Language Selection

English French German Italian Portuguese Spanish

Proprietary Software and Security

Filed under
Software
Security
  • TurboTax Is Still Tricking Customers With Tax Prep Ads That Misuse the Word “Free”

    On Dec. 30, the IRS announced it was revamping a long-standing agreement with the online tax preparation industry in which companies offer free filing to people with incomes below certain levels, a category that includes 70% of filers. The change in what’s known as the Free File program came in the wake of multiple ProPublica articles that revealed how the companies in the program steered customers eligible for free filing to their paid offerings. Under the updated agreement, the companies are now prohibited from hiding their Free File webpages from Google searches, and the IRS was allowed to create its own online tax-filing system.

    So far, it seems, the companies are abiding by their promise to make their Free File webpages visible in online searches. But the updated agreement appears to have a loophole: It doesn’t apply to advertising. Nothing in it, the agreement states, “limits or changes the rights” of participating companies to advertise “as if they were not participating in the Free File program.”

  • Ransomware Shuts Gas Compressor for 2 Days in Latest Attack [iophk: Windows TCO]

    It appears likely that the attacker explored the facility’s network to “identify critical assets” before executing the ransomware attack, according to Nathan Brubaker, a senior manager at the cybersecurity firm FireEye Inc. This tactic -- which has become increasingly popular among hackers -- makes it “possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators,” he said.

  • Twitter says Olympics, IOC accounts [cracked]

    Twitter (TWTR.N) said on Saturday that an official Twitter account of the Olympics and the International Olympic Committee’s (IOC) media Twitter account had been [cracked] and temporarily locked.

    The accounts were [cracked] through a third-party platform, a spokesperson for the social media platform said in an emailed statement, without giving further details.

  • Olympics, IOC accounts were [cracked], Twitter says

    The social media company Twitter on Saturday said that the official Twitter accounts for the Olympics as well as the International Olympic Committee (IOC) have both been [cracked] and temporarily locked.

  • Apple warns revenue will be lower than expected because of coronavirus impact

    In a rare investor update on Monday, Apple said the global effects of the coronavirus outbreak are having have a material impact on the company bottom line. The company does not expect to meet its own revenue guidance for the second quarter due to the impact of the virus, and warns that “worldwide iPhone supply will be temporarily constrained.” Store closures and reduced retail traffic in China are also expected to have a significant impact.

    All of Apple’s iPhone manufacturing partner sites have been reopened but are “ramping up more slowly than we had anticipated,” which means that fewer iPhones than expected will be manufactured. As a result, “[t]hese iPhone supply shortages will temporarily affect revenues worldwide,” says Apple.

  • We decided to leave AWS

    For past adventures, I mostly use third-party email delivery services like Postmark, SendGrid, SES, etc. Unfortunately their pricing models are based on the number of emails, which are not compatible with the unlimited forwards/sends that SimpleLogin offers. In addition, we want SimpleLogin to be easily self-hosted and its components fit on a single server. For these reasons, we decide to run our MTA (Mail Transfer Agent) on EC2 directly.

  • [Old] Kerberos (Sleepy: How does Kerberos work? – Theory

    The objective of this series of posts is to clarify how Kerberos works, more than just introduce the attacks. This due to the fact that in many occasions it is not clear why some techniques works or not. Having this knowledge allows to know when to use any of those attacks in a pentest.

    Therefore, after a long journey of diving into the documentation and several posts about the topic, we’ve tried to write in this post all the important details which an auditor should know in order to understand how take advantage of Kerberos protocol.

    In this first post only basic functionality will be discussed. In later posts it will see how perform the attacks and how the more complex aspects works, as delegation.

  • [Old] Kerberos (II): How to attack Kerberos?

    These attacks are sorted by the privileges needed to perform them, in ascending order. Thus, to perform the first attacks only connectivity with the DC (Domain Controller) is required, which is the KDC (Key Distribution Center) for the AD (Active Directory) network. Whereas, the last attack requires a user being a Domain Administrator or having similar privileges.

  • Kerberos (III): How does delegation work?

    In this article, we will focus on understand how the different kinds of delegation work, including some special cases. Additionally, some scenarios where it could be possible to take advantage of these mechanisms in order to leverage privilege escalation or set persistence in the domain will be introduced.

