DMCA – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Wed, 28 Oct 2020 02:42:28 +0000

Buttered-Up Fedora | LINUX Unplugged 377
https://original.jupiterbroadcasting.net/143232/buttered-up-fedora-linux-unplugged-377/
Tue, 27 Oct 2020 18:30:00 +0000

Show Notes: linuxunplugged.com/377

Winning with Lelo Hex | TTT 249
https://original.jupiterbroadcasting.net/100566/winning-with-lelo-hex-ttt-249/
Mon, 20 Jun 2016 15:20:59 +0000

It’s a good day for net Neutrality, Microsoft is getting competitive with Chrome & the DMCA is ugly & busted.

Plus a 3d Printed bus, Marvin gets named & our Kickstarter of the week!

Certifiable Authority | TechSNAP 238
https://original.jupiterbroadcasting.net/89901/certifiable-authority-techsnap-238/
Thu, 29 Oct 2015 14:44:39 +0000

TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!

— Show Notes: —

TalkTalk compromise and ransom

  • “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
  • “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
  • That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
  • Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
  • “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
  • So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
  • “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
  • “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
  • With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
  • Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
  • “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
  • “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
  • Additional Coverage — The Independent
  • Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
  • Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
  • Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
  • Additional Coverage — ArsTechnica: 15 year old boy arrested in connection with talktalk breach
  • Video from TalkTalk CEO
  • If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will waive the termination fee if you decide you no longer want to be a TalkTalk customer
  • New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
  • “Significant and sustained cyber attack” “sophisticated”… arrest 15 yr old kid as the hacker

Hackers make cars safer

  • “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
  • “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
  • Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
  • “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
  • “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
  • “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
  • US Regulators grant DMCA exemption to legalize vehicle software tinkering
  • Additional Coverage: NPR
  • The ruling uses the terms “good faith security research” and “lawful modification.”
  • “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
  • “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
  • Under the ruling, both exemptions don’t become law for at least a year

Google plays hardball with Symantec over TLS certificates

  • “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
  • Google’s Blog Post
  • Symantec Report
  • “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
  • It seems like Symantec was trying to downplay the incident, and gloss over its failings
  • “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
  • “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
  • This brings up serious questions about the management and oversight of the Symantec certificate authority
  • “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
  • “More immediately, we are requesting of Symantec that they further update their public incident report with:”
  • A post-mortem analysis that details why they did not detect the additional certificates that we found.
  • Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
  • “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
  • “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
  • It is good to see Google using its muscle to make the CA industry smarten up and fly right

What is the TPP | Unfilter 162
https://original.jupiterbroadcasting.net/89161/what-is-the-tpp-unfilter-162/
Wed, 14 Oct 2015 21:02:51 +0000

The Trans Pacific Partnership, Obama’s big legacy making deal is signed. Early details about how it handles copyright law, the pharma industry & labor have been leaked. We dig into how the TPP will impact online intellectual property & consumers.

Plus deeper look at Russia’s involvement in Syria, a high note & much more!

Show Notes:

— Episode Links —

CIA Weapons now flooding into Syria since Russian support began.

The American-made TOW antitank missiles began arriving in the region in 2013, through a covert program run by the United States, Saudi Arabia and other allies to help certain C.I.A.-vetted insurgent groups battle the Syrian government.
The weapons are delivered to the field by American allies, but the United States approves their destination. That suggests that the newly steady battlefield supply has at least tacit American approval, now that Russian air power is backing President Bashar al-Assad.
“By bombing us, Russia is bombing the 13 ‘Friends of Syria’ countries,” he said, referring to the group of the United States and its allies that called for the ouster of Mr. Assad after his crackdown on political protests in 2011.

The C.I.A. program that delivered the TOWs (an acronym for tube-launched, optically tracked, wire-guided missiles) is separate from — and significantly larger than — the failed $500 million Pentagon program that was canceled last week after it trained only a handful of fighters. That was unsuccessful largely because few recruits would agree to its goal of fighting only the militant Islamic State and not Mr. Assad.

Rebel commanders scoffed when asked about reports of the delivery of 500 TOWs from Saudi Arabia, saying it was an insignificant number compared with what is available. Saudi Arabia in 2013 ordered more than 13,000 of them. Given that American weapons contracts require disclosure of the “end user,” insurgents said they were being delivered with Washington’s approval.

Microsoft Snoops Too | Tech Talk Today 40
https://original.jupiterbroadcasting.net/64032/microsoft-snoops-too-tech-talk-today-40/
Thu, 07 Aug 2014 09:38:48 +0000

Microsoft tips off law enforcement based on contents of a users OneDrive, Docker lands some serious cash, Twitch gets down with the DMCA and then how to make the easiest, best, BBQ chicken.

