

On the weekend of May 17th-18th, 2002, Steve Scalise was a 36-year-old Louisiana State Representative. Six years later, he’d become a United States Congressman. Six years after that, after only three terms, Steve Scalise would become the House Majority Whip, arguably the third most powerful and influential member of the United States House of Representatives.

But on that weekend in May, Scalise was reportedly armed with a microphone at the Landmark Best Western in Metairie and talking about tax policy to an international convention… of white supremacists and neo-Nazis. According to a commenter who used the name “Alsace Hebert,” Steve Scalise was a highlight of the convention.
...
And from the sound of it, Scalise accomplished what he came there to do: He convinced some vehement white racists and neo-Nazi bigots to vote for him.

The quote above comes from blogger Lamar White, Jr., who broke the story yesterday.  This link will take you to his blog entry (Note: Before you click the link to Mr. White's blog, be warned that some of the links in his article will take you to the Stormfront website): CenLamar.com

Mr. Lamar's account is confirmed by The Washington Post and The Times-Picayune.

Lamar's post is very interesting, as are the WaPo and Times-Pic articles.  In short, Steve Scalise spoke at the European-American Unity and Rights Organization convention in 2002.  The European-American Unity and Rights Organization (known as EURO - note: links to SPLC website) was established in 2001 by David Duke (links to SPLC), a former Grand Wizard of the Ku Klux Klan.  Scalise claims that he didn't know what EURO's politics were (yeah right, he didn't know what David Duke stood for), but he does not deny attending or speaking at the event.

Hopefully, the Republicans will need to find a new Majority Whip.


Overview


According to the New York Times, a group of Russian hackers named CyberVor has managed to amass a shitload of user information:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites.

The New York Times and other media sources credit Hold Security (and its owner Alex Holden) for finding the hacked data.

Is this a valid hack?


Yes (links to Politico).
The findings were verified by an independent security expert working on behalf of the Times

What sites were hacked?


At this point, there is no way to know (links to Washington Post):
Hold wouldn’t name the victims, citing nondisclosure agreements and the fact that some sites remain vulnerable.
According to PC Magazine, some of the data in CyberVor's database may have come from other high-profile hacks:
The massive database of stolen online identification data purportedly owned by the Russian gang was not attained in a single attack, and in fact, most of the credentials it now possesses were likely purchased over time from other people, Holden said.

The Times speculated that credentials acquired by the gang might have come from both high-profile, corporate security breaches like the Target hack from late last year to simple, opportunistic penetrations of small online operations.

Interestingly, according to PC Magazine, Mr. Holden won't identify where the hacking team is located:
Holden declined to name the city, in the event that law enforcement might want to act on his Milwaukee-based company's findings.

How do users know if their credentials have been stolen?


This is where things get a little more "sketchy".  

Apparently, Hold Security has been in contact with the Washington Post.  In an email to the Post: "Holden clarified that the firm is offering to check people’s e-mails against their database of stolen information to see if it was compromised for free."  

I have been on Hold Security's web site a number of times over the last few hours and I have not seen a simple form which allows a user to enter an email address to determine whether they have been impacted or not.  What I have seen is a link to preregister for an "Identity Protection Service" which will be available in the next 60 days.  Apparently, if you sign up for the yet to be released service, Hold Security will check the email address you provided to see if it matches one in the hacker's database.  If there is a match between your email address and Hold Security's database, then:

If we discover that your email is on our list, we will ask you to provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised. Note that the passwords will be encrypted on your end using a very secure algorithm, so there would be no way for us or anybody else to read them in plain text. Once we find a match, we will let you know which of your passwords have been breached, so that you can go ahead and make the necessary changes to protect your information. We will check up to 15 passwords per email as we understand that many of us reuse the same email address on different websites, such as internet banking, social media etc. However, keep in mind that in some cases passwords may be very outdated or you might have some generic passwords assigned to you by various service providers.
Please note that we will not check any emails belonging to military or government domains.
I decided to investigate Hold Security's "Terms of Service".  Here they are in their entirety:
Any use of the CONSUMER HOLD IDENTITY PROTECTION SERVICE shall be subject to, and in compliance with, Hold Security’s CONSUMER HOLD IDENTITY PROTECTION SERVICE terms and conditions, a copy of which shall be sent to you in a separate confirmation email.
So, you don't know what you get until after you've signed up for it.

