
And why are you still using Windows?
A flaw in Microsoft's Internet Explorer which leaves users vulnerable to hackers has not been fixed, despite its discoverer giving the company six months grace to do so before publishing details.
The IE flaw that Microsoft refuses to patch - Telegraph.

Auction site eBay asked all its 233m users to change their passwords following a "cyber attack" that saw their names, email and postal addresses, phone numbers and dates of birth fall into the hands of hackers.
(Video inside link)
Video: eBay cyber attack: why you should change your password now - Telegraph.

China believes that Windows 8 poses enough of a future security risk that it's banning government agencies from installing the operating system on any of its new computers.
China bans the installation of Windows 8 on government computers.

A Californian woman has filed a class action against Apple after switching to an Android phone and finding that text messages sent by friends with iPhones didn't reach her.
Apple sued over iMessages that fail to reach ex-iPhone user | Technology | theguardian.com.

I really need to pick up and freshen up my Java knowledge. The last time I seriously programmed in it, we had no generic types, no lambda expressions, the Collections framework was not actively in use, and the dynamic object type of choice was Vector.
An interesting look at 15 different sorting algorithms with a visual representation of how well they run: everything from the classic Bubble Sort, Heap Sort and Quick Sort to a few I didn’t even know about, such as Radix, Cocktail Shaker and Gnome.
Bitonic is a really weird sort method. And Bogo, well, I have no clue what that one is trying to do.
www.youtube.com/watch

THE UK GOVERNMENT has bought a lifeline for Windows XP ahead of the software's 8 April cut-off date, handing Microsoft £5.5m to continue supporting the operating system for an additional year.
The government's £5.48m will ensure that Microsoft continues to provide critical and important security updates for Windows XP, Microsoft Office 2003 and Exchange 2003, and comes just five days ahead of the operating system's End of Life.
UK government buys last-minute lifeline with £5.5m Windows XP support deal - The Inquirer.

Heartbleed certainly shook up a lot of companies, and whilst many did their best to get their systems updated, doing so has caused side effects for users, including me.
I use an extension for Chrome/Chromium called HTTPS Everywhere, which forces HTTPS connections to the site you’re visiting. However, since the patching of Heartbleed, some sites have started misbehaving and only work “properly” if I use either Incognito mode (which means no extensions) or deactivate HTTPS Everywhere for the site in question. The side effect of this, unfortunately, is that my traffic to the site in question is exposed over non-secure HTTP. Fortunately, I have encountered only two sites so far which have this problem, neither of which I am too concerned about (at the moment):
If I encounter any more, I’ll post it here.
So, compared to my previous post, my phone is nearly 10 times faster.


...when there is a need for a security patch or other bug fix, the person in control of implementation is…you. With closed source, you need to wait for the enterprise in control to fix the problem and make it available to users. For example, Akamai, one of the best, most sophisticated technology firms on the planet, is still working to address its Heartbleed vulnerabilities. Thus, users have no choice but to wait on Akamai for a complete fix. Open source users can do what they want with the code. They can use a patch that has been made available on Github, or can otherwise modify their code as they see fit. In fact, because Spree is open source and its users control their own code, they can choose to replace OpenSSL altogether if they so desire.
Has Heartbleed Made You Think Twice About Open Source Security? Think Again. | Spree Commerce.

The Heartbleed bug is among the major security vulnerabilities we have seen in recent times. It's one of those cases where precaution is the order of the day. You could manually check sites or use Chromebleed, an extension that tells you if the site you're on was affected by the bug.
Chromebleed uses Filippo Valsorda’s little tool to test if the page was hit by Heartbleed and hasn’t issued a patch yet. You’re going to be safe on the bigger websites like Yahoo, but there’s a chance that some of the smaller sites haven’t yet patched their servers, so this little protection will help. If you do visit some such site, Chromebleed will throw a notification warning you, in which case it’s best to exit and notify the site’s developers to fix their issue.
Chromebleed Notifies You if a Visited Site was Hit by Heartbleed Bug.
This week, a giant security hole came to light that affects a large portion of the internet. As different sites recover, you'll need to change your passwords, and now LastPass tells you when to do so.
Due to the nature of the Heartbleed bug (read more here), you'll need to wait until affected sites update their infrastructure before you change your passwords. LastPass' ever-useful Security Check tool now includes recommendations for Heartbleed, letting you know which sites have closed the hole, when, and if you should update yet.
To run the tool, just click on the LastPass extension and head to Tools > Security Check. After running the tool, you'll get the results (shown above) so you know what passwords to change. Hit the link to read more.

LastPass Now Tells You Which Heartbleed-Affected Passwords to Change.
Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday.
The bug was reportedly discovered by a member of Google's security team and a software security firm called Codenomicon.
A number of other websites may, according to a list being distributed on GitHub, be vulnerable to the bug as well.
The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages.
And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug has the ability to allow malicious operators to defeat this security layer and capture passwords as well as forge authentication cookies and obtain other private information.
A security patch for the bug was announced on Monday, but many websites are still playing catch up. That's why websites like the Tor Project are, only somewhat tongue-in-cheek, advising that you stay off the Internet this week if you really care about your security.
Widespread Encryption Bug, Heartbleed, Can Capture Your Passwords.
If you have a domain of your own, especially one for a business, this is a must-read. If you have an easily guessable password, you DEFINITELY must read this.

For several days last week, RamshackleGlam.com – the domain name that I have owned and operated since March of 2010 – did not belong to me, but rather to a man who goes by the name “bahbouh” on an auction website called Flippa.com, and who was attempting to sell off the site to the highest bidder (with a “Buy It Now” price of $30,000.00). He promised the winner my traffic, my files, and my data, and suggested that I was available “for hire” to continue writing posts (alternatively, he was willing to provide the winner with “high-quality articles” and “SEO advice” to maintain the site’s traffic post-sale).
I learned that my site was stolen on a Saturday. Three days later I had it back, but only after the involvement of fifty or so employees of six different companies, middle-of-the-night conferences with lawyers, FBI intervention, and what amounted to a sting operation that probably should have starred Sandra Bullock instead of…well…me.
Blogger Pulls Off $30,000 Sting to Get Her Stolen Site Back.
Yeah, nice try, TechCrunch. #aprilfools
I’m one of those people who hates having to shut down machines, restart them, and log into all my sites all over again, so I’m particularly thankful for hibernation functionality.
On Ubuntu (possibly Debian as well, but I haven’t checked), you can install either (or both) of the hibernate package, or the TuxOnIce-enabled kernel.
Hibernate is a script that detects whether or not you have a TOI-enabled kernel, and if you have such a kernel, it will use the TOI routines.
Hibernate worked perfectly for me, until I started using BOINC. Then, hibernation would hang with my laptop in a “limbo” state. Neither fully on, nor fully powered off. Turns out that BOINC must be either hogging the memory, or not releasing it properly. So, instead of doing
sudo hibernate
I do this
sudo service boinc-client stop
sudo hibernate -k
sudo service boinc-client start
So I stop the BOINC service (freeing up memory and CPU cycles), then I hibernate (allowing the script to kill processes if needed), and then I start the BOINC service again. The last line only gets executed upon resuming.
The ICO’s investigation found that Kent Police had no guidance or procedures in place to make sure personal information was securely removed from former premises. The problem was made worse due to an apparent breakdown in communications between the various departments involved in the move.
ICO Head of Enforcement, Stephen Eckersley, said:
“If this information had fallen into the wrong hands the impact on people’s lives would have been enormous and damaging. These tapes and files included extremely sensitive and confidential information relating to individuals, many of whom had been involved in serious and violent crimes. How a police force could leave such information unattended in a basement for several years is difficult to understand.
“Ultimately, this breach was a result of a clear lack of oversight, information governance and guidance from Kent Police which led to sensitive information being abandoned. It is only good fortune that the mistake was uncovered when it was and the information hasn’t fallen into the wrong hands.”
Kent Police fined £100,000 after interview tapes abandoned at former station | ICO news release.
I’ve started looking at the iptables functionality within the Linux kernel, and found out that, with a bit of tinkering, you can use the IBLOCK lists to do a machine-wide block based on IP. You use pipes (gotta love ‘em) to route the lists into ipset, which lets you create a set of IP addresses/ranges that you then reference from iptables. You can use wget or curl; if you use wget, you might need the quiet switch. You can use xargs to download several lists and concatenate them. I’m tinkering with my download script at the moment.
First, create the set. Here, I have used a high maxelem number because I use a lot of IBLOCK’s lists. The “maxelem 1048576” can be omitted or the number reduced if you are only using one or a small number of IBLOCK lists.
ipset create IBLOCK hash:net maxelem 1048576
Second, download the list and add its entries to the set, skipping any that already exist. You can chain multiple lists into the wget or use xargs; for this example, I’m only using one.
wget -q "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" -O- |
gunzip |
cut -d: -f2 |
grep -E "^[-0-9.]+$" |
gawk '{print "add IBLOCK "$1}' |
ipset restore -exist
Finally, add rules to iptables to drop packets to and from IP addresses that exist in the set. This means that packets arriving from external IPs that match addresses in the set will not be answered, and nothing will be sent to them either.
iptables -I INPUT -m set --match-set IBLOCK src -j DROP
iptables -I OUTPUT -m set --match-set IBLOCK dst -j DROP
When I tried this with my IBLOCK download script, it seemed to kill TOR functionality as well, which I suspect means that IBLOCK have included the TOR IP range in one or more of their lists, so I’ll need to determine which one(s) they are and exclude them, as I do use TOR actively.
As with most things, there’s more than one way to do this, and this is one of many ways you could implement blocking behaviour.
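As an added example (not code from this post or from Dustin C. Hatch's article), here is a small shell function that does the middle part of the pipeline above more robustly: it converts a PeerBlock/P2P-format list into an ipset restore script, splitting on the last colon so list names that themselves contain ":" are not thrown away by cut -d: -f2, dropping comments, CRLF endings and malformed lines, and letting you name ranges to leave out of the set (the kind of exclusion the TOR problem calls for). The set name IBLOCK and type hash:net come from the post; the sample list is constructed.

```shell
#!/bin/sh
# Added example: PeerBlock/P2P list -> "ipset restore" script.
# P2P lines look like "some name:1.2.3.0-1.2.3.255". Set name and type
# (IBLOCK, hash:net) follow the post; the sample data below is constructed.

# p2p_to_ipset SETNAME [RANGE_TO_EXCLUDE ...]
# Reads P2P text on stdin, writes ipset restore commands on stdout.
p2p_to_ipset() {
    set_name="$1"; shift
    printf 'create %s hash:net maxelem 1048576\n' "$set_name"
    # Strip CRLF endings first; downloaded lists are often served with them.
    tr -d '\r' | awk -v set="$set_name" -v excl="$*" '
        BEGIN { n = split(excl, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        /^#/ || /^[ \t]*$/ { next }               # comments and blank lines
        {
            range = $0
            sub(/.*:/, "", range)                 # keep text after the LAST colon,
                                                  # so names containing ":" survive
            if (range !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (range in skip) next               # operator-chosen exclusions
            print "add " set " " range
        }'
}

# Constructed sample: a name containing a colon, a malformed line, and a
# range we want to keep reachable.
SAMPLE_P2P='# PeerBlock list (constructed sample)
Example ISP:192.0.2.0-192.0.2.255
Lab: block range:198.51.100.16-198.51.100.31
not a range at all
Keep me reachable:203.0.113.0-203.0.113.255'

# Number of "add" lines produced when the last range is excluded.
count_adds() {
    printf '%s\n' "$SAMPLE_P2P" | p2p_to_ipset IBLOCK 203.0.113.0-203.0.113.255 | grep -c '^add '
}

# Stand-alone run prints the script you would pipe into "ipset restore -exist";
# that final step is left out so the demo needs no root.
printf '%s\n' "$SAMPLE_P2P" | p2p_to_ipset IBLOCK 203.0.113.0-203.0.113.255
```

With the original cut -d: -f2 the "Lab: block range" line would have been silently dropped by the grep filter; here it yields an add command.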
Source: Dustin C. Hatch, Using PeerBlock lists on Linux