Show Notes:

Docker closes in on funding round of over $40 million

Docker, the container management startup that’s caught a whole lot of buzz in the enterprise tech industry, is finalizing a significant funding round worth between $40 million to $75 million, according to two sources familiar with the situation. The company is said to be valued at roughly $400 million, these sources said, but the deal is still a few weeks away from being completed.

This past January, Docker landed $15 million in a Series B investment round, bringing the company’s then total amount of funding to $26 million.

Twitch implements YouTube-like system for blocking copyrighted audio | Polygon

In an announcement, Twitch says it has partnered with software company Audible Magic, which works with the music industry, “to scan past and future [videos-on-demand] for music owned or controlled by” its clients. If that scan identifies a recorded video that infringes upon a copyright claim, the video’s audio will be muted for a 30-minute block in which that song appears.

The practice only applies to pre-recorded video on demand, Twitch says. The company won’t be scanning live broadcasts, nor will it automatically take content down.

China anti-trust regulator conducts new raids on Microsoft, Accenture

A Chinese anti-trust regulator conducted new raids on Microsoft Corp (MSFT.O) and partner in China Accenture PLC (ACN.N), the agency said on its website on Wednesday, after saying last week Microsoft is under investigation for anti-trust violations.

The State Administration for Industry and Commerce (SAIC) raided offices in Beijing and three other cities.


Microsoft has been suspected of violating China’s anti-monopoly law since June last year in relation to problems with compatibility, bundling and document authentication for its Windows operating system and Microsoft Office software, the SAIC said last week.


China is intensifying efforts to bring companies into compliance with an anti-monopoly law enacted in 2008, having in recent years taken aim at industries as varied as milk powder and jewelry.

Microsoft’s Windows ‘Threshold’ expected to add virtual desktops, drop charms | ZDNet

First up, as reported by Brad Sams at Neowin.net, Microsoft is moving toward adding virtual desktops to Threshold, the Windows release expected in the spring of 2015.

The other UI change coming to Threshold is the elimination of the Charms Bar, as first reported by Winbeta.org.


Existing “modern” Windows 8 apps will get title bars that include menus that have the charms components listed.

Microsoft tip leads to child porn arrest in Pennsylvania

A tip-off from Microsoft has led to the arrest of a man in Pennsylvania who has been charged with receiving and sharing child abuse images.

It flagged the matter after discovering that an image involving a young girl had been allegedly saved to the man’s OneDrive cloud storage account.


Microsoft’s terms and conditions for its US users explicitly state that it has the right to deploy “automated technologies to detect child pornography or abusive behavior that might harm the system, our customers, or others”.

Following the most recent case, Mark Lamb from the company’s Digital Crimes Unit released a statement.

“Child pornography violates the law as well as our terms of service, which makes clear that we use automated technologies to detect abusive behaviour that may harm our customers or others,” he wrote.

“In 2009, we helped develop PhotoDNA, a technology to disrupt the spread of exploitative images of children, which we report to the National Center for Missing and Exploited Children as required by law.”


PhotoDNA creates a unique signature for each image, similar to a fingerprint, to help pictures be matched.

This is done by converting the picture into black-and-white, resizing it and breaking it into a grid. Each grid cell is then analysed to create a histogram describing how the colours change in intensity within it, and the information obtained becomes its “DNA”.

Google also uses PhotoDNA, alongside its own in-house technologies, to detect child abuse images. In addition, the software is used by Facebook and Twitter, among others.

Best Easy BBQ Chicken

The Night Before:
  • Combine vegetable stock, salt, water and ice in something large enough to hold your chicken, like a cooler with some room to spare (for more ice if needed, for example).
  • Place the thawed chicken (with innards removed) breast side down in brine.
  • Refrigerate or set in cool area (with ice) for 8 to 16 hours. Turn once halfway through if you can. No bigs.
Cookin:

Prep that bird:

  • Take that bird out of the brine, rinse it, and pat it down dry with some paper towels.
  • Put that bird on the Beer butt holder / “poultry holder”.
  • Flavor that bird.
  • Oil that bird. I like to use Garlic oil, or butter, or bacon grease.

Prep the BBQ

  • Start your coals if you use those. I have a link to a great starter below.
  • Really don’t use lighter fluid.
  • Spread the coals out evenly.