WTF? What do I do?


Honestly, I can't advise you.  I am not going to pay up to $120 / month to a company for a product which hasn't been released yet.  Step one for me will be to change my passwords for my most sensitive financial (banks, credit cards, etc.) information.

Diarist's note: I use the Web of Trust (WOT) plugin to determine whether a site is safe to visit.  Hold Security is deemed "Suspicious" based on one user review.
Hold Security
Hold Security's page on the CyberVor hack
Hold Security Terms of Service


Numerous news sources are reporting that ISIS leaders in the new Islamic State have ordered Christians in the city of Mosul to either convert to Islam, pay a protection fee (known as a jiziya), or face death.  According to these sources, Christians have until tomorrow, Saturday, to make their choice.

From AlJazeera:

The Islamic State group has threatened Christians in the Iraqi city of Mosul with death if they do not convert to Islam or pay a tax, Al Jazeera has learned.

The Sunni rebel group issued the orders in a letter after Friday prayers. The document, obtained by Al Jazeera, states that the order was issued after Christian leaders failed to attend a meeting called by the group.

In response, the group says in the letter that Christians must either convert to Islam, pay a special tax on non-Muslims known as jiziya, or face death "as a last resort".

According to the Daily Star, those Christian families which remain in Mosul are heeding ISIS' warning and leaving.
“Christian families are on their way to Dohuk and Irbil,” in the neighboring autonomous region of Kurdistan, Patriarch Louis Sako told AFP. “For the first time in the history of Iraq, Mosul is now empty of Christians.”

Witnesses said messages telling Christians to leave the city by Saturday were blared through loudspeakers from the city’s mosques Friday.

...

“We were shocked by the distribution of a statement by ISIS calling on Christians to convert to Islam, or to pay unspecified tribute, or to leave their city and their homes taking only their clothes and no luggage, and that their homes would then belong to ISIS,” Sako said.
--bolding by diarist

Reuters confirms that Christians have been ordered to leave and indicated that in addition to paying for protection, Christians must not display evidence of their faith:
It said Islamic State leader Abu Bakr al-Baghdadi, which the group has now named Caliph Ibrahim, had set a Saturday deadline for Christians who did not want to stay and live under those terms to "leave the borders of the Islamic Caliphate".

"After this date, there is nothing between us and them but the sword," it said.

The Nineveh decree echoes one that the Islamic State in Iraq and the Levant, the former name for the Islamic State, issued in the Syrian city of Raqqa in February, demanding that Christians pay the jizya levy in gold and curb displays of their faith in return for protection.

I am sure many recall the outrage we felt when the Jews in Donetsk were presented with flyers ordering them to register with the regional council.  This issue in Mosul takes things to a whole new level.

I am going to apologize in advance for this being a hit and run diary.  I will be going out in an hour or so, and won't be able to attend to the diary until late this evening or tomorrow morning.  But I felt this was far too important not to share.


eBay is reporting that it has been hacked and is requesting that all of its users change their passwords.

According to CNET, hackers compromised the online giant's servers beginning in February or March of this year.  The company only noticed the issue two weeks ago.  In the course of its investigation, eBay has determined that PayPal (also owned by eBay) accounts have not been affected.  According to eBay (so far), financial information on eBay servers has not been stolen, as it is stored on separate servers using a different type of encryption.  It appears that the breach was accomplished by compromising the login credentials of eBay employees.

