
Copyright Troll Piracy ‘Witness’ Went Back to the Future – and Lost

Post Syndicated from Andy original https://torrentfreak.com/copyright-troll-piracy-witness-went-back-to-the-future-and-lost-170526/

Since the early 2000s, copyright trolls have been attempting to squeeze cash from pirating Internet users and fifteen years later the practice is still going strong.

While there’s little doubt that trolls catch some genuine infringers in their nets, the claim that actions are all about protecting copyrights is a shallow one. The aim is to turn piracy into profit and history has shown us that the bigger the operation, the more likely it is they’ll cut corners to cut costs.

The notorious Guardaley trolling operation is a prime example. After snaring the IP addresses of hundreds of thousands of Internet users, the company extracts cash settlements in the United States, Europe and beyond. It’s a project of industrial scale based on intimidation of alleged infringers. But, when those people fight back, the scary trolls suddenly become less so.

The latest case of Guardaley running for the hills comes courtesy of SJD from troll-watching site FightCopyrightTrolls, who reports on an attempt by Guardaley partner Criminal Productions to extract settlement from Zach Bethke, an alleged downloader of the Ryan Reynolds movie, Criminal.

On May 12, Bethke’s lawyer, J. Christopher Lynch, informed Criminal Productions’ lawyer David A. Lowe that Bethke is entirely innocent.

“Neither Mr. Bethke nor his girlfriend copied your client’s movie and they do not know who, if anyone, may have done so,” Lynch wrote.

“Mr. Bethke does not use BitTorrent. Prior to this lawsuit, Mr. Bethke had never heard of your client’s movie and he has no interest in it. If he did have any interest in it, he could have rented it for no marginal cost using his Netflix or Amazon Prime accounts.”

Lynch went on to request that Criminal Productions drop the case. Failing that, he said, things would probably get more complicated. As reported last year, Lynch and Lowe have been regularly locking horns over these cases, with Lynch largely coming out on top.

Part of Lynch’s strategy has been to shine light on Guardaley’s often shadowy operations. He previously noted that its investigators were not properly licensed to operate in the U.S. and the company had been found to put forward a fictitious witness, among other things.

In the past, these efforts to bring Guardaley out into the open have resulted in its clients, which include several film companies, dropping cases. Lynch, it appears, wants that to happen again in Bethke’s case, noting in his letter that it’s “long past due for a judge to question the qualifications” of the company’s so-called technical experts.

In doing so he calls Guardaley’s evidence into question once more, noting inconsistencies in the way alleged infringements were supposedly “observed” by “foreign investigator[s], with a direct financial interest in the matter.”

One of Lynch’s findings is that the “observations” of two piracy investigators overlap each other’s monitoring periods in separate cases, while reportedly monitoring the same torrent hash.

“Both declarations cover the same ‘hash number’ of the movie, i.e. the same soak. This overlap seems impossible if we stick with the fictions of the Complaint and Motion for Expedited Discovery that the declarant ‘observed’ the defendant ‘infringing’,” Lynch notes.

While these are interesting points, the quality of evidence presented by Guardaley and Criminal Productions is really called into question following another revelation. Daniel Macek, an ‘observing’ investigator used in numerous Guardaley cases, apparently has a unique talent.

As seen from the image below, the alleged infringements relating to Mr. Bethke’s case were carried out between June 25 and 28, 2016.

However, the declaration (pdf) filed with the Court on witness Macek’s behalf was signed and dated either June 14 or 16, more than a week before the infringements allegedly took place.

Time-traveler? Lynch thinks not.

“How can a witness sign a declaration that he observed something BEFORE it happened?” he writes.

“Criminal Productions submitted four such Declarations of Mr. Macek that were executed BEFORE the dates of the accompanying typed up list of observations that Mr. Macek swore that he made.

“Unless Daniel Macek is also Marty McFly, it is impossible to execute a declaration claiming to observe something that has yet to happen.”

So what could explain this strange phenomenon? Lynch believes he’s got to the bottom of that one too.

After comparing all four Macek declarations, he found that aside from the case numbers, the dates and signatures were identical. Instead of taking the issue of presenting evidence before the Court seriously, he believes Criminal Productions and partner Guardaley have been taking shortcuts.

“From our review, it appears these metaphysical Macek declarations are not just temporally improper, they are also photocopies, including the signatures not separately executed,” he notes.

“We are astonished by your client’s foreign representatives’ apparent lack of respect for our federal judicial system. Use of duplicate signatures from a witness testifying to events that have yet to happen is on the same level of horror as the use of a fictitious witness and ‘his’ initials as a convenience to obtain subpoenas.”

Not entirely unexpectedly, five days later the case against Bethke and other defendants was voluntarily dismissed (pdf), indicating once again that like vampires, trolls do not like the light. Other lawyers defending similar cases globally should take note.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Raspberry Pi and CoderDojo join forces

Post Syndicated from Philip Colligan original https://www.raspberrypi.org/blog/raspberry-pi-and-coderdojo-join-forces/

We’ve got some great news to share today: the Raspberry Pi Foundation is joining forces with the CoderDojo Foundation, in a merger that will give many more young people all over the world new opportunities to learn how to be creative with technology.

CoderDojo is a global network of coding clubs for kids from seven to 17. The first CoderDojo took place in July 2011 when James Whelton and Bill Liao decided to share their passion for computing by setting up a club at the National Software Centre in Cork. The idea was simple: provide a safe and social place for young people to acquire programming skills, learning from each other and supported by mentors.

Photo: a mentor helps a child at a CoderDojo

Since then, James and Bill have helped turn that idea into a movement that reaches across the whole world, with over 1,250 CoderDojos in 69 countries, regularly attended by over 35,000 young Ninjas.

Raspberry Pi and CoderDojo have each accomplished amazing things over the last six years. Now, we see an opportunity to do even more by joining forces. Bringing together Raspberry Pi, Code Club, and CoderDojo will create the largest global effort to get young people involved in computing and digital making. We have set ourselves an ambitious goal: to quadruple the number of CoderDojos worldwide, to 5,000, by the end of 2020.

Photo: children and teenagers work on laptops at a CoderDojo, while adults help

The enormous impact that CoderDojo has had so far is down to the CoderDojo Foundation team, and to the community of volunteers, businesses, and foundations who have contributed expertise, time, venues, and financial resources. We want to deepen those relationships and grow that community as we bring CoderDojo to more young people in future.

The CoderDojo Foundation will continue as an independent charity, based in Ireland. Nothing about CoderDojo’s brand or ethos is changing as a result of this merger. CoderDojos will continue to be platform-neutral, using whatever kit they need to help young people learn.

Photo: children concentrate intently on coding activities at a CoderDojo event

In technical terms, the Raspberry Pi Foundation is becoming a corporate member of the CoderDojo Foundation (which is a bit like being a shareholder, but without any financial interest). I will also join the board of the CoderDojo Foundation as a director. The merger is subject to approval by Irish regulators.

How will this work in practice? The two organisations will work together to advance our shared goals, using our respective assets and capabilities to get many more adults and young people involved in the CoderDojo movement. The Raspberry Pi Foundation will also provide practical, financial, and back-office support to the CoderDojo Foundation.

Last June, I attended the CoderDojo Coolest Projects event in Dublin, and was blown away by the amazing projects made by CoderDojo Ninjas from all over the world. From eight-year-olds who had written their first programs in Scratch to the teenagers who built a Raspberry Pi-powered hovercraft, it was clear that CoderDojo is already making a huge difference.

Photo: two girls wearing CoderDojo t-shirts present their Raspberry Pi-based hovercraft at CoderDojo Coolest Projects 2016

I am thrilled that we’re going to be working closely with the brilliant CoderDojo team, and I can’t wait to visit Coolest Projects again next month to meet all of the Ninjas and mentors who make CoderDojo possible.

If you want to find out more about CoderDojo and how you can get involved in helping the movement grow, go here.


The Licensing and Compliance Lab interviews AJ Jordon of gplenforced.org (FSF Blog)

Post Syndicated from jake original https://lwn.net/Articles/723828/rss

The Free Software Foundation’s blog is carrying an interview with AJ Jordon, who runs the gplenforced.org site to support GPL enforcement efforts and to help other projects indicate their support. “gplenforced.org is a small site I made that has exactly two purposes: host a badge suitable for embedding into a README file on GitLab or something, and provide some text with an easy and friendly explanation of GPL enforcement for that badge to link to.

Putting badges in READMEs has been pretty trendy for a while now — people add badges to indicate whether their test suite is passing, their dependencies are up-to-date, and what version is published in language package managers. gplenforced.org capitalizes on that trend to add the maintainer’s beliefs about license enforcement, too.”

Security and Human Behavior (SHB 2017)

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/security_and_hu_6.html

I’m in Cambridge University, at the tenth Workshop on Security and Human Behavior.

SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Ross Anderson, Alessandro Acquisti, and myself. The 50 or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

The goal is maximum interaction and discussion. We do that by putting everyone on panels. There are eight six-person panels over the course of the two days. Everyone gets to talk for ten minutes about their work, and then there’s half an hour of questions and discussion. We also have lunches, dinners, and receptions — all designed so people from different disciplines talk to each other.

It’s the most intellectually stimulating conference of my year, and influences my thinking about security in many different ways.

This year’s schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, and ninth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops.

I don’t think any of us imagined that this conference would be around this long.

Managing a Remote Workforce

Post Syndicated from Natalie C original https://www.backblaze.com/blog/managing-a-remote-workforce/

While Backblaze has customers all around the globe, the company itself is a pretty small enterprise with just over 50 employees. Many of those employees are actually remote. 75% of Backblaze employees work from the main Backblaze office (San Mateo), 15% are datacenter employees, and 10% work remotely full-time.

Many companies that were the pioneers with flexible work arrangements are now pulling back and asking their employees to report into an office. Why? Some part of that is due to not knowing how to manage these types of employees and the belief that having an employee in the office will improve work performance.

At Backblaze, we think that managing our diverse workforce is certainly a challenge… but, as the saying goes, the juice is worth the squeeze.

Communication is Key

When Backblaze first started, everyone worked out of the same room. Being 5’ away from someone tends to make communication easy (sometimes too easy). The first datacenter was just a few miles away, so if we needed to do something in it, we’d just hop in a car and drive over – calling co-workers from our cell-phones if we needed some help or guidance. Now, things have changed slightly and we use a lot of different tools to talk amongst ourselves.

It started with emails, then morphed into Gchat, then to Google Hangouts, and now we have a whole suite of communication tools. We use Hangouts and Slack to chat internally, Meet for video conferencing to bridge remote employees, and good old fashioned telephones when the need arises. Tools like Trello, Redbooth, and Jira can help with project management as well – making sure that everyone stays on the same page.

For HR related needs, we use a variety of tools/perks to simplify employees’ lives whether they are at the office or at home enjoying time with their families. These tools include a Human Resource Information System (“HRIS”) called Namely, Expensify (expenses), Eshares (stock), Fond (perks) and Heal.

The most popular tool we use is Slack. Each department, location, product, and support group has its own channel. We also have social channels where all the GIFs and news links live. Slack also has the added benefit of allowing us to limit what information is discussed where. For example, contract employees do not have access to channels that go beyond their scope and focus areas.

Solve for Culture, not Offsite v Onsite

One of the keys to managing a remote workforce is realizing that you’re solving for overall culture. It’s not about whether any group of employees is in office X or Y. The real question is: Are we creating an environment where we remove the friction from people performing their roles? There are follow-up questions like “do we have the right roles defined?” and “do we have people in roles where they will succeed?”. But by looking at managing our workforce from that point of view, it makes it easier to identify what tools and resources we need to be successful.

There’s no right way to manage remote employees. Every work environment is different and the culture, available technology, and financial capability affects how employees can interact. Backblaze went through a ton of iterations before we found the right tools for what we were trying to accomplish, and we’re constantly evolving and experimenting. But we have found some consistent patterns…

Nothing Beats Human Interaction

Even with all of the communication tools at our disposal, getting together in person is still the best way to get through projects and make sure everyone is on the same page. While having group meetings via Slack and Meet is great for planning, inevitably something will fall through the cracks or get lost in cyberspace due to poor connections. We combat this by having all of our remote employees come to the main office once every two months. When we hired our first remote engineers this was a once-a-month visit, but as we got more accustomed to working together and over the web, we scaled it back.

These visits allow our engineers to be in the office, be part of meetings that they’d otherwise miss, and meet any new employees we’ve hired. We think it’s important for people to know who they’re working with, and we love that everyone at Backblaze knows (or at least recognizes) each other. We also plan our company outings around these visits, and this brings about a great company culture since we get a chance to be out of the office together and interact socially – which is a lot more fun than interacting professionally.

Don’t Fear HR

When you have a small workforce, duties can sometimes be divided amongst a variety of people – even if those duties don’t pertain to their ‘day job’. Having a full-time HR person allowed folks to jettison some of their duties, and allowed them to get back to their primary job functions. It also allowed HR to handle delicate matters, many of which were amongst the most dreaded for folks who were covering some of the responsibilities.

What we’ve found in creating the full-time HR role for our remote workforce was that we finally had an expert on all HR-related things. This meant that we had someone who knew the laws of the land inside and out and could figure out how the different healthcare systems worked in the states where our employees reside (no small feat).

But Why Bother?

There is a principal question that we haven’t yet addressed: Why do we even have remote employees? This gets back to the idea of looking at the culture and environment first. At Backblaze, we look to hire the right person. There are costs to having remote employees, but if they are the right person for the role (when accounting for the “costs”), then that’s the right thing to do. Backblaze is performance driven, not based on attendance and how long you stay at the office. I believe you need a balance of both office work and remote work to allow the employee to be most productive. But every company and setting is different, so experiments need to take place to figure out what would be the perfect blend for your team atmosphere.


Pirate Site Pubfilm Taunts Hollywood With Domain Name Whac-A-Mole

Post Syndicated from Ernesto original https://torrentfreak.com/pirate-site-pubfilm-taunts-hollywood-with-domain-name-whac-a-mole-170525/

In recent years, most large pirate sites have faced domain name issues of some kind, which can be quite frustrating.

Copyright holders realize that going after a website’s domain name is a good way to decrease its traffic. Eventually, the site owner might even give up entirely.

The major Hollywood studios might have had this in mind as one of their main goals when they filed a complaint against the pirate site Pubfilm earlier this year.

The lawsuit was kept sealed initially, to prevent Pubfilm’s operator from moving to a new domain preemptively, hoping that this would maximize the effect. This worked, as the site was taken by surprise when it lost its domain name through a court order. However, Pubfilm didn’t throw in the towel.

Soon after the pubfilm.com domain name was suspended, the site moved to pubfilm.ac. And that wasn’t all. Pubfilm also started to actively advertise its new domain through Google Adsense, something we had never witnessed before.

Fast forward a few weeks and Pubfilm is still around, and so is the lawsuit. While the Hollywood studios managed to have the new .ac and .io domains suspended, Pubfilm is still not backing off.

Instead, the pirate streaming site now has a series of alternative domain names people can use to access the site.

Pubfilm.is is the main domain name since yesterday, but the operator also has Pubfilm.ru, Pubfilm.eu and Pubfilm.su in hand. These alternatives are actively advertised on the website, so users know where to go if the current domain is suspended.

“Alternative domain names: PUBFILM.IS PUBFILM.EU PUBFILM.RU PUBFILM.SU. Any other domains are fake!!” a notice on the site reads.

The domain name whac-a-mole is reminiscent of a similar situation The Pirate Bay was in two years ago. At the time, the notorious torrent site rotated close to a dozen domain names, before going back to its original .org gTLD.

The difference with Pubfilm, however, is that Hollywood has a US court order which they can wave at registrars and registries. This makes it easier to have domains suspended, although that’s not guaranteed.

We expect that other pirate sites will keep a close eye on the current situation. Instead of crushing Pubfilm, MPAA’s lawsuit may turn into a field experiment to see what domain names are safe from a US court order, which is not something Hollywood hoped for.

To be continued.


Ransomware and the Internet of Things

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/ransomware_and_.html

As devastating as the latest widespread ransomware attacks have been, it’s a problem with a solution. If your copy of Windows is relatively current and you’ve kept it updated, your laptop is immune. It’s only older unpatched systems on your computer that are vulnerable.

Patching is how the computer industry maintains security in the face of rampant Internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the code that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn’t a perfect system, but it’s the best we have.

But it is a system that’s going to fail in the “Internet of things”: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don’t have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don’t even have the ability to be patched.

Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We’re going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we’re not going to be able to secure these devices.

Like every other instance of product safety, this problem will never be solved without considerable government involvement.

For years, I have been calling for more regulation to improve security in the face of this market failure. In the short term, the government can mandate that these devices have more secure default configurations and the ability to be patched. It can issue best-practice regulations for critical software and make software manufacturers liable for vulnerabilities. It’ll be expensive, but it will go a long way toward improved security.

But it won’t be enough to focus only on the devices, because these things are going to be around and on the Internet much longer than the two to three years we use our phones and computers before we upgrade them. I expect to keep my car for 15 years, and my refrigerator for at least 20 years. Cities will expect the networks they’re putting in place to last at least that long. I don’t want to replace my digital thermostat ever again. Nor, if I ever need one, do I want a surgeon to ever have to go back in to replace my computerized heart defibrillator in order to fix a software bug.

No amount of regulation can force companies to maintain old products, and it certainly can’t prevent companies from going out of business. The future will contain billions of orphaned devices connected to the web that simply have no engineers able to patch them.

Imagine this: The company that made your Internet-enabled door lock is long out of business. You have no way to secure yourself against the ransomware attack on that lock. Your only option, other than paying, and paying again when it’s reinfected, is to throw it away and buy a new one.

Ultimately, we will also need the network to block these attacks before they get to the devices, but there again the market will not fix the problem on its own. We need additional government intervention to mandate these sorts of solutions.

None of this is welcome news to a government that prides itself on minimal intervention and maximal market forces, but national security is often an exception to this rule. Last week’s cyberattacks have laid bare some fundamental vulnerabilities in our computer infrastructure and serve as a harbinger. There’s a lot of good research into robust solutions, but the economic incentives are all misaligned. As politically untenable as it is, we need government to step in to create the market forces that will get us out of this mess.

This essay previously appeared in the New York Times. Yes, I know I’m repeating myself.

Facebook Bans Sale of Piracy-Enabling Products & Devices

Post Syndicated from Andy original https://torrentfreak.com/facebook-bans-sale-of-piracy-enabling-products-devices-170525/

Riding the crest of a wave made possible by the rise of Internet streaming, piracy-enabled set-top boxes and similar devices have been hitting the homes of millions around the globe.

Often given the broad title of ‘Kodi Boxes’ after the legal open source software that commonly comes pre-installed, these devices are regularly configured for piracy with the aid of third-party addons.

Easy to use, set-top devices have opened up piracy to a whole new audience, normalizing it during the process. It’s a problem now being grappled with by anti-piracy outfits in a number of ways, including putting pressure on services where the boxes are being sold.

Now there are signs that Facebook has decided – or more likely been persuaded – to ban the sale of these devices from its platform. The latest addition to its Commerce Policy carries a new rule (13) which targets infringing set-top boxes almost perfectly.

“Items, products or services sold on Facebook must comply with our Community Standards, as well as the Commerce Policies,” the page reads.

“Sale of the following is prohibited on Facebook: Products or items that facilitate or encourage unauthorized access to digital media.”

The move by Facebook follows similar overtures from Amazon back in March. In a change to its policies, the company said that devices that promote or facilitate infringement would not be tolerated.

“Products offered for sale on Amazon should not promote, suggest the facilitation of, or actively enable the infringement of or unauthorized access to digital media or other protected content,” Amazon said.

“Any streaming media player or other device that violates this policy is prohibited from sale on Amazon,” the company added.

The recent move by Facebook was welcomed by Federation Against Copyright Theft chief, Kieron Sharp.

“It is great to see Facebook follow the likes of Amazon and eBay in making changes to their policies to prohibit the sale of illicit streaming devices on their platforms,” Sharp said.

“These days social media sites are more than just a place to share photos and comments with friends and family. Unfortunately, the fast-paced development of these sites is being exploited by opportunists for criminal activity which needs to be disrupted.”

The sale of infringing devices on social media does indeed pose a challenge to the likes of FACT.

While most piracy devices have traditionally needed an expert touch to configure and then sell, in 2017 almost anyone can buy a standard Android device and set it up for piracy in a matter of minutes. This means that every interested citizen is a potential seller and Facebook provides a perfect platform that people are already familiar with.

Nevertheless, recent rulings from the EU Court of Justice have clarified two key issues, both of which will help in the fight to reduce the availability of ‘pirate’ boxes, wherever they appear.

In April, the ECJ declared such devices illegal to sell while clarifying that users who stream pirate content to their homes are also breaking the law.

It’s unlikely that any end users will be punished (particularly to the ridiculous extent erroneously reported by some media), but it certainly helps to demonstrate illegality across the board when outfits like FACT are considering prosecutions.


[$] New CPython workflow issues

Post Syndicated from jake original https://lwn.net/Articles/723418/rss

As part of a discussion in 2014 about where to host some of the Python repositories, Brett Cannon was delegated the task of determining where they should end up. In early 2016, he decided that Python’s code and other repositories (e.g. PEPs) should land at GitHub; at last year’s language summit, he gave an overview of where things stood with a few repositories that had made the conversion. Since that time, the CPython repository has made the switch and he wanted to discuss some of the workflow issues surrounding that move at this year’s summit.

Was The Disney Movie ‘Hacking Ransom’ a Giant Hoax?

Post Syndicated from Andy original https://torrentfreak.com/was-the-disney-movie-hacking-ransom-a-giant-hoax-170524/

Last Monday, during a town hall meeting in New York, Disney CEO Bob Iger informed a group of ABC employees that hackers had stolen one of the company’s movies.

The hackers allegedly said they’d keep the leak private if Disney paid them a ransom. In response, Disney indicated that it had no intention of paying. Setting dangerous precedents in this area is unwise, the company no doubt figured.

After Hollywood Reporter broke the news, Deadline followed up with a report which further named the movie as ‘Pirates of the Caribbean: Dead Men Tell No Tales’, a fitting movie to parallel an emerging real-life swashbuckling plot, no doubt.

What the Deadline article didn’t do was offer any proof that Pirates 5 was the movie in question. Out of the blue, however, it did mention that a purported earlier leak of The Last Jedi had been revealed by “online chatter” to be a fake. Disney refused to comment.

Armed with this information, TF decided to have a dig around. Was Pirates 5 being discussed within release groups as being available, perhaps? Initially, our inquiries drew a complete blank but then out of the blue we found ourselves in conversation with the person claiming to be the Disney ‘hacker’.

“I can provide the original emails sent to Disney as well as some other unknown details,” he told us via encrypted mail.

We immediately asked several questions. Was the movie ‘Pirates 5’? How did he obtain the movie? How much did he try to extort from Disney? ‘EMH,’ as we’ll call him, quickly replied.

“It’s The Last Jedi. Bob Iger never made public the title of the film, Deadline was just going off and naming the next film on their release slate,” we were told. “We demanded 2BTC per month until September.”

TF was then given copies of correspondence that EMH had been having with numerous parties about the alleged leak. They included discussions with various release groups, a cyber-security expert, and Disney.

The email was purportedly sent to Disney on May 1 (a screenshot accompanied the original article). The Hollywood Reporter article, published two weeks later, noted the following:

“The Disney chief said the hackers demanded that a huge sum be paid in Bitcoin. They said they would release five minutes of the film at first, and then in 20-minute chunks until their financial demands are met,” HWR wrote.

While the email to Disney looked real enough, the proof of any leaked pudding is in the eating. We asked EMH how he had demonstrated to Disney that he actually has the movie in his possession. Had screenshots or clips been sent to the company? We were initially told they had not (plot twists were revealed instead) so this immediately raised suspicions.

Nevertheless, EMH then went on to suggest that release groups had shown interest in the copy and he proved that by forwarding his emails with them to TF.

“Make sure they know there is still work to be done on the CGI characters. There are little dots on their faces that are visible. And the colour grading on some scenes looks a little off,” EMH told one group, who said they understood.

“They all understand its not a completed workprint.. that is why they are sought after by buyers.. exclusive stuff nobody else has or can get,” they wrote back.

“That why they pay big $$$ for it.. a completed WP could b worth $25,000,” the group’s unedited response reads.

But despite all the emails and discussion, we were still struggling to see how EMH had shown to anyone that he really had The Last Jedi. We then learned, however, that screenshots had been sent to blogger Sam Braidley, a Cyber Security MSc and Computer Science BSc Graduate.

Since the information sent to us by EMH confirmed discussion had taken place with Braidley concerning the workprint, we contacted him directly to find out what he knew about the supposed Pirates 5 and/or The Last Jedi leak. He was very forthcoming.

“A user going by the username of ‘Darkness’ commented on my blog about having a leaked copy of The Last Jedi from a contact he knew from within Lucas Films. Of course, this garnered a lot of interest, although most were cynical of its authenticity,” Braidley explained.

The claim that ‘Darkness’ had obtained the copy from a contact within Lucasfilm was certainly of interest, since up to now the press narrative had been that Disney or one of its affiliates had been ‘hacked.’

After confirming that ‘Darkness’ used the same email as our “EMH,” we asked EMH again. Where had the movie been obtained from?

“Wasn’t hacked. Was given to me by a friend who works at a post production company owned by [Lucasfilm],” EMH said. After further prompting he reiterated: “As I told you, we obtained it from an employee.”

If they weren’t ringing loudly enough already, alarm bells were now well and truly clanging. Who would reveal where they’d obtained a super-hot leaked movie from when the ‘friend’ is only one step removed from the person attempting the extortion? Who would take such a massive risk?

Braidley wasn’t buying it either.

“I had my doubts following the recent [Orange is the New Black] leak from ‘The Dark Overlord,’ it seemed like someone trying to live off the back of its press success,” he said.

Braidley told TF that Darkness/EMH seemed keen for him to validate the release, as a member of a well-known release group didn’t believe that it was real, something TF confirmed with the member. A screenshot was duly sent over to Braidley for his seal of approval.

“The quality was very low and the scene couldn’t really show that it was in fact Star Wars, let alone The Last Jedi,” Braidley recalls, noting that other screenshots were considered not to be from the movie in question either.

Nevertheless, Darkness/EMH later told Braidley that another big release group had only declined to release the movie due to the possibility of security watermarks being present in the workprint.

Since no groups had heard of a credible Pirates 5 leak, the claims that release groups were in discussion over the leaking of The Last Jedi intrigued us. So, through trusted sources and direct discussion with members, we tried to learn more.

While all groups admitted being involved or at least being aware of discussions taking place, none appeared to believe that a movie had been obtained from Disney, was being held for ransom, or would ever be leaked.

“Bullshit!” one told us. “Fake news,” said another.

With not even well-known release groups believing that leaks of The Last Jedi or Pirates 5 are anywhere on the horizon, that brought us full circle to the original statement by Disney chief Bob Iger claiming that a movie had been stolen.

What we do know for sure is that everything reported initially by Hollywood Reporter about a ransom demand matches up with statements made by Darkness/EMH to TorrentFreak, Braidley, and several release groups. We also know from copy emails obtained by TF that the discussions with the release groups took place well before HWR broke the story.

With Disney not commenting on the record to either HWR or Deadline (publications known to be Hollywood-friendly) it seemed unlikely that TF would succeed where they had failed.

So, without compromising any of our sources, we gave a basic outline of our findings to a previously receptive Disney contact, in an effort to tie Darkness/EMH to the email address that he told us Disney already knew. Predictably, perhaps, we received no response.

At this point one has to wonder. If no credible evidence of a leak has been made available and the threats to leak the movie haven’t been followed through on, what was the point of the whole affair?

Money appears to have been the motive, but it seems likely that none will be changing hands. But would someone really bluff the leaking of a movie to a company like Disney in order to get a ‘ransom’ payment or scam a release group out of a few dollars? Perhaps.

Braidley informs TF that Darkness/EMH recently claimed that he’d had the copy of The Last Jedi since March but never had any intention of leaking it. He did, however, need money for a personal matter involving a family relative.

With this in mind, we asked Darkness/EMH why he’d failed to carry through with his threats to leak the movie, bit by bit, as his email to Disney claimed. He said there was never any intention of leaking the movie “until we are sure it won’t be traced back” but “if the right group comes forward and meets our strict standards then the leak could come as soon as 2-3 weeks.”

With that now seeming increasingly unlikely (but hey, you never know), this might be the final chapter in what turns out to be the famous hacking of Disney that never was. Or, just maybe, undisclosed aces remain up sleeves.

“Just got another comment on my blog from [Darkness],” Braidley told TF this week. “He now claims that the Emoji movie has been leaked and is being held to ransom.”

Simultaneously, he was telling TF the same thing. ‘Hacking’ announcement from Sony coming soon? Stay tuned…

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

The Pi Who Loved Me

Post Syndicated from Alex Bate original https://www.raspberrypi.org/blog/be-james-bond/

Fancy yourself as James Bond? In honour of English treasure Roger Moore, we think it’s high time we all became a little more MI5 and a little less MIDoneYet?


It’s been a while and M is worried you’re a little…rusty. Best head back to training: go see Q. He has everything you need to get back in shape, both physically and mentally, for the challenges ahead!

Training Camp

Q here, good to have you back.


First things first: we need to work on your skills and get you ready for your next assignment. Let’s start with your reaction times. This skill is critical in preparing you for stealthy situations and averting detection.

Head into my office and grab a Raspberry Pi, LED, and a button to build your own Python Quick Reaction Game. Not only will it help you brush up on your quick thinking, it’ll also teach you how to wire a circuit, use variables, and gather information. This could be key in getting you out of some sticky situations further down the line if you find yourself without one of my gadgets.


Though speaking of…have you seen our See Like a Bat echolocation device? I’m rather proud of it, even if I do say so myself. Now, even in the darkest of times, you can find your way through any building or maze.

Gathering Intel

We’ll need you to gather some important information for us. But what can you do to make sure no one steals your secret intel? We need you to build a Secret Agent Chat Generator to encrypt information. Once you have completed it, send the information to M via this Morse Code Visual Radio.

To do this, you’ll need a Morse Code Key. You can find them online or at your local war museum, though they may not care for your taking theirs. But we’re spies. And spies are experts in taking forbidden artefacts. After all, this is what your Laser Tripwire training was for. Oh, you haven’t completed it yet?


Well, get to it. Time’s a-wasting!

Locks and Detection

You’re done? Good. Back to the intel.

Until you can find a Morse Code Key, why not hide the information in this Sense HAT Puzzle Box? It’s a wonderful tool to help you learn how to create loops and use conditional statements and functions to create ‘locks’.

You’ll also need to…wait…did you hear that? Someone is listening in, I’m sure of it. Check the Parent Detector to see who is trying to spy on us.

Surveillance


Are they gone? Good. Phew, that was a close one. We can’t be so careless in the future. Let’s set up a Raspberry Pi Zero Time-Lapse Camera for constant surveillance of the training camp. You could also attach the camera to your glasses. No one will notice, and you’ll be able to record images of your missions – vital for debriefing.


Right. That’s all from me. Report back to M for your mission. And remember, this blog post will self-destruct in five…wait, wrong franchise.

Good luck!


Puns

Other Raspberry Pi/James Bond puns include:

  • Live and Let Pi
  • MoonBaker
  • GoldenPi – Starring Pi-s Brosnan
  • Pifall
  • You Only Live Pi-ce
  • Tomorrow Never Pis
  • Pi Another Day
  • Pi-monds Are Forever
  • For Your Pis Only

Any more?

The post The Pi Who Loved Me appeared first on Raspberry Pi.

No, ExtraTorrent Has Not Been Resurrected

Post Syndicated from Ernesto original https://torrentfreak.com/no-extratorrent-has-not-been-resurected-170524/

Last week the torrent community entered a state of shock when another major torrent site closed its doors.

Having served torrents to the masses for over a decade, ExtraTorrent decided to throw in the towel, without providing any detail or an apparent motive.

The only strong message sent out by ExtraTorrent’s operator was to “stay away from fake ExtraTorrent websites and clones.”

Fast forward a few days and the first copycats have indeed appeared online. While this was expected, it’s always disappointing to see “news” sites, including the likes of Forbes and The Inquirer, giving them exposure without doing thorough research.

“We are a group of uploaders and admins from ExtraTorrent. As you know, SAM from ExtraTorrent pulled the plug yesterday and took all data offline under pressure from authorities. We were in deep shock and have been working hard to get it back online with all previous data,” the email, sent out to several news outlets read.

What followed was a flurry of ‘ExtraTorrent is back’ articles and thanks to those, a lot of people now think that Extratorrent.cd is a true resurrection operated by the site’s former staffers and fans.

However, aside from its appearance, the site has absolutely nothing to do with ET.

The site is an imposter operated by the same people who also launched Kickass.cd when KAT went offline last summer. In fact, the content on both sites doesn’t come from the defunct sites they try to replace, but from The Pirate Bay.

Yes indeed, ExtraTorrent.cd is nothing more than a Pirate Bay mirror with an ExtraTorrent skin.

There are several signs clearly showing that the torrents come from The Pirate Bay. Most easy to spot, perhaps, is a comparison of search results which are identical on both sites.

[Image: “Chaparall” search on Extratorrent.cd]

The ExtraTorrent “resurrection” even lists TPB’s oldest active torrent from March 2004, which was apparently uploaded long before the original ExtraTorrent was launched.

[Image: “Chaparall” search on TPB]

TorrentFreak is in touch with proper ex-staffers of ExtraTorrent who agree that the site is indeed a copycat. Some ex-staffers are considering the launch of a new ET version, just like the KAT admins did in the past, but if that happens, it will take a lot more time.

“At the moment we are all figuring out how to go about getting it back up and running in a proper fashion, but as you can imagine there a lot of obstacles and arguments, lol,” ex-ET admin Soup informed us.

So, for now, there is no real resurrection. ExtraTorrent.cd sells itself as much more than it is, as it did with Kickass.cd. While the site doesn’t have any malicious intent, aside from luring old ET members under false pretenses, people have the right to know what it really is.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

MariaDB 10.2 GA released with several advanced features

Post Syndicated from Michael "Monty" Widenius original http://monty-says.blogspot.com/2017/05/mariadb-102-ga-released-with-several.html

MariaDB 10.2.6 GA is now released. It’s a release where we have concentrated on adding new advanced features to MariaDB.

The most noteworthy ones are:

  • Window functions give you the ability to do advanced calculations over a sliding window.
  • Common table expressions allow you to write more complex SQL statements without having to create explicit temporary tables.
  • We finally have a DEFAULT clause that can take expressions, and also CHECK constraints.
  • Multiple triggers for the same event. This is important for anyone trying to use tools, like pt-online-schema-change, which require multiple triggers for the same table.
  • A new storage engine, MyRocks, that gives you high compression of your data without sacrificing speed. It has been developed in cooperation between Facebook and MariaDB to allow you to handle more data with fewer resources.
  • Flashback, a feature that can roll back instances/databases/tables to an old snapshot. The version in MariaDB 10.2 is DML only. In MariaDB 10.3 we will also allow rollback over DDL (like DROP TABLE).
  • Compression of events in the binary log.
  • JSON functions added. In 10.2.7 we will also add support for CREATE TABLE … (a JSON).
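As an added illustration, not code from the MariaDB announcement or the MariaDB project, the script below exercises several of the 10.2 features listed above on a constructed login-audit table: an expression DEFAULT, enforced CHECK constraints, two triggers on the same event ordered with FOLLOWS, a window function over a sliding window of the last five login attempts per user, and a common table expression that filters on the windowed value. It assumes a MariaDB 10.2 server and a scratch schema; every table, column and trigger name here is made up for the example.

```sql
-- Added example (not from the MariaDB 10.2 announcement). Assumes MariaDB 10.2.
-- All table, column and trigger names are assumptions made for this illustration.

CREATE TABLE login_events (
  id         BIGINT AUTO_INCREMENT PRIMARY KEY,
  user_name  VARCHAR(64)  NOT NULL,
  src_ip     VARCHAR(45)  NOT NULL,
  success    TINYINT(1)   NOT NULL,
  occurred   DATETIME     NOT NULL DEFAULT CURRENT_TIMESTAMP,
  -- 10.2: a DEFAULT may be an expression (it must be parenthesised)
  day_key    DATE         NOT NULL DEFAULT (CURDATE()),
  -- 10.2: CHECK constraints are enforced rather than silently ignored
  CONSTRAINT chk_success CHECK (success IN (0, 1)),
  CONSTRAINT chk_user    CHECK (CHAR_LENGTH(user_name) > 0)
);

CREATE TABLE login_audit (
  event_id  BIGINT       NOT NULL,
  note      VARCHAR(128) NOT NULL,
  logged_at DATETIME     NOT NULL DEFAULT CURRENT_TIMESTAMP
);

CREATE TABLE failure_counter (
  user_name VARCHAR(64) PRIMARY KEY,
  failures  INT NOT NULL DEFAULT 0
);

-- 10.2: two AFTER INSERT triggers on the same table, with explicit ordering.
DELIMITER //
CREATE TRIGGER trg_login_audit AFTER INSERT ON login_events
FOR EACH ROW
BEGIN
  -- first trigger: write an audit note for every login attempt
  INSERT INTO login_audit (event_id, note)
  VALUES (NEW.id, CONCAT('login by ', NEW.user_name, ' from ', NEW.src_ip));
END//

CREATE TRIGGER trg_login_failcount AFTER INSERT ON login_events
FOR EACH ROW FOLLOWS trg_login_audit
BEGIN
  -- second trigger, runs after the audit trigger: count failures per user
  IF NEW.success = 0 THEN
    INSERT INTO failure_counter (user_name, failures) VALUES (NEW.user_name, 1)
    ON DUPLICATE KEY UPDATE failures = failures + 1;
  END IF;
END//
DELIMITER ;

-- Constructed sample data: bob fails three times, then succeeds.
INSERT INTO login_events (user_name, src_ip, success, occurred) VALUES
  ('alice', '10.0.0.5', 1, '2017-05-24 09:00:00'),
  ('bob',   '10.0.0.9', 0, '2017-05-24 09:01:00'),
  ('bob',   '10.0.0.9', 0, '2017-05-24 09:01:20'),
  ('bob',   '10.0.0.9', 0, '2017-05-24 09:01:40'),
  ('bob',   '10.0.0.9', 1, '2017-05-24 09:02:00'),
  ('alice', '10.0.0.5', 0, '2017-05-24 09:05:00');

-- 10.2: window function over the last five attempts per user (sliding window),
-- wrapped in a common table expression so the windowed value can be filtered on.
WITH recent AS (
  SELECT user_name, src_ip, occurred, success,
         SUM(1 - success) OVER (
           PARTITION BY user_name
           ORDER BY occurred
           ROWS BETWEEN 4 PRECEDING AND CURRENT ROW
         ) AS failures_in_last_5
  FROM login_events
)
SELECT user_name, src_ip, occurred, failures_in_last_5
FROM recent
WHERE failures_in_last_5 >= 3;
```

With the constructed rows above, the final query returns bob’s attempts at 09:01:40 and 09:02:00 (three failures inside the five-row window in both cases) and nothing for alice. The same running count could be built with a correlated subquery, but the window function computes it in one pass and the CTE keeps the threshold filter readable.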

A few smaller but still noteworthy new features:

  • Connection setup was made faster by moving creation of the THD to a new thread. This, together with better thread caching, can give a connection speedup of up to 85% in some cases.
  • The table cache can automatically partition itself as needed to reduce contention.
  • NO PAD collations, which means that trailing spaces are significant in comparisons.
  • InnoDB is now the default storage engine. Until MariaDB 10.1, MariaDB used the XtraDB storage engine as default. XtraDB in 10.2 is not up to date with the latest features of InnoDB and cannot be used. The main reason for this change is that most of the important features of XtraDB are nowadays implemented in InnoDB. As the MariaDB team is doing a lot more InnoDB development than ever before, we can no longer manage updating two almost identical engines. The InnoDB version in MariaDB contains the best features of MySQL InnoDB and XtraDB and a lot more. As the InnoDB on-disk format is identical to XtraDB’s, this will not cause any problems when upgrading to MariaDB 10.2.
  • The old GPL client library is gone; MariaDB Server now comes with the LGPL Connector/C client library.

There are a lot of other new features, performance enhancements and variables in MariaDB 10.2 for you to explore!

I am happy to see that a lot of the new features have come from the MariaDB community! (Note to myself: this list doesn’t include all contributors to MariaDB 10.2; it needs to be updated.)

Thanks a lot to everyone that has contributed to MariaDB!

Amazon EC2 Container Service – Launch Recap, Customer Stories, and Code

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/amazon-ec2-container-service-launch-recap-customer-stories-and-code/

Today seems like a good time to recap some of the features that we have added to Amazon EC2 Container Service over the last year or so, and to share some customer success stories and code with you! The service makes it easy for you to run any number of Docker containers across a managed cluster of EC2 instances, with full console, API, CloudFormation, CLI, and PowerShell support. You can store your Linux and Windows Docker images in the EC2 Container Registry for easy access.

Launch Recap
Let’s start by taking a look at some of the newest ECS features and some helpful how-to blog posts that will show you how to use them:

Application Load Balancing – We added support for the application load balancer last year. This high-performance load balancing option runs at the application level and allows you to define content-based routing rules. It provides support for dynamic ports and can be shared across multiple services, making it easier for you to run microservices in containers. To learn more, read about Service Load Balancing.

IAM Roles for Tasks – You can secure your infrastructure by assigning IAM roles to ECS tasks. This allows you to grant permissions on a fine-grained, per-task basis, customizing the permissions to the needs of each task. Read IAM Roles for Tasks to learn more.

Service Auto Scaling – You can define scaling policies that scale your services (tasks) up and down in response to changes in demand. You set the desired minimum and maximum number of tasks, create one or more scaling policies, and Service Auto Scaling will take care of the rest. The documentation for Service Auto Scaling will help you to make use of this feature.

Blox – Scheduling, in a container-based environment, is the process of assigning tasks to instances. ECS gives you three options: automated (via the built-in Service Scheduler), manual (via the RunTask function), and custom (via a scheduler that you provide). Blox is an open source scheduler that supports a one-task-per-host model, with room to accommodate other models in the future. It monitors the state of the cluster and is well-suited to running monitoring agents, log collectors, and other daemon-style tasks.

Windows – We launched ECS with support for Linux containers and followed up with support for running Windows Server 2016 Base with Containers.

Container Instance Draining – From time to time you may need to remove an instance from a running cluster in order to scale the cluster down or to perform a system update. Earlier this year we added a set of lifecycle hooks that allow you to better manage the state of the instances. Read the blog post How to Automate Container Instance Draining in Amazon ECS to see how to use the lifecycle hooks and a Lambda function to automate the process of draining existing work from an instance while preventing new work from being scheduled for it.

CI/CD Pipeline with Code* – Containers simplify software deployment and are an ideal target for a CI/CD (Continuous Integration / Continuous Deployment) pipeline. The post Continuous Deployment to Amazon ECS using AWS CodePipeline, AWS CodeBuild, Amazon ECR, and AWS CloudFormation shows you how to build and operate a CI/CD pipeline using multiple AWS services.

CloudWatch Logs Integration – This launch gave you the ability to configure the containers that run your tasks to send log information to CloudWatch Logs for centralized storage and analysis. You simply install the Amazon ECS Container Agent and enable the awslogs log driver.

CloudWatch Events – ECS generates CloudWatch Events when the state of a task or a container instance changes. These events allow you to monitor the state of the cluster using a Lambda function. To learn how to capture the events and store them in an Elasticsearch cluster, read Monitor Cluster State with Amazon ECS Event Stream.

Task Placement Policies – This launch provided you with fine-grained control over the placement of tasks on container instances within clusters. It allows you to construct policies that include cluster constraints, custom constraints (location, instance type, AMI, and attribute), placement strategies (spread or bin pack) and to use them without writing any code. Read Introducing Amazon ECS Task Placement Policies to see how to do this!

EC2 Container Service in Action
Many of our customers from large enterprises to hot startups and across all industries, such as financial services, hospitality, and consumer electronics, are using Amazon ECS to run their microservices applications in production. Companies such as Capital One, Expedia, Okta, Riot Games, and Viacom rely on Amazon ECS.

Mapbox is a platform for designing and publishing custom maps. The company uses ECS to power their entire batch processing architecture to collect and process over 100 million miles of sensor data per day that they use for powering their maps. They also optimize their batch processing architecture on ECS using Spot Instances. The Mapbox platform powers over 5,000 apps and reaches more than 200 million users each month. Its backend runs on ECS allowing it to serve more than 1.3 billion requests per day. To learn more about their recent migration to ECS, read their recent blog post, We Switched to Amazon ECS, and You Won’t Believe What Happened Next.

Travel company Expedia designed their backends with a microservices architecture. With the popularization of Docker, they decided they would like to adopt Docker for its faster deployments and environment portability. They chose to use ECS to orchestrate all their containers because it had great integration with the AWS platform, everything from ALB to IAM roles to VPC integration. This made ECS very easy to use with their existing AWS infrastructure. ECS really reduced the heavy lifting of deploying and running containerized applications. Expedia runs 75% of all apps on AWS in ECS allowing it to process 4 billion requests per hour. Read Kuldeep Chowhan‘s blog post, How Expedia Runs Hundreds of Applications in Production Using Amazon ECS to learn more.

Realtor.com provides home buyers and sellers with a comprehensive database of properties that are currently for sale. Their move to AWS and ECS has helped them to support business growth that now numbers 50 million unique monthly users who drive up to 250,000 requests per second at peak times. ECS has helped them to deploy their code more quickly while increasing utilization of their cloud infrastructure. Read the Realtor.com Case Study to learn more about how they use ECS, Kinesis, and other AWS services.

Instacart talks about how they use ECS to power their same-day grocery delivery service (video in the original post).

Capital One talks about how they use ECS to automate their operations and their infrastructure management (video in the original post).

Code
Clever developers are using ECS as a base for their own work. For example:

Rack is an open source PaaS (Platform as a Service). It focuses on infrastructure automation, runs in an isolated VPC, and uses a single-tenant build service for security.

Empire is also an open source PaaS. It provides a Heroku-like workflow and is targeted at small and medium sized startups, with an emphasis on microservices.

Cloud Container Cluster Visualizer (c3vis) helps to visualize resource utilization within ECS clusters (screenshot in the original post).

Stay Tuned
We have plenty of new features in the works for ECS, so stay tuned!

Jeff;


LibreOffice leverages Google’s OSS-Fuzz to improve quality of office suite

Post Syndicated from ris original https://lwn.net/Articles/723566/rss

The Document Foundation looks at the progress made in improving the quality and reliability of LibreOffice’s source code by using Google’s OSS-Fuzz. “Developers have used the continuous and automated fuzzing process, which often catches issues just hours after they appear in the upstream code repository, to solve bugs – and potential security issues – before the next binary release.

LibreOffice is the first free office suite in the marketplace to leverage Google’s OSS-Fuzz. The service, which is associated with other source code scanning tools such as Coverity, has been integrated into LibreOffice’s security processes – under Red Hat’s leadership – to significantly improve the quality of the source code.”

Hughes: Updating Logitech Hardware on Linux

Post Syndicated from corbet original https://lwn.net/Articles/723527/rss

Richard Hughes describes his work to address the MouseJack vulnerability in Logitech (and other) receivers. This vulnerability allows an attacker to pair new devices with the receiver with no user interaction or awareness, and, thus, take over the machine. “This makes sitting in a café quite a dangerous thing to do when any affected hardware is inserted, which for the unifying dongle is quite likely as it’s explicitly designed to remain in an empty USB socket.”

Logitech has provided firmware updates, but not for “unsupported” platforms like Linux. Hughes has filled that gap by getting documentation and a fixed firmware image from Logitech and adding support for these devices to fwupd. He is now looking for testers to ensure that the whole thing works across all devices. This is important work that is well worth supporting.

Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users, Researchers Warn

Post Syndicated from Ernesto original https://torrentfreak.com/malicious-subtitles-threaten-kodi-vlc-and-popcorn-time-users-researchers-warn-170523/

Online streaming is booming, and applications such as Kodi, Popcorn Time and VLC have millions of daily users.

Some of these use pirated videos, often in combination with subtitles provided by third-party repositories.

While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of their users.

Researchers from Check Point, who uncovered the problem, describe the subtitle ‘attack vector’ as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” they write.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In a demonstration video, using Popcorn Time, the researchers show how easy it is to compromise the system of a potential victim.

[Video: a demo of the subtitles vulnerability]

XBMC Foundation’s Project lead Martijn Kaijser informs TorrentFreak that the Kodi team is aware of the situation, which they will address soon. “We will release 17.2 which will have the fix this week,” he told us.

VLC’s VideoLAN addressed the issue as well, and doesn’t expect that it is still exploitable.

“The VLC bug is not exploitable. The first big issue was fixed in 2.2.5. There are 2 other small issues, that will be fixed in 2.2.6,” VideoLAN informed us.

The team behind PopcornTime.sh applied a fix several months ago after the researchers approached them, TorrentFreak is informed. The Popcorn Time team trusts their subtitle provider OpenSubtitles but says that it now sanitizes malicious subtitle files, including those added by users.

The same applies to the Butter project, which is closely related to Popcorn Time. Butter was not contacted by Check Point but their fix is visible in a GitHub commit from February.

“None of the Butter Project developers were contacted by the research group. We’d love to have them talk to us if our code is still vulnerable. To the extent of our research it is not, but we’d like the ‘responsible disclosure’ terms to actually mean something,” The Butter project informs TorrentFreak.

Finally, another fork, Popcorn-Time.to, also informed us that they are not affected by the reported vulnerability.

The Check Point researchers expect that other applications may also be affected. They do not disclose any technical details at this point, nor do they state which of the applications successfully addressed the vulnerability.

“Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point,” the researchers state.

More updates will be added if more information becomes available. For now, however, people who regularly use subtitle files should remain vigilant.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

The Future of Ransomware

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/the_future_of_r.html

Ransomware isn’t new, but it’s increasingly popular and profitable.

The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It’s extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay, sometimes even offering a help line for victims unsure how to buy bitcoin. The price is designed to be cheap enough for people to pay instead of giving up: a few hundred dollars in many cases. Those who design these systems know their market, and it’s a profitable one.

The ransomware that has affected systems in more than 150 countries recently, WannaCry, made press headlines last week, but it doesn’t seem to be more virulent or more expensive than other ransomware. This one has a particularly interesting pedigree: It’s based on a vulnerability developed by the National Security Agency that can be used against many versions of the Windows operating system. The NSA’s code was, in turn, stolen by an unknown hacker group called Shadow Brokers, widely believed by the security community to be the Russians, in 2014 and released to the public in April.

Microsoft patched the vulnerability a month earlier, presumably after being alerted by the NSA that the leak was imminent. But the vulnerability affected older versions of Windows that Microsoft no longer supports, and there are still many people and organizations that don’t regularly patch their systems. This allowed whoever wrote WannaCry, and it could be anyone from a lone individual to an organized crime syndicate, to use it to infect computers and extort users.

The lessons for users are obvious: Keep your system patches up to date and regularly back up your data. This isn’t just good advice to defend against ransomware, but good advice in general. But it’s becoming obsolete.

Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It’s coming, and it’s coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.

It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.

This isn’t just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it’s cold enough outside. If the device under attack has no screen, you’ll get the message on the smartphone app you control it from.

Hackers don’t even have to come up with these ideas on their own; the government agencies whose code was stolen were already doing it. One of the leaked CIA attack tools targets Internet-enabled Samsung smart televisions.

Even worse, the usual solutions won’t work with these embedded systems. You have no way to back up your refrigerator’s software, and it’s unclear whether that solution would even work if an attack targets the functionality of the device rather than its stored data.

These devices will be around for a long time. Unlike our phones and computers, which we replace every few years, cars are expected to last at least a decade. We want our appliances to run for 20 years or more, our thermostats even longer.

What happens when the company that made our smart washing machine — or just the computer part — goes out of business, or otherwise decides that they can no longer support older models? WannaCry affected Windows versions as far back as XP, a version that Microsoft no longer supports. The company broke with policy and released a patch for those older systems, but it has both the engineering talent and the money to do so.

That won’t happen with low-cost IoT devices.

Those devices are built on the cheap, and the companies that make them don’t have the dedicated teams of security engineers ready to craft and distribute security patches. The economics of the IoT doesn’t allow for it. Even worse, many of these devices aren’t patchable. Remember last fall when the Mirai botnet infected hundreds of thousands of Internet-enabled digital video recorders, webcams and other devices and launched a massive denial-of-service attack that resulted in a host of popular websites dropping off the Internet? Most of those devices couldn’t be fixed with new software once they were attacked. The way you update your DVR is to throw it away and buy a new one.

Solutions aren’t easy and they’re not pretty. The market is not going to fix this unaided. Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at its expense. We need to assign liabilities to companies that write insecure software that harms people, and possibly even issue and enforce regulations that require companies to maintain software systems throughout their life cycle. We may need minimum security standards for critical IoT devices. And it would help if the NSA got more involved in securing our information infrastructure and less in keeping it vulnerable so the government can eavesdrop.

I know this all sounds politically impossible right now, but we simply cannot live in a future where everything – from the things we own to our nation’s infrastructure – can be held for ransom by criminals again and again.

This essay previously appeared in the Washington Post.

Reddit’s Piracy Sub-Reddit Reopens After Mutiny Shutdown

Post Syndicated from Andy original https://torrentfreak.com/reddits-piracy-sub-reddit-reopens-after-mutiny-shutdown-170523/

For millions of people, Reddit is one of the most popular sources of news online. Arguably, though, the site’s real value lies with its users.

Like any community, Reddit user comments can range from the brilliantly informed to the deliberately destructive. But, more often than not, the weight of the crowd tends to get to the truth, sometimes with the help of the site’s moderators.

Each section of Reddit (known as a ‘sub-Reddit’) is dedicated to a particular topic and is controlled by a team of moderators. While mileage can vary, moderators tend to do a good job and are often relied upon to settle disputes and hold errant users to the rules.

Last night in /r/piracy (a sub-Reddit with close to 100,000 subscribers) one moderator went rogue, which resulted in the sub-Reddit being shut down.

According to one of the moderators now in charge of /r/piracy, a now-former moderator by the name of Samewhiterabbits committed a sin by using the sub-Reddit to further his own agenda. ‘Dysgraphical’ says that the problems started when Samewhiterabbits began heavily spamming the ‘sub’ with links to his own streaming website projects.

Apparently, this has been going on for some time, with Samewhiterabbits standing accused of launching, promoting and spamming websites that have the same names as existing and/or defunct platforms, but claiming them to be the real deal.

“Samewhiterabbits is using r/Piracy as a platform to spam his monetized website forks which he claims as official,” Dysgraphical said in a statement.

“This isn’t recent activity but rather his model. He capitalizes from streaming sites that were shut down and spams his new domain(s) as the new home for the aforementioned streaming site.

“This moderator explicitly deletes competing stream sites and uses alternative account(s) to spam his monetized stream sites. It is not only blatant spam, but censorship as well.”

After another post appeared promoting ‘popular streaming sites’ that the /r/piracy team as a whole had no hand in, moderators including Dysgraphical and TheWalkingTroll stepped in to sort out the problem.

They were met with resistance, with Samewhiterabbits – who still had moderator powers – taking several popular threads ‘hostage’ and stopping the rest of the mod team from ending the wave of misleading spam.

“He has held several threads hostage by locking/removing them to censor any critique or mention of his shady wrongdoings. With limited moderation privileges, the most we can do at the moment is delete his threads,” Dysgraphical reported last night.

While sorting out the problem, /r/piracy was shut down or, more accurately, made ‘private’. Then, in order to move forward, the moderators applied for more power (known as ‘permissions’ in forum speak) to remove the errant mod from the team.

To achieve that, an application was made to Reddit’s admins (those at the top of the site) who responded extremely quickly to help sort out the mess.

“A few of us now have full permissions. Thankfully the admins were rather quick in their response (given they can take several days) and we got this sorted quickly,” Dysgraphical reports.

Once that power was in the right hands, justice was served in the manner determined by the rest of the team. A few hours ago, Samewhiterabbits was reported banned from /r/piracy and everything started to get back to normal.

While online ‘drama’ like this predates the Internet, this particular situation does highlight the importance of having responsible moderators on any discussion platform. There is often an assumption that these figures are in authority because they can be trusted, but that is not necessarily so.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Hello World issue 2: celebrating ten years of Scratch

Post Syndicated from Carrie Anne Philbin original https://www.raspberrypi.org/blog/hello-world-issue-2/

We are very excited to announce that issue 2 of Hello World is out today! Hello World is our magazine about computing and digital making, written by educators, for educators. It is a collaboration between the Raspberry Pi Foundation and Computing at School, part of the British Computing Society.

We’ve been extremely fortunate to be granted an exclusive interview with Mitch Resnick, Leader of the Scratch Team at MIT, and it’s in the latest issue. All around the world, educators and enthusiasts are celebrating ten years of Scratch, MIT’s block-based programming language. Scratch has helped millions of people to learn the building blocks of computer programming through play, and is our go-to tool at Code Clubs everywhere.

Cover of issue 2 of Hello World magazine

A magazine by educators, for educators.

This packed edition of Hello World also includes news, features, lesson activities, research and opinions from Computing At School Master Teachers, Raspberry Pi Certified Educators, academics, informal learning leaders and brilliant classroom teachers. Highlights (for me) include:

  • A round-up of digital making research from Oliver Quinlan
  • Safeguarding children online by Penny Patterson
  • Embracing chaos inside and outside the classroom with Code Club’s Rik Cross, Raspberry Jam-maker-in-chief Ben Nuttall, Raspberry Pi Certified Educator Sway Grantham, and CPD trainer Alan O’Donohoe
  • How MicroPython on the Micro:bit is inspiring a generation, by Nicholas Tollervey
  • Incredibly useful lesson activities on programming graphical user interfaces (GUI) with guizero, simulating logic gates in Minecraft, and introducing variables through storytelling.
  • Exploring computing and gender through Girls Who Code, Cyber First Girls, the BCS Lovelace Colloquium, and Computing At School’s #include initiative
  • A review of browser-based IDEs

Get your copy

Hello World is available as a free Creative Commons download for anyone around the world who is interested in Computer Science and digital making education. Grab the latest issue straight from the Hello World website.

Thanks to the very generous support of our sponsors BT, we are able to offer a free printed version of the magazine to serving educators in the UK. It’s for teachers, Code Club volunteers, teaching assistants, teacher trainers, and others who help children and young people learn about computing and digital making. Remember to subscribe to receive your free copy, posted directly to your home.

Get involved

Are you an educator? Then Hello World needs you! As a magazine for educators by educators, we want to hear about your experiences in teaching technology. If you hear a little niggling voice in your head say “I’m just a teacher, why would my contributions be useful to anyone else?” stop immediately. We want to hear from you, because you are amazing!

Get in touch: contact@helloworld.cc with your ideas, and we can help get them published.


The post Hello World issue 2: celebrating ten years of Scratch appeared first on Raspberry Pi.