Cook that bird

(length of cook time will vary depending on bird size)

  • Cover that bird in a foil dome. Make it legit tight, the steam trapped in there is our helper.
  • Do this before you put it on the BBQ, it’s hard and HURTS if you do it while it’s sitting on top of fire.
  • Try to hold the BBQ around 400F. Don’t stress it too much, that’s our target area.
  • Cook until clear juices are noticeable, and it smells cooked. If you have a probe you are shooting for 165F – 175F. Or if you can pull a leg off with little effort.

DMCA Whack-a-Mole | Tech Talk Today 26
https://original.jupiterbroadcasting.net/62287/dmca-whack-a-mole-tech-talk-today-26/
Tue, 15 Jul 2014 10:16:04 +0000

Github is served with another DMCA takedown, this time for Popcorn Time. Is this the start of a bad trend, and does the open source community need to develop a Github replacement? We’ll debate.

Plus the latest Snowden leaks reveal the GCHQ’s troll like skills, Microsoft launches an assault on Chromebooks, the US says it can have your cloud data & more!

Show Notes:

Latest Snowden Revelations Suggest GCHQ Is Just Like 4Chan Trolls, But With More Firepower

As Greenwald details (and the embedded document below reveals), among GCHQ’s capabilities in its Joint Threat Research Intelligence Group (JTRIG) are a bunch of things that sound quite a bit like traditional internet trolling efforts. These include juicing internet polls to vote for GCHQ’s favorite candidate as well as flooding email inboxes or websites and even connecting two people on the phone and listening to the conversation.

Here are the programs Greenwald highlights:

  • “Change outcome of online polls” (UNDERPASS)
  • “Mass delivery of email messaging to support an Information Operations campaign” (BADGER) and “mass delivery of SMS messages to support an Information Operations campaign” (WARPARTH)
  • “Disruption of video-based websites hosting extremist content through concerted target discovery and content removal.” (SILVERLORD)
  • “Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.” (MINIATURE HERO)
  • “Find private photographs of targets on Facebook” (SPRING BISHOP)
  • “A tool that will permanently disable a target’s account on their computer” (ANGRY PIRATE)
  • “Ability to artificially increase traffic to a website” (GATEWAY) and “ability to inflate page views on websites” (SLIPSTREAM)
  • “Amplification of a given message, normally video, on popular multimedia websites (Youtube)” (GESTATOR)
  • “Targeted Denial Of Service against Web Servers” (PREDATORS FACE) and “Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG” (ROLLING THUNDER)
  • “A suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk)” (ELATE)
  • “Ability to spoof any email address and send email under that identity” (CHANGELING)
  • “For connecting two target phone together in a call” (IMPERIAL BARGE)

Of course, this is not the first time that JTRIG has been called out by Glenn Greenwald for its sneaky online practices. Last time, Greenwald highlighted its practice of putting a bunch of false info online about someone to destroy their reputation.

US government says online storage isn’t protected by the Fourth Amendment

A couple months ago, a New York judge ruled that US search warrants applied to digital information even if they were stored overseas. The decision came about as part of an effort to dig up a Microsoft user’s account information stored on a server in Dublin, Ireland. Microsoft responded to the ruling and challenged it, stating that the government’s longstanding views of digital content on foreign servers are wrong, and that the protections applied to physical materials should be extended to digital content. In briefs filed last week, however, the US government countered. It states that according to the Stored Communications Act (SCA), content stored online simply does not have the same Fourth Amendment protections as physical data.

From the Justice Department’s point of view, this law is necessary in an age where “fraudsters” and “hackers” use electronic communications in not just the U.S. but abroad as well. Indeed, the Microsoft account in this case is in relation to a drug-trafficking investigation. However, Microsoft believes there are wide-ranging implications for such a statement, and it’s not the only company that thinks so. Verizon also responded, stating that this would create “dramatic conflict with foreign data protection laws” and Apple and Cisco joined in by saying this could potentially damage international relations. In the meantime, a senior counsel for the Irish Supreme Court offered that a “Mutual Legal Assistance Treaty” be pursued so that the US government can get at the email account in question.

Microsoft launches a price assault on Chromebooks | The Verge

At the company’s partner conference today, Microsoft COO Kevin Turner revealed that HP is planning to release a $199 laptop running Windows for the holidays. Turner didn’t provide specifications for HP’s “Stream” device, but he did detail $249 laptop options from Acer and Toshiba. Acer’s low-cost laptop will ship with a 15.6-inch screen and a 2.16GHz Intel Celeron processor, and Toshiba’s includes a 11.6-inch display

Turner also revealed that HP is planning to release 7- and 8-inch versions of its new “Stream” PCs for $99 this holiday season, both running versions of Windows. “We are going to participate at the low-end,” says Turner.