I am sure there will be more information forthcoming about this hack - losing the data of 110 million people will generate some interest.  In the meantime, change your password on eBay, and if your PayPal password is the same as your eBay password, change that one too.


The Department of Homeland Security Computer Emergency Response Team (CERT) has issued the following advisory for users of Microsoft Internet Explorer versions 6 through 11.

US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.

US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.

For more details, please see VU#222929.

According to the details of VU#222929:

Overview


Microsoft Internet Explorer contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description


Microsoft Internet Explorer contains a use-after-free vulnerability. This can allow for arbitrary code execution. Internet Explorer versions 6 through 11 are affected.

Note that this vulnerability is being exploited in the wild. Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.


Impact


By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

Solution


We are currently unaware of a practical solution to this problem. Please see Microsoft Security Advisory 2963983 for workarounds. Please also consider the following workarounds:

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

All bolding by diarist.

According to CNET, an advisory of this type is very rare for DHS CERT to issue.

While the Department of Homeland Security's Computer Emergency Readiness Team regularly issues browser advisories, this is one of the few times that the CERT team has recommended that people avoid using a specific browser.
A tip of the hat to ItsSimpleSimon for his cogent observation!

Note to Windows XP users:


XP users will not receive an update when Microsoft resolves this bug:
If you’re still using Windows XP, you do realize that Microsoft stopped supporting the operating system earlier this month, right?

You see, the computer giant has just said it’s been alerted to a serious security flaw in versions 6 through 11 of its Internet Explorer Web browser. The good news is it’s promising to roll out a fix for users soon; but the bad news is if you’re still using XP, you’ll get no fix, leaving your machine vulnerable to attack.


On April 8, 2014, Microsoft will cease full support of its Windows XP operating system.  So what does this mean to you, if you are still using Windows XP?


Why is this important?


According to ComputerWorld, around 30% of the computers around the world still run Windows XP.  This translates to over 480 million computers.  Unfortunately, security bugs are still being found and fixed in Windows XP 12 years after it was released.  As each new security bug found in Windows XP is reported, each of those 480,000,000 computers becomes more vulnerable to exploits which can expose data and allow those computers to be commandeered by people other than the computer's owner.  As a Windows XP user, you need to fully understand how this will impact you.

Will my computer still work after April 8?


Yes, your computer will still work as it does today.  The issue is that your computer will be at greater risk the longer you keep using Windows XP.

What's the big deal about this then?


Currently when someone finds a security problem with the code in any version of Windows, Microsoft fixes the problem.  Even when a security problem is found in a newer version of Windows, if the problem also exists in an older version of the code Microsoft will fix that too.  On "Patch Tuesday" Microsoft bundles all of the fixes it has made and sends them as an update to their users.  After April 8 ("Patch Tuesday" for April), that will change for Windows XP users.  Windows XP users will no longer receive security updates from Microsoft.  Per the Microsoft website:
As a result, after April 8, 2014, technical assistance for Windows XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP on this date. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer be providing security updates to help protect your PC.)  
Highlights by the diarist.
Microsoft's site geared towards the enterprise (businesses) lists the following risks associated with remaining on Windows XP:

Security:


Without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.

Compliance:


Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements. More information on HHS’s view on the security requirements for information systems that contain electronic protected health information (e-PHI) can be found here (HHS HIPAA FAQ - Security Rule).

Lack of Independent Software Vendor (ISV) Support:


Many software vendors will no longer support their products running on Windows XP as they are unable to receive Windows XP updates. For example, the new Office takes advantage of the modern Windows and will not run on Windows XP.

Hardware Manufacturer support:


Most PC hardware manufacturers will stop supporting Windows XP on existing and new hardware. This will also mean that drivers required to run Windows XP on new hardware may not be available.

OK, so what are my options?


