
Top 10 Most Obvious Hacks of All Time (v0.9)

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/07/top-10-most-obvious-hacks-of-all-time.html

For teaching hacking/cybersecurity, I thought I’d create a list of the most obvious hacks of all time. Not the best hacks, the most sophisticated hacks, or the hacks with the biggest impact, but the most obvious hacks — ones that even the least knowledgeable among us should be able to understand. Below I propose some hacks that fit this bill, though in no particular order.

The reason I’m writing this is that my niece wants me to teach her some hacking. I thought I’d start with the obvious stuff first.

Shared Passwords

If you use the same password for every website, and one of those websites gets hacked, then the hacker has your password for all your websites. The reason your Facebook account got hacked wasn’t because of anything Facebook did, but because you used the same email-address and password when creating an account on “beagleforums.com”, which got hacked last year.

I’ve heard people say “I’m sure, because I choose a complex password and use it everywhere”. No, this is the very worst thing you can do. Sure, you can use the same password on all sites you don’t care much about, but for Facebook, your email account, and your bank, you should have a unique password, so that when other sites get hacked, your important sites are secure.

And yes, it’s okay to write down your passwords on paper.

Tools: HaveIBeenPwned.com
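The way HaveIBeenPwned lets you check a password without handing the password over is worth seeing in code. The following is an added example, not code from the original post or from the HaveIBeenPwned service: it hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the rest locally against the returned list of suffixes and breach counts. The breach corpus used here is constructed so the demo runs offline; the live lookup function uses the public range endpoint but is not exercised by the demo.

```python
import hashlib
import urllib.request

# Constructed stand-in for the breached-password corpus (demo data only).
CONSTRUCTED_BREACHED_COUNTS = {"password123": 1234, "letmein": 56}


def sha1_hex_upper(password):
    """SHA-1 of the password as uppercase hex, the form the range lookup works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Split the hash into (prefix, suffix): only the 5-character prefix ever leaves your machine."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def build_constructed_range_response(prefix, breached):
    """Build a fake range reply in the real 'SUFFIX:COUNT' line format, containing
    every breached password whose hash shares the requested prefix."""
    lines = []
    for pw, count in breached.items():
        pw_prefix, pw_suffix = split_for_range_query(pw)
        if pw_prefix == prefix:
            lines.append(f"{pw_suffix}:{count}")
    return "\r\n".join(lines)


def count_in_range_response(suffix, response_text):
    """Scan the reply for our suffix; the service never learns which line we cared about."""
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix):
    """Real network lookup against the public range endpoint (not used by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_constructed(prefix):
    """Offline replacement for fetch_range_live, backed by the constructed corpus."""
    return build_constructed_range_response(prefix, CONSTRUCTED_BREACHED_COUNTS)


def times_seen_in_breaches(password, fetch_range=fetch_range_constructed):
    """How many times this password appears in known breaches (0 means not found)."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password123", "a unique passphrase nobody else uses"):
        print(pw, "->", times_seen_in_breaches(pw))
```

To query the real service, pass `fetch_range=fetch_range_live`; the rest of the code is unchanged, which is the point of the k-anonymity design: the client does the matching, so the server only ever sees a prefix shared by hundreds of other passwords.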

PIN encrypted PDFs

My accountant emails PDF statements encrypted with the last 4 digits of my Social Security Number. This is not encryption — a 4-digit number has only 10,000 combinations, and a hacker can guess all of them in seconds.
PIN numbers for ATM cards work because ATM machines are online, and the machine can reject your card after four guesses. PIN numbers don’t work for documents, because they are offline — the hacker has a copy of the document on their own machine, disconnected from the Internet, and can continue making bad guesses with no restrictions.
Passwords protecting documents must be long enough that even trillions upon trillions of guesses are insufficient to find them.

Tools: Hashcat, John the Ripper

SQL and other injection

The lazy way of combining websites with databases is to combine user input with an SQL statement. This combines code with data, so the obvious consequence is that hackers can craft data to mess with the code.
No, this isn’t obvious to the general public, but it should be obvious to programmers. The moment you write code that adds unfiltered user-input to an SQL statement, the consequence should be obvious. Yet, “SQL injection” has remained one of the most effective hacks for the last 15 years because somehow programmers don’t understand the consequence.
CGI shell injection is a similar issue. Back in the early days, when “CGI scripts” were a thing, it was really important, but these days, not so much, so I just included it with SQL. The consequence of executing shell code should’ve been obvious, but weirdly, it wasn’t. The IT guy at the company I worked for back in the late 1990s came to me and asked “this guy says we have a vulnerability, is he full of shit?”, and I had to answer “no, he’s right — obviously so”.

XSS (“Cross Site Scripting”) [*] is another injection issue, but this time at somebody’s web browser rather than a server. It works because websites will echo back what is sent to them. For example, if you search for Cross Site Scripting with the URL https://www.google.com/search?q=cross+site+scripting, then you’ll get a page back from the server that contains that string. If the string is JavaScript code rather than text, then some servers (though not Google) send back the code in the page in a way that it’ll be executed. This is most often used to hack somebody’s account: you send them an email or tweet a link, and when they click on it, the JavaScript gives control of the account to the hacker.

Cross site injection issues like this should probably be their own category, but I’m including it here for now.
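Both injection flavours above come down to the same mistake: code and data mixed in one string. Here is that mistake in working Python beside the fix, as an added example that is not part of the original post: an sqlite3 lookup that concatenates user input next to the parameterized form, and a search page that echoes its query raw next to one that runs it through `html.escape`. The user table, the rows and the inputs are constructed for the demo.

```python
import html
import sqlite3


def make_demo_db():
    """Constructed in-memory table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_email_concatenated(conn, name):
    """Weak: the input is pasted into the statement, so the parser treats it as SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_parameterized(conn, name):
    """Hardened: the driver binds the value separately; it can only ever be data."""
    sql = "SELECT email FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_results_raw(query):
    """Weak: echoes the search string into the page unchanged, so markup in it is rendered."""
    return "<p>Results for: " + query + "</p>"


def render_results_escaped(query):
    """Hardened: encodes <, >, &, and quotes so the browser displays the text instead of parsing it."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "' OR '1'='1"  # a name that is also valid SQL once concatenated
    print("concatenated :", lookup_email_concatenated(db, crafted))
    print("parameterized:", lookup_email_parameterized(db, crafted))
    print(render_results_raw("<script>alert(1)</script>"))
    print(render_results_escaped("<script>alert(1)</script>"))
```

The crafted name returns every row from the concatenated version and nothing from the parameterized one, because in the second case the database is looking for a user literally named `' OR '1'='1`. The same separation applies to HTML: the escaped page shows the angle brackets as text rather than handing the browser a script element.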

More: Wikipedia on SQL injection, Wikipedia on cross site scripting.
Tools: Burpsuite, SQLmap

Buffer overflows

In the C programming language, programmers first create a buffer, then read input into it. If the input is longer than the buffer, then it overflows. The extra bytes overwrite other parts of the program, letting the hacker run code.
Again, it’s not a thing the general public is expected to know about, but is instead something C programmers should be expected to understand. They should know that it’s up to them to check the length and stop reading input before it overflows the buffer, that there’s no language feature that takes care of this for them.
We are three decades after the first major buffer overflow exploits, so there is no excuse for C programmers not to understand this issue.

What makes these particularly obvious is the way they are wrapped in exploits, like in Metasploit. While the bug itself is obviously a bug, actually exploiting it can take some very non-obvious skill. However, once that exploit is written, any trained monkey can press a button and run the exploit. That’s where we get the insult “script kiddie” from — referring to wannabe-hackers who never learn enough to write their own exploits, but who spend a lot of time running the exploit scripts written by better hackers than they.

More: Wikipedia on buffer overflow, Wikipedia on script kiddie,  “Smashing The Stack For Fun And Profit” — Phrack (1996)
Tools: bash, Metasploit

SendMail DEBUG command (historical)

The first popular email server in the 1980s was called “SendMail”. It had a feature whereby if you send a “DEBUG” command to it, it would execute any code following the command. The consequence of this was obvious — hackers could (and did) upload code to take control of the server. This was used in the Morris Worm of 1988. Most Internet machines of the day ran SendMail, so the worm spread fast infecting most machines.
This bug was mostly ignored at the time. It was thought of as a theoretical problem, that might only rarely be used to hack a system. Part of the motivation of the Morris Worm was to demonstrate the consequences of such problems — consequences that should’ve been obvious but somehow were rejected by everyone.

More: Wikipedia on Morris Worm

Email Attachments/Links

I’m conflicted whether I should add this or not, because here’s the deal: you are supposed to click on attachments and links within emails. That’s what they are there for. The difference between good and bad attachments/links is not obvious. Indeed, easy-to-use email systems make detecting the difference harder.
On the other hand, the consequences of bad attachments/links are obvious. That worms like ILOVEYOU spread so easily is because people trusted attachments coming from their friends, and ran them.
We have no solution to the problem of bad email attachments and links. Viruses and phishing are pervasive problems. Yet, we know why they exist.
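One reason the difference is hard for users to see is that the operating system hides the part of the filename that matters. The following is an added example, not code from the original post: a small mail-gateway triage rule that classifies attachment names by their real extension, catches the double-extension trick that worms of the ILOVEYOU era used (a harmless-looking `.txt` or `.jpg` in front of an executable extension), and shows what the user would have seen with known extensions hidden. The extension lists and the sample messages are constructed and deliberately incomplete.

```python
import os

# Extensions Windows executes directly on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".jar",
}
# Harmless-looking extensions used as the visible half of a double extension.
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".gif"}
# Office formats that can carry macros and deserve a human look before delivery.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS | MACRO_EXTENSIONS


def displayed_name(filename):
    """What the recipient sees when the OS hides extensions of known file types:
    'photo.jpg.exe' is shown as 'photo.jpg'."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in KNOWN_EXTENSIONS else filename


def classify_attachment(filename):
    """Return a verdict for one attachment name based on its real (last) extension."""
    name = filename.strip().lower()
    root, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTENSIONS:
        inner_ext = os.path.splitext(root)[1]
        if inner_ext in DECOY_EXTENSIONS:
            return "block: executable hiding behind a double extension"
        return "block: executable attachment"
    if ext in MACRO_EXTENSIONS:
        return "quarantine: macro-enabled Office document, review before release"
    return "allow"


# Constructed sample messages: (sender, attachment name).
CONSTRUCTED_MAIL = [
    ("friend@example.com", "love-letter.txt.vbs"),   # mimics the worm-era double-extension trick
    ("vendor@example.com", "invoice-2017-07.pdf"),
    ("hr@example.com", "third-quarter-salaries.xlsm"),
    ("someone@example.com", "setup.exe"),
]


def triage(messages):
    """Apply the rule to a batch and keep what the user would have seen alongside the verdict."""
    return [
        (sender, fname, displayed_name(fname), classify_attachment(fname))
        for sender, fname in messages
    ]


if __name__ == "__main__":
    for row in triage(CONSTRUCTED_MAIL):
        print(row)
```

The interesting row is the first one: the gateway sees `love-letter.txt.vbs` and blocks it, while the recipient's file browser would have shown `love-letter.txt`, which is exactly why "just look at the extension" is not advice users can follow.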

Default and backdoor passwords

The Mirai botnet was caused by surveillance-cameras having default and backdoor passwords, and being exposed to the Internet without a firewall. The consequence should be obvious: people will discover the passwords and use them to take control of the bots.
Surveillance-cameras have the problem that they are usually exposed to the public, and can’t be reached without a ladder — often a really tall ladder. Therefore, you don’t want a button consumers can press to reset to factory defaults. You want a remote way to reset them. Therefore, they put in backdoor passwords to do the reset. Such passwords are easy for hackers to reverse-engineer, and hence, take control of millions of cameras across the Internet.
The same reasoning applies to “default” passwords. Many users will not change the defaults, leaving a ton of devices hackers can hack.

Masscan and background radiation of the Internet

I’ve written a tool that can easily scan the entire Internet in a short period of time. It surprises people that this is possible, but it’s obvious from the numbers. Internet addresses are only 32 bits long, or roughly 4 billion combinations. A fast Internet link can easily handle 1 million packets-per-second, so the entire Internet can be scanned in 4000 seconds, little more than an hour. It’s basic math.
Because it’s so easy, many people do it. If you monitor your Internet link, you’ll see a steady trickle of packets coming in from all over the Internet, especially Russia and China, from hackers scanning the Internet for things they can hack.
People’s reaction to this scanning is weirdly emotional, taking it personally, such as:
  1. Why are they hacking me? What did I do to them?
  2. Great! They are hacking me! That must mean I’m important!
  3. Grrr! How dare they?! How can I hack them back for some retribution!?

I find this odd, because obviously such scanning isn’t personal, the hackers have no idea who you are.
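What that "steady trickle" looks like in a firewall log, and how to tell a whole-Internet sweep from a source that is actually probing one of your hosts, is easy to show. The following is an added example, not code from the original post or from masscan: it parses constructed iptables-style drop log lines (RFC 5737 documentation addresses, no real hosts) and flags a source as a vertical scan when it touches many ports on a host, or as a horizontal sweep when it touches one port across many hosts, which is the masscan-style pattern. The thresholds are assumptions for the demo.

```python
from collections import defaultdict

# Constructed log lines in the iptables LOG target style (documentation address ranges only).
SAMPLE_LOG = """\
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=21
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=25
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=80
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=443
kernel: DROP IN=eth0 SRC=203.0.113.99 DST=198.51.100.11 PROTO=TCP SPT=61000 DPT=445
kernel: DROP IN=eth0 SRC=203.0.113.99 DST=198.51.100.12 PROTO=TCP SPT=61000 DPT=445
kernel: DROP IN=eth0 SRC=203.0.113.99 DST=198.51.100.13 PROTO=TCP SPT=61000 DPT=445
kernel: DROP IN=eth0 SRC=203.0.113.99 DST=198.51.100.14 PROTO=TCP SPT=61000 DPT=445
kernel: DROP IN=eth0 SRC=203.0.113.99 DST=198.51.100.15 PROTO=TCP SPT=61000 DPT=445
kernel: DROP IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=51515 DPT=22
"""


def parse_log_line(line):
    """Turn the KEY=VALUE tokens of one log line into a dict; None if it is not a packet line."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def summarize_sources(log_text):
    """For each source address, collect the distinct destination ports and hosts it hit."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        ports[fields["SRC"]].add(fields.get("DPT", "-"))
        hosts[fields["SRC"]].add(fields["DST"])
    return ports, hosts


def flag_scanners(log_text, port_threshold=5, host_threshold=5):
    """Return {source: description} for sources whose fan-out looks like scanning.
    Thresholds are demo assumptions; tune them to your own traffic."""
    ports, hosts = summarize_sources(log_text)
    verdicts = {}
    for src in ports:
        n_ports, n_hosts = len(ports[src]), len(hosts[src])
        if n_ports >= port_threshold:
            verdicts[src] = f"vertical scan: {n_ports} ports on {n_hosts} host(s)"
        elif n_hosts >= host_threshold:
            verdicts[src] = f"horizontal sweep: port(s) {sorted(ports[src])} across {n_hosts} hosts"
    return verdicts


if __name__ == "__main__":
    for src, why in flag_scanners(SAMPLE_LOG).items():
        print(src, "->", why)
```

The single connection from 192.0.2.5 is left alone; one dropped packet is background noise, and reacting to it is the "how dare they" mistake the post describes. The two flagged sources differ in a way that matters for response: the horizontal sweep is almost certainly indiscriminate, while the vertical scan at least picked your host.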

Tools: masscan, firewalls

Packet-sniffing, sidejacking

If you connect to the Starbucks WiFi, a hacker nearby can easily eavesdrop on your network traffic, because it’s not encrypted. Windows even warns you about this, in case you weren’t sure.

At DefCon, they have a “Wall of Sheep”, where they show passwords from people who logged onto stuff using the insecure “DefCon-Open” network. They are called “sheep” for not grasping the basic fact that unencrypted traffic is unencrypted.

To be fair, it’s actually non-obvious to many people. Even if the WiFi itself is not encrypted, SSL traffic is. They expect their services to be encrypted, without them having to worry about it. And in fact, most are, especially Google, Facebook, Twitter, Apple, and other major services that won’t allow you to log in anymore without encryption.

But many services (especially old ones) may not be encrypted. Unless users check and verify them carefully, they’ll happily expose passwords.

What’s interesting about this is that 10 years ago, most services used SSL only to encrypt the password, then switched to unencrypted connections after that, relying on “cookies” to identify the session. This allowed the cookies to be sniffed and stolen, allowing other people to share the login session. I used this on stage at BlackHat to connect to somebody’s GMail session. Google, and other major websites, fixed this soon after. But it should never have been a problem — because the sidejacking of cookies should have been obvious.

Tools: Wireshark, dsniff

Stuxnet LNK vulnerability

Again, this issue isn’t obvious to the public, but it should’ve been obvious to anybody who knew how Windows works.
When Windows loads a .dll, it first calls the function DllMain(). A Windows link file (.lnk) can load icons/graphics from the resources in a .dll file. It does this by loading the .dll file, thus calling DllMain. Thus, a hacker could put on a USB drive a .lnk file pointing to a .dll file, and thus, cause arbitrary code execution as soon as a user inserted a drive.
I say this is obvious because I did this, created .lnks that pointed to .dlls, but without hostile DllMain code. The consequence should’ve been obvious to me, but I totally missed the connection. We all missed the connection, for decades.

Social Engineering and Tech Support [* * *]

After posting this, many people have pointed out “social engineering”, especially of “tech support”. This probably should be up near #1 in terms of obviousness.

The classic example of social engineering is when you call tech support and tell them you’ve lost your password, and they reset it for you with a minimum of questions proving who you are. For example, you set the volume on your computer really loud and play the sound of a crying baby in the background and appear to be a bit frazzled and incoherent, which explains why you aren’t answering the questions they are asking. They, understanding your predicament as a new parent, will go the extra mile in helping you, resetting “your” password.

One of the interesting consequences is how it affects domain names (DNS). It’s quite easy in many cases to call up the registrar and convince them to transfer a domain name. This has been used in lots of hacks. It’s really hard to defend against. If a registrar charges only $9/year for a domain name, then it really can’t afford to provide very good tech support — or very secure tech support — to prevent this sort of hack.

Social engineering is such a huge and obvious problem that it’s outside the scope of this document. Just google it to find example after example.

A related issue that perhaps deserves its own section is OSINT [*], or “open-source intelligence”, where you gather public information about a target. For example, on the day the bank manager is out on vacation (which you got from their Facebook post) you show up and claim to be a bank auditor, and are shown into their office where you grab their backup tapes. (We’ve actually done this).

More: Wikipedia on Social Engineering, Wikipedia on OSINT, “How I Won the Defcon Social Engineering CTF” — blogpost (2011), “Questioning 42: Where’s the Engineering in Social Engineering of Namespace Compromises” — BSidesLV talk (2016)

Blue-boxes (historical) [*]

Telephones historically used what we call “in-band signaling”. That’s why when you dial on an old phone, it makes sounds — those sounds are sent no differently than the way your voice is sent. Thus, it was possible to make tone generators to do things other than simply dial calls. Early hackers (in the 1970s) would make tone-generators called “blue-boxes” and “black-boxes” to make free long distance calls, for example.

These days, “signaling” and “voice” are digitized, then sent as separate channels or “bands”. This is called “out-of-band signaling”. You can’t trick the phone system by generating tones. When your iPhone makes sounds when you dial, it’s entirely for your benefit and has nothing to do with how it signals the cell tower to make a call.

Early hackers, like the founders of Apple, are famous for having started their careers making such “boxes” for tricking the phone system. The problem was obvious back in the day, which is why, as the phone system moved from analog to digital, the problem was fixed.

More: Wikipedia on blue box, Wikipedia article on Steve Wozniak.

Thumb drives in parking lots [*]

A simple trick is to put a virus on a USB flash drive, and drop it in a parking lot. Somebody is bound to notice it, stick it in their computer, and open the file.

This can be extended with tricks. For example, you can put a file labeled “third-quarter-salaries.xlsx” on the drive that requires macros to be run in order to open. It’s irresistible to other employees who want to know what their peers are being paid, so they’ll bypass any warning prompts in order to see the data.

Another example is to go online and get custom USB sticks made printed with the logo of the target company, making them seem more trustworthy.

We also did a trick of taking an Adobe Flash game “Punch the Monkey” and replacing the monkey with a logo of a competitor of our target. They not only played the game (infecting themselves with our virus), but gave it to others inside the company to play, infecting others, including the CEO.

Thumb drives like this have been used in many incidents, such as Russians hacking military headquarters in Afghanistan. It’s really hard to defend against.

More: “Computer Virus Hits U.S. Military Base in Afghanistan” — USNews (2008), “The Return of the Worm That Ate The Pentagon” — Wired (2011), DoD Bans Flash Drives — Stripes (2008)

Googling [*]

Search engines like Google will index your website — your entire website. Frequently companies put things on their website without much protection because they are nearly impossible for users to find. But Google finds them, then indexes them, causing them to pop up with innocent searches.
There are books written on “Google hacking” explaining what search terms to look for, like “not for public release”, in order to find such documents.

More: Wikipedia entry on Google Hacking, “Google Hacking” book.

URL editing [*]

At the top of every browser is what’s called the “URL”. You can change it. Thus, if you see a URL that looks like this:

http://www.example.com/documents?id=138493

Then you can edit it to see the next document on the server:

http://www.example.com/documents?id=138494

The owner of the website may think they are secure, because nothing points to this document, so the Google search won’t find it. But that doesn’t stop a user from manually editing the URL.
An example of this is a big Fortune 500 company that posts the quarterly results to the website an hour before the official announcement. Simply editing the URL from previous financial announcements allows hackers to find the document, then buy/sell the stock as appropriate in order to make a lot of money.
Another example is the classic case of Andrew “Weev” Auernheimer who did this trick in order to download the account email addresses of early owners of the iPad, including movie stars and members of the Obama administration. It’s an interesting legal case because on one hand, techies consider this so obvious as to not be “hacking”. On the other hand, non-techies, especially judges and prosecutors, believe this to be obviously “hacking”.
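The defensive side of URL editing is that "nothing links to it" is not an access control; every object lookup has to check that the requester is allowed to see that object. The following is an added example, not code from the original post: an in-memory document store with sequential ids like the ones in the URLs above, a lookup that only checks the id exists beside one that also checks ownership, and a walk over a range of ids showing what each version hands back to a user who is not the owner. The documents, owners and id values are constructed for the demo.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    title: str


# Constructed store with sequential ids in the style of the URLs above.
DOCUMENTS = {
    138493: Document(138493, "alice", "alice's Q3 draft"),
    138494: Document(138494, "bob", "bob's expense report"),
    138495: Document(138495, "alice", "alice's notes"),
}


class NotFound(Exception):
    """Raised for 'no such document' and 'not your document' alike (see below)."""


def get_document_unchecked(doc_id, requester):
    """Weak: the only 'protection' is that nothing on the site links to this id."""
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id]


def get_document_authorized(doc_id, requester):
    """Hardened: every lookup verifies the requester owns the object. Missing and
    not-yours raise the same error, so the response does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != requester:
        raise NotFound(doc_id)
    return doc


def visible_ids(getter, requester, id_range):
    """Walk a range of ids the way a user editing the URL would, and record
    which documents the given implementation returns to this requester."""
    seen = []
    for doc_id in id_range:
        try:
            seen.append(getter(doc_id, requester).doc_id)
        except NotFound:
            pass
    return seen


def new_public_handle():
    """Defence in depth: expose random handles instead of sequential ids, so
    'the next document' cannot be guessed. The ownership check is still required."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    ids = range(138490, 138500)
    print("unchecked :", visible_ids(get_document_unchecked, "bob", ids))
    print("authorized:", visible_ids(get_document_authorized, "bob", ids))
    print("handle    :", new_public_handle())
```

With the unchecked lookup, bob sees all three documents simply by counting up; with the ownership check he sees only his own, and the error for alice's ids is indistinguishable from the error for ids that do not exist. Random handles on top of that are a good idea for the quarterly-results case, where the mere existence of a new id is information, but they are no substitute for the check.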

DDoS, spoofing, and amplification [*]

For decades now, online gamers have figured out an easy way to win: just flood the opponent with Internet traffic, slowing their network connection. This is called a DoS, which stands for “Denial of Service”. DoSing game competitors is often a teenager’s first foray into hacking.
A variant of this is when you hack a bunch of other machines on the Internet, then command them to flood your target. (The hacked machines are often called a “botnet”, a network of robot computers). This is called DDoS, or “Distributed DoS”. At this point, it gets quite serious, as instead of competing gamers, hackers can take down entire businesses. Extortion scams, DDoSing websites then demanding payment to stop, are a common way hackers earn money.
Another form of DDoS is “amplification”. Sometimes when you send a packet to a machine on the Internet it’ll respond with a much larger response, either a very large packet or many packets. The hacker can then send a packet to many of these sites, “spoofing” or forging the IP address of the victim. This causes all those sites to then flood the victim with traffic. Thus, with a small amount of outbound traffic, the hacker can flood the inbound traffic of the victim.
This is one of those things that has worked for 20 years, because it’s so obvious teenagers can do it, yet there is no obvious solution. President Trump’s executive order on cyberspace specifically demanded that his government come up with a report on how to address this, but it’s unlikely that they’ll come up with any useful strategy.
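Amplification only works because the hacker can send packets with somebody else's source address, and the one mitigation that attacks that root cause is for every network to drop outbound packets whose source address is not its own (ingress/egress filtering, BCP 38 / RFC 2827). The following is an added example, not code from the original post: an egress filter over constructed packet records using the `ipaddress` module, plus the amplification-factor arithmetic that explains why reflectors are attractive. The site prefix, the packets and the byte counts are constructed for the demo.

```python
import ipaddress

# Constructed: the only prefix this network legitimately originates traffic from.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed outbound packets as a border router would see them. The second one
# carries a forged source address belonging to some other network (the would-be victim).
CONSTRUCTED_OUTBOUND = [
    {"src": "192.0.2.10", "dst": "198.51.100.53", "proto": "udp", "dport": 53, "len": 60},
    {"src": "203.0.113.25", "dst": "198.51.100.53", "proto": "udp", "dport": 53, "len": 60},
]


def egress_allowed(src_ip, prefixes=SITE_PREFIXES):
    """BCP 38 check: a packet may leave only if its source address is ours."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=SITE_PREFIXES):
    """Split packets into (forwarded, dropped) according to the egress rule."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_allowed(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker sends through a reflector."""
    return response_bytes / request_bytes


def victim_inbound_bytes(attacker_bytes, factor):
    """Total traffic that lands on the victim for a given attacker budget and amplification."""
    return attacker_bytes * factor


if __name__ == "__main__":
    fwd, drop = filter_egress(CONSTRUCTED_OUTBOUND)
    print("forwarded:", [p["src"] for p in fwd])
    print("dropped  :", [p["src"] for p in drop])
    factor = amplification_factor(60, 3000)  # constructed sizes: 60-byte query, 3000-byte reply
    print("amplification x", factor, "-> 1 Mbit/s becomes", victim_inbound_bytes(1_000_000, factor), "bit/s")
```

The filter is trivial, which is the frustrating part: it costs the filtering network nothing it can measure and protects only other people's networks, so adoption has depended on everyone doing it. That incentive problem, not any technical difficulty, is why the post can say there is no obvious solution.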

More: Wikipedia on DDoS, Wikipedia on Spoofing

Conclusion

Tweet me (@ErrataRob) your obvious hacks, so I can add them to the list.

How To Back Up Your Flickr Library

Post Syndicated from Peter Cohen original https://www.backblaze.com/blog/how-to-backup-your-flickr-library/

Flickr and cloud backup image

UPDATE May 17, 2018:  On April 20, Flickr announced that it is being acquired by the image hosting and sharing service SmugMug. At that time, Flickr users were told that they have until May 25, 2018, to either accept the new terms of service from SmugMug or download their photo files from Flickr and close their accounts. Here is an excerpt from the email that was sent to Flickr users:

We think you are going to love Flickr under SmugMug ownership, but you can choose to not have your Flickr account and data transferred to SmugMug until May 25, 2018. If you want to keep your Flickr account and data from being transferred, you must go to your Flickr account to download the photos and videos you want to keep, then delete your account from your Account Settings by May 25, 2018.

If you do not delete your account by May 25, 2018, your Flickr account and data will transfer to SmugMug and will be governed by SmugMug’s Terms and Privacy Policy.

We wanted to let our readers know of this change, and also help them download their photos if they wish to do so. To that end, we’ve updated a post we published a little over a year ago with instructions on how to download your photos from Flickr. It’s a good idea to have a backup of your photos on Flickr whether or not you plan to continue with the service.


You can read Peter’s updated post from March 21, 2017, How to Back Up Your Flickr Library, below.

— Editor

Flickr is a popular photo blogging service used by pro and amateur photographers alike. Flickr helps you archive your photos in the cloud and share them publicly with others. What happens when Flickr is the only place you can find your photos, though?

I hadn’t thought that much of that contingency. I’ve been a Flickr user since the pre-Yahoo days — 2004. I recently took stock of all the photos I’d uploaded to Flickr and realized something unsettling: I didn’t have some of these images on my Mac. It’s been 13 years and probably half a dozen computers since then, so I wasn’t surprised that some photos had fallen through the cracks.

I decided to be better safe than sorry. I set out to backup my entire Flickr library to make sure I had everything. And I’m here to pass along what I learned.

Flickr’s Camera Roll and Album Download Options

Most of Flickr’s workflow — and most of their supported apps — focus on getting images into Flickr, not out of Flickr. That doesn’t mean you can’t download images from Flickr, but it isn’t straightforward.

You can download photos directly from Flickr using their Camera Roll view, which organizes all your photos by the date they were taken. This is Flickr’s file-management interface, letting you select photos for whichever use you wish. Once you’ve selected the photos you want using the check boxes, Flickr will create a ZIP file that you can download. You are limited to 500 photos at a time, so this could take a number of repetitions if you have a lot of photos.

Flickr Camera Roll View screenshot

The download UI once you’ve made your photo selections:

Flickr Camera Roll options

You also can download Flickr Albums. As with the camera roll, there is a limit on the number of photos you can download at a time; for albums, the limit is 5,000 files.

Flickr’s download albums selection dialog:

Flickr download albums

Guidelines from Flickr’s download help page:

screenshot of Flickr's download options

Third-party apps

Some third-party app makers have tapped into Flickr’s API to create various import and export services and apps.

Bulkr is one such app. The app, free to download, lets you download images from your Flickr library with the touch of a button. It’s dependent on Adobe Flash and requires Adobe AIR. Some features are unavailable unless you pay for the “Pro” version ($29).

Bulkr screenshot

Flickr downloadr is another free app that lets you download your Flickr library. It also works on Mac, Windows and Linux systems. No license encumbrances to download extra content — it’s released as open source.

Flickr Downloadr screenshot

I’ve tried them both on my library of over 8,000 images. In either case, I just set up the apps and let them run — they took a while, a couple of hours to grab everything. So if you’re working with a large archive of Flickr images, I’d recommend setting aside some time when you can leave your computer running.

What To Do With Your Flickr Images

You’ve downloaded the images to your local hard drive. What next? Catalog what you have. Both Macs and PCs include such software. The apps for each platform are both called “Photos.” They have the benefit of being free, built-in, and well-supported using existing tools and workflows.

If the Photos apps included with your computer don’t suit you, there are other commercial app options. Adobe Photoshop Lightroom is one of the more popular options that work with both Macs and Windows PCs. It’s included with Adobe’s $9.99 per month Creative Cloud Photography subscription (bundled with Photoshop), or you can buy it separately for $149.

Archive Your Backup

Now that you’ve downloaded all of your Flickr images, make sure they’re safe by backing them up. Back them up locally using Time Machine (on the Mac), Windows Backup or whatever means you prefer.

Even though you’ve gotten the images from the cloud by downloading them from Flickr, it’d be a good idea to store a backup copy offsite just in case. That’s keeping with the guidelines of the 3-2-1 Backup Strategy — a solid way to make sure that nothing bad can happen to your data.

Backblaze Backup and Backblaze B2 Cloud Storage are both great options, of course, for backing up and archiving your media, but the main thing is to make sure your photos are safe and sound. If anything happens to your computer or your local backup, you’ll still have a copy of those precious memories stored securely.

Need more tips on how to back up your computer? Check out our Computer Backup Guide for more details.

The post How To Back Up Your Flickr Library appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

PIXEL for PC and Mac

Post Syndicated from Eben Upton original https://www.raspberrypi.org/blog/pixel-pc-mac/

Our vision in establishing the Raspberry Pi Foundation was that everyone should be able to afford their own programmable general-purpose computer. The intention has always been that the Raspberry Pi should be a full-featured desktop computer at a $35 price point. In support of this, and in parallel with our hardware development efforts, we’ve made substantial investments in our software stack. These culminated in the launch of PIXEL in September 2016.

PIXEL represents our best guess as to what the majority of users are looking for in a desktop environment: a clean, modern user interface; a curated suite of productivity software and programming tools, both free and proprietary; and the Chromium web browser with useful plugins, including Adobe Flash, preinstalled. And all of this is built on top of Debian, providing instant access to thousands of free applications.

Put simply, it’s the GNU/Linux we would want to use.

The PIXEL desktop on Raspberry Pi

Back in the summer, we asked ourselves one simple question: if we like PIXEL so much, why ask people to buy Raspberry Pi hardware in order to run it? There is a massive installed base of PC and Mac hardware out there, which can run x86 Debian just fine. Could we do something for the owners of those machines?

So, after three months of hard work from Simon and Serge, we have a Christmas treat for you: an experimental version of Debian+PIXEL for x86 platforms. Simply download the image, burn it onto a DVD or flash it onto a USB stick, and boot straight into the familiar PIXEL desktop environment on your PC or Mac. Or go out and buy this month’s issue of The MagPi magazine, in stores tomorrow, which has this rather stylish bootable DVD on the cover.

Our first ever covermount

You’ll find all the applications you’re used to, with the exception of Minecraft and Wolfram Mathematica (we don’t have a licence to put those on any machine that’s not a Raspberry Pi). Because we’re using the venerable i386 architecture variant it should run even on vintage machines like my ThinkPad X40, provided they have at least 512MB of RAM.

The finest laptop ever made, made finer

Why do we think this is worth doing? Two reasons:

  • A school can now run PIXEL on its existing installed base of PCs, just as a student can run PIXEL on her Raspberry Pi at home. She can move back and forth between her computing class or after-school club and home, using exactly the same productivity software and programming tools, in exactly the same desktop environment. There is no learning curve, and no need to tweak her schoolwork to run on two subtly different operating systems.
  • And bringing PIXEL to the PC and Mac keeps us honest. We don’t just want to create the best desktop environment for the Raspberry Pi: we want to create the best desktop environment, period. We know we’re not there yet, but by running PIXEL alongside Windows, Mac OS, and the established desktop GNU/Linux distros, we can more easily see where our weak points are, and work to fix them.

Remember that this is a prototype rather than a final release version. Due to the wide variety of PC and Mac hardware out there, there are likely to be minor issues on some hardware configurations. If we decide that this is something we want to commit to in the long run, we will do our best to address these as they come up. You can help us here – please let us know how you get on in the comments below!

Instructions

Download the image, and either burn it to a DVD or write it to a USB stick. For the latter, we recommend Etcher.

Etcher from resin.io

Insert the DVD or USB stick into your PC or Mac, and turn it on. On a PC, you will generally need to enable booting from optical drive or USB stick in the BIOS, and you will have to ensure that the optical drive or USB stick is ahead of all other drives in the boot order. On a Mac, you’ll need to hold down C during boot*.

If you’ve done that correctly, you will be greeted by a boot screen.

Boot screen

Here you can hit escape to access the boot menu, or do nothing to boot through to the desktop.

Spot the difference: the PIXEL desktop on a PC

* We are aware of an issue on some modern Macs (including, annoyingly, mine – but not Liz’s), where the machine fails to identify the image as bootable. We’ll release an updated image once we’ve got to the bottom of the issue.

Persistence

If you are running from DVD, any files you create, or modifications you make to the system, will of course be lost when you power off the machine. If you are running from a USB stick, the system will by default use any spare space on the device to create a persistence partition, which allows files to persist between sessions. The boot menu provides options to run with or without persistence, or to erase any persistence partition that has been created, allowing you to roll back to a clean install at any time.

Boot menu

Disclaimer

One of the great benefits of the Raspberry Pi is that it is a low-consequence environment for messing about: if you trash your SD card you can just flash another one. This is not always true of your PC or Mac. Consider backing up your system before trying this image.

Raspberry Pi can accept no liability for any loss of data or damage to computer systems from using the image.

The post PIXEL for PC and Mac appeared first on Raspberry Pi.

How To Reclaim Lost Hard Disk Space

Post Syndicated from Peter Cohen original https://www.backblaze.com/blog/free-up-disk-space/

hard-drive-full

Running out of disk space? You’re not the only one. We’ve all been there. You try to save a file or install a new app and get a message telling you there isn’t enough space. Here are five common mistakes that cost us extra hard drive space we don’t need to waste – and what to do about them.

Runaway Caches

Apps and the operating system often write data to temporary files which aren’t always cleaned up in the most efficient manner. To fix the problem, often all you have to do is to restart the computer. I’ve done this before and all of a sudden found a few extra gigabytes available. Enough to figure out what else is taking up space so I can remove it.

Disk Cleanup

If restarting doesn’t fix it, there are various techniques you can use to flush cache files. It depends on what OS is installed. In macOS, for example, you can navigate to the /Library directory, then empty the Caches subdirectory manually. Windows users can use the Disk Cleanup app, which is built in. There are also third-party utilities that can help, such as CleanMyMac 3 from MacPaw and CCleaner for Windows from Piriform.

Too Many Duplicate Files


If you routinely copy files between directories you may inadvertently be leaving duplicate files that can choke your hard disk. Compare the copies before deleting anything so that you don’t remove a later version that may contain essential revisions.

This is another area where having a good utility can save the day. In addition to the ones I just mentioned, there’s Duplicate Cleaner for Windows and Gemini for Mac from MacPaw.
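As an added example (not from the Backblaze post, and not any of the utilities it names), here is a small Python script that finds duplicate files by content and lists each set newest-modified first, so you can see which copy to keep before deleting anything by hand; it only reports and never deletes.

```python
# Added example, not from the Backblaze post: report duplicate files under a
# directory tree. Files are grouped by size first (cheap) and only same-size
# candidates are hashed with SHA-256 (expensive). Nothing is ever deleted.
import hashlib
import os
import sys
from collections import defaultdict


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_duplicates(root):
    """Return duplicate groups (lists of paths), each sorted newest-modified
    first, so the first entry is the copy you would normally keep."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # a symlink is a pointer, not a copy
                continue
            by_size[os.path.getsize(path)].append(path)
    groups = []
    for size, paths in by_size.items():
        if size == 0 or len(paths) < 2:  # empty files are not worth reporting
            continue
        by_hash = defaultdict(list)
        for p in paths:
            by_hash[sha256_of(p)].append(p)
        for same in by_hash.values():
            if len(same) > 1:
                same.sort(key=os.path.getmtime, reverse=True)
                groups.append(same)
    return sorted(groups)


def reclaimable_bytes(groups):
    """Bytes freed if only the newest copy in each group were kept."""
    return sum(os.path.getsize(g[0]) * (len(g) - 1) for g in groups)


if __name__ == "__main__":
    for group in find_duplicates(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("duplicate set (newest first): " + ", ".join(group))
```

Run it as `python finddups.py ~/Documents`; the ordering comes from modification time, so still eyeball the contents of a pair before removing the older one.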

Unused Apps

How many times have you installed an app that you don’t end up using? Individual apps – and the many files needed to get them to work properly – can occupy hundreds of megabytes, even gigabytes. That’s space you can use for more important stuff.

Take a close look at your Applications folder and see if there’s unused junk you can safely delete. If the app comes from a service like the Windows Store or Mac App Store, you should be able to download it again for free if and when you actually need it. Apps you’ve acquired through other means – DVD installers or from third-party stores whose policies may differ – may need their own archive. Make sure that you have a backup in case you need to restore. Also make sure you have registration or activation data stored in a safe place. You’ll need it if you reinstall the app.

Games are particularly egregious hard disk space waste offenders. Some games will grab dozens of gigabytes of space, especially if they have lots of levels or high-res artwork. What’s more, game management applications like Steam hide the game files from view. That can make it difficult to figure out how much space is used.

Dragging the app icon into the Trash may not delete all of the app. Many apps include an uninstaller utility, which you should use when given the choice. Some app developers offer custom uninstallers you can download from their website. Apps can leave a trail of supporting files and caches in hidden spots on your hard drive. These files can be hard to track down without an uninstaller tool. Some app makers also include step-by-step instructions for removing their app.


Again, disk maintenance utilities can come in handy here. As a Mac user, I’ve found a utility called DaisyDisk to be particularly helpful when it comes down to tracking disk space waste.

A Full Trash Can/Recycle Bin

Is your Trash Can or Recycle Bin overflowing? Maybe it’s time to empty it! You might be surprised how many files you “delete” only to find out that they aren’t deleted at all. Putting a file in the trash marks it for deletion, but unless you have your system set to automatically empty the trash when it hits a certain size threshold or when the files inside reach a certain age, it’s possible to waste gigabytes on files you simply don’t need anymore.


This also applies to applications that may queue up content for deletion without actually deleting the files. Some apps will move files marked for deletion to an in-app trash folder until they reach a size or age threshold. Depending on the app, these files can add up quickly. So fire up your most used apps and see if they’re taking up space you could reclaim!

A Chunky Downloads Folder

If your computer is set to automatically download files to a specific folder, check that folder. You might be surprised by how much stuff is in there. This is especially true if you’ve downloaded app or utility installers that you’ve forgotten about, like Adobe Flash updates.

Before You Make Any Changes, Back Up!

Before you get started, make sure you have a full and complete backup of your hard drive! The last thing you want to do is to erase something in a momentary fit of pique only to discover that it’s your only copy.

To that end, we’re big believers in the “triple backup” – have three copies of your data, the “live” version on your computer’s hard disk, a local backup copy, and an offsite copy (using Backblaze, or another cloud service).

That way, no matter what changes you make, you’ll be able to restore files in a jiffy if you need to.

Have questions I didn’t cover? Fire ’em off in the comments!

The post How To Reclaim Lost Hard Disk Space appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Moving Beyond Flash: The Yahoo HTML5 Video Player – Streaming Media Magazine

Post Syndicated from davglass original https://yahooeng.tumblr.com/post/150727511601


Adobe Flash, once the de-facto standard for media playback on the web, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving toward HTML5 for video playback.

Smedberg: Reducing Adobe Flash Usage in Firefox

Post Syndicated from corbet original http://lwn.net/Articles/694972/rss

Benjamin Smedberg writes that the Firefox browser will soon start taking a more active approach to the elimination of Flash content. “Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness.”

Apple Will Not Patch Windows QuickTime Vulnerabilities

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/lM6RnHy8nlQ/

Much like Adobe Flash, QuickTime from Apple is a bit of a relic. Some pretty serious remote code execution Windows QuickTime vulnerabilities were recently discovered by Trend Micro. Apple has officially stated that they won’t be fixing them, and the official line on this is to uninstall QuickTime. I guess a lot of people […]


Read the full post at darknet.org.uk

Denouncing vs. Advocating: In Defense of the Occasional Denouncement

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2009/10/11/denouncing-v-advocating.html

For the last decade, I’ve regularly seen complaints when we harder-core
software freedom advocates spend some time criticizing proprietary
software in addition to our normal work preserving, protecting and
promoting software freedom. While I think entire campaigns focused on
criticism are warranted in only extreme cases, I do believe that
denouncement of certain threatening proprietary technologies is a
necessary part of the software freedom movement, when done sparingly.

Denouncements are, of course, negative, and in general, negative
tactics are never as valuable as positive ones. Negative campaigns
alienate some people, and it’s always better to talk about the advantages
of software freedom than focus on the negative of proprietary
software.

The place where negative campaigns that denounce are simply necessary,
in my view, is when the practice either (a) will somehow completely
impede the creation of FLOSS or (b) has become, or is becoming,
widespread among people who are otherwise supportive of software
freedom.

I can think quickly of two historical examples of the first type: UCITA
and DRM. UCITA was a State/Commonwealth-level law in the USA that was
proposed to make local laws more consistent regarding software
distribution. Because the implications were so bad
for software freedom (details of which are beyond the scope of this post but
can be learned at the link), and because it was so unlikely that we
could get the UCITA drafts changed, it was necessary to publicly denounce
the law and hope that it didn’t pass. (Fortunately, it only ever passed
in my home state of Maryland and in Virginia. I am still, probably
pointlessly, careful never to distribute software when I visit my
hometown. 🙂)

DRM, for its part, posed an even greater threat to software freedom
because its widespread adoption would require proprietarization of all
software that touched any television, movie, music, or book media. There
was also a concerted widespread pro-DRM campaign from USA corporations.
Therefore, grassroots campaigns denouncing DRM are extremely necessary
even despite that they are primarily negative in operation.

The second common need for denouncement arises when use of a proprietary
software package has become acceptable in the software freedom community.
The most common examples are usually specific proprietary software
programs that have become (or seem about to become) an “all but
standard” part of the toolset for Free Software developers and
advocates.

Historically, this category included Java, and that’s why there were
anti-Java campaigns in the Free Software community that ran concurrently
with Free Software Java development efforts. The need for the former is
now gone, of course, because the latter efforts were so successful and we
have a fully FaiF Java system. Similarly, denouncement of Bitkeeper was
historically necessary, but is also now moot because of the advent and
widespread popularity of Mercurial, Git, and Bazaar.

Today, there are still a few proprietary programs that quickly rose to
ranks of “must install on my GNU/Linux system” for all but the
hardest-core Free Software advocates. The key examples are Adobe Flash
and Skype. Indeed, much to my chagrin, nearly all of my co-workers at
SFLC insist on using Adobe Flash, and nearly every Free Software developer
I meet at conferences uses it too. And, despite excellent VoIP technology
available as Free Software, Skype has sadly become widely used in our
community as well.

When a proprietary system becomes as pervasive in our community as
these have (or looks like it might), it’s absolutely time for
denouncement. It’s often very easy to forget that we’re relying more and
more heavily on proprietary software. When a proprietary system
effectively becomes the “default” for use on software freedom
systems, it means fewer people will be inspired to write a
replacement. (BTW, contribute to Gnash!) It means that Free Software
advocates will, in direct contradiction of their primary mission, start to
advocate that users install that proprietary software, because it
seems to make the FaiF platform “more useful”.

Hopefully, by now, most of us in the software freedom community agree
that proprietary software is a long term trap that we want to avoid.
However, in the short term, there is always some new shiny thing.
Something that appeals to our prurient desire for software that
“does something cool”. Something that just seems so
convenient that we convince ourselves we cannot live without it, so we
install it. Over time, short term becomes the long term, and suddenly we
have gaping holes in the Free Software infrastructure that only the very
few notice because the rest just install the proprietary thing. For
example, how many of us bother to install Linux Libre,
even long enough to at least know which of our hardware
components needs proprietary software? Even I have to admit I don’t do
this, and probably should.

An old adage of software development is that software is always better
if the developers of it actually have to use the thing from day to day.
If we agree that our goal is ultimately convincing everyone to run only
Free Software (and for that Free Software to fit their needs), then we
have to trailblaze by avoiding running proprietary software ourselves. If
you do run proprietary software, I hope you won’t celebrate the fact or
encourage others to do so. Skype is particularly insidious here, because
it’s a community application. Encouraging people to call you on Skype is
the same as emailing someone a Microsoft Word document: it’s encouraging
someone to install a proprietary application just to work with you.

Finally, I think the only answer to the FLOSS community
celebrating the arrival of some new proprietary program for
GNU/Linux is to denounce it, as a counterbalance to the fervor that such
an announcement causes. My podcast co-host Karen
often calls me the canary in the software coalmine because I am
usually the first to notice something that is bad for the advancement of
software freedom before anyone else does. In playing this role, I often
end up denouncing a few things here and there, although I can still count
on my two hands the times I’ve done so. I agree that advocacy should be
the norm, but the occasional denouncement is also a necessary part of the
picture.

(Note: this blog is part of an ongoing public discussion of a software
program that is not too popular yet, but was heralded widely as a win for
Free Software in the USA. I didn’t mention it by name mainly because I
don’t want to give it more press than it’s already gotten, as it is one of
those programs that is becoming a standard GNU/Linux user
application (at least in the USA), but hasn’t yet risen to the level of
ubiquity of the other examples I give above. Here’s to hoping that it
doesn’t.)