S3 on Multiple resources and request conditions. Limited means that some but not all of the actions at the Write and Permissions management access levels are granted by the policy.

Screenshot of the policy summary

If I choose S3, I see that the actions defined in the policy grant access to multiple resources, as shown in the following screenshot. To see the resource summary, I can choose either PutObject or PutObjectAcl.

Screenshot showing that the actions defined in the policy grant access to multiple resources

I choose PutObjectAcl to see the resources and conditions defined in the policy for this S3 action. If the policy has one condition, I see it in the policy summary. I can view multiple conditions in the JSON.

Screenshot showing the resources and the conditions defined in the policy for this S3 action

As the preceding screenshot shows, the PutObjectAcl action has access to three S3 buckets with respective request conditions.
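
As an added example (not part of this post or of the IAM console), the following Python builds the same per-action resource summary from the policy above, which is embedded so the script runs offline. It splits each ARN into service, region, account, resource type and name, groups resources by action, and carries each statement’s request conditions along. The ARN handling for non-S3 services and the text rendering are my own conventions; explicit Deny statements are skipped, and NotAction/NotResource statements are rejected rather than summarized.

```python
import json
from collections import defaultdict

# The three-bucket policy from the post, embedded here so the example runs offline.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::Apple_bucket"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::Orange_bucket"],
         "Condition": {"StringEquals": {"s3:prefix": ["custom", "test"]}}},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::Purple_bucket"],
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2016-10-31T05:00:00Z"}}},
    ],
}


def parse_arn(arn):
    """Split an ARN into the fields a resource summary shows: service, region,
    account, resource type and resource name. '*' means 'all resources'."""
    if arn == "*":
        return {"service": "*", "region": "", "account": "", "type": "*", "name": "*"}
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, _partition, service, region, account, resource = parts
    if service == "s3":
        # S3 ARNs carry no region or account; the resource is "bucket" or "bucket/key".
        rtype, name = ("object", resource) if "/" in resource else ("bucket", resource)
    elif "/" in resource:   # e.g. table/Orders, role/Admin
        rtype, name = resource.split("/", 1)
    elif ":" in resource:   # e.g. function:MyFunction
        rtype, name = resource.split(":", 1)
    else:                   # e.g. a bare SQS queue name
        rtype, name = "", resource
    return {"service": service, "region": region, "account": account,
            "type": rtype, "name": name}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def summarize_resources(policy):
    """Map each allowed action to the resources (and request conditions) it applies to."""
    summary = defaultdict(list)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements are out of scope for this summary
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource statements are not summarized here")
        for action in _as_list(stmt.get("Action", [])):
            for arn in _as_list(stmt.get("Resource", [])):
                entry = parse_arn(arn)
                entry["conditions"] = stmt.get("Condition", {})
                summary[action].append(entry)
    return dict(summary)


def render(summary):
    """Console-style text: one line per (action, resource) pair."""
    lines = []
    for action in sorted(summary):
        for e in summary[action]:
            where = ", ".join(v for v in (e["region"], e["account"]) if v) or "-"
            cond = json.dumps(e["conditions"], sort_keys=True) if e["conditions"] else "none"
            lines.append(f"{action}: {e['type']} {e['name']} [{where}] condition={cond}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_resources(EXAMPLE_POLICY)))
```

Running it prints six lines, one per action and bucket, each with its condition, which is the same grouping the console shows when you choose PutObject or PutObjectAcl.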

Summary

Policy summaries make it easy to view and understand the permissions and resources defined in a policy without having to view the associated JSON. To see policy summaries in your AWS account, sign in to the IAM console and navigate to any policy on the Policies page of the IAM console or the Permissions tab on a user’s page. On Tuesday, I will review the benefits of viewing the services and actions not granted in a policy.

If you have comments about this post, submit them in the “Comments” section below. If you have questions about or suggestions for this solution, start a new thread on the IAM forum.

– Joy

The Licensing and Compliance Lab interviews AJ Jordon of gplenforced.org (FSF Blog)

Post Syndicated from jake original https://lwn.net/Articles/723828/rss

The Free Software Foundation’s blog is carrying an interview with AJ Jordon, who runs the gplenforced.org site to support GPL enforcement efforts and to help other projects indicate their support. “gplenforced.org is a small site I made that has exactly two purposes: host a badge suitable for embedding into a README file on GitLab or something, and provide some text with an easy and friendly explanation of GPL enforcement for that badge to link to.

Putting badges in READMEs has been pretty trendy for a while now — people add badges to indicate whether their test suite is passing, their dependencies are up-to-date, and what version is published in language package managers. gplenforced.org capitalizes on that trend to add the maintainer’s beliefs about license enforcement, too.”

Amazon QuickSight Now Supports Federated Single Sign-On Using SAML 2.0

Post Syndicated from Jose Kunnackal original https://aws.amazon.com/blogs/big-data/amazon-quicksight-now-supports-federated-single-sign-on-using-saml-2-0/

Since launch, Amazon QuickSight has enabled business users to quickly and easily analyze data from a wide variety of data sources with superfast visualization capabilities enabled by SPICE (Superfast, Parallel, In-memory Calculation Engine). When setting up Amazon QuickSight access for business users, administrators have a choice of authentication mechanisms. These include Amazon QuickSight–specific credentials, AWS credentials, or in the case of Amazon QuickSight Enterprise Edition, existing Microsoft Active Directory credentials. Although each of these mechanisms provides a reliable, secure authentication process, they all require end users to input their credentials every time they log in to Amazon QuickSight. In addition, the invitation model for user onboarding currently in place requires administrators to add users to Amazon QuickSight accounts either via email invitations or via AD-group membership, which can contribute to delays in user provisioning.

Today, we are happy to announce two new features that will make user authentication and provisioning simpler – Federated Single-Sign-On (SSO) and just-in-time (JIT) user creation.

Federated Single Sign-On

Federated SSO authentication to web applications (including the AWS Management Console) and Software-as-a-Service products has become increasingly popular, because Federated SSO lets organizations consolidate end-user authentication to external applications.

Traditionally, SSO involves the use of a centralized identity store (such as Active Directory or LDAP) to authenticate the user against applications within a corporate network. The growing popularity of SaaS and web applications created the need to authenticate users outside corporate networks. Federated SSO makes this scenario possible. It provides a mechanism for external applications to direct authentication requests to the centralized identity store and receive an authentication token back with the response and validity. SAML is the most common protocol used as a basis for Federated SSO capabilities today.

With Federated SSO in place, business users sign in to their Identity Provider portals with existing credentials and access QuickSight with a single click, without having to enter any QuickSight-specific passwords or account names. This makes it simple for users to access Amazon QuickSight for data analysis needs.

Federated SSO also enables administrators to impose additional security requirements for Amazon QuickSight access (through the identity provider portal) depending on details such as where the user is accessing from or what device is used for access. This access control lets administrators comply with corporate policies regarding data access and also enforce additional security for sensitive data handling in Amazon QuickSight.

Setting up federated authentication in Amazon QuickSight is straightforward. You follow the same sequence of steps you would to set up federated access to the AWS Management Console and then set up redirection so that users land directly on Amazon QuickSight.

Let’s take a look at how this works. The following diagram illustrates the authentication flow between Amazon QuickSight and a third-party identity provider with Federated SSO in place with SAML 2.0.

  1. The Amazon QuickSight user browses to the organization’s identity provider portal, and authenticates using existing credentials.
  2. The federation service requests user authentication from the organization’s identity store, based on credentials provided.
  3. The identity store authenticates the user, and returns the authentication response to the federation service.
  4. The federation service posts the SAML assertion to the user’s browser.
  5. The user’s browser posts the SAML assertion to the AWS Sign-In SAML endpoint. AWS Sign-In processes the SAML request, authenticates the user, and forwards the authentication token to Amazon QuickSight.
  6. Amazon QuickSight uses the authentication token from AWS Sign-In, and authorizes user access.

Federated SSO using SAML 2.0 is now available for Amazon QuickSight Standard Edition, with support for Enterprise Edition coming shortly. You can enable federated access by using any identity provider compliant with SAML 2.0. These identity providers include Microsoft Active Directory Federation Services, Okta, Ping Identity, and Shibboleth. To set up your Amazon QuickSight account for Federated SSO, follow the guidance here.
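
Steps 4 and 5 above hinge on what AWS Sign-In reads out of the assertion. The following added example (not AWS code) parses a constructed, unsigned SAML 2.0 assertion carrying the two attributes AWS Sign-In requires, https://aws.amazon.com/SAML/Attributes/Role and https://aws.amazon.com/SAML/Attributes/RoleSessionName, checks the audience and validity window, and rejects malformed role/provider pairs. The account ID, role name, provider name, issuer and subject are made up. It deliberately does not verify the XML signature; a real service provider must verify the signature against the identity provider’s certificate before trusting anything in the assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned assertion (made-up account ID, role, provider and issuer).
# A real assertion carries a ds:Signature that must be verified before use.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2017-05-25T12:00:00Z">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2017-05-25T11:59:00Z" NotOnOrAfter="2017-05-25T12:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://signin.aws.amazon.com/saml</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/QuickSightUsers,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Two clock values for trying the sample: inside the window, and exactly at NotOnOrAfter.
EXAMPLE_NOW = datetime(2017, 5, 25, 12, 0, 0, tzinfo=timezone.utc)
EXAMPLE_LATE = datetime(2017, 5, 25, 12, 5, 0, tzinfo=timezone.utc)


def _saml_time(text):
    """xs:dateTime in UTC; fractional seconds are dropped."""
    return datetime.strptime(text.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_role_attribute(value):
    """AWS's Role attribute is 'role-arn,provider-arn'; both must be IAM ARNs in the
    same account, otherwise AWS Sign-In rejects the assertion."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
        raise ValueError(f"malformed Role attribute: {value!r}")
    role = next((p for p in parts if ":role/" in p), None)
    provider = next((p for p in parts if ":saml-provider/" in p), None)
    if role is None or provider is None:
        raise ValueError(f"malformed Role attribute: {value!r}")
    if role.split(":")[4] != provider.split(":")[4]:
        raise ValueError("role and provider belong to different accounts")
    return role, provider


def parse_assertion(xml_text, now):
    """Return subject, (role, provider) pairs and session name, or raise ValueError.
    Signature verification is NOT done here and must precede this in real code."""
    root = ET.fromstring(xml_text)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find("saml2:Conditions", SAML_NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions/NotOnOrAfter")
    if cond.get("NotBefore") and now < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= _saml_time(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
        raise ValueError("assertion expired")
    audiences = [a.text for a in root.findall(".//saml2:Audience", SAML_NS)]
    if AWS_SAML_AUDIENCE not in audiences:
        raise ValueError(f"audience {audiences} is not AWS Sign-In")
    attrs = {}
    for attr in root.findall(".//saml2:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", SAML_NS)]
    roles = [parse_role_attribute(v) for v in attrs.get(ROLE_ATTR, [])]
    if not roles or not attrs.get(SESSION_ATTR):
        raise ValueError("Role and RoleSessionName attributes are required")
    return {"subject": root.findtext("saml2:Subject/saml2:NameID", namespaces=SAML_NS),
            "roles": roles, "session_name": attrs[SESSION_ATTR][0]}


def accepts(xml_text, now):
    """Convenience wrapper: True if the assertion passes every check above."""
    try:
        parse_assertion(xml_text, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_assertion(SAMPLE_ASSERTION, EXAMPLE_NOW))
    print("accepted after expiry:", accepts(SAMPLE_ASSERTION, EXAMPLE_LATE))
```

The role ARN the assertion names is the one whose policy must carry quicksight:CreateUser or quicksight:CreateAdmin for the just-in-time sign-up described below to work; the RoleSessionName becomes the per-user part of the federated identity.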

Just-in-time user creation

With this release, we are also launching a new permissions-based user provisioning model in Amazon QuickSight. Administrators can use the existing AWS permissions management mechanisms in place to enable Amazon QuickSight permissions for their users. Once these required permissions are in place, users can onboard themselves to QuickSight without any additional administrator intervention. This approach simplifies user provisioning and enables onboarding of thousands of users by simply granting the right permissions.

Administrators can assign either of the permissions below; the one chosen determines whether the user signs up to QuickSight as a user or as an administrator.

quicksight:CreateUser
quicksight:CreateAdmin

If you have an AWS account that is already signed up for QuickSight, and you would like to add yourself as a new user, add one of the permissions above and access https://quicksight.aws.amazon.com.

You will see a screen that requests your email address. Once you provide this, you will be added to the QuickSight account as a user or administrator, as specified by your permissions!

Switch to a Federated SSO user: If you are already an Amazon QuickSight Standard Edition user using authentication based on user name and password, and you want to switch to using Federated SSO, follow these steps:

  1. Sign in using the Federated SSO option to the AWS Management console as you do today. Ensure that you have the permissions for QuickSight user/admin creation assigned to you.
  2. Access https://quicksight.aws.amazon.com.
  3. Provide your email address, and sign up for Amazon QuickSight as an Amazon QuickSight user or admin.
  4. Delete the existing Amazon QuickSight user that you no longer want to use.
  5. Assign resources and data to the new role-based user from step 1. (Amazon QuickSight will prompt you to do this when you delete a user. For more information, see Deleting a User Account.)
  6. Continue as the new, role-based user.

Learn more

To learn more about these capabilities and start using them with your identity provider, see [Managing-SSO-user-guide-topic] in the Amazon QuickSight User Guide.

Stay engaged

If you have questions and suggestions, you can post them on the Amazon QuickSight Discussion Forum.

Not an Amazon QuickSight user?

See the Amazon Quicksight page to get started for free.

Devuan Jessie 1.0.0 stable LTS

Post Syndicated from ris original https://lwn.net/Articles/723807/rss

The Devuan project set out to create a systemd-less Debian, and now Devuan Jessie 1.0.0 Stable has been released.

There have been no significant bug reports since Devuan Jessie RC2 was announced only three weeks ago and the list of release critical bugs is now empty. So finally Devuan Jessie Stable is ready for release! As promised, this will also be a Long-Term-Support (LTS) release. Our team will participate in providing patches, security updates, and release upgrades beyond the planned lifespan of Debian Jessie.

Security and Human Behavior (SHB 2017)

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/security_and_hu_6.html

I’m in Cambridge University, at the tenth Workshop on Security and Human Behavior.

SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Ross Anderson, Alessandro Acquisti, and myself. The 50 or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

The goal is maximum interaction and discussion. We do that by putting everyone on panels. There are eight six-person panels over the course of the two days. Everyone gets to talk for ten minutes about their work, and then there’s half an hour of questions and discussion. We also have lunches, dinners, and receptions — all designed so people from different disciplines talk to each other.

It’s the most intellectually stimulating conference of my year, and influences my thinking about security in many different ways.

This year’s schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, and ninth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops.

I don’t think any of us imagined that this conference would be around this long.

Managing a Remote Workforce

Post Syndicated from Natalie C original https://www.backblaze.com/blog/managing-a-remote-workforce/

working in an airport
While Backblaze has customers all around the globe, the company itself is a pretty small enterprise with just over 50 employees. Many of those employees are actually remote. 75% of Backblaze employees work from the main Backblaze office (San Mateo), 15% are datacenter employees, and 10% work remotely full-time.

Many companies that were pioneers of flexible work arrangements are now pulling back and asking their employees to report to an office. Why? Part of that is due to not knowing how to manage these types of employees and the belief that having an employee in the office will improve work performance.

At Backblaze, we think that managing our diverse workforce is certainly a challenge… but, as the saying goes, the juice is worth the squeeze.

Communication is Key

When Backblaze first started, everyone worked out of the same room. Being 5’ away from someone tends to make communication easy (sometimes too easy). The first datacenter was just a few miles away, so if we needed to do something in it, we’d just hop in a car and drive over – calling co-workers from our cell-phones if we needed some help or guidance. Now, things have changed slightly and we use a lot of different tools to talk amongst ourselves.

It started with emails, then morphed into Gchat, then to Google Hangouts, and now we have a whole suite of communication tools. We use Hangouts and Slack to chat internally, Meet for video conferencing to bridge remote employees, and good old fashioned telephones when the need arises. Tools like Trello, Redbooth, and Jira help with project management as well, making sure that everyone stays on the same page.
For HR-related needs, we use a variety of tools/perks to simplify employees’ lives whether they are at the office or at home enjoying time with their families. These tools include a Human Resource Information System (“HRIS”) called Namely, Expensify (expenses), Eshares (stock), Fond (perks) and Heal.

The most popular tool we use is Slack. Each department, location, product, and support group has its own channel. We also have social channels where all the GIFs and news links live. Slack also has the added benefit of allowing us to limit what information is discussed where. For example, contract employees do not have access to channels that go beyond their scope and focus areas.

Solve for Culture, not Offsite v Onsite

One of the keys to managing a remote workforce is realizing that you’re solving for overall culture. It’s not about whether any group of employees are in office X or Y. The real question is: Are we creating an environment where we remove the friction from people performing their roles? There are follow-up questions like “do we have the right roles defined?” and “do we have people in roles where they will succeed?”. But by looking at managing our workforce from that point of view, it makes it easier to identify what tools and resources we need to be successful.

There’s no right way to manage remote employees. Every work environment is different and the culture, available technology, and financial capability affects how employees can interact. Backblaze went through a ton of iterations before we found the right tools for what we were trying to accomplish, and we’re constantly evolving and experimenting. But we have found some consistent patterns…

    • Nothing Beats Human Interaction

Even with all of the communication tools at our disposal, getting together in person is still the best way to get through projects and make sure everyone is on the same page. While group meetings via Slack and Meet are great for planning, inevitably something will fall through the cracks or get lost in cyberspace due to poor connections. We combat this by having all of our remote employees come to the main office once every two months. When we hired our first remote engineers this was a once-a-month visit, but as we got more accustomed to working together over the web, we scaled it back.

These visits allow our engineers to be in the office, be part of meetings that they’d otherwise miss, and meet any new employees we’ve hired. We think it’s important for people to know who they’re working with, and we love that everyone at Backblaze knows (or at least recognizes) each other. We also plan our company outings around these visits, and this brings about a great company culture since we get a chance to be out of the office together and interact socially – which is a lot more fun than interacting professionally.

    • Don’t Fear HR

When you have a small workforce, duties can sometimes be divided amongst a variety of people – even if those duties don’t pertain to their ‘day job’. Having a full-time HR person allowed folks to jettison some of their duties, and allowed them to get back to their primary job functions. It also allowed HR to handle delicate matters, many of which were amongst the most dreaded for folks who were covering some of the responsibilities.

What we’ve found in creating the full-time HR role for our remote workforce was that we finally had an expert on all HR-related things. This meant that we had someone who knew the laws of the land inside and out and could figure out how the different healthcare systems worked in the states where our employees reside (no small feat).

But Why Bother?

There is a principal question that we haven’t yet addressed: Why do we even have remote employees? This gets back to the idea of looking at the culture and environment first. At Backblaze, we look to hire the right person. There are costs to having remote employees, but if they are the right person for the role (when accounting for the “costs”), then that’s the right thing to do. Backblaze is performance driven, not based on attendance or how long you stay at the office. I believe you need a balance of both office work and remote work to allow the employee to be most productive. But every company and setting is different, so experiments need to take place to figure out what would be the perfect blend for your team atmosphere.

Pirate Site Pubfilm Taunts Hollywood With Domain Name Whac-A-Mole

Post Syndicated from Ernesto original https://torrentfreak.com/pirate-site-pubfilm-taunts-hollywood-with-domain-name-whac-a-mole-170525/

In recent years, most large pirate sites have faced domain name issues of some kind, which can be quite frustrating.

Copyright holders realize that going after a website’s domain name is a good way to decrease its traffic. Eventually, the site owner might even give up entirely.

The major Hollywood studios might have had this in mind as one of their main goals when they filed a complaint against the pirate site Pubfilm earlier this year.

The lawsuit was kept sealed initially, to prevent Pubfilm’s operator from moving to a new domain preemptively, hoping that this would maximize the effect. This worked, as the site was taken by surprise when it lost its domain name through a court order. However, Pubfilm didn’t throw in the towel.

Soon after the pubfilm.com domain name was suspended, the site moved to pubfilm.ac. And that wasn’t all. Pubfilm also started to actively advertise its new domain through Google Adsense, something we had never witnessed before.

Fast forward a few weeks and Pubfilm is still around, and so is the lawsuit. While the Hollywood studios managed to have the new .ac and .io domains suspended, Pubfilm is still not backing off.

Instead, the pirate streaming site now has a series of alternative domain names people can use to access the site.

Pubfilm.is is the main domain name since yesterday, but the operator also has Pubfilm.ru, Pubfilm.eu and Pubfilm.su in hand. These alternatives are actively advertised on the website, so users know where to go if the current domain is suspended.

“Alternative domain names: PUBFILM.IS PUBFILM.EU PUBFILM.RU PUBFILM.SU. Any other domains are fake!!” a notice on the site reads.

The domain name whac-a-mole is reminiscent of a similar situation The Pirate Bay was in two years ago. At the time, the notorious torrent site rotated close to a dozen domain names, before going back to its original .org gTLD.

The difference with Pubfilm, however, is that Hollywood has a US court order which they can wave at registrars and registries. This makes it easier to have domains suspended, although that’s not guaranteed.

We expect that other pirate sites will keep a close eye on the current situation. Instead of crushing Pubfilm, MPAA’s lawsuit may turn into a field experiment to see what domain names are safe from a US court order, which is not something Hollywood hoped for.

To be continued.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Ransomware and the Internet of Things

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/ransomware_and_.html

As devastating as the latest widespread ransomware attacks have been, it’s a problem with a solution. If your copy of Windows is relatively current and you’ve kept it updated, your laptop is immune. It’s only older, unpatched systems that are vulnerable.

Patching is how the computer industry maintains security in the face of rampant Internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the code that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn’t a perfect system, but it’s the best we have.

But it is a system that’s going to fail in the “Internet of things”: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don’t have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don’t even have the ability to be patched.

Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We’re going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we’re not going to be able to secure these devices.

Like every other instance of product safety, this problem will never be solved without considerable government involvement.

For years, I have been calling for more regulation to improve security in the face of this market failure. In the short term, the government can mandate that these devices have more secure default configurations and the ability to be patched. It can issue best-practice regulations for critical software and make software manufacturers liable for vulnerabilities. It’ll be expensive, but it will go a long way toward improved security.

But it won’t be enough to focus only on the devices, because these things are going to be around and on the Internet much longer than the two to three years we use our phones and computers before we upgrade them. I expect to keep my car for 15 years, and my refrigerator for at least 20 years. Cities will expect the networks they’re putting in place to last at least that long. I don’t want to replace my digital thermostat ever again. Nor, if I ever need one, do I want a surgeon to ever have to go back in to replace my computerized heart defibrillator in order to fix a software bug.

No amount of regulation can force companies to maintain old products, and it certainly can’t prevent companies from going out of business. The future will contain billions of orphaned devices connected to the web that simply have no engineers able to patch them.

Imagine this: The company that made your Internet-enabled door lock is long out of business. You have no way to secure yourself against the ransomware attack on that lock. Your only option, other than paying, and paying again when it’s reinfected, is to throw it away and buy a new one.

Ultimately, we will also need the network to block these attacks before they get to the devices, but there again the market will not fix the problem on its own. We need additional government intervention to mandate these sorts of solutions.

None of this is welcome news to a government that prides itself on minimal intervention and maximal market forces, but national security is often an exception to this rule. Last week’s cyberattacks have laid bare some fundamental vulnerabilities in our computer infrastructure and serve as a harbinger. There’s a lot of good research into robust solutions, but the economic incentives are all misaligned. As politically untenable as it is, we need government to step in to create the market forces that will get us out of this mess.

This essay previously appeared in the New York Times. Yes, I know I’m repeating myself.

Make with Minecraft Pi in The MagPi 58

Post Syndicated from Rob Zwetsloot original https://www.raspberrypi.org/blog/magpi-58/

Hey folks, Rob here! What a busy month it’s been at The MagPi HQ. While we’ve been replying to your tweets, answering questions on YouTube and fiddling with our AIY Voice Project kits, we’ve managed to put together a whole new magazine for you, with issue 58 of the official Raspberry Pi magazine out in stores today.

Image: the front cover of The MagPi 58. The MagPi 58 features our latest Minecraft Pi hacks!

Minecraft Pi

The MagPi 58 is all about making with Minecraft Pi. We’ve got cool projects and hacks that let you take a selfie and display it in the Minecraft world, play music with Steve jumping on a giant piano, and use special cards to switch skins in an instant. It’s the perfect supplement to our Hacking and Making in Minecraft book!

AIY Voice Projects

It’s been great to see everyone getting excited over the last issue of the magazine, and we love seeing your pictures and videos of your AIY Voice projects. In this issue we’ve included loads of ideas to keep you going with the AIY Projects kit. Don’t forget to send us what you’ve made on Twitter!

Image: issue 57 of The MagPi, showing the Google AIY Voice Projects Kit. Show us what you’ve made with your AIY Voice Projects Kit.

The best of the rest in The MagPi 58

We’ve also got our usual selection of reviews, tutorials, and projects. This includes guides to making file servers and electronic instruments, along with our review of Adafruit’s Joy Bonnet handheld gaming kit.

Image: a page from The MagPi 58 showing information on ‘Getting Started with GUIs’. You can get started with GUIs in The MagPi 58.

You can grab the latest issue in stores in the UK right now, from WHSmith, Sainsburys, Asda, and Tesco. Copies will be arriving very soon in US stores, including Barnes & Noble and Micro Center. You can also get a copy online from our store, or digitally via our Android or iOS app. Don’t forget, there’s always the free PDF as well.

We hope you enjoy the issue! Now if you’ll excuse us, we need a nap after all the excitement!

The post Make with Minecraft Pi in The MagPi 58 appeared first on Raspberry Pi.

Facebook Bans Sale of Piracy-Enabling Products & Devices

Post Syndicated from Andy original https://torrentfreak.com/facebook-bans-sale-of-piracy-enabling-products-devices-170525/

Riding the crest of a wave made possible by the rise of Internet streaming, piracy-enabled set-top boxes and similar devices have been hitting the homes of millions around the globe.

Often given the broad title of ‘Kodi Boxes’ after the legal open source software that commonly comes pre-installed, these devices are regularly configured for piracy with the aid of third-party addons.

Easy to use, set-top devices have opened up piracy to a whole new audience, normalizing it during the process. It’s a problem now being grappled with by anti-piracy outfits in a number of ways, including putting pressure on services where the boxes are being sold.

Now there are signs that Facebook has decided – or more likely been persuaded – to ban the sale of these devices from its platform. The latest addition to its Commerce Policy carries a new rule (13) which targets infringing set-top boxes almost perfectly.

“Items, products or services sold on Facebook must comply with our Community Standards, as well as the Commerce Policies,” the page reads.

“Sale of the following is prohibited on Facebook: Products or items that facilitate or encourage unauthorized access to digital media.”

The move by Facebook follows similar overtures from Amazon back in March. In a change to its policies, the company said that devices that promote or facilitate infringement would not be tolerated.

“Products offered for sale on Amazon should not promote, suggest the facilitation of, or actively enable the infringement of or unauthorized access to digital media or other protected content,” Amazon said.

“Any streaming media player or other device that violates this policy is prohibited from sale on Amazon,” the company added.

The recent move by Facebook was welcomed by Federation Against Copyright Theft chief, Kieron Sharp.

“It is great to see Facebook follow the likes of Amazon and eBay in making changes to their policies to prohibit the sale of illicit streaming devices on their platforms,” Sharp said.

“These days social media sites are more than just a place to share photos and comments with friends and family. Unfortunately, the fast-paced development of these sites is being exploited by opportunists for criminal activity which needs to be disrupted.”

The sale of infringing devices on social media does indeed pose a challenge to the likes of FACT.

While most piracy devices have traditionally needed an expert touch to configure and then sell, in 2017 almost anyone can buy a standard Android device and set it up for piracy in a matter of minutes. This means that every interested citizen is a potential seller and Facebook provides a perfect platform that people are already familiar with.

Nevertheless, recent rulings from the EU Court of Justice have clarified two key issues, both of which will help in the fight to reduce the availability of ‘pirate’ boxes, wherever they appear.

In April, the ECJ declared such devices illegal to sell while clarifying that users who stream pirate content to their homes are also breaking the law.

It’s unlikely that any end users will be punished (particularly to the ridiculous extent erroneously reported by some media), but it certainly helps to demonstrate illegality across the board when outfits like FACT are considering prosecutions.


[$] Progress on the Gilectomy

Post Syndicated from jake original https://lwn.net/Articles/723514/rss

At the 2016 Python Language Summit, Larry Hastings introduced Gilectomy, his project to remove the global interpreter lock (GIL) from CPython. The GIL serializes access to the Python interpreter, so it severely limits the performance of multi-threaded Python programs. At the 2017 summit, Hastings was back to update attendees on the progress he has made and where Gilectomy is headed.