According to Microsoft you have two options:


Option 1: If the computer running XP is powerful enough to run Windows 8.1, then purchase the upgrade.  Microsoft has provided a tool (note: this link will download a tool from Microsoft) which you can use to test your XP computer to see if it is able to run the latest version of Windows.  If the computer running XP cannot support Windows 8.1, see Option 2.
Option 2: Buy a new computer.

But of course there are other options:


If your XP computer cannot run the latest Windows operating system, there is a third option: consider one of the free and open source operating systems.  Like Microsoft's options, this option should be well researched before you make the decision.  You will find that there is free and open source software available for almost anything you can do on a Windows computer.  You may also find that running an open source operating system on your old XP box will speed up your computer.  However, Linux-based operating systems may not be the right fit for you.  Linux is lacking when it comes to gaming and running Microsoft Office applications (Linux is catching up on the gaming front and there are workarounds if you absolutely need to run MS Office).  I am sure that if you have questions about these operating systems, I and others in the discussion threads below will be happy to help.  In the interest of full disclosure, I have been running Ubuntu Linux on my personal computers for 5 years and love it.

Lastly, there is a fourth option - stick with Windows XP and hope for the best.  There may be reasons, financial and otherwise, that the other three options do not work for you.  SeaTurtle, whose diary inspired this one, has a number of customizations on the XP machine which make changing operating systems or upgrading to a newer version of Windows impractical.  SeaTurtle's solution is to stick with XP, but not use it online after the final Microsoft update on April 8.  This will keep SeaTurtle productive and buy some time for a comprehensive solution to those issues (like maybe moving to Apple computers).

I know you, you're that random guy on the internet giving me scary news about my computer!


I always tell everyone, never accept anything a guy on the internet says at face value.  Do some reading and some research before you make your final decision.  Learn about Windows 8.1 to see how other people like it; it will be a major change from Windows XP.  If you work for a company, ask your IT people what they think.  If your kid is living in the basement, throw him a bag of Cheetos and a case of Nos and ask him to do some research and come up with a plan.  Ask questions here of people you trust.

In all seriousness, I've been involved with personal computing since the mid-1980s.  I've done everything from selling PCs, building PCs, writing programs, and managing the development of huge programs for a Fortune 500 company.  These days I am not well versed in Windows 8.1 or Apple products in general; almost everything I do is on Linux and Android.  I know that there are a lot of people here who are well versed in Apple and Microsoft technologies, and I hope they will help answer your questions about those platforms when they arise.

So what should I do next?


If you are not receiving it already, Microsoft will begin displaying a "nag" box reminding you that you only have a few days left to upgrade your computer.

Make sure your friends and relatives are aware of this situation if they are running Windows XP.

If you are running Windows XP check to make sure that you have Microsoft's latest updates and security tools installed before April 8.  Also, make sure that you download and install the last update for Windows XP when it becomes available.

Make sure you have the ability to back up all of your computer's data - especially if you're going the upgrade or Linux route.

If you are planning on buying a new computer, plan to use a tool like Laplink to migrate your data and settings from your XP computer to your new computer.  Interestingly, Microsoft recommends Laplink over a tool Microsoft designed themselves for the same purpose.

Start doing your homework now so you can make some decisions well before April 8.  If you run XP and plan to upgrade or buy a new computer, don't wait until the last minute especially if you plan on doing your taxes on your new or upgraded computer.

Got any more bad news for me?


Yes.  Support for Office 2003 ends the same day as support for Windows XP - April 8, 2014.  The same rules apply - no more support for any of the applications in that suite of programs.  Also, according to the Windows Lifecycle Factsheet, support for Windows Vista will end on April 11, 2017.

A word about the comments (if there are any)


I've refrained (as best I can) from taking a negative stance on Microsoft's position in the writing of this diary.  Please don't let the comment threads become burdened with anti-Microsoft, flame-laden comments; it won't help the people who have legitimate questions about this issue.  If you want to trash Microsoft, please do it in another diary.  Thanks, Hey338Too.

