Daily Archives: December 30, 2016
Changes in strength of Earth’s magnetic field

10 May 2016

With more than two years of measurements by ESA’s Swarm satellite trio, changes in the strength of Earth’s magnetic field are being mapped in detail.

Launched at the end of 2013, Swarm is measuring and untangling the different magnetic signals from Earth’s core, mantle, crust, oceans, ionosphere and magnetosphere – an undertaking that will take several years to complete.

Although invisible, the magnetic field and electric currents in and around Earth generate complex forces that have immeasurable effects on our everyday lives.

The field can be thought of as a huge bubble, protecting us from cosmic radiation and electrically charged atomic particles that bombard Earth in solar winds. However, it is in a permanent state of flux.

The force that protects our planet

Presented at this week’s Living Planet Symposium, new results from the constellation of Swarm satellites show where our protective field is weakening and strengthening, and importantly how fast these changes are taking place.
Laquan Clark, an alleged gang member in Jersey City, N.J., was arrested Thursday after posting several videos of police interrogations of witnesses on Facebook earlier in the week.

Though it is not yet known, Clark may have obtained the videos as part of compulsory disclosure from the April arrest, a law-enforcement source told The Jersey Journal.

“This chip right here got everybody that’s telling, yo, like that’s telling in our case,” the unseen man says in a Facebook video posted Tuesday, according to The Jersey Journal. “I’m airing this s*** out as soon as I get in the house.”

Clark was charged with multiple crimes in April after authorities arrested 12 people accused of being violent gang members.

One of the now-deleted posts on Clark’s Facebook page was an image of a package with the caption, “Paper work arrive. Let see how many ppl pointed fingers.”

Clark, who is usually very active on Facebook, posted four videos on his Facebook profile throughout the day showing law enforcement questioning people. The content was ultimately removed.

“That’s why I roll solo don’t need co defendants they get you caught up,” one comment on the video read, reports The Jersey Journal.

Clark is being charged with two counts of witness tampering, a crime that authorities consider very severe. He faces up to 20 years in prison if convicted, and bail has been set at $150,000 cash only.

“Clearly this type of criminal behavior is meant to intimidate and harass any potential witnesses from co-operating with law enforcement,” Hudson County Prosecutor Esther Suarez said in a statement, according to The Jersey Journal. “We take any interference with the criminal justice system very seriously and will prosecute this individual to the fullest extent of the law.”

Suarez said that Clark was currently on bail and was under the supervision of police through the use of an administered ankle monitor.
Many people use torrent websites to download pirated and non-pirated content. It is no secret that tracking anyone’s activity on the torrent network is not particularly difficult. And, to your ultimate delight, a website called ‘I Know What You Download’ actually tracks and saves the torrents people download in their everyday lives.
If you deleted the download history from your torrent client, you could cross-check the names on ‘I Know What You Download.’ All you need to do is enter your IP address on the website and click Find IP.
In a matter of a few seconds, all of the downloads and the torrents you have distributed from your IP address will be displayed on your screen. Along with the date and time of the download, the list also includes the title and size of the torrent.
(Newser) – He was busted for driving while intoxicated, and now, 16 months later, Joseph Schwab has had his DUI charge dropped. The California man had been pulled over in Solano County in August 2015 after it was reported he was driving erratically, and he was arrested for DUI, although later tests found he had no alcohol or drugs other than caffeine in his system. The DUI charge was kept on the books, however, because prosecutors contended his driving was so all over the place that he had to have had another drug in his system that wasn’t showing up in tests, per the San Francisco Chronicle. Schwab was also said to have failed sobriety tests at the scene.

The Solano County DA’s office conceded this week, noting in a written statement that it was finally giving up and dropping the DUI charge because it didn’t think it could prove it beyond a reasonable doubt, though it still maintains it’s “highly likely the defendant was under the influence of a drug,” per KTLA. A misdemeanor charge against Schwab for reckless driving remains. (A man in Japan drank himself to death with caffeine.)
In the last 10 years, GNU/Linux achieved something some foresaw as almost impossible: powering both the smallest and biggest devices in the world, and everything in between. Only the desktop is not yet conquered territory.
The year 2016 had an impact on the world, both in real life and digitally. Some people found their personal details leaked on the internet, others found their software being backdoored. Let’s have a look back on what happened this year regarding Linux security.
Why this report?
With this article we want to capture the most important events of the last year. By looking back we might be able to better predict what there is to come in the upcoming years. This article is posted on this blog to provide a flexible shell. Any feedback is welcome in the comments section.
This extensive article is created by the people at CISOfy. We focus on Linux and Unix security and created the open source tool Lynis and its bigger brother Lynis Enterprise, which help you perform a security scan on your systems and stay compliant with regulations.
25 years of Linux
This year included the celebration of the Linux project. It was 25 years ago that Linus Torvalds shared his initial creation. One of the lessons we can learn from his first announcement is that security still had to find its place: you just needed to spawn 64 processes to perform a denial of service. At that time a reasonable defect, considering the age of the project.
Security highlight: backdoors
Backdoor in Linux Mint (February 2016)
The popular Linux Mint distribution got a bad surprise. Users who downloaded the distribution on the 20th of February picked up a backdoored release.
The server of the project was apparently breached via WordPress. The attackers were able to put up a new ISO, with a backdoor in it. If your installation contained the file /var/lib/man.cy, then it was confirmed that you had the bad release.
Stop using MD5. If you still use SHA1, then also add the SHA256 or SHA512 hashes.
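An added example (not from the original post) of the two checks the paragraph above implies: verifying a downloaded image against a SHA256 digest, rejecting MD5/SHA1-length digests as insufficient, and looking for the /var/lib/man.cy marker file. The helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are hypothetical.

# Return 0 when the SHA256 digest of a file equals the expected hex digest.
# Use this instead of md5sum when checking a downloaded ISO.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Classify a hex digest by its length and echo the algorithm name.
# Returns 0 only for SHA256 (64 hex chars) or SHA512 (128 hex chars);
# MD5 (32) and SHA1 (40) are reported but rejected with status 1.
digest_strength() {
    case ${#1} in
        32)  echo md5;     return 1 ;;
        40)  echo sha1;    return 1 ;;
        64)  echo sha256;  return 0 ;;
        128) echo sha512;  return 0 ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Return 0 if the marker file named in the post exists under the given root
# (e.g. a mounted ISO or an installed system), i.e. the backdoored release.
backdoor_marker_present() {
    [ -e "$1/var/lib/man.cy" ]
}
```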
Linux kernel security and self-protection
A hot topic is kernel hardening and the concept of ‘self-protection’. The kernel should be able to defend itself against a basic set of attacks. Typically these are buffer overflows, resulting in unauthorized access to memory segments. Fortunately, some of these protections are now being discussed and the first set of patches has been applied to the official kernel sources.
One of these examples is the 4.9 release of Linux. The kernel can now enforce proper memory protections, based on the type of data stored in memory. Code memory is marked executable and read-only, with read-only data being marked read-only and non-executable, and writable data as non-executable.
Another recent addition is guard pages between stacks. A stack keeps track of what a process is doing and where it returns to next. The kernel had all these process stacks mapped together, with the risk of one process performing stack exhaustion (similar to a buffer overflow, but for stacks). If that succeeds, a process can directly influence another process. With guard pages in place, an overrun hits the guard page, the kernel sends back a fault, and the attack is thwarted.
- Thwarting Unknown Bugs: Hardening Features in the Mainline Linux Kernel (29 minutes)
- Kernel self-protection project
Relevant kernel parameters
- CONFIG_CPU_SW_DOMAIN_PAN (ARM)
- CONFIG_ARM64_PAN (ARM64)
- CONFIG_X86_SMAP (X86)
- CONFIG_KASAN_INLINE (for testing)
- CONFIG_KASAN_OUTLINE (for testing)
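An added example (not from the original post) that checks a kernel config file for the self-protection options listed above. It assumes a config file in the usual `/boot/config-*` or `zcat /proc/config.gz` format; function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are hypothetical.
# Usage: check_hardening /boot/config-$(uname -r) "$(uname -m)"

# Echo the state of one option in a kernel config file:
# "y" (built in), "m" (module), "n" (explicitly disabled) or "absent".
config_state() {
    conf=$1
    opt=$2
    if grep -q "^$opt=y\$" "$conf"; then echo y
    elif grep -q "^$opt=m\$" "$conf"; then echo m
    elif grep -q "^# $opt is not set\$" "$conf"; then echo n
    else echo absent
    fi
}

# Return 0 if every self-protection option relevant to the architecture is
# built in; otherwise echo the missing ones and return 1.
check_hardening() {
    conf=$1
    arch=$2
    case $arch in
        x86_64|i686) wanted="CONFIG_X86_SMAP" ;;
        aarch64)     wanted="CONFIG_ARM64_PAN" ;;
        arm*)        wanted="CONFIG_CPU_SW_DOMAIN_PAN" ;;
        *)           wanted="" ;;
    esac
    missing=""
    for opt in $wanted; do
        [ "$(config_state "$conf" "$opt")" = y ] || missing="$missing $opt"
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}

# KASAN is a testing/debugging feature with a large runtime cost; return 0
# if either KASAN variant is built in, so a production kernel can be flagged.
kasan_enabled() {
    [ "$(config_state "$1" CONFIG_KASAN_INLINE)" = y ] ||
    [ "$(config_state "$1" CONFIG_KASAN_OUTLINE)" = y ]
}
```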
Live patching of the kernel
The technology of patching a running kernel is not new. Several implementations have been developed over the years:
- kGraft (SUSE)
- kpatch (Red Hat)
- Ksplice (Ksplice, now Oracle)
With support for kGraft in the kernel sources, distributions can now leverage this functionality. When a new security vulnerability hits the kernel, the distribution can create a related patch. This is then loaded as a kernel module and redirects calls from the vulnerable function to a fixed one. Great care should be put into creating these patches as they change the running kernel. For this same reason, the kernel will mark itself as tainted to reflect this. It is similar to backdooring the kernel, except for a good cause. If you don’t allow loading kernel modules, then this technique obviously won’t work.
Canonical announced in October 2016 the availability of Livepatch in Ubuntu. This service became available to both customers and free users, although limited to three systems for the latter.
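An added example (not from the original post) that decodes the kernel taint value from /proc/sys/kernel/tainted to tell whether the running kernel has been live patched, as the paragraph above describes. It relies on the documented taint bits: bit 15 (K) live patch, bit 12 (O) out-of-tree module, bit 13 (E) unsigned module; function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are hypothetical.
# Usage: describe_taint "$(cat /proc/sys/kernel/tainted)"

# Return 0 if the given bit is set in the taint value.
taint_has() {   # taint_has <taint-value> <bit-number>
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# Bit 15 ('K') is set once a live patch has been applied.
livepatched() {
    taint_has "$1" 15
}

# Echo a comma-separated list of the taint reasons that matter for this
# discussion: live patch, out-of-tree module (bit 12, 'O') and unsigned
# module (bit 13, 'E'). Any other bits are ignored here.
describe_taint() {
    out=""
    taint_has "$1" 15 && out="${out}livepatch,"
    taint_has "$1" 12 && out="${out}out-of-tree-module,"
    taint_has "$1" 13 && out="${out}unsigned-module,"
    echo "${out%,}"
}
```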
Average lifetime of security bugs
Kees Cook, currently working for Google, shared an interesting insight regarding the lifetime of security bugs before they are fixed. This can easily be between 3 and 6 years for high and critical issues.
Like previous years, this year had a fair number of serious vulnerabilities. With differences in timing between discovery and public disclosure, this list is ordered by CVE number.
CVE-2015-7547 – glibc
Issues in glibc, a very generic library affecting almost all Linux systems, drew some attention early in the year. The bug was found while troubleshooting strange issues with SSH; the cause turned out to lie elsewhere, in glibc.
CVE-2016-1247 – nginx (root privilege escalation)
Rotation of log files on systems running nginx on Debian or derivatives could be tricked into escalating privileges.
CVE-2016-0636 – OpenJDK
An issue in some versions of Java 7 and 8 hit desktops in particular, including those running on Linux. With security professionals tending to advise disabling Java and Flash, we wouldn’t be surprised if issues with these kinds of packages slowly decrease. Oracle bulletin for CVE-2016-0636
CVE-2016-0800 – DROWN attack
The DROWN attack is a weakness in SSLv2. Although many web servers are now properly configured, there are still systems around with it enabled. And even if your web server itself is not vulnerable, it can become so if SSLv2 is enabled on another system (e.g. mail) that reuses the same key for the SSL certificate.
CVE-2016-0728 – 0-day Linux root exploit
An issue in the keyrings functionality could trigger a leakage of data. Those who discovered the issue explain how it can result in root privileges, in their great write-up.
CVE-2016-5696 – Linux kernel vulnerability for 4.6
Luckily it did not affect many servers and desktops, but it did affect Android 4.4 KitKat and later. This vulnerability could be used to hijack TCP sessions.
CVE-2016-6662 – Critical issue in MySQL and MariaDB
This vulnerability could result in root privileges. An extensive write-up explains how it works.
CVE-2016-4484 – Linux Disk Encryption Bypass
This issue is very similar to the GRUB2 authentication bypass discovered in 2015. This time it resulted in a root shell on the machine. Although you still can’t access the data on the encrypted disks, that shell should not be there. This issue was limited to systems running Debian or a derivative.
CVE-2016-5195 – Dirty COW
A copy-on-write issue in the kernel’s memory handling, resulting in “Dirty COW”. This time with another great logo and official website.
A lot of the things that hit the media were related to malicious software. Malware is not new on Linux and has probably existed since the beginning. In the early 2000s we saw rootkits, backdoored binaries, and an arsenal of tools to crash well-known software. We can say that the quality of most software has increased. This is especially true when considering the addition of security settings and an ongoing trend to enable them by default. And while the effectiveness of most rootkits diminished, malware on Linux looks to be growing.
Botnets are a powerful tool for those who want to perform denial of service attacks, send spam email, or simply mine bitcoins at the expense of others. Linux has a past of botnet clients, varying from simple IRC clients that could execute commands, up to heavily encrypted binaries with different mechanisms to be controlled by the botnet master. Fortinet disassembled the Mirai.B worm on their blog.
Core Infrastructure Initiative
The Linux Foundation released funds and energy into making Linux more secure. Not just the Linux kernel, but also commonly used software components like OpenSSL, or supporting other open source projects. This work is done under the Core Infrastructure Initiative, or CII.
Within CII there are four projects which reinforce each other and help projects all over the world. One of them is tooling: offering the right tools. This helps with reproducible builds, something Debian is using now. Also fuzzing tools, which throw malformed input at programs to detect missing input validation or memory issues. Besides tooling there is education, helping projects to connect and find the right resources when it comes to security.
Then there are those special projects that need a little more attention, for example because they are used by many other projects, or because they are a library. A flaw like the one we have seen in glibc can have a high impact due to this relationship with other software. These projects are tracked with the Census project and scored on risk.
Conferences are a great way to share knowledge and insights. Two particular conferences can be highlighted that really focus on security in the area of Linux and open source.
Most security conferences focus on the offensive side, think Black Hat and Defcon. Rarely do we see conferences focused purely on the defensive side. O’Reilly made the bold move to organize two events, one in New York, the other in Amsterdam. The recordings are available if you have a subscription to Safari.
Linux Security Summit
This yearly summit provides a good insight on the status of Linux security. There is so much to tell and to see. So have a look at the playlist.
Canada’s telecommunications watchdog has ordered Internet service providers to offer an unlimited data plan for home Internet access, and to issue easy-to-understand bills.
The new rules are part of an overhaul of the country’s Internet service regulations that the Canadian Radio-television and Telecommunications Commission (CRTC) announced Wednesday. The CRTC also declared broadband internet access a basic service across the country, just like current landline telephone service.
The CRTC also significantly increased target speeds for broadband Internet, to 50 Mbps download and 10 Mbps upload, 10 times the existing speed targets.
“Why do I look like Justin Timberlake?”

Facebook CEO Mark Zuckerberg was on stage wearing a virtual reality headset, feigning surprise at an expressive cartoon simulacrum that seemed to perfectly follow his every gesture.

The audience laughed. Zuckerberg was in the middle of what he described as the first live demo inside VR, manipulating his digital avatar to show off the new social features of the Rift headset from Facebook subsidiary Oculus. The venue was an Oculus developer conference convened earlier this fall in San Jose. Moments later, Zuckerberg and two Oculus employees were transported to his glass-enclosed office at Facebook, and then to his infamously sequestered home in Palo Alto. Using the Rift and its newly revealed Touch hand controllers, their avatars gestured and emoted in real time, waving to Zuckerberg’s Puli sheepdog, dynamically changing facial expressions to match their owner’s voice, and taking photos with a virtual selfie stick — to post on Facebook, of course.

The demo encapsulated Facebook’s utopian vision for social VR, first hinted at two years ago when the company acquired Oculus and its crowd-funded Rift headset for $2 billion. And just as in 2014, Zuckerberg confidently declared that VR would be “the next major computing platform,” changing the way we connect, work, and socialize.

“Avatars are going to form the foundation of your identity in VR,” said Oculus platform product manager Lauren Vegter after the demo. “This is the very first time that technology has made this level of presence possible.”

But as the tech industry continues to build VR’s social future, the very systems that enable immersive experiences are already establishing new forms of shockingly intimate surveillance.
Once they are in place, researchers warn, the psychological aspects of digital embodiment — combined with the troves of data that consumer VR products can freely mine from our bodies, like head movements and facial expressions — will give corporations and governments unprecedented insight and power over our emotions and physical behavior.
Yes, you read that right and this isn’t science fiction but something that is very real! A South Korean robotics company — Hankook Mirae Technology — has managed to help the ginormous robot take its first baby steps.

Claimed as first of its kind by the creators, the robot which is being trained and tested in Seoul, South Korea, has been christened Method-2.

The 1.5-ton robot which shook the ground in its baby steps bears a close resemblance to the robots in the movie ‘Avatar’, as it also has a seat that can be used to pilot it via human intervention.

“Our robot is the world’s first manned bipedal robot and is built to work in extremely hazardous areas where humans cannot go. The robot is one-year-old so it is taking baby steps; but just like humans, it will be able to move more freely in the next couple of years,” company chairman Yang Jin-Ho told phys.org.
In an interview for The Atlantic with Ta-Nehisi Coates, President Obama’s take on race added to the list of bizarre things he’s said over the years. According to our outgoing president, “if you are perceived as African American, then you’re African American.”
Coates asked Obama, “I wonder how you came to think of yourself as black and why,” after a lengthy commentary about his upbringing that, frankly, could have been boiled down to the simple fact that Obama is mixed race — both white and black.
Obama responded: “Well, part of my understanding of race is that it’s more of a social construct than a biological reality.”
Okay wait, I had to stop it there. You can call just about anything a “social construct,” but there is a biological reality no matter how you look at it.
Obama continued his answer: “And in that sense, if you are perceived as African American, then you’re African American.”
Wow, I didn’t know it was that simple. If someone “perceives” you as something, that is what you are. So much for telling young people not to allow bullies to define who they are…
Remember Rachel Dolezal? The white woman who pretends to be black will surely be happy to hear about this!
Apparently Obama takes the “one-drop theory” a step further and acknowledges the Dolezals of the world who want to identify as anything they want to no matter what the biological reality is.
Antioxidants in Polypodium leucotomos, a tropical fern, can technically block UV radiation. But antioxidants are unstable molecules, so getting them from stomach to skin is hard. Today’s fern-extract pills, like Solaricare or Heliocare, reach only SPF 4, not nearly enough for daily protection, let alone a beach day. This instability issue won’t be solved soon, so keep slathering up.

Want to know if your fantasy invention could become a reality? Tweet @PopSci or tell us on Facebook. Popular Science reader Chad Wells submitted this question via Facebook.

Vera Rubin, an astronomer who proved the existence of dark matter, one of the fundamental principles in the study of the universe, but who battled sex discrimination throughout her career, died Dec. 25 at an assisted living facility in Princeton, N.J. She was 88.

She had dementia, said a son, Allan Rubin.

Dr. Rubin’s groundbreaking discoveries, made primarily with physicist W. Kent Ford, have revolutionized the way scientists observe, measure and understand the universe.

The concept of “dark matter,” an unknown substance among stars in distant galaxies, had existed since the 1930s, but it was not proved until Dr. Rubin’s studies with Ford in the 1970s. It is considered one of the most significant and fundamental advances in astronomy during the 20th century.

NICE, France — Sébastien Faustini’s decision to skip the firework display at the beach not only potentially saved his life — it steered his politics toward the far right.

The soft-spoken 18-year-old stayed home with his cousin and watched the Bastille Day display on TV, instead of heading to the Nice promenade as they’d planned on July 14.

A truck was driven into the crowd that night, killing 86 people.

“We could have been there,” said Faustini, who is now forced to pass by the scene of the attack daily on his way to university. “Every day that hits me.”

Three weeks ago, he joined France’s far-right National Front. “Certain media organizations stigmatize members of the National Front calling them fascists, insults that have nothing to do with the party’s program,” Faustini told NBC News.

Ralph and Robert Schwitzgebel were identical twins from Ohio, champion high school debaters who won the state title in 1951, graduated from different colleges, and both — unbeknownst to the other — applied to Harvard’s graduate program in psychology. “We kind of show up on campus one day — ‘What are you doing here?’ ” Robert recalls.

It was a heady time at the Harvard psych department. The faculty included B. F. Skinner, behaviorism’s leading figure, and also Timothy Leary, who demonstrated during his brief time at the university that he was willing to go to unprecedented lengths to test the molding of human behavior. Leary became Ralph’s adviser. Ralph coauthored the paper detailing Leary’s infamous Concord Prison experiment, in which young inmates were given psilocybin as part of group therapy, between 1961 and 1963. The study proposed that the drug had a positive effect on the recidivism rate of the experimental group.

Ralph took from his mentor a willingness — even an eagerness — to deploy unorthodox methodologies, especially in the treatment of young people on the margins of society. Ralph wanted to merge the experimental psychologist’s lab with the psychotherapist’s office.
It may surprise you that ads can still follow you around in “Incognito” and other “private browsing” modes.
That’s because Incognito mode isn’t really private.
Incognito mode only deletes your local search and browsing history – just the content on your computer. Websites, search engines, internet service providers, and governments can still easily track you across the web.
That’s why it’s important to use privacy alternatives that don’t share your personal information – such as DuckDuckGo for search.
Using Incognito mode to keep you private online is kind of like using a bucket to put out a raging fire:
In a study we ran, we found that 74% of people over-estimate the protection that private browsing modes offer. Now you don’t have to be part of that statistic — welcome to the Duck Side!
Dax the Duck,
Mascot – DuckDuckGo
You know what they say about trademark law: It’s tricky, tricky, tricky. Reuters reports Run-DMC founder Darryl “DMC” McDaniels filed a lawsuit Thursday in New York seeking at least $50 million from Amazon, Walmart, and a number of other retailers. The lawsuit accuses the retailers of infringing on the Run-DMC trademark and “trading on the goodwill” of the hip-hop legends by “advertising, manufacturing, selling, and distributing multiple products” that imply they were officially endorsed by Run-DMC, according to USA Today. Those items include DMC’s trademark glasses, as well as shirts, hats, patches, wallets, and more items “too numerous to properly list” that bear the Run-DMC name.