
EC2 Reserved Instance Update – Convertible RIs and Regional Benefit

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/ec2-reserved-instance-update-convertible-ris-and-regional-benefit/

We launched EC2 Reserved Instances almost eight years ago. The model that we originated in 2009 provides you with two separate benefits: capacity reservations and a significant discount on the use of specific instances in an Availability Zone. Over time, based on customer feedback, we have refined the model and made additional options available including Scheduled Reserved Instances, the ability to Modify Reserved Instances Reservations, and the ability to buy and sell Reserved Instances (RIs) on the Reserved Instance Marketplace.

Today we are enhancing the Reserved Instance model once again. Here’s what we are launching:

Regional Benefit – Many customers have told us that the discount is more important than the capacity reservation, and that they would be willing to trade it for increased flexibility. Starting today, you can choose to waive the capacity reservation associated with a Standard RI, run your instance in any AZ in the Region, and have your RI discount automatically applied.

Convertible Reserved Instances – Convertible RIs give you even more flexibility and offer a significant discount (typically 45% compared to On-Demand). They allow you to change the instance family and other parameters associated with a Reserved Instance at any time. For example, you can convert C3 RIs to C4 RIs to take advantage of a newer instance type, or convert C4 RIs to M4 RIs if your application turns out to need more memory. You can also use Convertible RIs to take advantage of EC2 price reductions over time.

Let’s take a closer look…

Regional Benefit
Reserved Instances (either Standard or Convertible) can now be set to automatically apply across all Availability Zones in a region. The regional benefit automatically applies your RIs to instances across all Availability Zones in a region, broadening the application of your RI discounts. When this benefit is used, capacity is not reserved since the selection of an Availability Zone is required to provide a capacity reservation. In dynamic environments where you frequently launch, use, and then terminate instances this new benefit will expand your options and reduce the amount of time you spend seeking optimal alignment between your RIs and your instances. In horizontally scaled architectures using instances launched via Auto Scaling and connected via Elastic Load Balancing, this new benefit can be of considerable value.

After you click on Purchase Reserved Instances in the AWS Management Console, clicking on Search will display RIs that have this new benefit:

You can check Only show offerings that reserve capacity if you want to shop for RIs that apply to a single Availability Zone and also reserve capacity:

Convertible RIs
Perhaps you, like many of our customers, purchase RIs to benefit from the best pricing for your workloads. However, if you don’t have a good understanding of your long-term requirements, you may be able to make use of our new Convertible RI. If your needs change, you simply exchange your Convertible Reserved Instances for other ones. You can change into Convertible RIs that have a new instance type, operating system, or tenancy without resetting the term. Also, there’s no fee for making an exchange and you can do so as often as you like.

When you make the exchange, you must acquire new RIs that are of equal or greater value than those you started with; in some cases you’ll need to make a true-up payment in order to balance the books. The exchange process is based on the list value of each Convertible RI; this value is simply the sum of all payments you’ll make over the remaining term of the original RI.

You can shop for a Convertible RI by setting the Offering Class to Convertible before clicking on Search:

The Convertible RIs offer capacity assurance, are typically priced at a 45% discount when compared to On-Demand, and are available for all current EC2 instance types on a three year term. All three payment options (No Upfront, Partial Upfront, and All Upfront) are available.

Available Now
All of the purchasing and exchange options that I described above can be accessed from the AWS Management Console, AWS Command Line Interface (CLI), AWS Tools for Windows PowerShell, or the Reserved Instance APIs (DescribeReservedInstances, PurchaseReservedInstances, ModifyReservedInstances, and so forth).

Convertible RIs and the regional benefit are available in all public AWS Regions, excluding AWS GovCloud (US) and China (Beijing), which are coming soon.


Jeff;


‘Money Mule’ Gangs Turn to Bitcoin ATMs

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/09/money-mule-gangs-turn-to-bitcoin-atms/

Fraudsters who hack corporate bank accounts typically launder stolen funds by making deposits from the hacked company into accounts owned by “money mules,” willing or unwitting dupes recruited through work-at-home job scams. The mules usually are then asked to withdraw the funds in cash and wire the money to the scammers. Increasingly, however, the mules are being instructed to remit the stolen money via Bitcoin ATMs.

I recently heard from a reader in Canada who said she’d recently accepted a job as a customer service officer for a company called LunarBay. This company claims to be a software development firm, and told this reader they needed to hire people to help process payments for LunarBay’s clients.

LunarBay’s Web site — Lunarbay[dot]biz — claims the company has been in business for several years, and even references a legitimate business by the same name in the United Kingdom. But the domain name was registered only in late August 2016, and appears to have lifted all of its content from a legitimate Australian digital marketing firm called Bonfire.

The Canadian reader who contacted KrebsOnSecurity about this scam was offered $870 per week and a five percent commission on every transaction she handled. After providing her bank account information to get paid, she became suspicious when she received instructions on how to forward funds on LunarBay’s behalf.

The scammers told her to withdraw the money from her account by going into the bank itself — not from the ATM (mainly due to daily withdrawal limits at the ATM). They also sent her a QR code (pictured below) that she was instructed to save as an image on her smartphone. The crooks then proceeded to tell her the location of the nearest Bitcoin ATM:

a) The nearest Bitcoin ATM is located at: 6364 Rue Pascal, Montréal-Nord, QC H1G 1T6, Canada (Bitcoin ATM is located at Dépanneur Pascal 2003 convenience shop in Montreal).

b) You can find the instructions of how to make payment using Bitcoin ATM in this video

c) Please find the image attached to this message. This is a QR code – an unique identification number for a transaction. I ask you to save this image to your smartphone beforehand.

d) The payment must be processed within 3 hours. The Bitcoin rate is constantly changing in relation to CAD, USD and other currencies. That’s why the payment must be made during this time interval.

As the above Youtube video demonstrates, sending funds merely requires the user to scan a QR code shared by the intended recipient, and then insert cash into the Bitcoin ATM. Because Bitcoin is a non-refundable form of payment, once the money is sent the transaction cannot be reversed.

It’s not immediately clear why these thieves are avoiding tried-and-true methods of disbursing cash — like Western Union and MoneyGram — in favor of Bitcoin ATMs. I suppose it’s possible that the wire transfer companies are getting better at detecting and blocking suspicious transactions, but I doubt that’s the reason. More likely, sending cash via Bitcoin results in a more immediate payday for the scammers, and avoids the costs and hassle associated with hiring “far-end” mules to collect fraudulent wire transfers in the scammer’s home country.

The QR code used by the scammers at the fake LunarBay company.

It may seem difficult to believe that people might be gullible enough to get embroiled in such money laundering scams, but countless individuals do every day. The crooks operating this scam no doubt use multiple QR codes linked to many different Bitcoin addresses. The one given to the reader who contacted me links to this Bitcoin account, which has received a total of eight transactions over three days this past week totaling more than 6.3 Bitcoins — roughly $3,823 at current exchange rates.

Word to the wise: Money mule scammers specialize in hacking employer accounts at job recruitment Web sites like Monster.com, Hotjobs.com and other popular employment search services. Armed with the employer accounts, the crooks are free to search through millions of resumes and reach out to people who are currently between jobs or seeking part-time employment.

If you receive a job solicitation via email that sounds too-good-to-be-true, it probably is related in some way to one of these money-laundering schemes. Even if you can’t see the downside to you, someone is likely getting ripped off. Also, know that money mules — however unwitting — may find themselves in hot water with local police, and may be asked by their bank to pay back funds that were illegally transferred into the mules’ account.

For more on the crucial role of money mules in facilitating cybercrime, check out these stories.

Welcome to the Newest AWS Community Heroes (Fall 2016)

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/welcome-to-the-newest-aws-community-heroes-fall-2016/

I would like to extend a very warm welcome to the newest AWS Community Heroes:

  • Cyrus Wong
  • Paul Duvall
  • Vit Niennattrakul
  • Habeeb Rahman
  • Francisco Edilton
  • Jeevan Dongre

The Heroes share their knowledge and demonstrate their enthusiasm for AWS via social media, blog posts, user groups, and workshops. Let’s take a look at their bios to learn more.

Cyrus Wong
Based in Hong Kong, Cyrus is a Data Scientist in the IT Department of the Hong Kong Institute of Vocational Education. He actively promotes the use of AWS at live events and via social media, and has received multiple awards for his AWS-powered Data Science and Machine Learning Projects.

Cyrus provides professional AWS training to students in Hong Kong, with an eye toward certification. One of his most popular blog posts is How to get all AWS Certifications in Asia, where he recommends watching the entire set of re:Invent videos at a 2.0 to 2.5x speedup!

You can connect with Cyrus on LinkedIn or at a meeting of the AWS Hong Kong User Group.

Paul Duvall
As co-founder and CTO of Stelligent (an AWS Advanced Consulting Partner), Paul has been using AWS to implement Continuous Delivery Systems since 2009.

Based in Northern Virginia, he’s an AWS Certified SysOps Administrator and an AWS Certified Solutions Architect, and has been designing, implementing, and managing software and systems for over 20 years. Paul has written over 30 articles on AWS, automation, and DevOps and is currently writing a book on Enterprise DevOps in AWS.

You can connect with Paul on LinkedIn, follow him on Twitter, or read his posts on the Stelligent Blog.

Vit Niennattrakul
Armed with a Ph.D. in time series data mining and passionate about machine learning, artificial intelligence, and natural language processing, Vit is a consummate entrepreneur who has already founded four companies including Dailitech, an AWS Consulting Partner. They focus on cloud migration and cloud-native applications, and have also created cloud-native solutions for their customers.

Shortly after starting to use AWS in 2013, Vit decided that it could help to drive innovation in Thailand. In order to make this happen, he founded the AWS User Group Thailand and has built it up to over 2,000 members.


Habeeb Rahman
Based in India, Habeeb is interested in cognitive science and leadership, and works on application delivery automation at Citrix. Before that, he helped to build AWS-powered SaaS infrastructure at Apigee, and held several engineering roles at Cable & Wireless.

After presenting at AWS community meetups and conferences, Habeeb helped to organize the AWS User Group in Bangalore and is actively pursuing his goal of making it the best user group in India for peer learning.

You can connect with Habeeb on LinkedIn or follow him on Twitter.

Francisco Edilton
As a self-described “full-time geek,” Francisco likes to study topics related to cloud computing, and is also interested in the stock market, travel, and food. He brings over 15 years of network security and Linux server experience to the table, and is currently deepening his knowledge of AWS by learning about serverless computing and data science.

Francisco works for TDSIS, a Brazilian company that specializes in cloud architecture, software development, and network security, and helps customers of all sizes to make the move to the cloud. On the AWS side, Francisco organizes regular AWS Meetups in São Paulo, Brazil, writes blog posts, and posts code to his GitHub repo.

Jeevan Dongre
As a DevOps Engineer based in India, Jeevan has built his career around application development, e-commerce, and product development. His passions include automation, cloud computing, and the management of large-scale web applications.

Back in 2011, Jeevan and several other like-minded people formed the Bengaluru AWS User Group in order to share and develop AWS knowledge and skills. The group is still going strong and Jeevan expects it to become the premier group for peer-to-peer learning.

You can connect with Jeevan on LinkedIn or follow him on Twitter.

Welcome
Please join me in offering a warm welcome to our newest AWS Community Heroes!


Jeff;

First Annual Alexa Prize – $2.5 Million to Advance Conversational AI

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/first-annual-alexa-prize-2-5-million-to-advance-conversational-ai/

Every evening we ask Alexa for the time of sunset, subtract 10 minutes to account for the Olympic Mountains on the horizon, and plan our walk accordingly!

My family and my friends love the Amazon Echo in our kitchen! In the past week we have asked for jokes, inquired about the time of the impending sunset, played music, and checked on the time for the next Seattle Seahawks game. Many of our guests already know how to make requests of Alexa. The others learn after hearing an example or two, and quickly take charge.

While Alexa is pretty cool as-is, we are highly confident that it can be a lot cooler. We want our customers to be able to hold lengthy, meaningful conversations with their Alexa-powered devices. Imagine the day when Alexa is as fluent as LCARS, the computer in Star Trek!

Alexa Prize
In order to make conversational Artificial Intelligence (AI) a reality, I am happy to announce the first annual Alexa Prize. This is an annual university competition aimed at advancing the field of conversational AI, with Amazon investing up to 2.5 million dollars in the first year.

Teams of university students (each led by a faculty sponsor) can use the Alexa Skills Kit (ASK) to build a “socialbot” that is able to converse with people about popular topics and news events. Participants will have access to a corpus of digital content from multiple sources including the Washington Post, which has agreed to make their corpus available to the students for non-commercial use.

Millions of Alexa customers will initiate conversations with the socialbots on topics ranging from celebrity gossip, scientific breakthroughs, sports, and technology (to name a few). After each conversation concludes Alexa users will provide feedback that will help the students to improve their socialbot. This feedback will also help Amazon to select the socialbots that will advance to the final phase.

Apply Now
Teams have until October 28, 2016 to apply. Up to 10 teams will be sponsored by Amazon and will receive a $100,000 stipend, Alexa-enabled devices, free AWS services, and support from the Alexa team; other teams may also be invited to participate.

On November 14, we’ll announce the selected teams and the competition will begin.

In November 2017, the competition will conclude at AWS re:Invent. At that time, the team behind the best-performing socialbot will be awarded a $500,000 prize, with an additional $1,000,000 awarded to their university if their socialbot achieves the grand challenge of conversing coherently and engagingly with humans for 20 minutes.

To learn more, read the Alexa Prize Rules, read the Alexa Prize FAQ, and visit the Alexa Prize page. This contest is governed by the Alexa Prize Rules.


Jeff;

The Cost of Cyberattacks Is Less than You Might Think

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/the_cost_of_cyb.html

Interesting research from Sasha Romanosky at RAND:

Abstract: In 2013, the US President signed an executive order designed to help secure the nation’s critical infrastructure from cyberattacks. As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of the framework is voluntary, it faces the challenge of incentivizing firms to follow along. Will frameworks such as that proposed by NIST really induce firms to adopt better security controls? And if not, why? This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack. Specifically, we examine a sample of over 12 000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. First, we analyze the characteristics of these breaches (such as causes and types of information compromised). We then examine the breach and litigation rate, by industry, and identify the industries that incur the greatest costs from cyber events. We then compare these costs to bad debts and fraud within other industries. The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events. Public concerns regarding the increasing rates of breaches and legal actions, conflict, however, with our findings that show a much smaller financial impact to firms that suffer these events. Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.

The result is that it often makes business sense to underspend on cybersecurity and just pay the costs of breaches:

Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company’s annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.

As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.

He also noted that the effects of a data incident typically don’t have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn’t make a lot of sense to invest too much in cyber security.

What’s being left out of these costs are the externalities. Yes, the costs to a company of a cyberattack are low to them, but there are often substantial additional costs borne by other people. The way to look at this is not to conclude that cybersecurity isn’t really a problem, but instead that there is a significant market failure that governments need to address.

The 50 greatest Pi projects ever in The MagPi 50

Post Syndicated from Rob Zwetsloot original https://www.raspberrypi.org/blog/50-greatest-pi-projects-ever-magpi-50/

Rob from The MagPi here! We’re absolutely thrilled finally to be able to share with you The MagPi 50, our landmark issue with a super special feature on the 50 greatest Raspberry Pi projects of all time, the top 20 of which were voted on by you, the Raspberry Pi community.

The MagPi magazine issue 50: silver text on the cover reads "50 greatest Raspberry Pi projects"

The MagPi 50, out right this instant

As well as the thousands who voted, we had a panel of judges choosing the best projects in a few special categories. Eben Upton, the man behind Raspberry Pi, gave us his picks of software projects. Philip Colligan, CEO of the Raspberry Pi Foundation, carefully selected some incredible humanitarian projects. Liz Upton, Director of Communications/my boss, made some tough decisions in the young makers category. Finally, Michael Horne and Tim Richardson of CamJam and Pi Wars fame presided over the Pi robots.


Hopefully your favourite project made its way into the top 50! It was a hard task whittling it down to this number, and to be perfectly honest we could probably feature another 50 projects next month that are equally good. The Raspberry Pi community has done some incredible things over the last four years and change, and I’m immensely proud that we can share some of the outstanding work you folk have done in this issue.


But wait, there’s more! As well as our big community celebration, we also have our usual selection of excellent tutorials, news, and reviews. If the reveal of USB and Ethernet booting on Pi 3 piqued your interest a few weeks ago, we have a full eight-page guide on how you can do that yourself. We cover the #10MillionPi event at the Houses of Parliament in the news, along with some wonderful Raspberry Pi-powered tech that’s being used in the health industry.

Also, here’s Mike’s dancing skeleton from the Pi Bakery, in plenty of time for you to get your own spooky version ready for Halloween. We love it.

Danse Macabre

Danse Macabre or Skeleton Dance is a project in the MagPi Magazine No.50 October 2016. It uses the spectrum board from The MagPi No. 46 June 2016 ( https://vimeo.com/167914646 ) , to make one to three skeletons dance to music.

You can grab The MagPi 50 in stores today: it’s in WHSmith, Tesco, Sainsbury’s, and Asda in the UK, and it will be in Micro Center and selected Barnes & Noble stores when it comes to America. You can also buy the print edition online from our store, and it’s available digitally on our Android and iOS app.

Get a free Pi Zero
Want to make sure you never miss an issue? Subscribe today and get a Pi Zero bundle featuring the new, camera-enabled Pi Zero, and a cable bundle that includes the camera adapter.

Free Pi Zeros and posters: what’s not to love about a MagPi subscription?

Free Creative Commons download
As always, you can download your copy of The MagPi completely free. Grab it straight from the issue page for The MagPi 50.

Don’t forget, though, that like sales of the Raspberry Pi itself, all proceeds from the print and digital editions of the magazine go to help the Foundation achieve its charitable goals. Help us democratise computing!

We hope you enjoy this issue. We’re off for a cup of tea. See you soon!

The post The 50 greatest Pi projects ever in The MagPi 50 appeared first on Raspberry Pi.

Coming in 2017 – New AWS Region in France

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/coming-in-2017-new-aws-region-in-france/

As cloud computing becomes the new normal for organizations all over the world and as our customer base becomes larger and more diverse, we will continue to build and launch additional AWS Regions.

Bonjour la France
I am happy to announce that we will be opening an AWS Region in Paris, France in 2017. The new Region will give AWS partners and customers the ability to run their workloads and store their data in France.

This will be the fourth AWS Region in Europe. We currently have two other Regions in Europe — EU (Ireland) and EU (Frankfurt) — and an additional Region in the UK is expected to launch in the coming months. Together, these Regions will provide our customers with a total of 10 Availability Zones (AZs) and allow them to architect highly fault tolerant applications while storing their data in the EU.

Today’s announcement means that our global infrastructure now comprises 35 Availability Zones across 13 geographic regions worldwide, with another five AWS Regions (and 12 Availability Zones) in France, Canada, China, Ohio, and the United Kingdom coming online throughout the next year (see the AWS Global Infrastructure page for more info).

As always, we are looking forward to serving new and existing French customers and working with partners across Europe. Of course, the new Region will also be open to existing AWS customers who would like to process and store data in France.

To learn more about the AWS France Region feel free to contact our team in Paris at aws-in-france@amazon.com.


Coming in 2017 – A New AWS Region in France

I am happy to announce that we will be opening a new AWS Region in Paris, France, in 2017. This new Region will give AWS partners and customers the ability to run their workloads and store their data in France.

This Region will be the fourth in Europe. We currently have two other Regions in Europe – EU (Ireland) and EU (Frankfurt) – and an additional Region will open in the coming months in the United Kingdom. That will bring the total number of Availability Zones (AZs) in Europe to ten, allowing customers to design fault-tolerant applications and to store their data within the European Union.

This announcement means that our global infrastructure now comprises 35 Availability Zones across 13 Regions worldwide, with five more AWS Regions (and 12 Availability Zones) opening next year in France, Canada, China, Ohio, and the United Kingdom (for more information, visit the AWS Global Infrastructure page).

As always, we look forward to meeting the needs of our French customers, current and future, and to working with our partners across Europe. Of course, this new Region will also be available to all AWS customers who wish to process and store their data in France.

To learn more about the AWS Region in France, you can contact our teams in Paris: aws-in-france@amazon.com.



Jeff;

Some technical notes on the PlayPen case

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/09/some-technical-notes-on-playpen-case.html

In March of 2015, the FBI took control of a Tor onion child porn website (“PlayPen”), then used an 0day exploit to upload malware to visitors’ computers in order to identify them. There is some controversy over the warrant they used, and over government mass hacking in general. However, much of the discussion misses some technical details, which I thought I’d discuss here.

IP address
In a post on the case, Orin Kerr claims:
retrieving IP addresses is clearly a search

He is wrong, at least in the general case. Uploading malware to gather other things (hostname, username, MAC address) is clearly a search. But discovering the IP address is a different thing.

Today’s homes contain many devices behind a single router. The home has only one public IP address, that of the router. All the other devices have local IP addresses. The router then does network address translation (NAT) in order to rewrite outgoing traffic so that it all uses the public IP address.

The FBI sought the public IP address of the NAT/router, not the local IP address of the perp’s computer. The malware (“NIT”) didn’t search the computer for the IP address. Instead the NIT generated network traffic destined for the FBI’s computers. The FBI discovered the suspect’s public IP address by looking at their own computers.

Historically, there have been similar ways of getting this IP address (from a Tor hidden user) without “hacking”. In the past, Tor used to leak DNS lookups, which would often lead to the user’s ISP, or to the user’s IP address itself. Another technique would be to provide rich content files (like PDF) or video files that the user would have to download to view, and which would then contact the Internet (contacting the FBI’s computers) themselves, bypassing Tor.

Since the Fourth Amendment is about where the search happens, and not what is discovered, it’s not a search to find the IP address in packets arriving at FBI servers. How the FBI discovered the IP address may be a search (running malware on the suspect’s computer), but learning the public IP address itself doesn’t necessarily mean a search happened.
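To make the NAT point concrete, here is a small added model (not code from the post) of a home router’s translation table and of what a remote server can learn from the packets that reach it. It goes slightly beyond the post’s single-device case by sending two devices that happen to use the same local source port through the same router. All addresses are constructed values from the reserved documentation ranges (192.168.0.0/16, 198.51.100.0/24, 203.0.113.0/24); the class and function names are this example’s own.

```python
"""Toy NAT model: what a remote server sees (added example, not from the post).

A home router keeps a table keyed by (private_ip, private_port) and rewrites
outgoing packets to carry its single public IP and a translated port. The
server on the far end only ever sees the router's public address; the private
address of the originating device never leaves the home network.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class NatRouter:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)      # next free public port
        self.out_table = {}                  # (private_ip, port) -> public_port
        self.in_table = {}                   # public_port -> (private_ip, port)

    def outbound(self, pkt):
        """Rewrite an outgoing packet so its source is the router's public IP."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:        # first flow from this socket
            public_port = next(self._ports)
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return Packet(self.public_ip, self.out_table[key],
                      pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Map a reply back to the private device, or drop it if unsolicited."""
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None                      # no mapping: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1], pkt.payload)


class Server:
    def __init__(self, ip):
        self.ip = ip
        self.seen = []                       # (src_ip, src_port) per packet

    def receive(self, pkt):
        """Record the source the packet carried and answer it."""
        self.seen.append((pkt.src_ip, pkt.src_port))
        return Packet(self.ip, pkt.dst_port, pkt.src_ip, pkt.src_port, b"ack")


def demo():
    """Two private devices behind one router talk to one server.

    Returns (what the server saw, where the replies were delivered).
    """
    router = NatRouter("203.0.113.7")        # constructed public IP (TEST-NET-3)
    server = Server("198.51.100.10")         # constructed server IP (TEST-NET-2)
    # Constructed traffic: both devices use local port 51234.
    laptop = Packet("192.168.1.20", 51234, server.ip, 443, b"hello")
    phone = Packet("192.168.1.31", 51234, server.ip, 443, b"hello")
    delivered = []
    for pkt in (laptop, phone):
        reply = server.receive(router.outbound(pkt))
        back = router.inbound(reply)
        delivered.append((back.dst_ip, back.dst_port))
    return server.seen, delivered


if __name__ == "__main__":
    seen, delivered = demo()
    print("server saw:", seen)
    print("replies delivered to:", delivered)
```

Running `demo()` shows the server recording only `203.0.113.7` with two distinct translated ports, while the router still delivers each reply to the correct private device; the private addresses 192.168.1.20 and 192.168.1.31 appear nowhere in the server’s view. That is the sense in which the address the FBI learned is the router’s, found in their own server’s packets, rather than something read off the suspect’s machine.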

Of course, uploading malware just to make the machine transmit packets to an FBI server, and then reading the IP address off those packets, is still problematic. It’s gotta be something that requires a warrant, even though it’s not precisely the malware searching the machine for its IP address.

In any event, if not for the IP address, then PlayPen searches still happened for the hostname, username, and MAC address. Imagine the FBI gets a search warrant, shows up at the suspect’s house, and finds no child porn. They then look at the WiFi router, and find that suspected MAC address is indeed connected. They then use other tools to find that the device with that MAC address is located in the neighbor’s house — who has been piggybacking off the WiFi.
It’s a pre-crime warrant (#MinorityReport)

The warrant allows the exploit/malware/search to be used whenever somebody logs in with a username and password.

The key thing here is that the warrant includes people who have not yet created an account on the server at the time the warrant is written. They will connect, create an account, log in, then start accessing the site.

In other words, the warrant includes people who had never committed a crime when the warrant was issued, but who first commit the crime after the warrant. It’s a pre-crime warrant.

Sure, it’s possible in any warrant to catch pre-crime. For example, a warrant for a drug dealer may also catch a teenager making their first purchase of drugs. But this seems quantitatively different. It’s not targeting the known/suspected criminal — it’s targeting future criminals.

This could easily be solved by limiting the warrant to only accounts that have already been created on the server.
It’s more than an anticipatory warrant

People keep saying it’s an anticipatory warrant, as if this explains everything.

I’m not a lawyer, but even I can see that this explains only that the warrant anticipates future probable cause. “Anticipatory warrant” doesn’t explain that the warrant also anticipates future place to be searched. As far as I can tell, “anticipatory place” warrants don’t exist and are a clear violation of the Fourth Amendment. It makes it look like a “general warrant”, which the Fourth Amendment was designed to prevent.

Orin’s post includes some “unknown place” examples — but those specify something else in particular. A roving wiretap names a person, and the “place” is whatever phone they use. In contrast, this PlayPen warrant names no person. Orin thinks that the problem may be that more than one person is involved, but he is wrong. A warrant can (presumably) name multiple people, or you can have multiple warrants, one for each person. Instead, the problem here is that no person is named. It’s not “Rob’s computer”, it’s “the computer of whoever logs in”. Even if the warrant were ultimately for a single person, it’d still be problematic because the person is not identified.

Orin cites another case, where the FBI places a beeper into a package in order to track it. The place, in this case, is the package. Again, this is nowhere close to this case, where no specific/particular place is mentioned, only a type of place.

This could easily have been resolved. Most accounts were created before the warrant was issued. The warrant could simply have listed all the usernames, saying the computers of those using these accounts are the places to search. It’s a long list of usernames (1,500?), but if you can’t include them all in a single warrant, in this day and age of automation, I’d imagine you could easily create 1,500 warrants.
It’s malware

As a techy, the name for what the FBI did is “hacking”, and the name for their software is “malware” not “NIT”. The definitions don’t change depending upon who’s doing it and for what purpose. That the FBI uses weasel words to distract from what it’s doing seems like a violation of some sort of principle.
Conclusion

I am not a lawyer, I am a revolutionary. I care less about precedent and more about how a Police State might abuse technology. That a warrant can be issued whose condition is something like “whoever logs into the server” seems like a scary potential for abuse. That a warrant can be designed to catch pre-crime seems even scarier, like science fiction. That a warrant might not be issued for something called “malware”, but would be issued for something called “NIT”, scares me the most.
This warrant could easily have been narrower. It could have listed all the existing account holders. It could’ve been even narrower, for account holders where the server logs prove they’ve already downloaded child porn.
Even then, we need to be worried about FBI mass hacking. I agree that FBI has good reason to keep the 0day secret, and that it’s not meaningful to the defense. But in general, I think courts should demand an overabundance of transparency — the police could be doing something nefarious, so the courts should demand transparency to prevent that.

Debian Project mourns the loss of Kristoffer H. Rose

Post Syndicated from ris original http://lwn.net/Articles/702123/rss

Ana Guerrero Lopez sadly reports that Kristoffer H. Rose died on September 17. “Kristoffer was a Debian contributor from the very early days of the project, and the upstream author of several packages that are still in the Debian archive nowadays, such as the LaTeX package Xy-pic and FlexML. On his return to the project after several years’ absence, many of us had the pleasure of meeting Kristoffer during DebConf15 in Heidelberg. The Debian Project honours his good work and strong dedication to Debian and Free Software. Kristoffer’s broad technical knowledge and his ability to share that knowledge with others will be missed. The contributions of Kristoffer will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others.”

Kim Dotcom’s Extradition Appeal Concludes, Will He Get a “Fair Go”?

Post Syndicated from Ernesto original https://torrentfreak.com/kim-dotcoms-extradition-appeal-concludes-160928/

Last December a New Zealand District Court ruled that Kim Dotcom and his colleagues can be sent to the United States to face criminal charges.

This decision was immediately appealed and over the past weeks there’s been a lengthy series of appeal hearings at New Zealand’s High Court.

Represented by a team of lawyers, Kim Dotcom and his fellow Megaupload defendants have argued that the New Zealand District Court failed to give them a fair hearing. The entire case was live-streamed on YouTube and earlier today the final arguments were presented.

Kim Dotcom’s defense lawyer Ron Mansfield repeated several claims that have been discussed over the past several weeks. He argues that the lower court made critical errors in its final ruling and that crucial evidence was overlooked or not considered at all.

One of the main arguments of the United States government is that Megaupload would only disable a URL when it received a takedown notice, not the underlying file. As a result of the deduplication technology it employed, this meant that the file could still be accessed under different URLs.

However, according to Dotcom’s defense, it was a standard practice in the Internet service provider industry to remove just the URL, something copyright holders were apparently well aware of.

“How can a copyright holder have been reasonably expecting Megaupload to take down files in response to takedown notices specifying URLs if the copyright holders knew that the prevailing industry practice was to prevent access by removing the URL, not the file,” Mansfield said.

“The use of deduplication technology by Internet service providers […] was not a secret. It was widespread within the industry and well-known both by the Internet service provider industry and the content industry,” he added.

While various stakeholders disagree on what services such as Megaupload are required to do under the DMCA, removing the URLs only was not something unique to Megaupload.

In addition, Mansfield previously cited the “Dancing Baby” case, where it was held that copyright holders should consider fair use before requesting a takedown. This means that removing an underlying file may be too broad, as fair use isn’t considered for all URLs.

Overall the defense believes that Megaupload and its employees enjoy safe harbor protection and can’t be held criminally liable for copyright infringement. As such, there is no extraditable offense.

Mr. Mansfield closes his argument by highlighting the unprecedented nature of this case, which has been ongoing for nearly five years.

“Today marks 1730 days since 20 January 2012, when the New Zealand police effectively dropped from the sky and conducted the search of Mr. Dotcom’s home. And at that point they then sought about arresting him. The officers were disguised, armed and left him and his family effectively bereft of assets and income,” Mansfield said.

Mansfield describes the U.S. litigation strategy as an aggressive one and argues that the failure to accept and review critical evidence deprived Kim Dotcom of a fair trial.

“Sportsmanship in a court of law is called fairness and the United States conduct has in our submission both been unlawful and unreasonable and the tactics they have adopted have been unfair and prevented Mr. Dotcom and the other appellants from having the benefit of a fair hearing.”

“He simply has not had a fair go. And we do ask that your honor considers the submissions which have been presented, because, in effect, after that period of time, after 1730 days it would be the first time there is a meaningful judicial assessment of the facts and of the submissions presented,” Mansfield concluded.

While the primary hearings are over, there are still some smaller details to work out and it is expected to take several weeks before the New Zealand High Court reaches a decision. However, Kim Dotcom is confident that he’s on the winning side and congratulated his lawyers.

“I like to thank my legal team for an excellent job. My 5 children will grow up around their father thanks to your brilliance. I’m grateful,” Dotcom posted on Twitter a few hours ago.

Whatever the outcome, it’s unlikely that the case will stop at the High Court. Given the gravity of the case, both the United States and the Megaupload defendants are likely to take it all the way to the Supreme Court if the decision doesn’t go their way.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Beware: Attribution & Politics

Post Syndicated from Elizabeth Wharton original http://blog.erratasec.com/2016/09/beware-attribution-politics.html

tl;dr – Digital location data can be inherently wrong and it can be spoofed. Blindly assuming that it is accurate can make an ass out of you on twitter and when regulating drones.    

Guest contributor and friend of Errata Security Elizabeth Wharton (@LawyerLiz) is an attorney and host of the technology-focused weekly radio show “Buzz Off with Lawyer Liz” on America’s Web Radio (listen live each Wednesday, 2-3:00pm eastern; find prior podcasts here or via iTunes – Lawyer Liz). This post is merely her musings and not legal advice.

Filtering through various campaign and debate analysis on social media, a tweet caught my eye. The message itself was not the concern, and the underlying image has since been determined to be fake. Rather, I was stopped by the 140-character tweet’s absolute certainty that internet user location data is infallible. The author presented a data map as proof without question, caveat, or other investigation. Boom, mic drop – attribution!

According to the tweeting pundit, “Russian trollbots” are behind the #TrumpWon hashtag trending on Twitter.

The proof? The twitter post claims that the Trendsmap showed the initial hashtag tweets as originating from accounts located in Russia. Within the first hour the tweet and accompanying map graphic were “liked” 1,400 times and retweeted 1,495 times. A gotcha moment because a pew-pew map showed that the #TrumpWon hashtag originated from Twitter accounts located in Russia. Boom, mic drop – attribution!

Except, not so fast. First, Trendsmap has since clarified that the map and data in the tweet above are not theirs (the Washington Post details the faked data/map). Moreover, location data is tricky. According to the Trendsmap FAQ page, they use the location provided in a user’s profile and GeoIP provided by Google. Google’s GeoIP is crafted using a proprietary system and other databases such as MaxMind. IP mapping is not an exact art. Kashmir Hill, editor of Fusion’s Real Future, and David Maynor delved into the issues and inaccuracies of IP mapping earlier this year. Kashmir wrote extensively on their findings and how phantom IP addresses and MaxMind’s use of randomly selected default locations created digital hells for individuals all over the country – Internet Mapping Glitch Turned Random Farm into Digital Hell.

Reliance on such mapping and location information as an absolute has tripped up law enforcement and is poised to trip up the drone industry. Certain lawmakers like to point to geofencing and other location applications as security and safety cure-all solutions. Sen. Schumer (D-N.Y.) previously included geofencing as a key element of his 2015 drone safety bill. Geofencing as a safety measure was mentioned during Tuesday’s U.S. House Small Business Committee hearing on Commercial Drone Operations. With geofencing, the drone is programmed to prohibit operations above a certain height or to keep out of certain locations. Attempt to fly in a prohibited area and the aircraft will automatically shut down. Geofencing relies on location data, including geospatial data collected from a variety of sources. As seen with GeoIP, data can be wrong. Additionally, the data must be interpreted and analyzed by the aircraft’s software systems. Aircraft systems are not built with security first; in some cases basic systems security measures have been completely overlooked. With mandatory geofencing, wrong data or spoofed (hacked) data can ground the aircraft.

Location mapping is helpful, one data point among many.  Beware of attribution and laws predicated solely on information that can be inaccurate by design. One errant political tweet blaming Russian twitter users based on bad data may lead to a “Pants on Fire” fact check.  Even if initially correct, a bored 400lb hacker may have spoofed the data.

(post updated to add link to “Buzz Off with Lawyer Liz Show” website and pic per Rob’s request)

Malware Tries to Detect Test Environment

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/malware_tries_t.html

A new malware tries to detect if it’s running in a virtual machine or sandboxed test environment by looking for signs of normal use and not executing if they’re not there.

From a news article:

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found…looks for existing documents on targeted PCs.

If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.

uTorrent’s New Altruistic Mode Ensures You Give More Than You Take

Post Syndicated from Andy original https://torrentfreak.com/utorrent-altruistic-mode-ensures-you-give-more-than-you-take-160928/

As the name suggests, file-sharing is all about sharing. In the old days this would be achieved by having folders full of files that anyone could take. These days, with BitTorrent’s distributed nature, it’s more about sharing content and associated bandwidth.

With that in mind, good torrent etiquette dictates that one always shares at least as much as one downloads. So, if a file is 1GB in size, it’s accepted that the user should try to share 1GB back. This is known as a 1:1 ratio. Those who upload 2GB will achieve a 2:1 ratio and those aiming for 3:1 will need to upload 3GB to others.

Generally, the more people upload the healthier the swarm, so with that in mind BitTorrent Inc. has just introduced an interesting feature to new builds of their uTorrent and BitTorrent clients. It’s called Altruistic Mode and manages to be both straightforward and somewhat confusing.

Essentially, Altruistic Mode is aimed at users who want to absolutely guarantee that they are always maintaining a 2:1 ratio (2GB uploaded for every 1GB downloaded). At first view one might think that the same goal could be achieved by downloading 1GB and letting the client seed 2GB back. However, that relies on others joining the swarm later and as mentioned earlier, Altruistic Mode wants to guarantee a 2:1 ratio, not just aim for one.

So how is this achieved? Well, in normal situations torrent clients always upload as much as they can anyway, so Altruistic Mode achieves its goals by downloading less.

The initially confusing end result here is that people who enable Altruistic Mode could find that due to their client’s insistence on maintaining a 2:1 ratio, the torrent they’re downloading might never complete. It is called Altruistic Mode for a reason and when seen in that light, the importance of a finished download places second to a healthy swarm.

BitTorrent creator Bram Cohen says that the effects of Altruistic Mode on a torrent will depend on how that torrent would behave in the same swarm in regular ‘download’ mode.

– If Download Mode would upload at a greater than 2:1 ratio then an Altruistic Mode peer will have very similar behavior.

– If Download Mode would upload at a ratio between 2:1 and 1:1 then Altruistic Mode will upload less and download a lot less than Download Mode would, resulting in a 2:1 upload to download ratio.

– If Download Mode would upload at a ratio of less than 1:1 then Altruistic Mode will do very little uploading or downloading.

“The precise definition of Altruistic Mode is that it initially downloads two pieces and after that, every time it uploads two pieces worth of data it downloads one more,” Cohen explains.

“This is a simple and reliable strategy for making sure that you never get much worse than a 2:1 ratio. It results in all the behaviors described above, which do have some technical caveats….but the essential message is right in every case.”
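To make Cohen’s rule and its three cases concrete, here is an added toy simulation; it is not BitTorrent Inc.’s code, and the swarm model (a fixed per-round supply of pieces to us and a fixed per-round demand for pieces from us) is an assumption made for illustration.

```python
"""Toy model of uTorrent's Altruistic Mode piece-scheduling rule.

Added example, not BitTorrent Inc.'s code. It encodes the rule Bram Cohen
states in the post: the peer downloads two pieces up front, and after that
it may download one more piece for every two pieces' worth of data it has
uploaded. Everything about the swarm is a constructed simplification
(assumption): each round the swarm can supply us up to `down_rate` pieces,
and other peers request up to `up_demand` pieces from us, but never more
than the number of pieces we currently hold.
"""


def altruistic_allowance(uploaded: int, downloaded: int) -> int:
    """Pieces the Altruistic Mode rule still permits us to download now.

    Two pieces are free; every further piece must be earned by uploading
    two pieces' worth of data. Negative means we are ahead of the rule.
    """
    return 2 + uploaded // 2 - downloaded


def simulate(total_pieces: int, down_rate: int, up_demand: int,
             rounds: int, altruistic: bool) -> dict:
    """Run one peer for `rounds` rounds in Download Mode or Altruistic Mode."""
    have = uploaded = downloaded = 0
    for _ in range(rounds):
        # Uploads first: other peers can only take pieces we already hold.
        uploaded += min(up_demand, have)
        # Downloads: limited by swarm supply, by what is left to fetch and,
        # in Altruistic Mode, by the two-for-one rule.
        want = min(down_rate, total_pieces - have)
        if altruistic:
            want = min(want, max(0, altruistic_allowance(uploaded, downloaded)))
        have += want
        downloaded += want
    ratio = uploaded / downloaded if downloaded else float("inf")
    return {"have": have, "uploaded": uploaded, "downloaded": downloaded,
            "ratio": round(ratio, 2), "complete": have == total_pieces}


def compare(total_pieces: int, down_rate: int, up_demand: int,
            rounds: int) -> tuple:
    """Same swarm conditions, once in Download Mode and once in Altruistic Mode."""
    return (simulate(total_pieces, down_rate, up_demand, rounds, False),
            simulate(total_pieces, down_rate, up_demand, rounds, True))


if __name__ == "__main__":
    # Constructed scenarios matching Cohen's three cases: the swarm can give
    # us 4 pieces/round and asks us for 10, 6 or 2 pieces/round. With demand
    # 10 both modes finish with a ratio above 2:1; with demand 6 Download
    # Mode finishes at about 1.4:1 while Altruistic Mode stalls at 69/100
    # pieces near 2:1; with demand 2 Altruistic Mode barely moves.
    for up_demand, rounds in ((10, 40), (6, 25), (2, 25)):
        normal, altru = compare(100, 4, up_demand, rounds)
        print(f"up_demand={up_demand:2d}  Download Mode:   {normal}")
        print(f"               Altruistic Mode: {altru}")
```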

Cohen says that a 2:1 ratio was considered a logical choice, particularly given that a 3:1 ratio or higher has the potential to impose severe restrictions on some swarms. Ironically, if too many people decide to act selflessly and turn the feature on in the same swarm, everyone’s download may never complete.

“Going for a higher number [than 2:1] could also cause swarms to no longer have a complete copy of the file if too many peers are in Altruistic Mode, which would harm not just the one peer in Altruistic Mode but other peers as well,” Cohen explains.

“Because of this, we feel that a 2:1 ratio is a sweet spot and aren’t offering any user configuration options for it. You may get ratios of greater than 2:1 in Altruistic Mode, but in those cases you could have used regular Download Mode and gotten the same results.”

For those not familiar with how BitTorrent works (and certainly many casual users), Altruistic Mode is a bit of a head-scratcher, to say the least. And, given the prospect that a download might never complete with it switched on, it seems unlikely that swarms will be inundated with clients using the mode.

Nevertheless, it’s an interesting addition to the uTorrent and Mainline BitTorrent clients and described as “an experiment” that could be further developed.

“If this goes well we may roll out another feature in the future where a peer starts out in Altruistic Mode and later switches to regular Download Mode, which would not change the upload ratio significantly but would help other peers download faster at the beginning, so peers who want to get a complete file eventually but aren’t in a rush can allow other peers who care about getting it sooner to finish first,” Cohen concludes.

Altruistic Mode is available in uTorrent 3.4.9 and above, and BitTorrent 7.9.9 and above. It is turned off by default but can be unlocked in Preferences/BitTorrent and then activated for individual torrents.

More information can be found here.

Introducing PIXEL

Post Syndicated from Simon Long original https://www.raspberrypi.org/blog/introducing-pixel/

It was just over two years ago when I walked into Pi Towers for the first time. I only had the vaguest idea of what I was going to be doing, but on the first day Eben and I sat down and played with the Raspbian desktop for half an hour, then he asked me “do you think you can make it better?”

Bear in mind that at this point I’d barely ever used Linux or Xwindows, never mind made any changes to them, so when I answered “hmmm – I think so”, it was with rather more confidence than I actually felt. It was obvious that there was a lot that could be done in terms of making it a better experience for the user, and I had spent many years working in user interface design in previous jobs. But I had no idea where to start in terms of changing Raspbian. I clearly had a bit of a learning curve in front of me…

Well, that was two years ago, and I’ve learnt an awful lot since then. It’s actually surprisingly easy to hack about with the LXDE desktop once you get your head around what all the bits do, and since then I’ve been slowly chipping away at the bits that I felt would most benefit from tweaking. Stuff has slowly been becoming more and more like my original concept for the desktop; with the latest changes, I think the desktop has reached the point where it’s a complete product in its own right and should have its own name. So today, we’re announcing the release of the PIXEL desktop, which will ship with the Foundation’s Raspbian image from now on.

PIXEL?

One of the things I said (at least partly in jest) to my colleagues in those first few weeks was that I’d quite like to rename the desktop environment once it was a bit more Pi-specific, and I had the name “pixel” in my mind about two weeks in. It was a nice reminder of my days learning to program in BASIC on the Sinclair ZX81; nowadays, everything from your TV to your phone has pixels on it, but back then it was a uniquely “computer-y” word and concept. I also like crosswords and word games, and once it occurred to me that “pixel” could be made up from the initials of words like Pi and Xwindows, the name stuck in my head and never quite went away. So PIXEL it is, which now officially stands for “Pi Improved Xwindows Environment, Lightweight”.

What’s new?

The latest set of changes are almost entirely to do with the appearance of the desktop; there are some functional changes and a few new applications, about which more below, but this is mostly about making things look nicer.

The first thing you’ll notice on rebooting is that the trail of cryptic boot messages has (mostly) gone, replaced by a splash screen. One feature which has frequently been requested is an obvious version number for our Raspbian image, and this can now be seen at the bottom-right of the splash image. We’ll update this whenever we release a new version of the image, so it should hopefully be slightly easier to know exactly what version you’re running in future.

I should mention that the code for the splash screen has been carefully written and tested, and should not slow down the Pi’s boot process; the time to go from powering on to the desktop appearing is identical, whether the splash is shown or not.

Desktop pictures

Once the desktop appears, the first thing you’ll notice is the rather stunning background image. We’re very fortunate in that Greg Annandale, one of the Foundation’s developers, is also a very talented (and very well-travelled) photographer, and he has kindly allowed us to use some of his work as desktop pictures for PIXEL. There are 16 images to choose from; you can find them in /usr/share/pixel-wallpaper/, and you can use the Appearance Settings application to choose which one you prefer. Do have a look through them, as Greg’s work is well worth seeing! If you’re curious, the EXIF data in each image will tell you where it was taken.

Icons

You’ll also notice that the icons on the taskbar, menu, and file manager have had a makeover. Sam Alder and Alex Carter, the guys responsible for all the cartoons and graphics you see on our website, have been sweating blood over these for the last few months, with Eben providing a watchful eye to make sure every pixel was exactly the right colour! We wanted something that looked businesslike enough to be appropriate for those people who use the Pi desktop for serious work, but with just a touch of playfulness, and Sam and Alex did a great job. (Some of the icons you don’t see immediately are even nicer; it’s almost worth installing some education or engineering applications just so those categories appear in the menu…)

Speaking of icons, the default is now not to show icons in individual application menus. These always made menus look a bit crowded, and didn’t really offer any improvement in usability, not least because it wasn’t always that obvious what the icon was supposed to represent… The menus look cleaner and more readable as a result, since the lack of visual clutter now makes them easier to use.

Finally on the subject of icons, in the past if your Pi was working particularly hard, you might have noticed some yellow and red squares appearing in the top-right corner of the screen, which were indications of overtemperature or undervoltage. These have now been replaced with some new symbols that make it a bit more obvious what’s actually happening; there’s a lightning bolt for undervoltage, and a thermometer for overtemperature.

Windows

If you open a window, you’ll see that the window frame design has now changed significantly. The old window design always looked a bit dated compared to what Apple and Microsoft are now shipping, so I was keen to update it. Windows now have a subtle curve on the corners, a cleaner title bar with new close / minimise / maximise icons, and a much thinner frame. One reason the frame was quite thick on the old windows was so that the grab handles for resizing were big enough to find with the mouse. To avoid this problem, the grab handles now extend slightly outside the window; if you hold the mouse pointer just outside the window which has focus, you’ll see the pointer change to show the handle.

Fonts

Steve Jobs said that one thing he was insistent on about the Macintosh was that its typography was good, and it’s true that using the right fonts makes a big difference. We’ve been using the Roboto font in the desktop for the last couple of years; it’s a nice-looking modern font, and it hasn’t changed for this release. However, we have made it look better in PIXEL by including the Infinality font rendering package. This is a library of tweaks and customisations that optimises how fonts are mapped to pixels on the screen; the effect is quite subtle, but it does give a noticeable improvement in some places.

Login

Most people have their Pi set up to automatically log in when the desktop starts, as this is the default setting for a new install. For those who prefer to log in manually each time, the login screen has been redesigned to visually match the rest of the desktop; you now see the login box (known as the “greeter”) over your chosen desktop design, with a seamless transition from greeter to desktop.

Wireless power switching

One request we have had in the past is to be able to shut off WiFi and/or Bluetooth completely, particularly on Pi 3. There are now options in the WiFi and Bluetooth menus to turn off the relevant devices. These work on the Pi 3’s onboard wireless hardware; they should also work on most external WiFi and Bluetooth dongles.

You can also now disconnect from an associated wireless access point by clicking on its entry in the WiFi menu.

New applications

There are a couple of new applications now included in the image.

RealVNC have ported their VNC server and viewer applications to Pi, and they are now integrated with the system. To enable the server, select the option on the Interfaces tab in Raspberry Pi Configuration; you’ll see the VNC menu appear on the taskbar, and you can then log in to your Pi and control it remotely from a VNC viewer.

The RealVNC viewer is also included – you can find it from the Internet section of the Applications menu – and it allows you to control other RealVNC clients, including other Pis. Have a look here on RealVNC’s site for more information.

Please note that if you already use xrdp to remotely access your Pi, this conflicts with the RealVNC server, so you shouldn’t install both at once. If you’re updating an existing image, don’t run the sudo apt-get install realvnc-vnc-server line in the instructions below. If you want to use xrdp on a clean image, first uninstall the RealVNC server with sudo apt-get purge realvnc-vnc-server before installing xrdp. (If the above paragraph means nothing to you, then you probably aren’t using xrdp, so you don’t have to worry about any of it!)

Also included is the new SenseHAT emulator, which was described in a blog post a couple of weeks ago; have a look here for all the details.

Updates

There are updates for a number of the built-in applications; these are mostly tweaks and bug fixes, but there have been improvements made to Scratch and Node-RED.

One more thing…

We’ve been shipping the Epiphany web browser for the last couple of years, but it’s now starting to show its age. So for this release (and with many thanks to Gustav Hansen from the forums for his invaluable help with this), we’re including an initial release of Chromium for the Pi. This uses the Pi’s hardware to accelerate playback of streaming video content.

We’ve preinstalled a couple of extensions; the uBlock Origin adblocker should hopefully keep intrusive adverts from slowing down your browsing experience, and the h264ify extension forces YouTube to serve videos in a format which can be accelerated by the Pi’s hardware.

Chromium is a much more demanding piece of software than Epiphany, but it runs well on Pi 2 and Pi 3; it can struggle slightly on the Pi 1 and Pi Zero, but it’s still usable. (Epiphany is still installed in case you find it useful; launch it from the command line by typing “epiphany-browser”.)

How do I get it?

The Raspbian + PIXEL image is available from the Downloads page on our website now.

To update an existing Jessie image, type the following at the command line:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -y rpi-chromium-mods
sudo apt-get install -y python-sense-emu python3-sense-emu
sudo apt-get install -y python-sense-emu-doc realvnc-vnc-viewer

and then reboot.

If you don’t use xrdp and would like to use the RealVNC server to remotely access your Pi, type the following:

sudo apt-get install -y realvnc-vnc-server

As always, your feedback on the new release is very welcome; feel free to let us know what you think in the comments or on the forums.

AWS Week in Review – September 19, 2016

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/aws-week-in-review-september-19-2016/

Eighteen (18) external and internal contributors worked together to create this edition of the AWS Week in Review. If you would like to join the party (with the possibility of a free lunch at re:Invent), please visit the AWS Week in Review on GitHub.

New & Notable Open Source

  • ecs-refarch-cloudformation is a reference architecture for deploying Microservices with Amazon ECS, AWS CloudFormation (YAML), and an Application Load Balancer.
  • rclone syncs files and directories to and from S3 and many other cloud storage providers.
  • Syncany is an open source cloud storage and filesharing application.
  • chalice-transmogrify is an AWS Lambda Python Microservice that transforms arbitrary XML/RSS to JSON.
  • amp-validator is a serverless AMP HTML Validator Microservice for AWS Lambda.
  • ecs-pilot is a simple tool for managing AWS ECS.
  • vman is an object version manager for AWS S3 buckets.
  • aws-codedeploy-linux is a demo of how to use CodeDeploy and CodePipeline with AWS.
  • autospotting is a tool for automatically replacing EC2 instances in AWS AutoScaling groups with compatible instances requested on the EC2 Spot Market.
  • shep is a framework for building APIs using AWS API Gateway and Lambda.

New Customer Success Stories

  • NetSeer significantly reduces costs, improves the reliability of its real-time ad-bidding cluster, and delivers 100-millisecond response times using AWS. The company offers online solutions that help advertisers and publishers match search queries and web content to relevant ads. NetSeer runs its bidding cluster on AWS, taking advantage of Amazon EC2 Spot Fleet Instances.
  • New York Public Library revamped its fractured IT environment—which had older technology and legacy computing—to a modernized platform on AWS. The New York Public Library has been a provider of free books, information, ideas, and education for more than 17 million patrons a year. Using Amazon EC2, Elastic Load Balancer, Amazon RDS and Auto Scaling, NYPL is able to build scalable, repeatable systems quickly at a fraction of the cost.
  • MakerBot uses AWS to understand what its customers need, and to go to market faster with new and innovative products. MakerBot is a desktop 3-D printing company with more than 100 thousand customers using its 3-D printers. MakerBot uses Matillion ETL for Amazon Redshift to process data from a variety of sources in a fast and cost-effective way.
  • University of Maryland, College Park uses the AWS cloud to create a stable, secure and modern technical environment for its students and staff while ensuring compliance. The University of Maryland is a public research university located in the city of College Park, Maryland, and is the flagship institution of the University System of Maryland. The university uses AWS to migrate all of their datacenters to the cloud, as well as Amazon WorkSpaces to give students access to software anytime, anywhere and with any device.

Upcoming Events

Help Wanted

Stay tuned for next week! In the meantime, follow me on Twitter and subscribe to the RSS feed.

AWS Hot Startups – September 2016

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/aws-hot-startups-september-2016/

Tina Barr is back with this month’s hot startups on AWS!


Jeff;


It’s officially fall so warm up that hot cider and check out this month’s great AWS-powered startups:

  • Funding Circle – The leading online marketplace for business loans.
  • Karhoo – A ride comparison app.
  • nearbuy – Connecting customers and local merchants across India.

Funding Circle (UK)
Funding Circle is one of the world’s leading direct lending platforms for business loans, where people and organizations can invest in successful small businesses. The platform was established in 2010 by co-founders Samir Desai, James Meekings, and Andrew Mullinger as a direct response to the noncompetitive lending market that exists in the UK. Funding Circle’s goal was to create the infrastructure – similar to a stock exchange or bond market – where any investor could lend to small businesses. With Funding Circle, individuals, financial institutions, and even governments can lend to creditworthy small businesses using an online direct lending platform. Since its inception, Funding Circle has raised $300M in equity capital from the same investors that backed Facebook, Twitter, and Sky. The platform expanded to the US market in October 2013 and launched across Continental Europe in October 2015.

Funding Circle has given businesses the ability to apply online for loans much faster than they could through traditional routes due in part to the absence of high overhead branch costs and legacy IT issues. Their investors include more than 50,000 individuals, the Government-backed British Business Bank, the European Investment Bank, and many local councils and large financial institutions. To date, more than £1.4 billion has been lent through the platform to nearly 16,000 small businesses in the UK alone. Funding Circle’s growth has led independent experts to predict that it will see strong growth in the UK business lending market within a decade. The platform has also made a huge impact in the UK economy – boosting it by £2.7 billion, creating up to 40,000 new jobs, and helping to build more than 2,000 new homes.

As a regulated business, Funding Circle needs separate infrastructure in multiple geographies. AWS provides similar services across all of Funding Circle’s territories. They use the full AWS stack from the top, with Amazon Route 53 directing traffic across global Amazon EC2 instances, to data analytics with Amazon Redshift.

Check out this short video to learn more about how Funding Circle works!

Karhoo (New York)
Daniel Ishag, founder and CEO of Karhoo, found himself in a situation many of us have probably been in. He was in a hotel in California using an app to call a cab from one of the big on-demand services. The driver cancelled. Daniel tried three or four different companies and again, they all cancelled. The very next day he was booking a flight when he saw all of the ways in which travel companies clearly presented airline choices for travelers. Daniel realized that there was great potential to translate this to ground transportation – specifically with taxis and licensed private hire. Within 48 hours of this realization, he was on his way to Bombay to prototype the product.

Karhoo is the global cab comparison and booking app that provides passengers with more choices each time they book a ride. By connecting directly to the fleet dispatch system of established black cab, minicab, and executive car operators, the app allows passengers to choose the ride they want, at the right price with no surge pricing. The vendor-neutral platform also gives passengers the ability to pre-book their rides days or months in advance. With over 500,000 cars on the platform, Karhoo is changing the landscape of the on-demand transport industry.

In order to build a scalable business, Karhoo uses AWS to implement many independent integration projects, run an operation that is data-driven, and experiment with tools and technologies without committing to heavy costs. They utilize Amazon S3 for storage and Amazon EC2, Amazon Redshift, and Amazon RDS for operation. Karhoo also uses Amazon EMR, Amazon ElastiCache, and Amazon SES and is looking into future products such as a mobile device testing farm.

Check out Karhoo’s blog to keep up with their latest news!

nearbuy (India)
nearbuy is India’s first hyper-local online platform that gives consumers and local merchants a place to discover and interact with each other. They help consumers find some of the best deals in food, beauty, health, hotels, and more in over 30 cities in India. Here’s how to use them:

  • Explore options and deals at restaurants, spas, gyms, movies, hotels and more around you.
  • Buy easily and securely, using credit/debit cards, net-banking, or wallets.
  • Enjoy the service by simply showing your voucher on the nearbuy app (iOS and Android).

After continuously observing the amount of time people were spending on their mobile phones, six passionate individuals decided to build a product that allowed for all goods and services in India to be purchased online. nearbuy has been able to make the time gap between purchase and consumption almost instant, make experiences more relevant by offering them at the user’s current location, and allow services such as appointments and payments to be made from the app itself. The nearbuy team is currently charting a path to define how services can and will be bought online in India.

nearbuy chose AWS in order to reduce its time to market while aggressively scaling their operations. They leverage Amazon EC2 heavily and were one of the few companies in the region running their entire production load on EC2. The container-based approach has not only helped nearbuy significantly reduce its infrastructure cost, but has also enabled them to implement CI+CD (Continuous Integration / Continuous Deployment), which has reduced time to ship exponentially.

Stay connected to nearbuy by following them at https://medium.com/@nearbuy.

Tina Barr

Inside Arizona’s Pump Skimmer Scourge

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/09/inside-arizonas-pump-skimmer-scourge/

Crooks who deploy skimming devices made to steal payment card details from fuel station pumps don’t just target filling stations at random: They tend to focus on those that neglect to deploy various tools designed to minimize such scams, including security cameras, non-standard pump locks and tamper-proof security tape. But don’t take my word for it: Here’s a look at fuel station compromises in 2016 as documented by the state of Arizona, which has seen a dramatic spike in fuel skimming attacks over the past year.

KrebsOnSecurity examined nearly nine months' worth of pump skimming incidents in Arizona, where officials say they’ve documented more skimming attacks in the month of August 2016 alone than in all of 2015 combined.

With each incident, the Arizona Department of Agriculture’s Weights and Measures Services Division files a report detailing whether victim fuel station owners had observed industry best practices leading up to the hacks. As we can see from the interactive story map KrebsOnSecurity created below, the vast majority of compromised filling stations failed to deploy security cameras, and/or tamper-evident seals on the pumps.

Fewer still had changed the factory-default locks on their pumps, meaning thieves armed with a handful of master keys were free to unlock the pumps and install skimming devices at will.

These security report cards for fuel station owners aren’t complete assessments by any means. Some contain scant details about the above-mentioned precautionary measures, while other reports painstakingly document such information — complete with multiple photos of the skimming devices. Regardless, the data available show a clear trend of fraudsters targeting owners and operators that flout basic security best practices.

Indeed, the data assembled here suggests that skimmer thieves favor off-brand filling stations and target pumps furthest from the station/closest to the street. Also, all but three of the 35 incidents included in this report targeted fuel dispensers made by one manufacturer: Gilbarco — probably because the skimmer thieves responsible were armed with a master key for Gilbarco pumps.

In only one documented skimming incident did the station owner report having used non-standard pump locks. In some cases, the same filling station was hit with separate skimming attacks just a few months apart.

A portion of the incident report for the Bluetooth skimmers found at a gas station in Phoenix on Sept. 6, 2016

Investigators also appear to be increasingly finding pump skimmers that employ Bluetooth wireless technology. Bluetooth-based skimmers allow thieves to collect stolen card data merely by pulling up to a pump and downloading it with a Bluetooth-enabled laptop or mobile device (as opposed to taking the risk of re-opening the pumps to retrieve the siphoned card data).

A review of the locations of the skimmed stations suggests that skimmer scammers prefer poorly secured stations that are quite close to a major highway, no doubt so that they can get away from the station relatively quickly after the skimmers are planted. It’s unclear whether the skimming attacks documented here are the work of one or multiple scammers or gangs, but the activity pretty clearly shows a focus on stations directly off the main arteries from Phoenix on down to Tucson.
In some of the images in the slideshow above, it may be difficult to readily tell among the jumble of wires which bit is the skimmer. When in doubt, look for an area wrapped in black or grey colored electrical tape, which seems to be found in nearly all of these pump skimming attacks.

Arizona is almost certainly a microcosm of pump skimming activity going on nationally. Last year, KrebsOnSecurity ran an in-depth piece profiling a U.S. Secret Service task force that’s been battling a surge in pump skimming scams perpetrated by organized crime gangs in and around Los Angeles. Other stories on pump skimmers can be found in this search link.

Consumers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

I realize that the project above — made with the free StoryMap tool from Northwestern University’s Knight Lab — may be difficult to view comfortably within the confines of this blog. Here’s a direct link to the full map and timeline.

Now Available – Amazon Linux AMI 2016.09

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/now-available-amazon-linux-ami-2016-09/

My colleague Sean Kelly is part of the team that produces the Amazon Linux AMI. He shared the guest post below in order to introduce you to the newest version!


Jeff;


The Amazon Linux AMI is a supported and maintained Linux image for use on Amazon EC2.

We offer new major versions of the Amazon Linux AMI after a public testing phase that includes one or more Release Candidates. The Release Candidates are announced in the EC2 forum and we welcome feedback on them.

Launching 2016.09 Today
Today we are launching the 2016.09 Amazon Linux AMI, which is supported in all regions and on all current-generation EC2 instance types. The Amazon Linux AMI supports both HVM and PV modes, as well as both EBS-backed and Instance Store-backed AMIs.

You can launch this new version of the AMI in the usual ways. You can also upgrade an existing EC2 instance by running the following commands:

$ sudo yum clean all
$ sudo yum update

And then rebooting the instance.
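The two commands above plus the reboot can be wrapped in a small script that reboots only when the update actually installed a newer kernel than the one running, which avoids needless downtime on fleet-wide updates. This is an added example, not code from the post or from the Amazon Linux team; the wrapper functions, the reboot rule, and the sample kernel version strings are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): run the update steps from the text
# (yum clean all; yum update) and reboot only when a newer kernel than the
# running one has been installed. The functions and the reboot rule are
# assumptions about how a practitioner might wrap the two commands.
set -eu

# newest_version LIST: print the highest version string in a newline-
# separated list (sort -V orders 4.4.19-29 after 4.4.15-25 correctly).
newest_version() {
  printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n 1
}

# kernel_needs_reboot RUNNING INSTALLED
#   RUNNING   - the running kernel, as printed by `uname -r`
#   INSTALLED - installed kernel packages, one "version-release.arch" per line
# Returns 0 (true) when the newest installed kernel is not the running one.
kernel_needs_reboot() {
  running="$1"
  newest=$(newest_version "$2")
  [ -n "$newest" ] && [ "$running" != "$newest" ]
}

# apply_update: the steps from the post, followed by a conditional reboot.
# Must run as root (e.g. via sudo) on the instance itself.
apply_update() {
  yum clean all
  yum -y update
  installed=$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}\n')
  if kernel_needs_reboot "$(uname -r)" "$installed"; then
    echo "new kernel installed, rebooting"
    shutdown -r now
  else
    echo "no kernel change, reboot not required"
  fi
}

# Constructed sample values (not real output from any instance) so the
# decision logic can be exercised without touching yum or rpm.
SAMPLE_RUNNING='4.4.19-29.55.amzn1.x86_64'
SAMPLE_INSTALLED='4.4.15-25.57.amzn1.x86_64
4.4.19-29.55.amzn1.x86_64
4.4.23-31.54.amzn1.x86_64'

if [ "${1:-}" = "--apply" ]; then
  apply_update
elif kernel_needs_reboot "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED"; then
  echo "sample: reboot required"
else
  echo "sample: no reboot required"
fi
```

Run without arguments the script only exercises the decision logic on the constructed sample; `sudo sh upgrade.sh --apply` performs the real update on an instance. The reboot decision compares the running kernel with the newest installed one, so an update that touches only user-space packages leaves the instance up.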

New Features
The Amazon Linux AMI’s roadmap is driven in large part by customer requests. We’ve added a number of features in this release in response to these requests and to keep our existing feature set up-to-date:

Nginx 1.10 – Based on numerous customer requests, the Amazon Linux AMI 2016.09 repositories include the latest stable Nginx 1.10 release. You can install or upgrade to the latest version with sudo yum install nginx.

PostgreSQL 9.5 – Many customers have asked for PostgreSQL 9.5, and it is now available as a separate package from our other PostgreSQL offerings. PostgreSQL 9.5 is available via sudo yum install postgresql95.

Python 3.5 – Python 3.5, the latest in the Python 3.x series, has been integrated with our existing Python experience and is now available in the Amazon Linux AMI repositories. This includes the associated virtualenv and pip packages, which can be used to install and manage dependencies. The default python version for /usr/bin/python can be managed via alternatives, just like our existing Python packages. Python 3.5 and the associated pip and virtualenv packages can be installed via sudo yum install python35 python35-virtualenv python35-pip.

Amazon SSM Agent – The Amazon SSM Agent allows you to use Run Command in order to configure and run scripts on your EC2 instances and is now available in the Amazon Linux 2016.09 repositories (read Remotely Manage Your Instances to learn more). Install the agent by running sudo yum install amazon-ssm-agent and start it with sudo /sbin/start amazon-ssm-agent.

Learn More
To learn more about all of the new features of the new Amazon Linux AMI, take a look at the release notes.

Sean Kelly, Amazon Linux AMI Team

PS – If you would like to work on future versions of the Amazon Linux AMI, check out our Linux jobs!


Cloudflare: We Can’t Shut Down Pirate Sites

Post Syndicated from Ernesto original https://torrentfreak.com/cloudflare-we-cant-stop-pirate-sites-160927/

As one of the leading CDN and DDoS protection services, Cloudflare is used by millions of websites across the globe.

This includes thousands of “pirate” sites, including The Pirate Bay, who rely on the U.S. based company to keep server loads down.

Copyright holders are generally not happy that Cloudflare is doing business with these sites. While most stop at complaining, adult entertainment outfit ALS Scan took the matter to court.

In a complaint filed at a California federal court two months ago, the company accused the CDN service of various counts of copyright and trademark infringement. ALS listed several copyright-infringing websites Cloudflare does business with, but which it allegedly failed to terminate as clients.

Yesterday, Cloudflare responded to the allegations (pdf), arguing that ALS Scan has no legal grounds to come after them. For this reason, they say the entire case should be dismissed.

Among other things, Cloudflare argues that they are not liable for contributory copyright infringement. Even if it wanted to, it couldn’t take any measures to effectively stop pirate sites from operating.

“CloudFlare is not the operator of the allegedly infringing sites but is merely one of the many intermediaries across the internet that provide automated CDN services, which result in the websites in question loading a bit faster than they would if they did not utilize CDN services.”

If Cloudflare terminated the accounts of allegedly infringing websites, the sites themselves would still continue to exist. It would just require a simple DNS reconfiguration to continue their operation.

“Indeed, there are no measures of any kind that CloudFlare could take to prevent this alleged infringement, because the termination of CloudFlare’s CDN services would have no impact on the existence and ability of these allegedly infringing websites to continue to operate,” Cloudflare writes.

As such, the company argues that it’s not “materially contributing” to any of the alleged copyright infringements.

This role puts Cloudflare on par with other third party service providers such as domain registrars and advertisers. The question of whether these services can be held liable for pirate sites is at the heart of this case.

The CDN provider further stresses that the claims for contributory copyright infringement also fail under the “inducement” theory.

Under the Grokster ruling, inducement would require an intentional form of advertising or messaging where the public is encouraged to infringe. This is not the case here, the company argues.

“Here, ALS has pleaded no facts regarding such a theory. Instead, ALS makes only conclusory allegations using the term inducement, devoid of any factual support,” Cloudflare writes.

“For instance, ALS Scan does not plead (as it must) facts sufficient to allege that CloudFlare solicited, advertised, promoted or rewarded acts of direct infringement by others, or that CloudFlare was created for the purpose of facilitating mass copyright infringement.”

In addition to the above, Cloudflare says that ALS fails to state proper claims for other forms of copyright and trademark infringement, asking the court to dismiss the case.

Advertising network JuicyAds, which is also named in the suit, requested the same earlier this month. All parties will have a chance to defend their positions in a court hearing, after which the court will have to decide how to continue.

With theoretical damages that can run to dozens of millions of dollars as well as broad liability implications, it’s expected to become a heated fight.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.