    Before starting with the explanations, I will assume that you already understand Kerberos’ basic concepts. However, if expressions like TGT, TGS, KDC or Golden ticket sound strange to you, you should definitely check the article “How does Kerberos works?” or any related Kerberos’ introduction.

More in Tux Machines

Sparky 5.11

A quarterly update point release of live/install media of Sparky 5.11 “Nibiru” of the stable line is out. This is a release based on Debian 10 “Buster”. Changes: – the base system upgraded from Debian stable repos as of March 1, 2020 – Linux kernel 4.19.98 LTS (PC) – Linux kernel 4.19.97 LTS (ARMHF) – added 9 new nature wallpapers captured by Aneta, Pavbaranov and me – Sparky repository changed to the named “nibiru” (“stable” works as before); no need to manually change the repo; see also: https://sparkylinux.org/sparky-named-repos/ – Firefox 68.6.0 ESR – Thunderbird 68.6.0 – LibreOffice 6.1.5 Read more

Steam Survey Points To Tiny Uptick In Linux Percentage For March

With the Steam Survey numbers out this week, the March 2020 statistics point to the Linux gaming marketshare ticking up by 0.04% to 0.87%. But in reality that is almost a rounding error and sticks to what we have largely been seeing in recent months of 0.8~0.9% for Linux gaming on Steam. Though even with the record number of users on Steam in March, it's good to see the Linux percentage didn't actually diminish -- at least according to the survey numbers. Read more

Python Programming

  • Analysis of the progress of COVID-19 in the world with Data Science.

    All the data in this article was made with Data Scientis tools. Given the circumstances the planet is experiencing at the moment, we show below a series of results after implementing Data Science techniques to monitor the virus. For the following analyzes, the data from the Johns repositories were taken Hopkins University Center for Systems Science and Engineering (JHU CSSE). As it is public knowledge, the advance of the pandemic is a worldwidede concer, that is why I consider interesting to be able to make an analysis of certain countries. Therefore we can see in the following graph how the curve of confirmed infected persons in countries such as USA, Italy, France and Argentina advances from the beginning to today.

  • Introduction to the Python HTTP header

    You can create your own custom headers for the HTTP destination using the Python HTTP header plugin of syslog-ng and Python scripts. The included example configuration just adds a simple counter to the headers but with a bit of coding you can resolve authentication problems or fine tune how data is handled at cloud-based logging and SIEM platforms, like Sumologic.

  • Announcing a new Sponsorship Program for Python Packaging

    The Packaging Working Group of the Python Software Foundation is launching an all-new sponsorship program to sustain and improve Python's packaging ecosystem. Funds raised through this program will go directly towards improving the tools that your company uses every day and sustaining the continued operation of the Python Package Index.

  • Python String Concatenation

    String concatenation means creating a new string by combining two or more string values. Many built-in methods and ‘+’ operator are used to combine string values in many programming languages. ‘+’ operator is also used in python to combine string values but it works differently than other scripting languages. In JavaScript, when a string value combines with the number value then the number value will convert automatically into the string and combines with the other string value. But if you do the same task in Python then it will generate an error because Python can’t convert the number into string automatically. Many other ways exist in Python to combine string values. This article shows how you can do string concatenation in Python in different ways. Here, spyder3 editor is used for writing and executing the scripts of this article.

  • Python String Replacement using Pattern

    Any string data can be replaced with another string in Python by using the replace() method. But if you want to replace any part of the string by matching a specific pattern then you have to use a regular expression. It is used to search a specific pattern in a particular string value and the string will be replaced with another string if any match found. Python uses ‘re’ module to use regular expression pattern in the script for searching or matching or replacing. Using regular expression patterns for string replacement is a little bit slower than normal replace() method but many complicated searches and replace can be done easily by using the pattern. You can replace a string in various ways using the pattern in Python. Some common uses of pattern to replace string are shown in this tutorial. Spyder3 editor is used here to write and run the script.

  • Python String startswith and endswith

    Sometimes we need to check the starting or the ending part of any string for the programming purpose. There are two built-in methods in Python to do the task. These are startswith() and endswith() methods. If any string starts with a given prefix then startswith() method will return true otherwise returns false and if any string ending with a given suffix then endswith() method will return true otherwise returns false. How these methods work and use in Python are shown in this tutorial. Spyder3 editor is used here to write and run the python script.