Microsoft to Announce Job Cuts as Soon as This Week – Bloomberg

The reductions — which may be unveiled as soon as this week — will probably be in areas such as Nokia and divisions of Microsoft that overlap with that business, as well as marketing and engineering, said the people, who asked not to be identified because the plans aren’t public. The restructuring may end up being the biggest in Microsoft history, topping the 5,800 jobs cut in 2009, two of the people said. Some details are still being worked out, two of the people said.

Home Depot begins selling MakerBot 3D printers

Home Depot became the latest retailer to offer 3D printers today when it began selling MakerBots online and in 12 stores nationwide. The store is selling three printer models, plus MakerBot’s 3D scanner and filament. The 12 stores are located in California, Illinois and New York. “Imagine a world where you can 3D print replacement parts and use 3D printing as an integral part of design and building work,” MakerBot CEO Bre Pettis said in a release.

Announcing CrossOver 13.2.0

CrossOver 13.2.0 provides much greater ease of installation for Linux users. With CrossOver 13.2.0, more Windows applications will run out-of-the box on a fresh installation of CrossOver.

In the Linux version of CrossOver 13.2.0 we have changed our philosophy about what to install automatically alongside CrossOver. In the past, CrossOver sought to have the smallest possible footprint by depending only on packages which were absolutely necessary for CrossOver to run. Many times, this meant that our Linux users were forced to install additional packages to get Windows applications running. With CrossOver 13.2.0, we have made the CrossOver Linux packages depend on many of the most common packages which Windows applications need. Linux users can install CrossOver 13.2.0 and Windows applications more easily than ever before.

For both Mac and Linux, CrossOver 13.2.0 includes stability improvements for games running with Performance Enhanced Graphics. Problems installing Adobe Acrobat have been resolved, as has a bug registering CrossOver for users with non-Latin characters in their usernames.

Yet another DMCA takedown on Github: MPAA PULLS “POPCORN TIME” REPOSITORIES OFF GITHUB : linux

Aside from the fact that this is a controversial piece of software (let’s not get into it), it looks like Github is no longer a safe place to work with.

First Qualcomm[1], now MPAA[2]. I wonder how many projects were taken down which are not a big enough thing for media to cover.

The post DMCA Whack-a-Mole | Tech Talk Today 26 first appeared on Jupiter Broadcasting.

Island Hopping Explained | TechSNAP 149 https://original.jupiterbroadcasting.net/51582/island-hopping-explained-techsnap-149/ Thu, 13 Feb 2014 09:06:57 +0000 https://original.jupiterbroadcasting.net/?p=51582 A disastrous fire strikes a major data player, and then we explain Island Hopping, and how attackers use it to exploit a network.

The post Island Hopping Explained | TechSNAP 149 first appeared on Jupiter Broadcasting.


A disastrous fire strikes a major data player, and then we explain Island Hopping, and how attackers use it to exploit a network.

Then it’s a great batch of your questions, a rockin round up, and much much more.

Thanks to:


GoDaddy


Ting


— Show Notes: —

Fire Destroys Iron Mountain Data Warehouse in Buenos Aires

  • Although it’s unclear how the fire started, it spread quickly and took hours to control.
  • Nine first-responders were killed during the blaze, while two are missing, and seven others are reported injured.
  • By the time the fire was put out, the building “appeared to be ruined” according to news reports.
  • Among the data stored there were several archives containing corporate and central bank records, a potentially huge loss that could have some surprisingly far reaching consequences.
  • Just last month, for instance, the United States Supreme Court decided to hear a case on whether creditors could seek historic bank records from Argentina regarding the country’s default in 2001. Whether or not such files have now been destroyed is unknown.
  • The Buenos Aires facility apparently was supposed to have had a team of private firefighters at the facility. That’s in addition to the sprinkler systems, and automatic containment mechanisms designed to stop fires from spreading through the building.
  • According to local reports, it appears that the storage facility where this occurred was primarily used to store physical, paper records, not digital data. Iron Mountain has yet to release any further statements on the issue, so it’s unclear if there are any digital copies of these records. There is no mention of backup copies, however, in either Iron Mountain’s original press release or in any of the statements from Argentine officials.
  • Even with paper records (or maybe especially?), it is important to have backups, stored off-site.

What happens with digital rights management in the real world?

