Tag Archives: sms

[$] BPF comes to firewalls

Post Syndicated from corbet original https://lwn.net/Articles/747551/rss

The Linux kernel currently supports two separate network packet-filtering
mechanisms: iptables and nftables. For the last few years, it has been
generally assumed that nftables would eventually replace the older iptables
implementation; few people expected that the kernel developers would,
instead, add a third packet filter. But that would appear to be what is
happening with the newly announced bpfilter
mechanism. Bpfilter may eventually replace both iptables and nftables, but
there are a lot of questions that will need to be answered first.

EFF Urges US Copyright Office To Reject Proactive ‘Piracy’ Filters

Post Syndicated from Andy original https://torrentfreak.com/eff-urges-us-copyright-office-to-reject-proactive-piracy-filters-180213/

Faced with millions of individuals consuming unlicensed audiovisual content from a variety of sources, entertainment industry groups have been seeking solutions closer to the roots of the problem.

As widespread site-blocking attempts to tackle ‘pirate’ sites in the background, greater attention has turned to legal platforms that host both licensed and unlicensed content.

Under current legislation, these sites and services can do business relatively comfortably due to the so-called safe harbor provisions of the US Digital Millennium Copyright Act (DMCA) and the European Union Copyright Directive (EUCD).

Both sets of legislation ensure that Internet platforms can avoid being held liable for the actions of others provided they themselves address infringement when they are made aware of specific problems. If a video hosting site has a copy of an unlicensed movie uploaded by a user, for example, it must be removed within a reasonable timeframe upon request from the copyright holder.

However, in both the US and EU there is mounting pressure to make it more difficult for online services to achieve ‘safe harbor’ protections.

Entertainment industry groups believe that platforms use the law to turn a blind eye to infringing content uploaded by users, content that is often monetized before being taken down. With this in mind, copyright holders on both sides of the Atlantic are pressing for more proactive regimes, ones that will see Internet platforms install filtering mechanisms to spot and discard infringing content before it can reach the public.

While such a system would be welcomed by rightsholders, Internet companies are fearful of a future in which they could be held more liable for the infringements of others. They’re supported by the EFF, who yesterday presented a petition to the US Copyright Office urging caution over potential changes to the DMCA.

“As Internet users, website owners, and online entrepreneurs, we urge you to preserve and strengthen the Digital Millennium Copyright Act safe harbors for Internet service providers,” the EFF writes.

“The DMCA safe harbors are key to keeping the Internet open to all. They allow anyone to launch a website, app, or other service without fear of crippling liability for copyright infringement by users.”

It is clear that pressure to introduce mandatory filtering is a concern to the EFF. Filters are blunt instruments that cannot fathom the intricacies of fair use and are liable to stifle free speech and stymie innovation, they argue.

“Major media and entertainment companies and their surrogates want Congress to replace today’s DMCA with a new law that would require websites and Internet services to use automated filtering to enforce copyrights.

“Systems like these, no matter how sophisticated, cannot accurately determine the copyright status of a work, nor whether a use is licensed, a fair use, or otherwise non-infringing. Simply put, automated filters censor lawful and important speech,” the EFF warns.

While its introduction was voluntary and doesn’t affect the company’s safe harbor protections, YouTube already has its own content filtering system in place.

ContentID is able to detect the nature of some content uploaded by users and give copyright holders a chance to remove or monetize it. The company says that the majority of copyright disputes are now handled by ContentID but the system is not perfect and mistakes are regularly flagged by users and mentioned in the media.

However, ContentID was also very expensive to implement so expecting smaller companies to deploy something similar on much more limited budgets could be a burden too far, the EFF warns.

“What’s more, even deeply flawed filters are prohibitively expensive for all but the largest Internet services. Requiring all websites to implement filtering would reinforce the market power wielded by today’s large Internet services and allow them to stifle competition. We urge you to preserve effective, usable DMCA safe harbors, and encourage Congress to do the same,” the EFF notes.

The same arguments, for and against, are currently raging in Europe where the EU Commission proposed mandatory upload filtering in 2016. Since then, opposition to the proposals has been fierce, with warnings of potential human rights breaches and conflicts with existing copyright law.

Back in the US, there are additional requirements for a provider to qualify for safe harbor, including having a named designated agent tasked with receiving copyright infringement notifications. This person’s name must be listed on a platform’s website and submitted to the US Copyright Office, which maintains a centralized online directory of designated agents’ contact information.

Under new rules, agents must be re-registered with the Copyright Office every three years, despite that not being a requirement under the DMCA. The EFF is concerned that by simply failing to re-register an agent, an otherwise responsible website could lose its safe harbor protections, even if the agent’s details have remained the same.

“We’re concerned that the new requirement will particularly disadvantage small and nonprofit websites. We ask you to reconsider this rule,” the EFF concludes.

The EFF’s letter to the Copyright Office can be found here.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons

Pirate Site Blockades Enter Germany With Kinox.to as First Target

Post Syndicated from Ernesto original https://torrentfreak.com/pirate-site-blockades-enter-germany-with-kinox-to-as-first-target-180213/

Website blocking has become one of the leading anti-piracy mechanisms of recent years.

It is particularly prevalent across Europe, where thousands of sites are blocked by ISPs following court orders.

This week, these blocking efforts also reached Germany. Following a provisional injunction issued by the federal court in Munich, Internet provider Vodafone must block access to the popular streaming portal Kinox.to.

The injunction was issued on behalf of the German film production and distribution company Constantin Film. The company complained that Kinox facilitates copyright infringement and cited a recent order from the European Court of Justice in its defense, Golem reports.

While these types of blockades are common in Europe, they’re a new sight in Germany. Vodafone users who attempt to access the Kinox site will now be welcomed with a blocking notification instead.

“This portal is temporarily unavailable due to a copyright claim,” it reads, translated from German.

The Kinox streaming site has been a thorn in the side of German authorities and copyright holders for a long time. Last year, one of the site’s admins was detained in Kosovo after a three-year manhunt, but despite these and other actions, the site remains online.

With the blocking efforts, Constantin Film hopes to make it harder for people to access the site, although this measure is also limited.

For now, it seems to be a simple DNS blockade, which means that people can bypass it relatively easily by switching to a free alternative DNS provider such as Google DNS or OpenDNS.

And there are other workarounds as well, as operators of Kinox point out in a message on their homepage.

“Vodafone User: Use the public Google DNS server: 8.8.8.8, that goes the .TO domain again! Otherwise, a VPN or the free Tor Browser can be used!” they write.

While the measure may not be foolproof, the current order is certainly significant. Previously, all German courts have denied similar blocking orders based on different arguments. This means that more blocking efforts may be on the horizon.

Backblaze B2 Supports CORS for Cross Origin Resource Sharing

Post Syndicated from Roderick Bauer original https://www.backblaze.com/blog/enable-cors-for-cross-origin-resource-sharing/

Host files between domains with B2 CORS Rules

Web pages do their magic by loading assets such as images, videos, fonts, text, and other resources from one or more servers on the internet. Most often, data for a website is stored on the same server where the webpages themselves are stored. Sometimes, though, websites will pull in data from servers located elsewhere on the internet.

Allowing websites to include data from other servers can pose security risks. To protect users, web browsers enforce a same-origin policy: scripts in one web page may read data from a second web page only if both pages share the same origin (the same scheme, host, and port). This prevents a malicious or faulty script on one page from obtaining access to data on another page that it shouldn’t.

There are many times, however, when one might want to load assets hosted on other servers across the internet. Resources such as fonts, videos, style sheets, images, and iframes are commonly loaded from other origins. It’s great to restrict access to content that might be unauthorized or dangerous, but the web developer needs to be able to specify when it’s okay to load a resource from a different origin.

That’s where CORS comes in.

What is CORS?

To enable web pages to load content that is stored in a different origin, W3C (World Wide Web Consortium), the international community that develops open standards to ensure the long-term growth of the Web, created the Cross-Origin Resource Sharing (CORS) mechanism that allows web pages to access data with a different origin.

The web page might be located on one origin, e.g.

http://origin-a.com

And some data the web page loads might be located on a different origin, e.g.

http://origin-b.com

CORS requires that the resource server explicitly declare that it’s OK to load the asset from a different origin. For requests that go beyond a plain GET or POST with standard headers, the browser first makes a “preflight” OPTIONS request asking the server whether the cross-origin request is acceptable, and sends the real request only if the server answers with matching Access-Control-* headers. By default, servers say “no” to preflight requests simply by not returning those headers. Rules must be put into place to enable the server to reply to these preflight requests saying it’s OK to serve the asset to a different origin.

B2 Supports CORS for Cross Origin Resource Sharing

B2 is Backblaze’s general purpose cloud storage that can include any type of data that can be stored in the cloud. With pricing that’s ¼ of Amazon’s S3, web developers use B2 as an origin for web data, including text, numbers, scripts, fonts, images, stylesheets, iframes, and videos.

Backblaze supports the standard CORS mechanism that allows B2 customers to share the content of their buckets with web pages hosted in origins other than B2.

In keeping with CORS practice, B2 servers will say “no” to preflight requests in order to prevent unauthorized sharing of assets with other origins. Adding CORS rules to your bucket tells B2 which preflight requests to approve. CORS is a security feature that works in addition to the normal B2 authorization mechanisms: requests will still need to present normal B2 authorization tokens to download content from non-public buckets.
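The default-deny preflight handling described above, as an added example that is not Backblaze’s code and does not use B2’s own rule format: a small evaluator that answers a browser’s OPTIONS preflight only when an explicit rule matches the exact origin, method, and requested headers, and otherwise returns no CORS headers at all. Rule contents, origin names and request headers are constructed for the example.

```python
"""Default-deny CORS preflight evaluation (constructed example, not B2's code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsRule:
    """One CORS rule. Origins are full scheme://host[:port] strings; '*' matches any."""
    allowed_origins: frozenset[str]
    allowed_methods: frozenset[str]          # upper-case HTTP methods
    allowed_headers: frozenset[str] = frozenset()   # lower-case header names
    max_age_seconds: int = 600


def _split_list(value: Optional[str]) -> list[str]:
    """Split a comma-separated header value, dropping blanks and whitespace."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def _rule_matches(rule: CorsRule, origin: str, method: str, headers: list[str]) -> bool:
    # Origin matching is exact: scheme, host and port must all agree, so
    # https://origin-a.com:8443 is not https://origin-a.com.
    if "*" not in rule.allowed_origins and origin not in rule.allowed_origins:
        return False
    if method.upper() not in rule.allowed_methods:
        return False
    wanted = {h.lower() for h in headers}
    return wanted <= rule.allowed_headers


def evaluate_preflight(rules, request_headers: dict[str, str]) -> Optional[dict[str, str]]:
    """Evaluate an OPTIONS preflight. Returns CORS response headers, or None to deny.

    Header names are compared case-insensitively. A None result means the server
    answers without any Access-Control-* headers, so the browser blocks the
    cross-origin request: the default outcome when no rule matches.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    method = hdrs.get("access-control-request-method")
    if not origin or not method:
        return None  # not a CORS preflight at all; nothing to approve
    headers = _split_list(hdrs.get("access-control-request-headers"))
    for rule in rules:
        if _rule_matches(rule, origin, method, headers):
            return {
                # Echo the specific origin rather than '*' so the grant is scoped
                # to this requester; Vary tells caches the answer depends on Origin.
                "Access-Control-Allow-Origin": origin,
                "Vary": "Origin",
                "Access-Control-Allow-Methods": ", ".join(sorted(rule.allowed_methods)),
                "Access-Control-Allow-Headers": ", ".join(sorted(rule.allowed_headers)),
                "Access-Control-Max-Age": str(rule.max_age_seconds),
            }
    return None


# Constructed rules for a bucket that serves read-only assets to one origin.
BUCKET_RULES = (
    CorsRule(
        allowed_origins=frozenset({"https://origin-a.com"}),
        allowed_methods=frozenset({"GET", "HEAD"}),
        allowed_headers=frozenset({"range", "authorization"}),
        max_age_seconds=3600,
    ),
)


def demo() -> tuple[Optional[dict[str, str]], Optional[dict[str, str]]]:
    """Run one approved and one denied preflight against the constructed rules."""
    approved = evaluate_preflight(BUCKET_RULES, {
        "Origin": "https://origin-a.com",
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "Authorization, Range",
    })
    denied = evaluate_preflight(BUCKET_RULES, {
        "Origin": "https://origin-c.com",  # no rule covers this origin
        "Access-Control-Request-Method": "GET",
    })
    return approved, denied


if __name__ == "__main__":
    print(demo())
```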

B2 Cloud Storage Buckets dialog

CORS Rules for BzFileShare

B2 CORS Rules settings dialog

Learn More about B2 and CORS

You can read all about B2’s support of CORS, and how to add rules to your B2 buckets to serve web assets cross-origin, on Backblaze’s website at CORS: Cross-Origin Resource Sharing.

The post Backblaze B2 Supports CORS for Cross Origin Resource Sharing appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Planned Piracy Upload Filters are ‘Censorship Machines,’ MEPs Warn

Post Syndicated from Ernesto original https://torrentfreak.com/planned-piracy-upload-filters-are-censorship-machines-meps-warn-180122/

Through a series of new proposals, the European Commission is working hard to modernize EU copyright law. Among other things, it will require online services to do more to fight piracy.

These proposals have not been without controversy. Article 13 of the proposed Copyright Directive, for example, has been widely criticized as it would require online services to monitor and filter uploaded content.

This means that online services, which deal with large volumes of user-uploaded content, must use fingerprinting or other detection mechanisms – similar to YouTube’s Content-ID system – to block copyright infringing files.

The Commission believes that more stringent control is needed to support copyright holders. However, many legal scholars, digital activists, and members of the public worry that they will violate the rights of regular Internet users.

In the European Parliament, there is fierce opposition as well. Today, six Members of Parliament (MEPs) from across the political spectrum released a new campaign video warning their fellow colleagues and the public at large.

The MEPs warn that such upload filters would act as “censorship machines,” something they’ve made clear to the Council’s working group on intellectual property, where the controversial proposal was discussed today.

“Imagine if every time you opened your mouth, computers controlled by big companies would check what you were about to say, and have the power to prevent you from saying it,” Greens/EFA MEP Julia Reda says.

“A new legal proposal would make this a reality when it comes to expressing yourself online: Every clip and every photo would have to be pre-screened by some automated ‘robocop’ before it could be uploaded and seen online,” ALDE MEP Marietje Schaake adds.

Stop censorship machines!

Schaake notes that she has dealt with the consequences of upload filters herself. When she uploaded a recording of a political speech to YouTube, the site took it down without explanation. Until this day, the MEP still doesn’t know on what grounds it was removed.

These broad upload filters are completely disproportionate and a danger for freedom of speech, the MEPs warn. The automated systems make mistakes and can’t properly detect whether something’s fair use, for example.

Another problem is that the measures will be relatively costly for smaller companies, which puts them at a competitive disadvantage. “Only the biggest platforms can afford them – European competitors and small businesses will struggle,” ECR MEP Dan Dalton says.

The plans can still be stopped, the MEPs say. They are currently scheduled for a vote in the Legal Affairs Committee at the end of March, and the video encourages members of the public to raise their voices.

“Speak out …while you can still do so unfiltered!” S&D MEP Catherine Stihler says.

Amazon Web Services Is the First Global Cloud Service Provider to Achieve the Korea-Information Security Management System Certification

Post Syndicated from Oliver Bell original https://aws.amazon.com/blogs/security/amazon-web-services-is-the-first-global-cloud-service-provider-to-achieve-the-korea-information-security-management-system-certification/

Scope of certification: Operation of infrastructure in the AWS Asia Pacific (Seoul) Region
Period of validity: December 27, 2017, through December 26, 2020

Amazon Web Services (AWS) has achieved the Korea-Information Security Management System (K-ISMS) Certification. The Korea Internet and Security Agency (KISA) completed its assessment of AWS, which covered the operation of infrastructure (such as compute, storage, networking, databases, and security) in the Asia Pacific (Seoul) Region. AWS is the first global cloud service provider to earn this status in Korea.

Sponsored by KISA and affiliated with the Korean Ministry of Science and ICT (MSIT), K-ISMS serves as a standard for evaluating whether enterprises and organizations operate and manage their information security management systems consistently and securely such that they thoroughly protect their information assets. The K-ISMS certification assessment covers 104 criteria, including 12 control items in 5 sectors for information security management, and 92 control items in 13 sectors for information security countermeasures.

With this certification, enterprises and organizations across Korea can meet KISA compliance requirements more effectively. Achieving this certification demonstrates the proactive approach AWS has taken with regard to driving compliance with the Korean government’s requirements and delivering secure AWS services to Korean customers. Enterprises and organizations in Korea that need the K-ISMS certification can use the work that AWS has done to reduce the time and cost of getting their own certification.

– Oliver

Cloud Babble: The Jargon of Cloud Storage

Post Syndicated from Andy Klein original https://www.backblaze.com/blog/what-is-cloud-computing/

Cloud Babble

One of the things we in the technology business are good at is coming up with names, phrases, euphemisms, and acronyms for the stuff that we create. The Cloud Storage market is no different, and we’d like to help by illuminating some of the cloud storage related terms that you might come across. We know this is just a start, so please feel free to add in your favorites in the comments section below and we’ll update this post accordingly.

Clouds

The cloud is really just a collection of purpose built servers. In a public cloud the servers are shared between multiple unrelated tenants. In a private cloud, the servers are dedicated to a single tenant or sometimes a group of related tenants. A public cloud is off-site, while a private cloud can be on-site or off-site – or on-prem or off-prem, if you prefer.

Both Sides Now: Hybrid Clouds

Speaking of on-prem and off-prem, there are Hybrid Clouds or Hybrid Data Clouds depending on what you need. Both are based on the idea that you extend your local resources (typically on-prem) to the cloud (typically off-prem) as needed. This extension is controlled by software that decides, based on rules you define, what needs to be done where.

A Hybrid Data Cloud is specific to data. For example, you can set up a rule that says all accounting files that have not been touched in the last year are automatically moved off-prem to cloud storage. The files are still available; they are just no longer stored on your local systems. The rules can be defined to fit an organization’s workflow and data retention policies.

A Hybrid Cloud is similar to a Hybrid Data Cloud except it also extends compute. For example, at the end of the quarter, you can spin up order processing application instances off-prem as needed to add to your on-prem capacity. Of course, determining where the transactional data used and created by these applications resides can be an interesting systems design challenge.

Clouds in my Coffee: Fog

Typically, public and private clouds live in large buildings called data centers. Full of servers, networking equipment, and clean air, data centers need lots of power, lots of networking bandwidth, and lots of space. This often limits where data centers are located. The further away you are from a data center, the longer it generally takes to get your data to and from there. This is known as latency. That’s where “Fog” comes in.

Fog is often described as clouds close to the ground. In our cloud world, Fog is basically having a “little” data center near you. This can make data storage, and even cloud-based processing, faster for everyone nearby. Data (and, to a lesser extent, processing) can be transferred between the Fog and the Cloud when time is less of a factor. Data could also be aggregated in the Fog and sent to the Cloud. For example, your electric meter could report its minute-by-minute status to the Fog for diagnostic purposes; then, once a day, the aggregated data could be sent to the power company’s Cloud for billing purposes.

Another term used in place of Fog is Edge, as in computing at the Edge. In either case, a given cloud (data center) usually has multiple Edges (little data centers) connected to it. The connection between the Edge and the Cloud is sometimes known as the middle-mile. The network in the middle-mile can be less robust than that required to support a stand-alone data center. For example, the middle-mile can use 1 Gbps lines, versus a data center, which would require multiple 10 Gbps lines.

Heavy Clouds No Rain: Data

We’re all aware that we are creating, processing, and storing data faster than ever before. All of this data is stored in either a structured or more likely an unstructured way. Databases and data warehouses are structured ways to store data, but a vast amount of data is unstructured – meaning the schema and data access requirements are not known until the data is queried. A large pool of unstructured data in a flat architecture can be referred to as a Data Lake.

A Data Lake is often created so we can perform some type of “big data” analysis. In an oversimplified example, let’s extend the lake metaphor a bit and ask the question: “how many fish are in our lake?” To get an answer, we take a sufficient sample of our lake’s water (data), count the number of fish we find, and extrapolate based on the size of the lake to get an answer within a given confidence interval.

A Data Lake is usually found in the cloud, an excellent place to store large amounts of non-transactional data. Watch out as this can lead to our data having too much Data Gravity or being locked in the Hotel California. This could also create a Data Silo, thereby making a potential data Lift-and-Shift impossible. Let me explain:

  • Data Gravity — Generally, the more data you collect in one spot, the harder it is to move. When you store data in a public cloud, you have to pay egress and/or network charges to download the data to another public cloud or even to your own on-premise systems. Some public cloud vendors charge a lot more than others, meaning that depending on your public cloud provider, your data could financially have a lot more gravity than you expected.
  • Hotel California — This is like Data Gravity but to a lesser scale. Your data is in the Hotel California if, to paraphrase, “your data can check out any time you want, but it can never leave.” If the cost of downloading your data is limiting the things you want to do with that data, then your data is in the Hotel California. Data is generally most valuable when used, and with cloud storage that can include archived data. This assumes of course that the archived data is readily available, and affordable, to download. When considering a cloud storage project always figure in the cost of using your own data.
  • Data Silo — Over the years, businesses have suffered from organizational silos as information is not shared between different groups, but instead needs to travel up to the top of the silo before it can be transferred to another silo. If your data is “trapped” in a given cloud by the cost it takes to share such data, then you may have a Data Silo, and that’s exactly opposite of what the cloud should do.
  • Lift-and-Shift — This term is used to define the movement of data or applications from one data center to another or from on-prem to off-prem systems. The move generally occurs all at once and once everything is moved, systems are operational and data is available at the new location with few, if any, changes. If your data has too much gravity or is locked in a hotel, a data lift-and-shift may break the bank.

I Can See Clearly Now

Hopefully, the cloudy terms we’ve covered are, well, less cloudy. As we mentioned in the beginning, our compilation is just a start, so please feel free to add your favorite cloud term in the comments section below and we’ll update this post with your contributions. Keep your entries “clean,” and please no words or phrases that are really adverts for your company. Thanks.

The post Cloud Babble: The Jargon of Cloud Storage appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Announcing our new beta for the AWS Certified Security – Specialty exam

Post Syndicated from Janna Pellegrino original https://aws.amazon.com/blogs/architecture/announcing-our-new-beta-for-the-aws-certified-security-specialty-exam/

Take the AWS Certified Security – Specialty beta exam for the chance to be among the first to hold this new AWS Certification. This beta exam allows experienced cloud security professionals to demonstrate and validate their expertise. Register today – this beta exam will only be available from January 15 to March 2!

About the exam

This beta exam validates that the successful candidate can effectively demonstrate knowledge of how to secure the AWS platform. The exam covers incident response, logging and monitoring, infrastructure security, identity and access management, and data protection.

The exam validates:

  • Familiarity with regional- and country-specific security and compliance regulations and meta issues that these regulations embody.
  • An understanding of specialized data classifications and AWS data protection mechanisms.
  • An understanding of data encryption methods and AWS mechanisms to implement them.
  • An understanding of secure Internet protocols and AWS mechanisms to implement them.
  • A working knowledge of AWS security services and features of services to provide a secure production environment.
  • Competency gained from two or more years of production deployment experience using AWS security services and features.
  • Ability to make tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements.
  • An understanding of security operations and risk.

Learn more and register >>

Who is eligible

The beta is open to anyone who currently holds an Associate or Cloud Practitioner certification. We recommend candidates have five years of IT security experience designing and implementing security solutions, and at least two years of hands-on experience securing AWS workloads.

How to prepare

We have training and other resources to help you prepare for the beta exam:

AWS Security Fundamentals | Digital | 3 Hours
This course introduces you to fundamental cloud computing and AWS security concepts, including AWS access control and management, governance, logging, and encryption methods. It also covers security-related compliance protocols and risk management strategies, as well as procedures related to auditing your AWS security infrastructure.

Security Operations on AWS | Classroom | 3 Days
This course demonstrates how to efficiently use AWS security services to stay secure and compliant in the AWS Cloud. The course focuses on the AWS-recommended security best practices that you can implement to enhance the security of your data and systems in the cloud. The course highlights the security features of AWS key services including compute, storage, networking, and database services.

Online resources for Cloud Security and Compliance

Review documentation, whitepapers, and articles & tutorials related to cloud security and compliance.

Learn more and register >>

Please contact us if you have questions about exam registration.

Good luck!

Validate Your IT Security Expertise with the New AWS Certified Security – Specialty Beta Exam

Post Syndicated from Sara Snedeker original https://aws.amazon.com/blogs/security/validate-your-it-security-expertise-with-the-new-aws-certified-security-specialty-beta-exam/

If you are an experienced cloud security professional, you can demonstrate and validate your expertise with the new AWS Certified Security – Specialty beta exam. This exam allows you to demonstrate your knowledge of incident response, logging and monitoring, infrastructure security, identity and access management, and data protection. Register today – this beta exam will be available only from January 15 to March 2, 2018.

By taking this exam, you can validate your:

  • Familiarity with region-specific and country-specific security and compliance regulations and meta issues that these regulations include.
  • Understanding of data encryption methods and secure internet protocols, and the AWS mechanisms to implement them.
  • Working knowledge of AWS security services to provide a secure production environment.
  • Ability to make trade-off decisions with regard to cost, security, and deployment complexity when given a set of application requirements.

See the full list of security knowledge you can validate by taking this beta exam.

Who is eligible?

The beta exam is open to anyone who currently holds an AWS Associate or Cloud Practitioner certification. We recommend candidates have five years of IT security experience designing and implementing security solutions, and at least two years of hands-on experience securing AWS workloads.

How to prepare

You can take the following courses and use AWS cloud security resources and compliance resources to prepare for this exam.

AWS Security Fundamentals (digital, 3 hours)
This digital course introduces you to fundamental cloud computing and AWS security concepts, including AWS access control and management, governance, logging, and encryption methods. It also covers security-related compliance protocols and risk management strategies, as well as procedures related to auditing your AWS security infrastructure.

Security Operations on AWS (classroom, 3 days)
This instructor-led course demonstrates how to efficiently use AWS security services to help stay secure and compliant in the AWS Cloud. The course focuses on the AWS-recommended security best practices that you can implement to enhance the security of your AWS resources. The course highlights the security features of AWS compute, storage, networking, and database services.

If you have questions about this new beta exam, contact us.

Good luck with the exam!

– Sara

Spectre and Meltdown Attacks Against Microprocessors

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/01/spectre_and_mel_1.html

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution — which of course is not a solution — is to throw them all away and buy new ones.

On Wednesday, researchers just announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15-20 years. They’ve been named Spectre and Meltdown, and they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer. (The research papers are here and here.)

This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer — maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack — can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other user on the same hardware.

Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.

“Throw it away and buy a new one” is ridiculous security advice, but it’s what US-CERT recommends. It is also unworkable. The problem is that there isn’t anything to buy that isn’t vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. (Here’s a running list of who’s patched what.)

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren’t security teams on call to write patches, and there often aren’t mechanisms to push patches onto the devices. We’re already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can’t be fixed.

The second is that some of the patches require updating the computer’s firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors. But it couldn’t get that update directly to users; it had to work with the individual hardware companies, and some of them just weren’t capable of getting the update to their customers.

We’re already seeing this. Some patches require users to disable the computer’s password, which means organizations can’t automate the patch. Some antivirus software blocks the patch, or — worse — crashes the computer. This results in a three-step process: patch your antivirus software, patch your operating system, and then patch the computer’s firmware.

The final reason is the nature of these vulnerabilities themselves. These aren’t normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.

You probably won’t notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don’t do all of the vulnerable fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.

It’s a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they’ll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.

But more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.

Note: A shorter version of this essay previously appeared on CNN.com. My previous blog post on this topic contains additional links.

The Top 10 Most Downloaded AWS Security and Compliance Documents in 2017

Post Syndicated from Sara Duffer original https://aws.amazon.com/blogs/security/the-top-10-most-downloaded-aws-security-and-compliance-documents-in-2017/

The following list includes the ten most downloaded AWS security and compliance documents in 2017. Using this list, you can learn about what other AWS customers found most interesting about security and compliance last year.

  1. AWS Security Best Practices – This guide is intended for customers who are designing the security infrastructure and configuration for applications running on AWS. The guide provides security best practices that will help you define your Information Security Management System (ISMS) and build a set of security policies and processes for your organization so that you can protect your data and assets in the AWS Cloud.
  2. AWS: Overview of Security Processes – This whitepaper describes the physical and operational security processes for the AWS managed network and infrastructure, and helps answer questions such as, “How does AWS help me protect my data?”
  3. Architecting for HIPAA Security and Compliance on AWS – This whitepaper describes how to leverage AWS to develop applications that meet HIPAA and HITECH compliance requirements.
  4. Service Organization Controls (SOC) 3 Report – This publicly available report describes internal AWS security controls, availability, processing integrity, confidentiality, and privacy.
  5. Introduction to AWS Security –This document provides an introduction to AWS’s approach to security, including the controls in the AWS environment, and some of the products and features that AWS makes available to customers to meet your security objectives.
  6. AWS Best Practices for DDoS Resiliency – This whitepaper covers techniques to mitigate distributed denial of service (DDoS) attacks.
  7. AWS: Risk and Compliance – This whitepaper provides information to help customers integrate AWS into their existing control framework, including a basic approach for evaluating AWS controls and a description of AWS certifications, programs, reports, and third-party attestations.
  8. Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities – AWS WAF is a web application firewall that helps you protect your websites and web applications against various attack vectors at the HTTP protocol level. This whitepaper outlines how you can use AWS WAF to mitigate the application vulnerabilities that are defined in the Open Web Application Security Project (OWASP) Top 10 list of most common categories of application security flaws.
  9. Introduction to Auditing the Use of AWS – This whitepaper provides information, tools, and approaches for auditors to use when auditing the security of the AWS managed network and infrastructure.
  10. AWS Security and Compliance: Quick Reference Guide – By using AWS, you inherit the many security controls that we operate, thus reducing the number of security controls that you need to maintain. Your own compliance and certification programs are strengthened while at the same time lowering your cost to maintain and run your specific security assurance requirements. Learn more in this quick reference guide.

– Sara

Modding Legends Team-Xecuter Announce “Future-Proof” Nintendo Switch Hack

Post Syndicated from Andy original https://torrentfreak.com/modding-legends-team-xecuter-announce-future-proof-nintendo-switch-hack-180104/

Since the advent of the first truly mass-market videogames consoles, people have dreamed about removing the protection mechanisms that prevent users from tinkering with their machines.

These modifications – which are software, hardware, or a combination of the two – facilitate the running of third-party or “homebrew” code. On this front, a notable mention must go to XBMC (now known as Kodi) which ran on the original Xbox after its copy protection mechanisms had been removed.

However, these same modifications regularly open the door to mass-market piracy too, with mod-chips (hardware devices) or soft-mods (software solutions) opening up machines so that consumers can run games obtained from the Internet or elsewhere.

For the Nintendo Switch, that prospect edged closer at the end of December when Wololo reported that hackers Plutoo, Derrek, and Naehrwert had given a long presentation (video) at the 34C3 hacking conference in Germany, revealing their kernel hack for the Nintendo Switch.

While this in itself is an exciting development, fresh news from a veteran hacking group suggests that Nintendo could be in big trouble on the piracy front in the not-too-distant future.

“In the light of a recent presentation at the Chaos Communication Congress in Germany we’ve decided to come out of the woodwork and tease you all a bit with our latest upcoming product,” the legendary Team-Xecutor just announced.

While the hack announced in December requires Switch firmware 3.0 (and a copy of Pokken Tournament DX), Team-Xecutor say that their product will be universal, something which tends to suggest a fundamental flaw in the Switch system.

“This solution will work on ANY Nintendo Switch console regardless of the currently installed firmware, and will be completely future proof,” the team explain.

Xecutor say that their solution opens up the possibility of custom firmware (CFW) on Nintendo’s console. In layman’s terms, this means that those with the technical ability will be able to dictate, at least to a point, how the console functions.

“We want to move the community forward and provide a persistent, stable and fast method of running your own code and custom firmware patches on Nintendo’s latest flagship product. And we think we’ve succeeded!” the team add.

The console-modding community thrives on rumors, with various parties claiming to have made progress here and there, on this console and that, so it’s natural for people to greet this kind of announcement with a degree of skepticism. That being said, Team-Xecutor is no regular group.

With a long history of console-based meddling, Team-Xecutor’s efforts include hardware solutions for the original Playstation and Playstation 2, an array of hacks for the original Xbox (Enigmah and various Xecuter-branded solutions), plus close involvement in prominent Xbox360 mods. Their pedigree is definitely not up for debate.

For now, the team isn’t releasing any more details on the nature of the hack but they have revealed when the public can expect to get their hands on it.

“Spring 2018 or there around,” they conclude.

Team-Xecutor demo

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons

12 B2 Power Tips for New Users

Post Syndicated from Roderick Bauer original https://www.backblaze.com/blog/newbie-cloud-storage-guide/

B2 Tips for Beginners
You probably know that B2 is Backblaze’s fast and economical general purpose cloud storage, but do you know everything that you can do with it?

If you’re a B2 newbie, here are some blazing power tips to help you get the most out of B2 Cloud Storage.

If you’re a B2 expert or a developer, stay tuned. We’ll be publishing power tips for you in the near future. Enter your email address using the Join button at the top of the page and you won’t miss any upcoming blog posts.

1. Drag and Drop Files to B2

Use Backblaze’s drag-and-drop web interface to store, restore, and share B2 files.

2. Share Files You Have in B2

You can designate a B2 bucket as private or public. If the bucket is public and you’d like to share a file with others, you can create and copy a Friendly URL and paste it into an email or message.

3. Use B2 Just Like Any Other Drive

Use B2 just as if it were a drive on your computer — drag and drop files and folders, save files to it — using one of a number of integrations that let you mount B2 as a volume in your Windows or Macintosh file system (Mountain Duck, ExpanDrive, odrive). Pick the files you want to save, drop them in a desktop folder, and they are automatically saved to B2.

4. Drag and Drop To and From B2 from the Desktop, Too

Use Cyberduck, a B2 integration partner, to drag-and-drop files to and from B2 right from the Windows or Macintosh desktop.

5. Determine the Speed of Your Connection to B2

You can check the speed and latency of your internet connection between your location and Backblaze’s data centers, and see how much data you could theoretically transfer in a day, at https://www.backblaze.com/speedtest/.

6. No Matter What Type of Data You Have, B2 Can Handle It

You can transfer any type or amount of data to B2 from any device that can connect to the internet, including Windows, Macintosh, Linux, servers, mobile devices, external drives, and NAS.

7. Get Your Files from B2 by Mail

You have a choice of how to receive your data from B2. You can download data directly or request that your data be shipped to you via FedEx.

8. Back Up Your Backups to B2

You can automatically back up your Apple Time Machine backup or Windows backup to a NAS and then back that up to B2 to give you both local and cloud backups for a 3-2-1 backup solution.

9. Protect Your B2 Account with Two-Factor Verification

You can (and should) protect your Backblaze account with two-factor verification (such as using an app on your smartphone), and you can use backup codes and SMS verification in case you lose access to your smartphone.

10. Preview Photos Stored on B2 from the Web

Preview your photos as thumbnails (and optionally download individual photos) in common image formats (including jpg, png, img, tiff, and gif) with the B2 web interface.

11. B2 Has Group Management, Too

Backblaze Groups works for B2, too — just like Backblaze Personal Backup and Business Backup. You can manage billing, group membership, and control access using Group Management in your Backblaze account dashboard.

12. B2 Integrations Make B2 More Powerful and Useful

There are more than 30 software and hardware integrations that make B2 more powerful. You can visit our integrations page to find a solution that works for you.

Want to Learn More About B2?

You can find more information on B2 on our website and in our help pages.

The post 12 B2 Power Tips for New Users appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

PS4 4.05 Kernel Exploit Released, Full Jailbreak Round the Corner

Post Syndicated from Andy original https://torrentfreak.com/ps4-4-05-kernel-exploit-released-full-jailbreak-round-the-corner-171227/

Most custom hardware is seriously locked down these days, with many corporations viewing any tinkering with their machines as unacceptable at best, illegal at worst.

When people free computing hardware – so-called jailbreaking – it can be used for almost any purpose. The famous Cydia, for example, created a whole alternative iOS app store, one free of the constraints of Apple.

Of course, jailbreaking has also become synonymous with breaking fundamental copy protection, allowing pirated software to run on a range of devices from cellphones to today’s cutting-edge games consoles. The flip side of that coin is that people are also able to run so-called ‘homebrew’ code, programs developed by hobbyists for purposes that do not breach copyright law.

This ‘dual use’ situation means that two separate sets of communities get excited when exploits are found for key hardware. That’s been the case for some time now with two sets of developers – Team Fail0verflow and Specter – revealing work on a kernel exploit for firmware 4.05 on Playstation 4.

In November, Wololo published an interview with Specter and two days ago received direct confirmation that the exploit would be published soon. That moment has now arrived.

As noted in Specter’s tweet, the release is available on Github, where the developer provides more details.

“In this project you will find a full implementation of the ‘namedobj’ kernel exploit for the PlayStation 4 on 4.05,” Specter writes.

“It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system.”

The news that the exploit can enable a jailbreak is huge news for fans of the scene, who will be eagerly standing by for the next piece of the puzzle which is likely to be just around the corner.

Still, Specter is wisely exercising caution when it comes to the more risky side of his exploit – the potential for running homebrew and, of course, pirate games. He doesn’t personally include code for directly helping either.

“This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew,” he notes.

That being said, the exploit clearly has potential and Specter has opened up a direct channel for those wishing to take things to the next level. He reveals that the exploit contains a loader that listens for a payload and once it receives it, executes it automatically.

“I’ve also uploaded a test payload you can use after the kernel exploit runs that jailbreaks and patches the kernel to allow access to debug settings, just needs to be netcatted to the loader via port 9020,” he concludes.

That’s likely to prove very attractive to those with a penchant for tinkering. Let’s see which direction this goes.

On 2018, Without Excessive Optimism

Post Syndicated from Йовко Ламбрев original https://yovko.net/2018-without-optimism/

Right from the start I hasten to declare that this text will not be pessimistic. I am clarifying this because black-and-white thinking here is the yardstick for judging everything. If you are not cheerful, you must be sad; if you are not smart, you are stupid; if you are not right-wing, you can be nothing other than left-wing, even an outright communist. There is no middle ground. What is all this evasiveness – make yourself clear, damn it, otherwise you confuse people! So I am clarifying… but not to make things easier for anyone. Because, whether we like it or not, we live a complicated life and things cannot be simple.

I am not a pessimist about 2018, because there are enough reasons to look at the coming months with hope. The good news has to do with the upswing of the economy (both here and in Europe), with expectations of even more growth, and with the absence of any particularly significant foreseeable events that could trigger upheavals. In the European context the most interesting will probably be the parliamentary elections in Hungary and Italy, and perhaps the local elections in Great Britain. From the presidential election in Russia we can hardly expect anything different, but the November elections in the USA will probably be very interesting.

The lack of excessive optimism has to do with Bulgaria. And with the observation that the cartel that runs the state (and its political front) is becoming ever more brazen and thick-skinned. The absence of a critical parliamentary opposition (if one can speak of any opposition at all in the current parliament), the absence of the fourth estate – the media – as a factor in political life (through their capture or through pressure on their owners), and the absence of a critical mass of civic (re)activity – these three absences quite naturally lead to an absent democracy in our country.

Unfortunately nothing indicates that this will change in 2018, and squandering yet another year in vegetative comfort pushes much further into the future the reforms, the restoration of the institutions’ reputation, and the return of meaning to them.

We do not live in a democracy. We have crossed the threshold of a dangerous totalitarianism, concealed behind a formal multi-party system and privatised institutions. The state continues to be governed invisibly, by SMS, by a clique with heavy economic-mafia ties. Our corporatocracy is more dangerous than any other, because the puppeteers continue to be the old secret-police families, regardless of whether they hide behind supposedly left, right or liberal parties. If we allow this new totalitarianism to establish itself as the new normal, which is where we are already headed, we are lost. Together with several of the generations to come, and the greatest shame will be to condemn them to a new transition.

It is crucial to realise that we are completely alone in this battle. The European Union is mired in mind-boggling impotence. In the last few years the current European political elite has not only shown that it struggles to manage crises (Greece, the migrants), but also fails to recognise and prevent approaching ones that have fairly easy solutions (Catalonia). Brussels increasingly looks like a political cooperative in which the members have formally gathered to work together, but in reality only take care not to be shortchanged in rights or benefits, and care little about their shared obligations.

Unfortunately, as I wrote yesterday on another occasion, whether because we did not do much to deserve being part of the EU and were let in through the back door just so we would not disrupt the minibus route, our problems now carry no particular weight. Europe, absorbed in its far more important concerns, is perfectly content as long as not much noise comes from our direction. Which coincides entirely with the perspective of our compatriot in the role of the fare-dodger who boarded the bus without a ticket and trembles lest the conductor catch him.

Russia will take maximum advantage of the situation to keep our political cartel tempted by the orbit of eternal friendship. They will never give that up. And the cartel, in any case, has its umbilical cord there. We cannot count on something happening in Russia that would turn them back to their own concerns and make them leave us alone. On the contrary. A possible new Russian economic collapse will probably be concealed for as long as possible behind escalations of frozen conflicts or the creation of new ones (Putin’s speciality), and we are too interesting and too close for us to rest easy. Having Erdogan as a neighbour does not make things any rosier. While Trump is in the White House, mostly unpredictability will pour out of there. And NATO and the UN reflect the same pervasive mediocrity, impotence and lack of global leadership.

Against this background we can sleep through 2018 and watch, from the pubs and cafés, the radicalisation and vulgarisation around the world, be indifferent to the problems around us, win the world title in Facebook know-it-all-ism hands down, divide ourselves and hate one another, and let ourselves be played by remote-controlled politicians or journalists with cheaply bought consciences, while everything our parents and grandparents suffered for goes to hell.

We can also do something else – for example resist every day, ask uncomfortable questions, demand accountability and real politics, refuse to buy, watch or read swinish media, and take back our democracy and our state, which must as soon as possible be rebuilt as a modern and active participant in a dynamic, different and highly connected world. No one can stop us from wanting a better future. Nor can anyone take away our freedom, unless we give it up ourselves. It is up to us alone to send back this bland, tasteless dish that is served to us daily and to fling it down the necks of the incompetent cooks and their little waiters. And no one can stop us!