  • Examples are Awesome

    There are two things I look for whenever I check out an Opensource project or library that I want to use. 1. Screenshots (A picture is worth a thousand words). 2. Examples (Don't tell me what to do, show me how to do it). Having a fully working example (or many examples) helps me shape my thought process.

  • App Assisted Contact Tracing

    I don't know how I thought the world would look like 10 years ago, but a pandemic that prevents us from going outside was not what I was picturing. It's about three weeks now that I and my family are spending at home in Austria instead of going to work or having the kids at daycare, two of those weeks were under mandatory social distancing because of SARS-CoV-2. And as cute as social distancing and “flattening the curve” sounds at first, the consequences to our daily lives are beyond anything I could have imagined would happen in my lifetime. What is still conveniently forgotten is that the curve really only stays flat if we're doing this for a very, very long time. And quite frankly, I'm not sure for how long our society will be able to do this. Even just closing restaurants is costing tens of thousands of jobs and closing schools is going to set back the lives of many children growing up. Many people are currently separated from their loved ones with no easy way to get to them because international travel grinded to a halt.

Proprietary Stuff and Openwashing

  • Federal, State, and Local Law Enforcement Warn Against Teleconferencing [Cracking] During Coronavirus Pandemic

    Western District of Michigan U.S. Attorney Andrew Birge advised video conference users: “Whether you run a business, a law enforcement meeting, a classroom or you just want to video chat with family, you need to be aware that your video conference may not be secure and information you share may be compromised. Be careful. If you do get [attacked], call us.”

  • Zoom CEO says company reached 200 million daily users in March

    In order to address the company’s problems, Yuan detailed steps taken including removing Facebook’s software development kit to stop the collection of unnecessary user data, updating Zoom’s privacy policy to be more transparent, giving tips to users to prevent Zoom bombings and offering more specific programs for classes on Zoom.

  • Update: Zoom issues fix for UNC vulnerability that lets [attackers] steal Windows credentials via chat

    All an attacker needs to do is to send a link to another user and convince them to click it, for the attack to commence. Though the Windows password is still encrypted, the hack claims it can be easily decrypted by third-party tools if the password is a weak one.

  • Thousands of Zoom recordings exposed because of the way Zoom names recordings

    Thousands of Zoom cloud recordings have been exposed on the web because of the way Zoom names its recordings, according to a report by The Washington Post. The recordings are apparently named in “an identical way” and many have been posted onto unprotected Amazon Web Services (AWS) buckets, making it possible to find them through an online search.

    One search engine that can look through cloud storage space turned up more than 15,000 Zoom recordings, according to The Washington Post. “Thousands” of clips have apparently also been uploaded to YouTube and Vimeo. The Washington Post said it was able to view recordings of therapy sessions, orientations, business meetings, elementary school classes, and more.

  • Move Fast & Roll Your Own Crypto

    Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

    The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.

    Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

  • ‘Zoombombing’ is a federal offense that could result in imprisonment, prosecutors warn

    Federal prosecutors are now warning pranksters and [attackers] of the potential legal implications of “Zoombombing,” wherein someone successfully invades a public or sometimes even private meeting over the videoconferencing platform to broadcast shock videos, pornography, or other disruptive content.

    The warning was posted as a press released to the Department of Justice’s website under the US Attorney’s office for the state’s Eastern district with support from the state attorney general and the FBI.

  • [Attackers] are targeting your kids to infect Android and Chromebook devices with malware

    Hide your kids; hide your wives. Security investigators from Check Point Research discovered 56 malware-infected Google Play apps. Before Google had a chance to pull them down, users already downloaded the apps one million times; 24 of those apps, Check Point Research discovered, targeted children.

    The study -- spearheaded by Israel Wernik, Danil Golubenko , Aviran Hazum -- found that the Google Play Store-based apps were poisoned with Tekya, which is a form of adware. The goal of Tekya, Hazum told Laptop Mag, is to commit mobile-ad fraud.

  • Apparently Microsoft’s Claim of 775 Percent Surge in Cloud Services Wasn’t Really Accurate

    The company has now made a correction, saying that the 775 percent increase was experienced by Microsoft Teams, not all of the cloud offerings, which isn't as surprising since the video calling app generated over 900 million meeting and calling minutes daily in a one-week period alone.