  • This article attempts to skip over the usual arguments about DRM, Copyright vs Fair Use, Morality, etc.
  • Instead it focuses on what has actually happened with DRM in the real world
  • The only reason most DRM works at all is the legal protection it gets from the government
  • DRM is fundamentally technically flawed, as it relies on encrypting the valuable data while having to give the keys to decrypt it to the attacker
  • “A good analogue to this is inkjet cartridges. Printer companies make a lot more money when you buy your ink from them, because they can mark it up like crazy. So they do a bunch of stuff to stop you from refilling your cartridges and putting them in your printer. Nevertheless, you can easily and legally buy cheap, refilled and third-party cartridges for your printer.”
  • This is not so with DRM, because it enjoys legal protections in the form of laws like the DMCA, which make breaking DRM illegal even without committing any copyright infringement
  • “Here’s another thing about security: it’s a process, not a product (hat tip to Bruce Schneier!)”
  • “Here is where DRM and your security work at cross-purposes. The DMCA’s injunction against publishing weaknesses in DRM means that its vulnerabilities remain unpatched for longer than in comparable systems that are not covered by the DMCA. That means that any system with DRM will on average be more dangerous for its users than one without DRM.”
  • “However, various large and respected security organisations say they knew about the Sony Rootkit months before the disclosure, but did not publish because they feared punishment under the DMCA”
  • “But there can be no real security in a world where it is illegal to tell people when the computers in their lives are putting them in danger. In other words, there can be no real security in a world where the DMCA and its global cousins are still intact.”
  • “You see, contrary to what the judge in Reimerdes said in 2000, this has nothing to do with whether information is free or not – it’s all about whether people are free.”

Defense Contractors Say They Remain Vulnerable To Cyber-Attack

  • The ThreatTrack Security defense contractor survey focused on a unique population of IT managers and staffers responsible for securing networks for organizations fulfilling U.S. government defense contracts.
  • One quarter of those polled work for organizations with IT security budgets of $1 million to $10 million, and another 23% for organizations with budgets exceeding $10 million
  • 88% believe “the government provides adequate guidance and support to contractors to ensure sensitive data is secure and protected against cyber-attacks.”
  • Despite the high level of confidence regarding the government’s security guidance, almost two-thirds (62%) of IT managers polled worry that their companies are vulnerable to targeted malware attacks.
  • The survey uncovered sharp differences in security attitudes and practices between defense contractors and the overall enterprise community.
  • For instance, senior leaders within defense contractors far less frequently engage in risky behavior, such as opening phishing emails, lending work computers to family members or using company-owned PCs to visit pornographic websites harboring malware.
  • And though their level of anxiety over vulnerability to cybercrimes isn’t too different – 62% among contractors and 68.5% in the enterprise – their reasons differ. Enterprise executives said they fear they lack adequate protection (based on a June 2013 ThreatTrack Security survey), while contractors worry more about the frequency and complexity of malware attacks.
  • The survey also found contractors take more precautions against cyber-attacks than their general enterprise counterparts, which is a positive discovery considering the nature of their work.
  • Asked about the most difficult aspects of defending their organizations from advanced malware, 61% of respondents cited the volume of attacks and 59% pointed to malware complexity. The number of people concerned about other aspects drops dramatically, with 34% blaming the ineffectiveness of anti-malware tools and 29% saying they don’t have enough budget for the right tools.
  • Also notable: More than a quarter of respondents (26%) said their staffs don’t have enough highly skilled IT security experts, including malware analysts.
  • Based on the survey’s findings, the Snowden affair has had a profound impact on how defense contractors hire and train employees who handle sensitive information. Snowden’s leaks have caused contractors to restrict IT administrative rights and be more alert to any potential misbehavior by employees regarding data access.
  • 55% of respondents said employees now get more cybersecurity-awareness training, 52% said they have reviewed and/or re-evaluated employee data-access privileges, and 47% said they are on higher alert for “potential misbehavior or anomalous network activity.”
  • In addition, 41% said they have implemented stricter hiring practices, and 39% have curtailed IT administrative rights. Respondents who said nothing has changed were in the minority, though they still amounted to nearly one quarter (23%) of participants.

Feedback:

Join us LIVE on Sunday for LAS 300 10am Pacific / 1pm Eastern / 6pm UTC


Round Up:

Best Tool for the Job | TechSNAP 80 https://original.jupiterbroadcasting.net/26161/best-tool-for-the-job-techsnap-80/ Wed, 17 Oct 2012 11:39:58 +0000 https://original.jupiterbroadcasting.net/?p=26161 Samsung’s new Flash file system, WoW’s Exploit, Microsoft’s DMCA takedowns, hard core data center tech, and a ton of your questions and our answers!

The post Best Tool for the Job | TechSNAP 80 first appeared on Jupiter Broadcasting.


Samsung’s new Flash file system, WoW’s Exploit, Microsoft’s DMCA takedowns, hard core data center tech, and a ton of your questions and our answers!

All that and so much more, on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 


 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: