Tag Archives: Other

AWS Week in Review – October 17, 2016

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/aws-week-in-review-october-17-2016/

Wow, a lot is happening in AWS-land these days! Today’s post included submissions from several dozen internal and external contributors, along with material from my RSS feeds, my inbox, and other things that come my way. To join in the fun, create (or find) some awesome AWS-related content and submit a pull request!

New AWS Marketplace Listings

  • Application Development
    • Joomla 3.6.0 + Apache + MySQL + AMAZONLINUX AMI by MIRI Infotech Inc, sold by Miri Infotech.
    • LAMP 5 MariaDB and LAMP 7 MariaDB, sold by Jetware.
    • Secured Acquia Drupal on Windows 2008 R2, sold by Cognosys Inc.
    • Secured BugNet on Windows 2008 R2, sold by Cognosys Inc.
    • Secured CMS Gallery on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Kooboo CMS on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Lemoon on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Magento on Windows 2008 R2, sold by Cognosys Inc.
    • Secured MyCV on Windows 2012 R2, sold by Cognosys Inc.
    • Secured nService on Windows 2012 R2, sold by Cognosys Inc.
    • Secured Orchard CMS on Windows 2008 R2, sold by Cognosys Inc.
  • Application Servers
    • Microsoft Dynamics NAV 2016 for Business, sold by Data Resolution.
    • Microsoft Dynamics GP 2015 for Business, sold by Data Resolution.
    • Microsoft Dynamics AX 2012 for Business, sold by Data Resolution.
    • Microsoft Dynamics SL 2015 for Business, sold by Data Resolution.
    • Redis 3.0, sold by Jetware.
  • Application Stacks
    • LAMP 5 Percona and LAMP 7 Percona, sold by Jetware.
    • MySQL 5.1, MySQL 5.6, and MySQL 5.7, sold by Jetware.
    • Percona Server for MySQL 5.7, sold by Jetware.
    • Perfect7 LAMP v1.1 Multi-PHP w/Security (HVM), sold by Archisoft.
    • Perfect7 LAMP v1.1 Multi-PHP Base (HVM), sold by Archisoft.
  • Content Management
    • DNN Platform 9 Sandbox – SQL 2016, IIS 8.5, .Net 4.6, W2K12R2, sold by Benjamin Hermann.
    • iBase 7, sold by iBase.
    • MediaWiki powered by Symetricore (Plus Edition), sold by Symetricore.
    • Secured CompositeC1 on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Dot Net CMS on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Gallery Server on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Joomla on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Mayando on Windows 2008 R2, sold by Cognosys Inc.
    • Secured phpBB on Windows 2008 R2, sold by Cognosys Inc.
    • Secured Wiki Asp.net on Windows 2008 R2, sold by Cognosys Inc.
    • SharePoint 2016 Enterprise BYOL with paid support, sold by Data Resolution.
    • WordPress Powered by AMIMOTO (Auto-Scaling ready), sold by DigitalCube Co. Ltd.
  • Databases
    • MariaDB 5.5, 10.0, and 10.1, sold by Jetware.
    • Redis 3.2, sold by Jetware.
  • eCommerce
    • Secured AspxCommerce on Windows 2008 R2, sold by Cognosys Inc.
    • Secured BeYourMarket on Windows 2008 R2, sold by Cognosys Inc.
    • Secured DashCommerce on Windows 2008 R2, sold by Cognosys Inc.
    • Vikrio, sold by Vikrio.
  • Issue & Bug Tracking
    • Redmine 2.6 and Redmine 3.3, sold by Jetware.
  • Monitoring
    • Memcached 1.4, sold by Jetware.
  • Network Infrastructure
    • 500 Mbps Load Balancer with Commercial WAF Subscription, sold by KEMP Technologies.
  • Operating System
    • Ubuntu Desktop 16.04 LTS (HVM), sold by Netspectrum Inc.
  • Security
    • AlienVault USM (Unified Security Management) Anywhere, sold by AlienVault.
    • Armor Anywhere CORE, sold by Armor Defense.
    • Hillstone CloudEdge Virtual-Firewall Advanced Edition, sold by Hillstone Networks.
    • Negative SEO Monitoring, sold by SEO Defend.

Stay tuned for next week! In the meantime, follow me on Twitter and subscribe to the RSS feed.

The Linux Foundation Technical Advisory Board election

Post Syndicated from corbet original http://lwn.net/Articles/704407/rss

The Linux Foundation’s Technical
Advisory Board
provides the development community (primarily the kernel
development community) with a voice in the Foundation’s decision-making
process. Among other things, the TAB chair holds a seat on the
Foundation’s board of directors. The next TAB election will be held on
November 2 at the Kernel Summit in Santa Fe, NM; five TAB members (½
of the total) will be selected there. The nomination process is open until
voting begins; anybody interested in serving on the TAB is encouraged to
throw their hat into the ring.

BPI Reports Quarter Billion ‘Pirate’ Links to Google, Ask UK Govt. For Help

Post Syndicated from Ernesto original https://torrentfreak.com/bpi-reports-quarter-billion-pirate-links-to-google-ask-uk-govt-for-help-161024/

Despite the growing availability of legal music services in many countries, record labels are facing a constant stream of pirated music.

In an attempt to prevent these infringements, BPI and other music industry groups send millions of takedown notices to Internet services every month.

Although several major search engines are targeted, most of these requests are directed at Google. The numbers are quite staggering, and over the past few hours UK music industry group BPI hit a new milestone.

BPI just crossed the mark of 250,000,000 reported links, and is currently adding nearly three million new ones every week.

The majority of these allegedly copyright infringing URLs have been removed from Google’s search results. While this usually happens in a matter of hours, the music group believes that more should be done to address the underlying problem.

“Consumers are still too often directed towards the online black market when they search online for entertainment, rather than to legal services that reward artists and creators,” BPI Chief Executive Geoff Taylor informs TorrentFreak.

“The fact the BPI alone has now sent a quarter of a billion notices to Google to remove search results directing consumers to illegal copies of music – and almost as many again to Bing – demonstrates that there is a major problem underlying the UK digital economy,” he adds.

Copyright holder groups and search engines have organized several roundtable discussions in an attempt to find new solutions, but thus far without a satisfactory result for both sides.

In recent years Google has introduced a variety of tweaks and changes to the way its search engine operates. It downranks sites for which it receives a lot of takedown requests, for example. Similarly, it actively promotes legal content in search results.

However, BPI and other rightsholders would like search engines to go even further, by delisting pirate sites in their entirety or making sure that pirated content can’t simply reappear under a new URL.

Google is not willing to go this far, as it may lead to over-blocking and other problems, which has brought both camps to a stalemate.

BPI hopes that the UK Government can help to break this impasse. Lawmakers are currently working on a new and revised version of the Digital Economy Bill which could be used to address the search issue, by demanding a proactive stance from Google, Bing and others.

“The Digital Economy Bill which is before Parliament represents a real opportunity for Government to back the creative businesses that provide millions of UK jobs, by insisting that search engines put in place an effective Code of Practice to address this problem,” Taylor says.

While the search issue has been brought up in the recent discussions in parliament, there is no search engine related language in the current form of the bill. So for now, BPI has to keep adding to the quarter billion URLs they have targeted already, onto the next milestone.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Top 10 Most Pirated Movies of The Week – 10/24/16

Post Syndicated from Ernesto original https://torrentfreak.com/top-10-pirated-movies-week-102416/

This week we have two newcomers in our chart.

Suicide Squad is the most downloaded movie for the third week in a row.

The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are Web-DL/Webrip/HDRip/BDrip/DVDrip unless stated otherwise.

RSS feed for the weekly movie download chart.

Ranking (last week) Movie IMDb Rating / Trailer
1 (1) Suicide Squad 6.7 / trailer
2 (…) Bad Moms 6.5 / trailer
3 (2) Don’t Breathe 7.5 / trailer
4 (…) Sausage Party 6.7 / trailer
5 (4) Star Trek Beyond 7.4 / trailer
6 (3) Lights Out 6.6 / trailer
7 (6) Mechanic: Resurrection 5.8 / trailer
8 (9) Independence Day: Resurgence 5.4 / trailer
9 (10) The Infiltrator 7.2 / trailer
10 (7) Captain America: Civil War 8.1 / trailer

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.


Post Syndicated from Eevee original https://eev.ee/blog/2016/10/23/inktober/

Inktober is an ancient and hallowed art tradition, dating all the way back to sometime, when it was started by someone. The idea is simple: draw something in ink every day. Real ink. You know. On paper.

I tried this last year. I quit after four days. Probably because I tried to do it without pencil sketches, and I’m really not very good at drawing things correctly the first time. I’d hoped that forcing myself to do it would spark some improvement, but all it really produced was half a week of frustration and bad artwork.

This year, I was convinced to try again without unnecessarily handicapping myself, so I did that. Three weeks and more than forty ink drawings later, here are some thoughts.

Some background

I’ve been drawing seriously since the beginning of 2015. I spent the first few months working primarily in pencil, until I was gifted a hand-me-down tablet in March; almost everything has been digital since then.

I’ve been fairly lax about learning to use color effectively — I have enough trouble just producing a sketch I like, so I’ve mostly been trying to improve there. Doesn’t feel worth the effort to color a sketch I’m not really happy with, and by the time I’m really happy with it, I’m itching to draw something else. Whoops. Until I get quicker or find some mental workaround, monochrome ink is a good direction to try.

I have an ongoing “daily” pokémon series, so I’ve been continuing that in ink. (Everyone else seems to be using some list of single-word prompts, but I didn’t even know about that until after I’d started, so, whoops.)

I’ve got a few things I want to get better at:

  • Detailing, whatever that means. Part of the problem is that I’m not sure what it means. My art is fairly simple and cartoony, and I know it’s possible to be more detailed without doing realistic shading, but I don’t have a grasp of how to think about that.

  • Better edges, which mostly means line weight. I mentally categorize this as a form of scale, which also includes tips like “don’t let parallel lines get too close together” and “don’t draw one or two very small details”.

  • Better backgrounds and environments. Or, let’s be honest, any backgrounds and environments — I draw an awful lot of single characters floating in an empty white void. My fixed-size canvas presents an obvious and simple challenge: fill the page!

  • More interesting poses, and relatedly, getting a better hang of anatomy. I started drawing the pokémon series partly for this reason: a great many pokémon have really unusual shapes I’ve tried drawing before. Dealing with weird anatomy and trying to map it to my existing understanding should hopefully flex some visualization muscles.

  • Lighting, probably? I’m aware that things not facing a light source are in shadow, but my understanding doesn’t extend very far beyond that. How does light affect a large outdoor area? How can you represent the complexity of light and shadow with only a single pen? Art, especially cartoony art, has an entire vocabulary of subtle indicators of shadow and volume that I don’t know much about.

Let’s see what exactly I’ve learned.

Analog materials are very different

I’ve drawn plenty of pencil sketches on paper, and I’ve done a few watercolors, but I’ve never done this volume of “serious” art on paper before.

All my inks so far are in a 3.5” × 5” sketchbook. I’ll run out of pages in a few days, at which point I’ll finish up the month in a bigger sketchbook. It’s been a mixed blessing: I have less page to fill, but details are smaller and more fiddly, so mistakes are more obvious. I also don’t have much room for error with the composition.

I started out drawing with a small black Faber–Castell “PITT artist pen”. Around day five, I borrowed C3 and C7 (light and dark cool greys) Copic sketch markers from Mel; later I got a C5 as well. A few days ago I bought a Lamy Safari fountain pen with Noodler’s Heart of Darkness ink.

Both the FC pen and the fountain pen are ultimately still pens, but they have some interesting differences in edge cases. Used very lightly at an extreme angle, the FC pen produces very scratchy-looking lines… sometimes. Sometimes it does nothing instead, and you must precariously tilt the pen until you find the magical angle, hoping you don’t suddenly get a solid line where you didn’t want it. The Lamy has been much more consistent: it’s a little more willing to draw thinner lines than it’s intended for, and it hasn’t created any unpleasant surprises. The Lamy feels much smoother overall, like it flows, which is appropriate since that’s how fountain pens work.

Markers are interesting. The last “serious” art I did on paper was watercolor, which is pretty fun — I can water a color down however much I want, and if I’m lucky and fast, I can push color around on the paper a bit before it dries. Markers, ah, not so much. Copics are supposed to be blendable, but I’ve yet to figure out how to make that happen. It might be that my sketchbook’s paper is too thin, but the ink seems to dry within seconds, too fast for me to switch markers and do much of anything. For the same reason, I have to color an area by… “flood-filling”? I can’t let the edge of the colored area dry, or when I go back to extend that edge, I’ll be putting down a second layer of ink and create an obvious dark band. I’ve learned to keep the edge wet as much as possible.

On the plus side, going over dry ink in the same color will darken it, and I’ve squeezed several different shades of gray out of just the light marker. The brush tip can be angled in several different ways to make different shapes; I’ve managed a grassy background and a fur texture just by holding the marker differently. Marker ink does bleed very slightly, but it tends to stop at pen ink, a feature I’ve wanted in digital art for at least a century. I can also kinda make strokes that fade out by moving the marker quickly and lifting it off the paper as I go; surely there are more clever things to be done here, but I’ve yet to figure them out.

The drawing of bergmite above was done as the light marker started to run dry, which is not a problem I was expecting. The marker still worked, but not very well. The strokes on the cave wall in the background aren’t a deliberate effect; those are the strokes the marker was making, and I tried to use them as best I could. I didn’t have the medium marker yet, and the dark marker is very dark — almost black. I’d already started laying down marker, so I couldn’t very well finish the picture with just the pen, and I had to improvise.

Ink is permanent

Well. Obviously.

I have to be pretty careful about what I draw, which creates a bit of a conflict. If I make smooth, confident strokes, I’m likely to fuck them up, and I can’t undo and try again. If I make a lot of short strokes, I get those tell-tale amateurish scratchy lines. If I trace my sketch very carefully and my hand isn’t perfectly steady, the resulting line will be visibly shaky.

I probably exacerbated the shaky lines with my choice of relatively small paper; there’s no buffer between those tiny wobbles and the smallest level of detail in the drawing itself. I can’t always even see where my tiny sketch is going, because my big fat fingers are in the way.

I’ve also had the problem that my sketch is such a mess that I can’t tell where a line is supposed to be going… until I’ve drawn it and it’s obviously wrong. Again, small paper exacerbates this by compressing sketches.

Since I can’t fix mistakes, I’ve had to be a little creative about papering over them.

  • I did one ink with very stark contrast: shadows were completely filled with ink, highlights were bare paper. No shading, hatching, or other middle ground. I’d been meaning to try the approach anyway, but I finally did it after making three or four glaring mistakes. In the final work, they’re all hidden in shadow, so you can’t really tell anything ever went wrong.

  • I’ve managed to disguise several mistakes of the “curved this line too early” variety just by adding some more parallel strokes and pretending I intended to hatch it all along.

  • One of the things I’ve been trying to figure out is varying line weight, and one way to vary it is to make edges thicker when in shadows. A clever hack has emerged here.

    You see, it’s much easier for me to draw an upwards arc than a downwards arc. (I think this is fairly universal?) I can of course just rotate the paper, but if I’m drawing a cylinder, it’s pretty obvious when the top was drawn with a slight bias in one direction and the bottom was drawn with a slight bias in the other direction.

    My lifehack is to draw the top and bottom with the paper oriented the same way, then gradually thicken the bottom, “carving” it into the right shape as I go. I can make a lot of small adjustments and still end up with a single smooth line that looks more or less deliberate.

  • As a last resort… leave it and hope no one notices. That’s what I did for the floatzel above, who has a big fat extra stroke across their lower stomach. It’s in one of the least interesting parts of the picture, though, so it doesn’t really stand out, even though it’s on one of the lightest surfaces.

Ink takes a while

Ink drawings feel like they’ve consumed my entire month. Sketching and then lining means drawing everything twice. Using physical ink means I have to nail the sketch — but I’m used to digital, where I can sketch sloppily and then fix up lines as I go. I also can’t rearrange the sketch, move it around on the paper if I started in the wrong place, or even erase precisely, so I’ve had to be much more careful and thoughtful even with pencil. That’s a good thing — I don’t put nearly enough conscious thought into what I’m drawing — but it definitely takes longer. In a few thorny cases I’ve even resorted to doing a very loose digital sketch, then drawing the pencil sketch based off of that.

All told, each one takes maybe two hours, and I’ve been doing two at a time… but wait, that’s still only four hours, right? How are they taking most of a day?

I suspect a bunch of factors are costing me more time than expected. If I can’t think of a scene idea, I’ll dawdle on Twitter for a while. Two “serious” attempts in a medium I’m not used to can be a little draining and require a refractory period. Fragments of time between or around two larger tasks are, of course, lost forever. And I guess there’s that whole thing where I spent half the month waking up in the middle of the night for no reason and then being exhausted by late evening.

Occasionally I’ve experimented with some approach that turns out to be incredibly tedious and time-consuming, like the early Gardevoir above. You would not believe how long that damn grass took. Or maybe you would, if you’d ever tried similar. Even the much lazier tree-covered mountain in the background seemed to take a while. And this is on a fairly small canvas!

I’m feeling a bit exhausted with ink work at this point, which is not the best place to be after buying a bunch of ink supplies. I definitely want to do more of it in the future, but maybe not daily. I also miss being able to undo. Sweet, sweet undo.

Precision is difficult, and I am bad at planning

These turn out to be largely the same problem.

I’m not a particularly patient person, so I like to jump from the sketch into the inking as soon as possible. Sometimes this means I overlook some details. Here’s that whole “not consciously thinking enough” thing again. Consider, in the above image,

  • The two buildings at the top right are next to each other, yet the angles of their roofs suggest they’re facing in slightly different directions, which doesn’t make a lot of sense for artificial structures.

  • The path leading from the dock doesn’t quite make sense, and the general scale of the start of the dock versus the shrubs and trees is nonsense. The trees themselves are pretty cool, but it looks like I plopped them down individually without really having a full coherent plan going in. Which is exactly what happened.

    Imagining spaces in enough detail to draw them is tough, and not something I’ve really had to do much before. It’s ultimately the same problem I have with game level design, though, so hopefully a breakthrough in one will help me with the other.

  • Phantump’s left eye has a clear white edge showing the depth of the hole in the trunk, but the right eye’s edge was mostly lost to some errant strokes and subsequent attempts to fix them. Also, even the left margin is nowhere near as thick as the trunk’s bottom edge.

  • The crosshatched top of phantump’s head blends into the noisy grassy background. The fix for this is to leave a thin white edge around the top of the head. I think I intended to do this, then completely forgot about it as I was drawing the grass. I suppose I’m not used to reasoning about negative space; I can’t mark or indicate it in any way, nor erase the ink if I later realize I laid down too much.

  • The pupils don’t quite match, but I’d already carved them down a good bit. Negative space problem again. Highlights on dark areas have been a recurring problem all month, especially with markers.

I have no idea how people make beautifully precise inkwork. At the same time, I’ve long had the suspicion that I worry too much about precision and should be a lot looser. I’m missing something here, and I don’t know what it is.

What even is pokémon anatomy

This is a wigglytuff. Wigglytuffs are tall blobs with ears.

I had such a hard time sketching this. (Probably why I rushed the background.)

It turns out that if you draw a wigglytuff even slightly off, the result is a tall blob with ears rather than a wigglytuff. That makes no sense, especially given that wigglytuffs are balloons. Surely, the shape shouldn’t be such a strong part of the wigglytuff identity, and yet it is.

Maybe half of the pokémon I’ve drawn have had some anatomical surprise, even ones I thought I was familiar with. Aerodactyl and huntail have a really pronounced lower jaw. Palpitoad has no arms at all. Pelipper is 70% mouth. Zangoose seems like a straightforward mammal at first glance, but the legs and body and head are all kind of a single blob. Numerous pokémon have no distinct neck, or no distinct shoulders, or a very round abdomen with legs kind of arbitrarily attached somewhere.

Progress, maybe

I don’t know what precisely I’ve gotten out of this experience. I can’t measure artistic progress from one day to the next. I do feel like I’ve gleaned some things, but they seem to be very abstract things. I’m out of the total beginner weeds and solidly into the intermediate hell of just picking up hundreds of little things no one really talks about. All I can do is cross my fingers and push forwards.

The crowd favorite so far is this mega rayquaza, which is kinda funny to me because I don’t feel like I did anything special here. I just copied a bunch of fiddly details. It looks cool, but it felt more like rote work than a struggle to do a new thing.

My own favorite is this much simpler qwilfish. It’s the culmination of several attempts to draw water that I liked, and it came out the best by far. The highlight is also definitely the best I’ve drawn this month. Interesting how that works out.

The rest are on Tumblr, or in this single Twitter thread.

Weekly roundup: Inktober 3: Tokyo Drift

Post Syndicated from Eevee original https://eev.ee/dev/2016/10/23/weekly-roundup-inktober-3-tokyo-drift/

I see a light at the end of the tunnel… it’s… it’s the end of Inktober! I’m so close…

  • art: More ink drawings of Pokémon. I got a fountain pen and am still getting used to it. I did a little doodling in the lost sketchbooks I found last week.

  • devops: I upgraded koiru (machine that runs my IRC and some other small things) by, uh, two entire Ubuntu LTS releases, then spent hours fixing all the obscure stuff that broke. Later I also fixed Munin, despite not really ever looking at the graphs, because I like graphs.

  • blog: More note-taking and… pivoting? for a special post. Wrote and published a post about word-wrapping dialogue boxes in games. Wrote about half of a post about Inktober, which I should be publishing tonight, I hope?

  • doom: I spent a couple hours dinking around with a secret MAP31 idea I had.

I am so behind on writing that I might die.

Politifact: Yes we can fact check Kaine’s email

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/10/politifact-yes-we-can-fact-check-kaines.html

This Politifact post muddles over whether the Wikileaks leaked emails have been doctored, specifically the one about Tim Kaine being picked a year ago. The post is wrong — we can verify this email and most of the rest.

In order to block spam, emails nowadays carry a form of digital signature (DKIM) that verifies their authenticity. This is automatic; it happens on most modern email systems without users being aware of it.

This means we can indeed validate most of the Wikileaks leaked DNC/Clinton/Podesta emails. There are many ways to do this, but the easiest is to install the popular Thunderbird email app along with the DKIM Verifier addon. Then go to the Wikileaks site and download the raw source of the email https://wikileaks.org/podesta-emails/emailid/2986.

As you see in the screenshot below, the DKIM signature verifies as true.

If somebody doctored the email, such as changing the date, then the signature would not verify. I try this in the email below, changing the date from 2015 to 2016. This causes the signature to fail.

There are some ways to forge DKIM-signed emails, specifically if the sender uses short keys. When short keys are used, hackers can “crack” them, and sign fraudulent emails. This doesn’t apply to GMail, which uses strong 2048-bit keys, as demonstrated in the following screenshot. (No, the average person isn’t supposed to understand this screenshot, but experts can).

What this means is that the only way this email could’ve been doctored is if there has been an enormous, nation-state level hack of Google to steal their signing key. It’s possible, of course, but extraordinarily improbable. It’s conspiracy-theory level thinking. Google GMail has logs of which emails went through its systems — if there was a nation-state attack able to forge them, Google would know, and they’d be telling us. (For one thing, they’d be forcing password resets on all our accounts).
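What the Thunderbird add-on is doing under the hood, as an added example that is not part of the original post: a self-contained Python sketch of DKIM signing and verification per RFC 6376 (relaxed canonicalization, the bh= body hash, RSA-SHA256 with PKCS#1 v1.5 padding over the signed headers). It assumes a toy 512-bit RSA key generated in-process rather than Google’s DNS-published key, a constructed sample message rather than the leaked one, and the hypothetical domain and selector example.com / sel1. The hand-rolled RSA and Miller-Rabin are for illustration only; a real verifier uses a crypto library and fetches the public key from the selector._domainkey.domain TXT record.

```python
import base64, hashlib, hmac, re, secrets

def relaxed_header(name, value):                # RFC 6376 "relaxed" header canonicalization
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()   # unfold, collapse WSP
    return f"{name.lower()}:{value}\r\n"

def relaxed_body(body):                         # "relaxed" body canonicalization
    lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in body.split("\r\n")]
    return "\r\n".join(lines).rstrip("\r\n") + "\r\n"   # drop trailing empty lines

def parse_message(raw):
    # -> ({lowercased name: value}, body); last instance wins, as DKIM selects bottom-up
    head, _, body = raw.partition("\r\n\r\n")
    headers, name = {}, None
    for line in head.split("\r\n"):
        if line[:1] in " \t":                   # folded continuation line
            headers[name] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            name = name.lower()
            headers[name] = value
    return headers, body

def signed_data(headers, h_list, dkim_value):
    # header-hash input: h= headers in order, then DKIM-Signature with b= blanked, no final CRLF
    blanked = ";".join(t[: t.index("b=") + 2] if t.strip().startswith("b=") else t
                       for t in dkim_value.split(";"))
    data = "".join(relaxed_header(n, headers[n.lower()]) for n in h_list)
    return (data + relaxed_header("DKIM-Signature", blanked).rstrip("\r\n")).encode()

def is_probable_prime(n, rounds=32):            # Miller-Rabin, demo grade (n odd, n > 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def gen_rsa(bits=512):
    # toy keygen; 512-bit moduli are the "short keys" the post says can be cracked
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e, p, q = 65537, prime(bits // 2), prime(bits // 2)
    while p == q or (p - 1) * (q - 1) % e == 0:
        q = prime(bits // 2)
    return (p * q, pow(e, -1, (p - 1) * (q - 1))), (p * q, e)   # (private, public)

def pkcs1_v15_encode(digest, k):                # EMSA-PKCS1-v1_5 with the SHA-256 DigestInfo
    t = bytes.fromhex("3031300d060960864801650304020105000420") + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_v15_encode(hashlib.sha256(data).digest(), k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def rsa_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_v15_encode(hashlib.sha256(data).digest(), k))

def dkim_sign(raw, domain, selector, priv, h_list=("from", "to", "subject", "date")):
    headers, body = parse_message(raw)
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()
    value = (f" v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};"
             f" h={':'.join(h_list)}; bh={bh}; b=")
    b = base64.b64encode(rsa_sign(priv, signed_data(headers, h_list, value))).decode()
    return f"DKIM-Signature:{value}{b}\r\n" + raw

def dkim_verify(raw, pub):
    # -> (body_hash_ok, header_signature_ok); a real verifier fetches pub from DNS
    headers, body = parse_message(raw)
    value = headers["dkim-signature"]
    tags = {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (t.split("=", 1) for t in value.split(";") if t.strip())}
    body_ok = hmac.compare_digest(base64.b64decode(tags["bh"]),
                                  hashlib.sha256(relaxed_body(body).encode()).digest())
    header_ok = rsa_verify(pub, signed_data(headers, tags["h"].split(":"), value),
                           base64.b64decode(tags["b"]))
    return body_ok, header_ok

RAW_MESSAGE = ("From: Alice <alice@example.com>\r\nTo: Bob <bob@example.com>\r\n"   # constructed
               "Subject: shortlist\r\nDate: Mon, 19 Oct 2015 10:00:00 -0400\r\n\r\nSee attached.\r\n")

def demo():
    priv, pub = gen_rsa()
    signed = dkim_sign(RAW_MESSAGE, "example.com", "sel1", priv)
    return (dkim_verify(signed, pub), dkim_verify(signed.replace("Oct 2015", "Oct 2016"), pub),
            dkim_verify(signed.replace("attached", "rejected"), pub))  # intact; Date edited; body edited
```

demo() signs the sample and verifies it three times: intact, with the Date header changed from 2015 to 2016 (the edit the post tries), and with the body changed. The Date edit breaks the header signature, as the post shows. The body edit leaves the header signature valid and only the bh= hash mismatches, which is why a verifier has to fail on either check. Note also that DKIM binds only the headers listed in h=; a header the signer did not list can be altered without affecting the result, so the verdict covers the signed headers and body, not the whole message.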

Since DKIM verifies this email and most of the others, we conclude that Kaine is “pants on fire” lying about this specific email, and “mostly untrue” in his claim that the Wikileaks emails have been doctored.

On the other hand, Wikileaks only shows us some of the emails. We don’t see context. We don’t see other staffers certain it’s going to be somebody else for VP. We don’t see related email discussions that cast this one in a different light. So of course whether this (verified) email means they’d firmly chosen Kaine is “mostly unproven”. The purpose of this document isn’t diagnosing what the emails mean, only the claims by Hillary’s people that these emails have been “doctored”.

As a side note, I offer a 1-BTC (one bitcoin, ~$600 at today’s exchange rate) bounty to anybody who can prove me wrong. If you can doctor the above email, then you win the bounty. Some rules apply (i.e. it needs to be a real doctored email, not a trick). I offer this bounty because already people are trying to cast doubt on whether DKIM works, without offering any evidence. Put up or shut up.

iKeepSafe Inadvertently Gives Students a Valuable Lesson in Creators’ Rights

Post Syndicated from Andy original https://torrentfreak.com/ikeepsafe-inadvertently-gives-students-a-valuable-lesson-in-creators-rights-161023/

Children and students of all kinds are some of the most valuable assets to society. After all, they’re literally the future of the planet. As a result, hundreds of groups around the world dedicate themselves to protecting their interests, from general welfare and healthcare to Internet safety.

One of the groups dedicated to the latter is the Internet Keep Safe Coalition (iKeepSafe), an alliance of policy leaders, educators, law enforcement and technology experts.

iKeepSafe has launched a new initiative in partnership with pro-copyright/anti-piracy group Creative Future called the Contribute to Creativity Challenge.

“We know that when students are given the opportunity to be creative, they not only learn to make conscious choices about sharing their creative work, but they also understand the value of respecting the rights of other creators,” iKeepSafe says.

The challenge is a competition which requires students to submit electronic projects that center around the importance of behaving well online, such as respecting copyright and related rights.

“To participate, each entrant will need to submit an electronic project educating others about the importance of being an ethical, responsible online digital citizen,” iKeepSafe notes.

“The submissions will be judged according to the judging rubric and the winning entries will each receive a $75 Amazon gift card for books or classroom supplies.”

For those submitting entries the exercise of considering what makes a good digital citizen should be an enlightening one. Indeed, the creative process itself should also be enjoyable and educational, further sweetened by the prospect of a few bucks should the entry be a winner.

But for those young creators getting involved, there’s another equally valuable lesson to be learned from this exercise, even at the tender age of 12.

It’s quite likely that some participating students will be considering getting involved in the business of content creation, whether that’s in the music, movie, TV, or publishing sectors. With that in mind, they should consider the terms and conditions of any contracts entered into. This competition is a great place to start.

The Contribute to Creativity Challenge has five pages of T&Cs (pdf). They include rules that submitted content cannot infringe other people’s intellectual property rights or condone any illegal activities, which is fair enough.

However, since this is all about being creative and respecting creators’ rights, we took a look at what rights these young creators will have over their content after it’s submitted to the competition and what uses it will be put to thereafter.

“By entering the Competition, each Entrant hereby grants to Promoter and their assigns, licensees and designees a non-exclusive, irrevocable, perpetual license to use, copy, publish, and publicly display the Entry and all elements of the Entry (including, but not limited to, the Entrant’s name, city and country, biographical information, statements, voice, photograph and other likeness (unless prohibited by law)) in whole or in part,” the conditions read.

Of course, some kind of license is required if the competition operators are to be able to do anything with the entries. However, it also means that whether the entrant likes it or not (or even understands the legal jargon), their submitted work can be published along with their photographs until the end of time by iKeepSafe, “in any and all media either now known or not currently known, in perpetuity throughout the universe for all purposes.”

In perpetuity. Universe. All purposes. And, just to be clear, “without notification and without compensation of any kind to Entrant or any third party.” (emphasis ours)

Of course, there will be many students who will relish the thought of their projects gaining some publicity since that could really help their profile. However, it seems likely from the conditions of the competition that what iKeepSafe really wants is free material for upcoming campaigns.

“The Promoter shall have the right, without limitation, to reproduce, alter, amend, edit, publish, modify, crop and use each Entry in connection with commercials, advertisements and promotions related to the Promoter, the sale of Promoter’s products, the Competition and any other competition sponsored by Promoter, in any and all media, now or hereafter known, including but not limited to, all forms of television distribution, theatrical advertisements, radio, the Internet, newspapers, magazines and billboards,” the conditions read.

The eagle-eyed will have noticed that student entrants grant iKeepSafe a non-exclusive license, which usually means that they are also free to exploit their works themselves, a luxury that an exclusive license does not offer. While that’s a good thing, a subsequent clause could conceivably muddy the waters.

“Entrant agrees not to release any publicity or other materials on their own or through someone else regarding his or her participation in the Competition without the prior consent of the Promoter, which it may withhold in its sole discretion,” it reads.

Just to be absolutely clear, there’s no suggestion that iKeepSafe are leading students down a dark path here, since their overall goal of promoting ethical behavior online is a noble one. That being said, would it really hurt to properly compensate student creators featured in subsequent campaigns that will largely exist to help businesses?

After all, the message here is about being ethical, and with Creative Future on board – which represents rightsholders worth billions of dollars – there’s more than a little bit of cash lying around to properly compensate these young creators.

Perhaps the key lesson for students and other creators to be aware of at this early stage is that some companies and organizations will be prepared to exploit their creative work while giving little or indeed absolutely nothing back.

Today it’s a harmless school project competition entry on ethics, but in a few years’ time it could be something worth millions; ask George Michael.

Finally, if being ethical and responsible really is the goal, perhaps students and competition operators alike should consider a much less restrictive Creative Commons license.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Pirate Party On Course For Historic Election Win in Iceland

Post Syndicated from Ernesto original https://torrentfreak.com/pirate-party-on-course-for-historic-election-win-in-iceland-161023/

Founded in 2006 by Rick Falkvinge, the Pirate party movement has scored some significant victories over the years.

The greatest success is the continuing presence in the European Parliament, but in Iceland the local Pirate Party is writing history as well.

Iceland’s Pirates have a great track record already, with three members in the national Parliament. However, more may join in the future as the party has added many new supporters in recent months.

With elections just a week away the tension is growing. The Pirates have been leading the polls for most of the year and are currently neck-and-neck with the Social Democratic Alliance to become the largest party in the country.

This puts the Pirates in an unusual position where, for the first time in their history, they have to start thinking about possible partners to form a coalition Government.

TF spoke with Ásta Helgadóttir, Member of Parliament for the Icelandic Pirate Party, who says that the party is ready to bring the change many citizens are longing for.

“Firstly, by adopting a new constitution which has already been voted on in a non-binding referendum,” Helgadóttir says.

“This will change how Iceland functions as a democracy, transitioning into a much more meaningful democracy. The Pirates are focused on decentralization of power, access to information and civil and human rights. The pillars of any meaningful notion of democracy.”

Despite the Pirate name, copyright issues are not central to their plans. That said, they have spoken out against recent web-blocking efforts.

Iceland’s ISPs have been ordered to block access to ‘infringing’ sites such as The Pirate Bay, which the party sees as a step in the wrong direction. The party fears that these censorship efforts will lead to more stringent measures.

“These measures are not a solution and only exacerbate the problem. There needs to be a review of copyright law and how creators are compensated for their work,” Helgadóttir notes, adding that some ISPs are planning to fight the blockades in court.

While the Pirate Party movement has always appealed to the younger generations, in Iceland it receives support across all age groups. One of their main selling points is a broad and clear vision for Iceland that breaks with the current political establishment.

The Pirate Party was in part formed by supporters of the Icelandic Modern Media Initiative, a unanimously adopted parliamentary resolution to create the optimal environment for freedom of information and free expression.

“This work is still under way but something the Pirates want to implement,” Helgadóttir says.

“The resolution brings limited liability for intermediaries, whistleblower protection, enhanced source protection, due process, defamation law reform and data protection, among other things.”

With just a week to go, there’s a realistic chance that the Pirates will book a historic election win, allowing them to govern the country during the years to come.

In that regard, the timing could hardly be any better. With the recent revelations from the Panama Papers scandal and the banking crisis fresh in mind, people are longing for change.

According to Helgadóttir, the party hasn’t set any specific goals in terms of a vote percentage they want to reach. Whatever the outcome, they will do their best to steer the country in the right direction once again.

“We do not have a specific target in terms of percentages. Our objective is to get the ball rolling on some fundamental issues, whether that happens with 10% of the vote or 40% of the vote is not paramount.”

The parliamentary elections will take place next week, October 29.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Anti-Piracy Outfits Agree to Strengthen International Cooperation

Post Syndicated from Andy original https://torrentfreak.com/anti-piracy-outfits-agree-to-strengthen-international-cooperation-161022/

With the Internet and therefore online piracy having developed into a truly global phenomenon, anti-piracy groups everywhere are expanding their reach.

What was once a semi-isolated affair has become a multi-agency, cross-continent operation, with governments and rights holders alike striving to share information and pool resources.

An event this week illustrated where things are going, with representatives from around the world descending upon Brussels for a meeting hosted by the Motion Picture Association.

The International Roundtable, titled “Combating Internet Piracy: International Practice”, saw government officials from Europe and Russia join representatives from the United States and the UK to discuss cooperation against piracy.

The meeting (Photo via Роскомнадзор)


According to information released by Russian telecoms watchdog Roscomnadzor and translated by the MPA, those gathered agreed that a “lack of intellectual property protection causes significant economic damage to individual rights holders and the global economy.”

Of course, that message certainly isn’t new. Neither are mounting public claims by rights holders that Internet users are being put at risk through their visits to unauthorized sites.

Those assembled agreed that consumers are negatively impacted, being kept from enjoying entertainment in a safe environment, since pirate sites “are a fertile ground for identity theft, viruses, malware or spyware.”

As mentioned earlier, anti-piracy groups and initiatives of all kinds now understand that collaboration is part of the way forward, whether that’s sharing information or working towards tougher legal frameworks.

“In particular, participants acknowledged the need to strengthen international cooperation in the fight against IPR violations on the Internet and to continue sharing experiences in improving legislation, and law enforcement practice in combating copyright infringement in the digital environment in the EU, Russian Federation, and USA,” a summary of the meeting reads.

Those at the meeting included representatives from the US “six-strikes” Copyright Alert System and the UK’s GetitRight campaign. Details are fairly scarce, but these groups are likely to have shared data on how educational messages affect the behaviors of Internet pirates and how voluntary agreements with industry players such as ISPs can become part of the anti-piracy package.

Another item on the agenda was the role that search engines and user-generated content companies play when it comes to fighting online piracy. While Russia has its own issues with services like Yandex, for the US and Europe the focus is very much on Google and sites such as YouTube.

Service provider liability and related legislative initiatives will continue to be hot topics in the months and years ahead. This is particularly true of the United States, where the safe harbor provisions of the DMCA are under scrutiny alongside a controversial debate on the so-called ‘value gap‘ claimed to be present on YouTube.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Pirate Sites Remain Popular in the UK, Despite Website Blockades

Post Syndicated from Ernesto original https://torrentfreak.com/pirate-sites-remain-popular-in-the-uk-despite-website-blockades-161022/

Website blocking has become one of the favorite anti-piracy tools of the entertainment industries in recent years.

The UK is a leader on this front, with the High Court ordering local ISPs to block access to many popular file-sharing sites.

Over time the number of blocked URLs has expanded to well over 1,000, with popular torrent, streaming, and direct download sites being the main targets.

While research has shown that this approach is somewhat effective, there are plenty of options through which people can circumvent the blockades, including many reverse proxies.

Similarly, pirate sites can simply switch to a new domain name to evade the court orders, and new sites are allowed to flourish in the shadow of those that are no longer available.

This week we decided to take a look at the current pirate site landscape in the UK, with some surprising results.

As it turns out, the list of the ten most-used pirate sites in the UK includes several sites that are on the ISPs’ blocklists. In some cases the sites remain accessible on their original domain names, via the HTTPS URL.

As we’ve highlighted before, not all ISPs are able to block HTTPS traffic, which allows their subscribers to load The Pirate Bay and other blocked sites just fine.

There are also websites that intentionally help visitors to circumvent the blocks by registering new domain names. Unblocked.vip, for example, has cycled through various domain names in order to remain available.

And then there are the newcomers. 123movies.to deserves a mention here as it’s currently the most-used pirate site in the UK. With an Alexa rank of 81, it’s even one of the 100 most-visited sites in the country.

Below we’ve made an overview of the ten most-used pirate sites in the UK. Several of these are on the blocklist, with a current or previous URL. This suggests that the blocking efforts are not as effective as rightsholders would like them to be.

The conclusion is also in line with research from Italy, which suggested that site-blocking can actually be counterproductive. Similarly, a UK report revealed that it significantly boosts traffic to non-blocked websites.

While the entertainment industries still see enough value in website blocking, it’s clear that it’s not the silver bullet that will defeat piracy. And at a rate of £14,000 per site, it comes at a high cost.

The label “pirate site” applies to sites that have been classified as such by entertainment industry groups. It’s worth noting that at the time of writing, several of the sites (*) had already started redirecting to new domain names. Putlocker.is is currently down.

Site                  Alexa rank   Type               Original site blocked?
123movies.to          81           Streaming          No
Watchseries.ac (*)    126          Streaming          Yes
Unblocked.vip (*)     127          Proxy links        Yes
Putlocker.is (down)   161          Streaming          No
Pirateproxy.red (*)   183          Torrents (proxy)   Yes
Thepiratebay.org      316          Torrents           Yes
Rutracker.org         384          Torrents           No
Vodlocker.com         407          Cyberlocker        No
Zippyshare.com        412          Cyberlocker        No
Yify-torrent.org      431          Torrents           No

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Fixing the IoT isn’t going to be easy

Post Syndicated from Matthew Garrett original http://mjg59.dreamwidth.org/45098.html

A large part of the internet became inaccessible today after a botnet made up of IP cameras and digital video recorders was used to DoS a major DNS provider. This highlighted a bunch of things including how maybe having all your DNS handled by a single provider is not the best of plans, but in the long run there’s no real amount of diversification that can fix this – malicious actors have control of a sufficiently large number of hosts that they could easily take out multiple providers simultaneously.

To fix this properly we need to get rid of the compromised systems. The question is how. Many of these devices are sold by resellers who have no resources to handle any kind of recall. The manufacturer may not have any kind of legal presence in many of the countries where their products are sold. There’s no way anybody can compel a recall, and even if they could it probably wouldn’t help. If I’ve paid a contractor to install a security camera in my office, and if I get a notification that my camera is being used to take down Twitter, what do I do? Pay someone to come and take the camera down again, wait for a fixed one and pay to get that put up? That’s probably not going to happen. As long as the device carries on working, many users are going to ignore any voluntary request.

We’re left with more aggressive remedies. If ISPs threaten to cut off customers who host compromised devices, we might get somewhere. But, inevitably, a number of small businesses and unskilled users will get cut off. Probably a large number. The economic damage is still going to be significant. And it doesn’t necessarily help that much – if the US were to compel ISPs to do this, but nobody else did, public outcry would be massive, the botnet would not be much smaller and the attacks would continue. Do we start cutting off countries that fail to police their internet?

Ok, so maybe we just chalk this one up as a loss and have everyone build out enough infrastructure that we’re able to withstand attacks from this botnet and take steps to ensure that nobody is ever able to build a bigger one. To do that, we’d need to ensure that all IoT devices are secure, all the time. So, uh, how do we do that?

These devices had trivial vulnerabilities in the form of hardcoded passwords and open telnet. It wouldn’t take terribly strong skills to identify this at import time and block a shipment, so the “obvious” answer is to set up forces in customs who do a security analysis of each device. We’ll ignore the fact that this would be a pretty huge set of people to keep up with the sheer quantity of crap being developed and skip straight to the explanation for why this wouldn’t work.

Yeah, sure, this vulnerability was obvious. But what about the product from a well-known vendor that included a debug app listening on a high numbered UDP port that accepted a packet of the form “BackdoorPacketCmdLine_Req” and then executed the rest of the payload as root? A portscan’s not going to show that up[1]. Finding this kind of thing involves pulling the device apart, dumping the firmware and reverse engineering the binaries. It typically takes me about a day to do that. Amazon has over 30,000 listings that match “IP camera” right now, so you’re going to need 99 more of me and a year just to examine the cameras. And that’s assuming nobody ships any new ones.

Even that’s insufficient. Ok, with luck we’ve identified all the cases where the vendor has left an explicit backdoor in the code[2]. But these devices are still running software that’s going to be full of bugs and which is almost certainly still vulnerable to at least half a dozen buffer overflows[3]. Who’s going to audit that? All it takes is one attacker to find one flaw in one popular device line, and that’s another botnet built.

If we can’t stop the vulnerabilities getting into people’s homes in the first place, can we at least fix them afterwards? From an economic perspective, demanding that vendors ship security updates whenever a vulnerability is discovered, no matter how old the device is, is just not going to work. Many of these vendors are small enough that it’d be more cost effective for them to simply fold the company and reopen under a new name than it would be to put the engineering work into fixing a decade old codebase. And how does this actually help? So far the attackers building these networks haven’t been terribly competent. The first thing a competent attacker would do would be to silently disable the firmware update mechanism.

We can’t easily fix the already broken devices, we can’t easily stop more broken devices from being shipped and we can’t easily guarantee that we can fix future devices that end up broken. The only solution I see working at all is to require ISPs to cut people off, and that’s going to involve a great deal of pain. The harsh reality is that this is almost certainly just the tip of the iceberg, and things are going to get much worse before they get any better.

Right. I’m off to portscan another smart socket.

[1] UDP connection refused messages are typically ratelimited to one per second, so it’ll take almost a day to do a full UDP portscan, and even then you have no idea what the service actually does.

[2] It’s worth noting that this is usually leftover test or debug code, not an overtly malicious act. Vendors should have processes in place to ensure that this isn’t left in release builds, but oh well.

[3] My vacuum cleaner crashes if I send certain malformed HTTP requests to the local API endpoint, which isn’t a good sign.


Yes, we can validate the Wikileaks emails

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/10/yes-we-can-validate-wikileaks-emails.html

Recently, WikiLeaks has released emails from Democrats. Many have repeatedly claimed that some of these emails are fake or have been modified, that there’s no way to validate each and every one of them as being true. Actually, there is, using a mechanism called DKIM.

DKIM is a system designed to stop spam. It works by verifying the sender of the email. Moreover, as a side effect, it verifies that the email has not been altered.
Hillary’s team uses “hillaryclinton.com”, which has DKIM enabled. Thus, we can verify whether some of these emails are genuine.
Recently, in response to a leaked email suggesting Donna Brazile gave Hillary’s team early access to debate questions, she defended herself by suggesting the email had been “doctored” or “falsified”. That’s not true. We can use DKIM to verify it.
You can see the email in question at the WikiLeaks site: https://wikileaks.org/podesta-emails/emailid/5205. The title suggests they have early access to debate questions, and includes one specifically on the death penalty, with the text:
since 1973, 156 people have been on death row and later set free. Since 1976, 1,414 people have been executed in the U.S

Indeed, during the debate the next day, they asked the question:

Secretary Clinton, since 1976, we have executed 1,414 people in this country.  Since 1973, 156 who were convicted have been exonerated from the death row.

It’s not a smoking gun, but at the same time, it both claims they got questions in advance while having a question in advance. Trump gets hung on similar chains of evidence, so it’s not something we can easily ignore.
Anyway, this post isn’t about the controversy, but the fact that we can validate the email. When an email server sends a message, it’ll include an invisible “header”. They aren’t especially hidden, most email programs allow you to view them, it’s just that they are boring, so hidden by default. The DKIM header in this email looks like:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=hillaryclinton.com; s=google;
How do you verify this is true? There are a zillion ways, with various “DKIM verifiers”. I use the popular Thunderbird email reader (from the Mozilla Firefox team). They have an addon designed specifically to verify DKIM. Normally, email readers don’t care, because it’s the email server‘s job to verify DKIM, not the client’s. So we need a client addon to enable verification.
Downloading the raw email from WikiLeaks and opening it in Thunderbird, with the addon, I get the following verification that the email is valid. Specifically, it validates that HillaryClinton.com sent precisely this content, with this subject, on that date.
Let’s see what happens when somebody tries to doctor the email. In the following, I added “MAKE AMERICA GREAT AGAIN” to the top of the email.
As you can see, we’ve proven that DKIM will indeed detect if anybody has “doctored” or “falsified” this email.
I was just listening to ABC News about this story. It repeated Democrat talking points that the WikiLeaks emails weren’t validated. That’s a lie. This email in particular has been validated. I just did it, and have shown you how you can validate it, too.

Btw, if you can forge an email that validates correctly as I’ve shown, I’ll give you 1 bitcoin. It’s the easiest way of solving arguments whether this really validates the email — if somebody tells you this blogpost is invalid, then tell them they can earn about $600 (current value of BTC) proving it. Otherwise, no.

Update: I’m a bit late writing this blog post. Apparently, others have validated these, too.

Update: In the future, when HillaryClinton.com changes their DKIM key, it will no longer be possible to verify. Thus, I’m recording the domain key here:

google._domainkey.hillaryclinton.com: type TXT, class IN
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJdAYdE2z61YpUMFqFTFJqlFomm7C4Kk97nzJmR4YZuJ8SUy9CF35UVPQzh3EMLhP+yOqEl29Ax2hA/h7vayr/f/a19x2jrFCwxVry+nACH1FVmIwV3b5FCNEkNeAIqjbY8K9PeTmpqNhWDbvXeKgFbIDwhWq0HP2PbySkOe4tTQIDAQAB
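To make concrete what the Thunderbird addon is checking, here is an added example (written for this page; not Robert Graham’s tooling, not the addon, and not the real hillaryclinton.com key) that implements both halves of a DKIM check in plain Python 3.8+: the bh= body hash under c=relaxed/relaxed canonicalization, and the RSA-SHA256 (PKCS#1 v1.5) signature over the headers listed in h=. It signs a constructed sample message with a toy key built from two Mersenne primes (factors public, so useless for anything real) and then shows that editing either the body or a signed header makes verification fail, which is exactly the “MAKE AMERICA GREAT AGAIN” experiment from the post. The domain example.com, selector s1 and the message itself are assumptions; a real verifier would fetch the p= key from the selector._domainkey TXT record, like the one recorded above, instead of the embedded key.

```python
import base64
import hashlib
import re

# Toy RSA key: modulus from two well-known Mersenne primes, so the factors are
# public; it only serves to exercise PKCS#1 v1.5 signing/verification offline.
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
PUBLIC_KEY = (_P * _Q, _E)
PRIVATE_KEY = (_P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)))   # needs Python 3.8+
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(digest, k):
    t = _SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, digest):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(digest, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, digest, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return m == _emsa_pkcs1_v15(digest, k)

# DKIM c=relaxed/relaxed canonicalization (RFC 6376 section 3.4)
def relaxed_body(body):
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()                               # drop trailing empty lines
    return "".join(ln + "\r\n" for ln in lines)

def relaxed_header(name, value):
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value).strip() + "\r\n"

def split_message(raw):
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in " \t" and headers:
            headers[-1][1] += "\n" + line         # folded continuation line
        else:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value])
    return headers, body

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def _signed_data(headers, names, dkim_value_without_b):
    out = []
    for name in names:                            # h= order; last instance of a header wins
        for hname, hval in reversed(headers):
            if hname.lower() == name.lower():
                out.append(relaxed_header(hname, hval))
                break
    out.append(relaxed_header("DKIM-Signature", dkim_value_without_b).rstrip("\r\n"))
    return "".join(out).encode()

def dkim_sign(raw, priv, domain="example.com", selector="s1", h=("from", "to", "subject", "date")):
    headers, body = split_message(raw)
    fields = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=" % (
        domain, selector, ":".join(h), _body_hash(body))
    sig = rsa_sign(priv, hashlib.sha256(_signed_data(headers, h, fields)).digest())
    return "DKIM-Signature: " + fields + base64.b64encode(sig).decode() + "\r\n" + raw

def dkim_verify(raw, pub):
    """True only if both the body hash (bh=) and the header signature (b=) check out."""
    headers, body = split_message(raw)
    dkim = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if dkim is None:
        return False
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in
            (t.split("=", 1) for t in dkim.split(";") if "=" in t)}
    if tags.get("bh") != _body_hash(body):
        return False                              # body altered after signing
    unsigned = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", dkim)   # empty b= as the signer hashed it
    data = _signed_data(headers, tags["h"].split(":"), unsigned)
    return rsa_verify(pub, hashlib.sha256(data).digest(), base64.b64decode(tags["b"]))

# Constructed sample message (not the leaked email), CRLF line endings as on the wire.
SAMPLE = ("From: Alice <alice@example.com>\r\nTo: bob@example.org\r\n"
          "Subject: Debate prep\r\nDate: Wed, 12 Oct 2016 10:00:00 -0400\r\n\r\n"
          "A question on the death penalty is likely tomorrow.\r\n")

def demo():
    signed = dkim_sign(SAMPLE, PRIVATE_KEY)       # (intact, body edited, header edited)
    return (dkim_verify(signed, PUBLIC_KEY),
            dkim_verify(signed.replace("death penalty", "MAKE AMERICA GREAT AGAIN"), PUBLIC_KEY),
            dkim_verify(signed.replace("Subject: Debate prep", "Subject: Doctored"), PUBLIC_KEY))
```

demo() returns (True, False, False): the body edit is caught by the bh= mismatch before any RSA work, the Subject edit survives the body check but breaks the signature over the h= headers. Note what this does not cover: headers not listed in h= can be altered freely, and a verifier that trusts a key obtained after the domain rotated it (the reason the post records the TXT record) proves nothing.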

Some notes on today’s DNS DDoS

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/10/some-notes-on-todays-dns-ddos.html

Some notes on today’s DNS outages due to DDoS.

We lack details. As a techy, I want to know the composition of the traffic. Is it blindly overflowing incoming links with junk traffic? Or is it cleverly sending valid DNS requests, overloading the ability of servers to respond, and overflowing the outgoing link (as responses are five times or more as big as requests)? Such techy details and more make a big difference. Was Dyn the only target? Why were non-Dyn customers affected?

Nothing to do with the IANA handover. So this post blames Obama for handing control of DNS to the Russians, or some such. It’s silly, and there’s not a shred of truth to it. For the record, I’m (or was) a Republican and opposed handing over the IANA. But the handover was a symbolic transition of a minor clerical function to a body that isn’t anything like the U.N. The handover has nothing to do with either Obama or today’s DDoS. There’s no reason to blame this on Obama, other than the general reason that he’s to blame for everything bad that happened in the last 8 years.

It’s not a practice attack. A Bruce Schneier post created the idea of hackers doing “practice” DDoS. That’s not how things work. Using a botnet for DDoS always degrades it, as owners of machines find the infections and remove them. The people getting the most practice are the defenders, who learn more from the incident than the attackers do.

It’s not practice for Nov. 8. I tweeted a possible connection to the election because I thought it’d be self-evidently a troll, but a lot of good, intelligent, well-meaning people took it seriously. A functioning Internet is not involved in counting the votes anywhere, so it’s hard to see how any Internet attack can “rig” the election. DDoSing news sources like CNN might be fun — a blackout of news might make some people go crazy and riot in the streets. Imagine if Twitter went down while people were voting. With this said, we may see DDoS anyway — lots of kids control large botnets, so it may happen on election day because they can, not because it changes anything.

Dyn stupidly uses BIND. According to “version.bind” queries, Dyn (the big DNS provider that is a major target) uses BIND. This is the most popular DNS server software, but it’s wrong. It’s 10x to 100x slower than alternatives, meaning that they need 100x more server hardware in order to deal with DDoS attacks. BIND is also 10x more complex — it strives to be the reference implementation that contains all DNS features, rather than a simple bit of software that just handles this one case. BIND should never be used for Internet-facing DNS; packages like KnotDNS and NSD should be used instead.

Fixing IoT. The persistent rumor is that an IoT botnet is being used. So everyone is calling for regulations to secure IoT devices. This is extraordinarily bad. First of all, most of the devices are made in China and shipped to countries other than the United States, so there’s little effect our regulations can have. Except they would essentially kill the Kickstarter community coming up with innovative IoT devices. Only very large corporations can afford the regulatory burden involved. Moreover, it’s unclear what “security” means. There’s no real bug/vulnerability being exploited here other than default passwords — something even the US government has at times refused to recognize as a security “vulnerability”.

Fixing IoT #2. People have come up with many ways default passwords might be solved, such as having a sticker on the device with a randomly generated password. Getting the firmware to match a printed sticker during manufacturing is a hard, costly problem. I mean, they do it all the time for other reasons, but it starts to become a burden for cheaper devices. But in any event, the correct solution is connecting via Bluetooth. That seems to be the most popular solution these days, from Wemo to Echo. Most of the popular WiFi chips come with Bluetooth, so it’s really no burden to make devices this way.

It’s not IoT. The Mirai botnet primarily infected DVRs connected to security cameras. In other words, it didn’t infect baby monitors or other IoT devices inside your home, which are protected by your home firewall anyway. Instead, Mirai infected things that were outside in the world that needed their own IP address.

DNS failures cause email failures. When DNS goes down, legitimate email gets reclassified as spam, and dropped by spam filters.

It’s all about that TTL. You don’t contact a company’s DNS server directly. Instead, you contact your ISP’s “cache”. How long something stays in that cache is determined by what’s known as the TTL or “time to live”. Long TTLs mean that if a company wants to move servers around, they’ll have to wait until caches have finally aged out the old data. Short TTLs mean changes propagate quickly. Any company that had 24 hours as their TTL was mostly unaffected by the attack. Twitter has a TTL of 205 seconds, meaning it only takes 4 minutes of DDoS against the DNS server to take Twitter offline. One strategy, which apparently Cisco OpenDNS uses, is to retain old records in its cache if it can’t find new ones, regardless of the TTL. Using their servers instead of your ISP’s can fix DNS DDoS for you:
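The TTL argument above is easy to check with a toy model. The following is an added example written for this page (not Robert Graham’s code, and not a model of Dyn’s or OpenDNS’s real infrastructure): a single cached record, an authoritative server that stops answering during a constructed attack window, and a client that re-queries every 60 seconds. The only figure taken from the post is the 205-second TTL; the 24-hour comparison, the attack window (seconds 1000 to 30000) and the TEST-NET address are constructed.

```python
# Toy model of a caching resolver while an authoritative server is unreachable.
# Constructed for this page; the only number taken from the post is the 205 s TTL.

class AuthoritativeServer:
    """Answers a fixed A record, except while it is 'under attack'."""

    def __init__(self, addr, ttl, attack_start, attack_end):
        self.addr, self.ttl = addr, ttl
        self.attack_start, self.attack_end = attack_start, attack_end

    def query(self, now):
        if self.attack_start <= now < self.attack_end:
            return None                        # DDoS: no answer reaches the resolver
        return self.addr, self.ttl


class ResolverCache:
    """The recursive resolver your ISP (or OpenDNS) runs in front of you."""

    def __init__(self, authority, serve_stale=False):
        self.authority = authority
        self.serve_stale = serve_stale         # OpenDNS-style: keep using expired records
        self.record = None                     # (addr, expiry time) or None

    def resolve(self, now):
        if self.record and now < self.record[1]:
            return self.record[0]              # fresh hit: authority never contacted
        answer = self.authority.query(now)
        if answer is not None:
            addr, ttl = answer
            self.record = (addr, now + ttl)    # TTL decides how long this stays usable
            return addr
        if self.record and self.serve_stale:
            return self.record[0]              # expired, but better than no answer
        return None                            # SERVFAIL: the site looks "down"


def failed_queries(ttl, serve_stale=False, attack_start=1000, attack_end=30000, step=60):
    """Times (seconds) at which a client polling every `step` seconds gets no answer."""
    auth = AuthoritativeServer("192.0.2.1", ttl, attack_start, attack_end)  # TEST-NET address
    cache = ResolverCache(auth, serve_stale)
    return [t for t in range(0, attack_end + step, step) if cache.resolve(t) is None]


if __name__ == "__main__":
    for ttl, stale in ((205, False), (86400, False), (205, True)):
        fails = failed_queries(ttl, stale)
        print("ttl=%6d serve_stale=%-5s failed queries=%3d first failure=%s"
              % (ttl, stale, len(fails), fails[0] if fails else "none"))
```

With the 205-second record the client’s first failure comes at t=1200, 200 seconds after the authority went silent (the post’s “4 minutes”), and every query fails until the attack ends; the 24-hour record never expires inside the window, so nothing is noticed; the serve-stale resolver keeps answering from the expired entry throughout. The model ignores negative caching, multiple authoritative servers and retry timers, all of which shift the numbers but not the shape.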

Why not use anycast?

The attack took down only east-coast operations, attacking only part of Dyn’s infrastructure located there. Other DNS providers, such as Google’s famed resolver, do not have a single location. They instead use anycasting, routing packets to one of many local servers, in many locations, rather than a single server in one location. In other words, if you are in Australia and use Google’s resolver, you’ll be sending requests to a server located in Australia, and not in Google’s headquarters.

The problem with anycasting is it technically only works for UDP. That’s because each packet finds its own way through the Internet. Two packets sent back-to-back may, in fact, hit different servers. This makes it impossible to establish a TCP connection, which requires all packets be sent to the same server. Indeed, when I test it here at home, I get back different responses to the same DNS query done back-to-back, hinting that my request is being handled by different servers.

Historically, DNS has used only UDP, so that hasn’t been a problem. It still isn’t a problem for “root servers”, which serve only simple responses. However, it’s becoming a problem for normal DNS servers, which give complex answers that can require multiple packets to hold a response. This is true for DNSSEC and things like DKIM (email authentication). That TCP might sometimes fail therefore means things like email authentication sometimes fail. That it will probably work 99 times out of 100 means that 1% of the time it fails — which is unacceptable.

There are ways around this. An anycast system could handle UDP directly and pass all TCP to a centralized server somewhere, for example. This allows UDP at max efficiency while still correctly handling the uncommon TCP. The point is, though, that for Dyn to make anycast work requires careful thinking and engineering. It’s not a simple answer.

Friday Squid Blogging: Which Squid Can I Eat?

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/10/friday_squid_bl_549.html

Interesting article listing the squid species that can still be ethically eaten.

The problem, of course, is that on a restaurant menu it’s just labeled “squid.”

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

EDITED TO ADD: By “ethically,” I meant that the article discusses which species can be sustainably caught. The article does not address the moral issues of eating squid — and other cephalopods — in the first place.

Android Pirate App Store Case Ends in Mistrial, Jury Undecided

Post Syndicated from Ernesto original https://torrentfreak.com/android-pirate-app-store-case-ends-in-mistrial-jury-undecided-161021/

Assisted by police in France and the Netherlands, the FBI took down the “pirate” Android stores Appbucket, Applanet and SnappzMarket during the summer of 2012.

During the years that followed several people connected to the Android app sites were arrested and indicted, and slowly but surely these cases are now reaching their conclusions.

Two months ago the first sentencing was announced, and it was a big one. SnappzMarket’s ‘PR manager’ Scott Walton was handed a 46-month prison sentence for conspiracy to commit copyright infringement.

Like several others, Walton had pleaded guilty in order to get a reduced sentence. However, not all did. David Lee, a California man linked to Applanet, decided to move to trial instead.

The indictment charged Lee with aiding and abetting criminal copyright infringement (pdf). In addition, he was charged with conspiring to infringe copyrights and violating the DMCA’s anti-circumvention provision.

As the case progressed it became clear that the U.S. Government’s evidence wasn’t as strong as initially thought. Before the trial even started, the prosecution voluntarily dropped the criminal copyright infringement charge.

The “overt” acts that were scrapped due to a lack of evidence are all related to an undercover FBI agent in the Northern District of Georgia, who supposedly downloaded pirated apps from Applanet’s computer servers.

What remained was the conspiracy charge and last week both parties argued their case before the jury. Over the course of several days many witnesses were heard, including FBI agents and co-defendant Gary Sharp, who previously pleaded guilty.

Friday last week the closing arguments were presented after which the jury retreated to deliberate at 10:30 in the morning. At the end of the day, however, they still hadn’t reached a decision so the court decided to continue after the weekend.

On Monday the jury got back together but after having failed to reach a verdict by the end of the day, a mistrial was declared. This means that David Lee has not been found guilty.



TorrentFreak reached out to Lee’s lawyers for more information but they declined to comment.

In the jury instructions the defense hammered on the fact that the government must prove that either the conspiracy or an overt act took place in the District of Georgia, even if the defendant never set foot there.

It could be that the Jury couldn’t reach a unanimous decision on that point or any of the other key issues.

TF also contacted the Department of Justice, who didn’t go into detail either, but informed us that they are still evaluating the outcome. “We are considering our options,” a DoJ spokesperson said.

In theory, the U.S. Government can ask for a retrial, which means that the case has to be tried again. For now, however, David Lee remains out of prison.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

AWS Budgets Update – Track Cloud Costs and Usage

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/aws-budgets-update-track-cloud-costs-and-usage/

As Spider-Man and others before him have said, “with great power comes great responsibility.” In the on-demand, pay-as-you-go cloud world, this means that you need to be an informed, responsible consumer. In a corporate environment, this means that you need to pay attention to budgets and to spending, and to make sure that your actual spend is in line with your projections. With AWS in use across multiple projects and departments, tracking and forecasting becomes more involved.

Today we are making some important upgrades to the AWS Budgets feature (read New – AWS Budgets and Forecasts for background information). This feature is designed to be used by Finance Managers, Project Managers, and VP-level DevOps folks (please feel free to share this post with similarly-titled members of your organization if you are not directly responsible for your cloud budget). You can use AWS Budgets to maintain a unified view of your costs and usage for specific categories that you define, and you can sign up for automated notifications that provide you with detailed status information (over or under budget) so that you can identify potential issues and take action to prevent undesired actual or forecasted overruns.

AWS Budgets Updates
You can create up to 20,000 budgets per payer account. In order to allow you to stay on top of your spending in environments where costs and resource consumption are changing frequently, the budgets are evaluated four times per day. Notifications are delivered via email or programmatically (an Amazon Simple Notification Service (SNS) message), so that you can take manual, semi-automated, or fully automated corrective action. This gives you the power to address all of the following situations, along with others that may arise within your organization:

VP – Optimize your overall cloud spend, with budgets for each business unit and for the company as a whole, tracking spending by region and other dimensions and comparing actual usage against budgets.

Project Manager – Manage costs within your department, watching multiple services, tags, and regions. Alert stakeholders when thresholds have been breached, and ask them to take action. When necessary, give resource budgets to individual team members to encourage adoption and experimentation.

Finance Manager – Analyze historical costs for your organization and use your insight into future plans to develop suitable budgets. Examine costs across the entire company, or on a per-account, per-service, business unit, or project team level.

Creating a Budget
Let’s create a budget or two!

Start by opening up Billing and Cost Management:

And then click on Budgets:

If you are new to AWS Budgets, you may have to wait up to 24 hours after clicking Create budget before you can proceed to the next step. During this time, we’ll prepare the first set of Detailed Billing Reports for your account.

Click on Create budget, decide whether you want the budget to be based on costs or usage, and give your budget a name. Then select Monthly, Quarterly, or Annual. I’ll go for a cost-based ($1000) monthly budget named MainBudget to get started:

By not checking any of the options next to Include costs related to, my budget will apply to my entire account. Checking a box opens the door to all sorts of additional options that give you a lot of flexibility. Here’s how I could create a budget for usage of EC2 instances where the Owner tag is set to jbarr:

I could be even more specific, and choose to set a very modest budget for usage that is on Non-Reserved instances. This would be a great way to make sure that I am making good use of any Reserved Instances that my organization owns.

The next step is to set up email or programmatic notifications:

The programmatic notification option can be used in many different ways. I could create a new web app with a fixed budget, and then invoke an AWS Lambda function if costs are approaching the budgeted amount. The app could take corrective action to ensure that the budget is not exceeded. For example, it could temporarily disable some of the more computationally intensive features, or it could switch over to a statically hosted alternative site.

With everything set up as desired I simply click on Create. My budget is visible right away (I clicked on the triangle in order to display the details before I took this screen shot):

As you can see, I have already overspent my $1000 budget, with a forecast of almost $5,600 for the month. Given that we are a frugal company (read our leadership principles to learn more), I really need to see what’s going on and clean up some of my extra instances! Because I had opted for email notification, I received the following message not too long after I created my budget:

Suppose that my data transfer budget is separate from my compute budget, and that I am allowed to transfer up to 100 GB of data out of S3 every month, regardless of the cost at the time. I can create a budget that looks like this:

And I can see at a glance that I am in no danger of exceeding my data transfer budget:

I can also download the on-screen information in CSV form for further inspection or as input to another part of my budgeting process:

As you can see, this new feature gives you the power to set up very detailed budgets. Although I have introduced this feature using the AWS Management Console, you can also set up budgets by making calls to the new Budget API or by using the AWS Command Line Interface (CLI). This API includes functions like CreateBudget, DescribeBudget, and UpdateBudget that you can use from within your own applications.

Available Now
This new feature is available now and you can start using it today! You can create two budgets per account at no charge; additional budgets cost $0.02 per day (again, you can have up to 20,000 budgets per account).

To learn more, read Managing Your Costs with Budgets.



Sisyphus: the kinetic art table

Post Syndicated from Courtney Lentz original https://www.raspberrypi.org/blog/sisyphus-kinetic-art-table/

Surely if he had been given the opportunity, Sisyphus would have engineered a way out of his eternal punishment of rolling a boulder up a hill. It’s just too bad for him that Raspberry Pi wasn’t around to help. While it’s a far cry from his arduous task, the Pi has been used to power Bruce Shapiro’s Sisyphus, a continuous and ever-changing kinetic art piece that creates unique design patterns in sand using a small metal ball.


Sisyphus is truly mesmerising. We learned this first-hand: at Maker Faire New York earlier this month, it captured the attention of not only the Raspberry Pi crew, but also thousands of attendees throughout the weekend. Sisyphus momentarily drowned out the noise and action of the Faire.

You can think of Sisyphus as a cross between an Etch A Sketch and Spirograph, except this is no toy.

Under the table is a two-motor robot (the “Sisbot”) that moves a magnet which draws a steel ball through the sand. The motors are controlled by a small Raspberry Pi computer which plays a set of path files, much like a music player plays an MP3 file.


Bruce is using Kickstarter in the hope of transitioning Sisyphus from what’s currently a large art installation exhibited around the world into a beautiful piece to be enjoyed in the home, as both furniture and art.

annmarie thomas on Twitter

Sisyphus- Stunning art/furniture kickstarter (fully funded in <a day) by friend Bruce Shapiro. https://t.co/ijxHQ0fYb5

Bruce says:

Of all works I made, Sisyphus stood out – it was my first CNC machine to break out of the studio/shop. No longer tasked with cutting materials to be used in making sculptures, it was the sculpture itself. It was also unique in another way – I wanted to live with it in my home. I’ve spent the last three years perfecting a home version that’s beautiful, user-friendly, near-silent, and that will run for years.

Like most great Maker Faire projects, it’s centred around a wonderful community. The collaboration and access to tools in Shapiro’s local makerspace helped develop the final design seen today. While Shapiro’s original makerspace has since closed its doors, Shapiro and his fellow members opened up what is now Nordeast Makers. It’s where the production for Sisyphus will take place.


The Kickstarter products come in three styles: an end table, and two different coffee tables. You might want to find another place to display your coffee table books, though, so as to keep Sisyphus’s designs visible…


This Kickstarter won’t be running forever, so be sure to pledge if you love the sound of the Sisyphus.

The post Sisyphus: the kinetic art table appeared first on Raspberry Pi.

Cisco Develops System To Automatically Cut-Off Pirate Video Streams

Post Syndicated from Andy original https://torrentfreak.com/cisco-develops-system-automatically-cut-off-pirate-video-streams-161021/

While torrents continue to be one of the Internet’s major distribution methods for copyrighted content, it’s streaming that’s capturing the imagination of the pirating mainstream.

Easy to use via regular web browsers, modified Kodi installations, and fully-fledged IPTV services, streaming is now in the living rooms of millions of people. As such it is viewed as a threat to subscription and PPV TV providers worldwide, especially those offering live content such as sporting events.

Pirate services obtain content by capturing and restreaming feeds obtained from official sources, often from something as humble as a regular subscriber account. These streams can then be redistributed by thousands of other sites and services, many of which are easily found using a simple search.

Dedicated anti-piracy companies track down these streams and send takedown notices to the hosts carrying them. Sometimes this means that streams go down quickly but in other cases hosts can take a while to respond or may not comply at all. Networking company Cisco thinks it has found a solution to these problems.

The company’s claims center around its Streaming Piracy Prevention (SPP) platform, a system that aims to take down illicit streams in real-time. Perhaps most interestingly, Cisco says SPP functions without needing to send takedown notices to companies hosting illicit streams.

“Traditional takedown mechanisms such as sending legal notices (commonly referred to as ‘DMCA notices’) are ineffective where pirate services have put in place infrastructure capable of delivering video at tens and even hundreds of gigabits per second, as in essence there is nobody to send a notice to,” the company explains.

“Escalation to infrastructure providers works to an extent, but the process is often slow as the pirate services will likely provide the largest revenue source for many of the platform providers in question.”

To overcome these problems Cisco says it has partnered with Friend MTS (FMTS), a UK-based company specializing in content-protection.

Among its services, FMTS offers Distribution iD, which allows content providers to pinpoint which of their downstream distributors’ platforms are a current source of content leaks.

“Robust and unique watermarks are embedded into each distributor feed for identification. The code is invisible to the viewer but can be recovered by our specialist detector software,” FMTS explains.

“Once infringing content has been located, the service automatically extracts the watermark for accurate distributor identification.”

Friend MTS also offers Advanced Subscriber iDentification (ASiD), a system that is able to identify legitimate subscribers who are subsequently re-transmitting content online.

According to Cisco, FMTS feeds the SPP service with pirate video streams it finds online. These are tracked back to the source of the leak (such as a particular distributor or specific pay TV subscriber account) which can then be shut-down in real time.

“The process is fully automated, ensuring a timely response to incidents of piracy. Gone are the days of sending a legal notice and waiting to see if anyone will answer,” Cisco says.

“SPP acts without the need to involve or gain cooperation from any third parties, enabling an unmatched level of cross-device retransmission prevention and allowing service providers to take back control of their channels, to maximize their revenue.”

Friend MTS and Cisco believe the problem is significant. During the last month alone the company says it uncovered 12,000 HD channels on pirate services that were being sourced from Pay TV providers.

How much of a dent the companies will be able to make in this market remains to be seen, but not having to rely on the efficiency of takedown requests certainly has the potential to shift the balance of power.


Word-wrapping dialogue

Post Syndicated from Eevee original https://eev.ee/blog/2016/10/20/word-wrapping-dialogue/

I have a teeny tiny pet peeve with dialogue boxes. Er, not dialog boxes — dialogue boxes, the ones in video games with scrolling lines of dialogue.

A fake dialogue box, with scrolling text that jumps when it wraps

I recently wrote a dialogue box, and I saw a game that made this mistake, so here’s a post about it.

Obvious, simple, but wrong

Here’s a live example of the above animation. (You can double-click on any of these to restart them.)

And the code responsible. I wrote this in the form of a fairly generic update() function, rather than in terms of requestAnimationFrame, to minimize the DOM-specific stuff. All the JS in this post is vanilla DOM.

"use strict";
var TEXT = "Demonstrating inadequate word-wrapping functionality necessitates conspicuously verbose representative scripture.";
var SPEED = 8;  // characters per second

// Number of characters currently visible
var cursor = 0;
// Elapsed time * SPEED, so every time this value increases by
// 1, one more character should be displayed
var timer = 0;
function update(dt) {
    timer += dt * SPEED;
    while (timer >= 1 && cursor < TEXT.length) {
        // Don't count spaces as characters
        if (TEXT.charAt(cursor) != " ") {
            timer -= 1;
        }
        cursor += 1;
    }

    var el = document.getElementById('target');
    el.textContent = TEXT.substr(0, cursor);

    // Stop updating once we run out of text
    if (cursor >= TEXT.length) {
        return false;
    }
}

If you’ve ever written dialogue handling code, this shouldn’t be too surprising. Multiplying dt (seconds) by SPEED (characters per second) produces a number of characters, so whenever timer is at least 1, another character should be displayed. Spaces are counted as “free”; otherwise, the scrolling would seem to pause between words.

(The above code has a bug, as does most “string” manipulation code in JavaScript: it cuts astral plane characters in half, briefly displaying garbage. Fixing this is left as an exercise.)
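The astral-plane bug mentioned above, worked through as an added example (not code from the original post): the same timer loop split by UTF-16 code unit, which briefly shows half a surrogate pair, next to a version split by code point with Array.from. Rendering is left to the caller so the logic runs without a DOM; the sample string and the frame-collecting helper are constructed for the example.

```javascript
"use strict";

// Builds a scroller over `text`. With byCodePoint=true the text is split
// with Array.from, which iterates by Unicode code point, so a surrogate
// pair (an astral-plane character such as an emoji) stays one unit; with
// false it is split into UTF-16 code units, reproducing the bug above.
// Rendering is left to the caller so this runs without a DOM.
function makeScroller(text, speed, byCodePoint) {
  var units = byCodePoint ? Array.from(text) : text.split("");
  var cursor = 0; // number of units currently visible
  var timer = 0;  // elapsed time * speed; each whole 1 reveals one unit
  return function step(dt) {
    timer += dt * speed;
    while (timer >= 1 && cursor < units.length) {
      if (units[cursor] !== " ") timer -= 1; // spaces are free, as above
      cursor += 1;
    }
    return { text: units.slice(0, cursor).join(""), done: cursor >= units.length };
  };
}

// Runs the scroller one character per frame and collects every frame's text.
function frames(text, speed, byCodePoint) {
  var step = makeScroller(text, speed, byCodePoint);
  var out = [];
  var frame;
  do {
    frame = step(1 / speed);
    out.push(frame.text);
  } while (!frame.done);
  return out;
}

// True when the string ends in the first half of a surrogate pair, i.e. the
// garbage the naive version briefly displays.
function endsInLoneHighSurrogate(s) {
  return /[\uD800-\uDBFF]$/.test(s);
}

// Constructed sample with one astral-plane character. Note that Array.from
// still does not keep grapheme clusters together (flags, skin-tone
// modifiers, combining accents); for those use Intl.Segmenter.
var SAMPLE = "Look \u{1F308} up!";
console.log(frames(SAMPLE, 8, false).map(endsInLoneHighSurrogate)); // one true
console.log(frames(SAMPLE, 8, true).map(endsInLoneHighSurrogate));  // all false
```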

The problem, of course, is that the resulting text looks like this on successive frames, where the |s mark the edges of the box:

  1. |Demonstrating inadequate word-wra |
  2. |Demonstrating inadequate word-wrap|
  3. |Demonstrating inadequate          |
    |word-wrapp                        |

And so on. The renderer has no way of knowing that “word-wrap” is only part of a longer word, so it merrily puts everything on one line. The player then sees half a word abruptly jump to a new line, and judges you harshly for it.

Depending on your environment, you can solve this one of two ways, or not-solve it a third way.

Render everything, but only draw some of it

This works well in browser-based games, where you have a comically powerful text rendering engine at your fingertips. In graphics-oriented engines that don’t offer any text rendering beyond “print this text to the screen somewhere”, this approach may not be practical.

The idea is to always “draw” the entire phrase, but implement scrolling by making it partially invisible. Consider this HTML:

<span class="visible">Demonstra</span><span class="invisible">ting</span>

Even though the word is split across two tags, the browser must still treat it as a single word, because there’s no space anywhere. So the phrase will be word-wrapped correctly from the beginning, and the problem is solved.

You could implement this with only two <span>s, as above, but that forces the browser to reflow the text every single frame. It probably doesn’t make a visible difference, but I prefer to wrap each character in its own <span> and simply make them visible one at a time. As a minor bonus, you can put whitespace in the same <span> as the preceding letter, and you won’t have to worry about it within your update loop.

Also, if your text contains formatting — i.e., more HTML — then one <span> per character is much simpler to deal with. (Dealing with it is left as an exercise.)

Here it is live:

"use strict";
var TEXT = "Demonstrating inadequate word-wrapping functionality necessitates conspicuously verbose representative scripture.";
var SPEED = 8;  // characters per second

// The first invisible letter <span>
var next_letter = null;

function init() {
    var el = document.getElementById('target');

    // Setup: populate the element with the entire phrase,
    // split into characters, each wrapped in a <span>
    var i = 0;
    while (i < TEXT.length) {
        var span = document.createElement('span');
        span.textContent = TEXT.charAt(i);
        i += 1;

        // Also include any following whitespace
        var ch;
        while ((ch = TEXT.charAt(i)) == " ") {
            span.textContent += ch;
            i += 1;
        }

        // Every letter starts out hidden (see the CSS below)
        span.className = 'js-invisible';
        el.appendChild(span);
    }

    next_letter = el.firstChild;
}

// Elapsed time * SPEED, so every time this value increases by
// 1, one more character should be displayed
var timer = 0;
function update(dt) {
    timer += dt * SPEED;
    while (timer >= 1) {
        timer -= 1;
        // Reveal the current letter, then move on to the next one
        next_letter.classList.remove('js-invisible');
        next_letter = next_letter.nextSibling;

        // Stop updating once we run out of text
        if (next_letter == null) {
            return false;
        }
    }
}

I added an init() function (called from a load handler, not shown here) to do the setup and split the string into a series of <span>s. (If you wanted to be especially clever, you could use the DocumentFragment API here, but I’m not sure it’d make a real difference.) The main loop becomes much simpler: rather than counting characters, it can use the DOM tree API and hop from one <span> to the next with .nextSibling. Once you hit null, you’ve run out of characters, so you’re done.

The CSS is merely:

.js-invisible {
    visibility: hidden;
}

Be sure to use visibility: hidden; here and NOT display: none;! The latter tells the browser to ignore the hidden characters while rendering, which defeats the whole purpose of having them.

Hard wrap ahead of time

The other fix is to keep drawing one character at a time, but split the phrase into lines once ahead of time.

DO NOT use your programming language’s standard library to do this. DO NOT just Google for code that does this. You will get something that word wraps based on number of characters without taking the font into account, and the results will be wrong.

DO NOT fudge it by guessing the width of the “average” character. You will hit edge cases, and they will look ridiculous.

Find something in your graphics library to do this for you. For example, LÖVE has the poorly-named Font:getWrap: it takes a string of text and a width, and it returns a set of wrapped strings, one per line.

(Of course, if your font is monospace and will always be monospace, feel free to do naïve word-wrap.)

Font-aware word-wrapping is surprisingly difficult in JavaScript, even though it’s sitting on top of a glorified text renderer, so in the following example I’ve totally fudged it. It may not work the same way on your screen that it does on mine, which is why you shouldn’t be fudging it.

"use strict";
var TEXT = "Demonstrating inadequate word-wrapping functionality necessitates conspicuously verbose representative scripture.";
var SPEED = 8;  // characters per second

function init() {
    // This is hard in JavaScript, so just pretend there's
    // an API to do it for us
    //var lines = magical_word_wrap_api(TEXT);
    var lines = [
        "Demonstrating inadequate",
        "word-wrapping functionality",
        "necessitates conspicuously verbose",
        "representative scripture."
    ];
    TEXT = lines.join('\n');
}

// Number of characters currently visible
var cursor = 0;
// Elapsed time * SPEED, so every time this value increases by
// 1, one more character should be displayed
var timer = 0;
function update(dt) {
    timer += dt * SPEED;
    while (timer >= 1 && cursor < TEXT.length) {
        // Don't count spaces (or newlines) as characters
        if (TEXT.charAt(cursor).match(/\S/)) {
            timer -= 1;
        }
        cursor += 1;
    }

    var el = document.getElementById('target');
    el.textContent = TEXT.substr(0, cursor);

    // Stop updating once we run out of text
    if (cursor >= TEXT.length) {
        return false;
    }
}

This code is fairly similar to the original, since the basic idea is the same. All I did was add the init() step and change the space code to also skip over newlines.

And, hm, that’s all there is to it, really.
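An added example (not from the original post) of the “let something font-aware do it for you” approach written out as a plain function: a greedy wrap that asks a measuring callback, in the spirit of LÖVE’s Font:getWrap or a canvas measureText, how wide each candidate line is, shown next to the character-count wrap the post warns against. The glyph width table is constructed to stand in for a proportional font; measure(), wrapText(), naiveWrap() and overflowing() are names chosen for the example.

```javascript
"use strict";

// Constructed stand-in for a proportional font: advance width per glyph in
// pixels, with a default for anything not listed. In a browser the real
// thing is canvas' measureText(s).width; in LÖVE, Font:getWidth(s).
const GLYPH_WIDTH = { i: 3, l: 3, j: 3, t: 4, f: 4, r: 5, " ": 4, m: 10, w: 10, M: 12, W: 12 };
function measure(s) {
  let width = 0;
  for (const ch of s) width += GLYPH_WIDTH[ch] !== undefined ? GLYPH_WIDTH[ch] : 7;
  return width;
}

// Greedy font-aware wrap in the spirit of LÖVE's Font:getWrap: a word goes
// on the current line only if measureFn says the whole line still fits in
// maxWidth. A lone word wider than a line is split by code point rather
// than overflowing the box; explicit newlines always break.
function wrapText(text, maxWidth, measureFn) {
  const lines = [];
  for (const para of text.split("\n")) {
    let line = "";
    for (const word of para.split(" ").filter(Boolean)) {
      const candidate = line ? line + " " + word : word;
      if (measureFn(candidate) <= maxWidth) {
        line = candidate;
        continue;
      }
      if (line) lines.push(line);
      // Start a fresh line with this word, chopping it if it alone is too wide.
      let piece = "";
      for (const ch of word) {
        if (piece && measureFn(piece + ch) > maxWidth) {
          lines.push(piece);
          piece = "";
        }
        piece += ch;
      }
      line = piece;
    }
    lines.push(line);
  }
  return lines;
}

// The approach the post warns against: wrap on a character count and hope
// the glyphs are all the same width. Included only to contrast the results.
function naiveWrap(text, maxChars) {
  const lines = [];
  let line = "";
  for (const word of text.split(/\s+/).filter(Boolean)) {
    const candidate = line ? line + " " + word : word;
    if (candidate.length <= maxChars) line = candidate;
    else {
      if (line) lines.push(line);
      line = word;
    }
  }
  if (line) lines.push(line);
  return lines;
}

// Lines that would spill past the box edge under the given font.
function overflowing(lines, maxWidth, measureFn) {
  return lines.filter((l) => measureFn(l) > maxWidth);
}

const TEXT = "Demonstrating inadequate word-wrapping functionality necessitates conspicuously verbose representative scripture.";
console.log(wrapText(TEXT, 150, measure));                        // every line measures <= 150
console.log(overflowing(naiveWrap("wm wm ill", 6), 40, measure)); // [ 'wm wm' ]: 5 chars but 44px wide
console.log(wrapText("wm wm ill", 40, measure));                  // [ 'wm', 'wm ill' ]
```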

The desperate approach

Maybe you don’t have a fancy text rendering engine, and you don’t have any way to correctly break the text, and you’re dead set on using a proportional font.

At this point I would be questioning some of the decisions that had brought me to this point in my life, but you do still have one final recourse. The classic solution, dating back decades. Pokémon did it. Come to think of it, Pokémon might still do it.

What you do is: manually include line breaks in your dialogue. All of it. Everywhere.

That is, instead of this:

var TEXT = "Demonstrating inadequate word-wrapping functionality necessitates conspicuously verbose representative scripture.";

You will need to literally have this:

var TEXT = "Demonstrating inadequate\nword-wrapping functionality\nnecessitates conspicuously verbose\nrepresentative scripture.";

Have fun.


I hope at least one person reads this and goes to fix the word-wrapping in their scrolling dialogue. I’ll have made the world a slightly better place. 🌈