    As it turns out the figure also only came from Microsoft Teams' users in Italy, where millions of people were put under lockdown. The corrected statement now reads: [...]

  • Zoom isn’t actually end-to-end encrypted

    Zoom does use TLS encryption, the same standard that web browsers use to secure HTTPS websites. In practice, that means that data is encrypted between you and Zoom’s servers, similar to Gmail or Facebook content. But the term end-to-end encryption typically refers to protecting content between the users entirely with no company access at all, similar to Signal or WhatsApp. Zoom does not offer that level of encryption, making the use of “end-to-end” highly misleading.

  • Zoom Calls Are Not End-to-End Encrypted Contrary to Claims

    What this means it that Zoom can access the video feed of your meetings. The company did confirm that it does not “directly access, mine, or sell user data.”

    Zoom offers an option where a meeting can only be hosted with mandatory encryption for third-party endpoints. However, when contacted, the company clarified that it is currently not possible to hold E2E video meetings using Zoom.

  • Zoom’s sudden spike in popularity is revealing its privacy (and porn) problems

    With its vaguely worded privacy policies and misleading marketing materials, Zoom’s real overarching issue seems to be a lack of transparency. Combine that with an apparent lack of forethought about how video meetings with insufficient privacy protections — both on the back and the front end — could be exploited by [attackers] or trolls. This entire scenario becomes especially problematic considering the growing number of students that Zoom eagerly recruits for the platform. It all seems like a bad publicity time bomb that went off as soon as Zoom became an essential piece of pandemic software and people started really looking more closely at how the service worked.

  • Dark Sky Has a New Home

    Android and Wear OS App

    The app will no longer be available for download. Service to existing users and subscribers will continue until July 1, 2020, at which point the app will be shut down. Subscribers who are still active at that time will receive a refund.

    Website

    Weather forecasts, maps, and embeds will continue until July 1, 2020. The website will remain active beyond that time in support of API and iOS App customers.

  • Microsoft’s Skype struggles have created a Zoom moment

    The transition lasted years, and resulted in calls, messages, and notifications repeating on multiple devices. Skype became unreliable, at a time when rivals were continuing to offer solid alternatives that incorporated messaging functionality that actually worked and synced across devices. Instead of quickly fixing the underlying issues, Microsoft spent years trying to redesign Skype. This led to a lethal combination of an unreliable product with a user experience that changed on a monthly basis.

  • ‘War Dialing’ Tool Exposes Zoom’s Password Problems

    Lo said a single instance of zWarDial can find approximately 100 meetings per hour, but that multiple instances of the tool running in parallel could probably discover most of the open Zoom meetings on any given day. Each instance, he said, has a success rate of approximately 14 percent, meaning for each random meeting number it tries, the program has a 14 percent chance of finding an open meeting.

    Only meetings that are protected by a password are undetectable by zWarDial, Lo said.

  • Open Source Moves From Rebel to Mainstream

    That shift has its critics. “The degree in which corporations knowingly and openly use open source has grown,” says Karl Fogel, a developer and open-source advocate. Still, some open-source developers feel that although these businesses build a lot of value on top of their work, they’re not seeing “enough of it flowing back to them,” Fogel says.

    But the narrative of a noncommercial open source being colonized by the corporate world also has its flaws, cautions Fogel. Open source has always been commercial to a certain degree. Even in the more radical currents of the movement, where the term “free software” is preferred over open source, making money isn’t necessarily shunned. Richard Stallman, one of the movement’s pioneers, famously said that the “free” in “free software” should be taken as “free speech, not free beer.” All the talk about freedom and digital self-ownership doesn’t preclude making money.

  • HPE announces new open source programme to simplify 5G rollout

    Hewlett Packard Enterprise (HPE) today announced the Open Distributed Infrastructure Management initiative, a new open source programme that will simplify the management of large-scale geographically distributed physical infrastructure deployments. In addition, HPE will introduce an enterprise offering, the HPE Open Distributed Infrastructure Management Resource Aggregator that is aligned with the initiative. Open Distributed Infrastructure Management helps resolve the complexity that telcos face in rolling out 5G networks across thousands of sites equipped with IT infrastructure from multiple vendors and different generations of technology. This new initiative underlines HPE’s continued leadership in open 5G technologies and commitment to accelerating industry alignment through open source innovation.