News outlets are reporting that US retailer Target has been hacked, allowing the credit card information for up to 40 million people to be stolen.  If you have made any purchases at a Target store between Nov. 27 and Dec. 15, 2013, you should check your credit card statements carefully.  At this point it is not clear if hackers had access to credit card data for Target.com purchases or for those made at Target stores in Canada (but you should check your credit card statements anyway).

According to Target:

We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).
Krebs on Security says major credit card issuers are confirming the breach, and defines the scope as:
nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.
InformationWeek is also reporting on the story.  According to their story:
The attack appears to have been timed to take advantage of the busiest shopping day of the year, Black Friday, which this year fell on November 29. But the heist was likely planned far in advance. "Due to the size and scale, this seems like it would have been a planned attack that began well before Black Friday," said Matt Standart, HBGary's threat intelligence director, via email. "To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort."

Targeting the holiday shopping period -- and especially Black Friday -- was an astute move on the part of attackers, he added. For starters, they could have amassed the maximum possible amount of card data before being detected. In addition, the volume of sales, and resulting load on Target's IT infrastructure, might have served as "a distraction to give more operational security to the adversary," Standart said.
...
Target will now face sharp questions about whether it was storing card data in encrypted format, and whether it had been certified as being compliant with the Payment Card Industry Data Security Standard (PCI-DSS). A Target spokesperson, emailed for comment on the above questions, didn't immediately respond.

If you have shopped at Target recently - CHECK YOUR CREDIT CARD STATEMENT TODAY.

With the focus on Washington D.C. over the last few days, I guess it kind of makes sense that one of the premier software companies in the world would quietly announce that they have been hacked over the last few months.  In August, it appears that Adobe, Inc. lost control over the source code for, at least, their Acrobat and ColdFusion product lines.  Then in September - specifically between the 11th and 17th - the personal information for 2.9 million individuals was stolen from their servers.

The personal data which the hackers stole, according to ComputerWorld, includes:

So far, Adobe's investigation has revealed that attackers managed to access Adobe customer IDs and encrypted passwords, as well as obtain information on 2.9 million customers, including names, encrypted credit or debit card numbers with their expiration dates, and other customer order details.
At this point, no one thinks that any of the credit card data which was stolen was decrypted.  However, it is also important to note here that the full scope of the theft doesn't seem to be completely understood.  The hackers obviously had a long time to access the data on the servers.  According to Krebs, Adobe Chief Security Officer Brad Arkin told them:
“We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”
However, according to ComputerWorld:
Adobe could not confirm whether the popular Adobe Reader product was also affected, or if the security breach also resulted in the theft of encryption keys or code-signing certificates.

If you have purchased software from Adobe


For those of you who have purchased Adobe applications for your home or office, start looking for emails from the company, and do not ignore them.  If you work for a company that has purchased multiple licenses for Adobe software (for example, for Acrobat), forward the information you receive to your payables and legal departments so they can be informed and take action.  Adobe has already changed the passwords for the accounts which they know have been stolen.  In addition, Adobe will be providing those users whose data was stolen with an optional 1 year of free credit monitoring services.

Adobe's press release states that they are conducting the following actions immediately:

  • As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.
  • We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
  • We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
  • We have contacted federal law enforcement and are assisting in their investigation. [Author's note: with the government shut down, I wonder how many law enforcement resources are available to work on this issue]
So please keep a wary eye out for anything suspicious on your credit card statements if you have purchased software from Adobe.

If you use Adobe software


Currently, Adobe doesn't know exactly how much of their code has been stolen.  It is more than a little disconcerting that one of the stolen titles they do acknowledge, ColdFusion (a rapid web application development platform), had an update released after the source code theft.  Adobe's Arkin seems confident that the ColdFusion code has "maintained its integrity".

I would be remiss if I did not mention that it was an investigation by Krebs into a series of hacks into LexisNexis, Dun & Bradstreet and Kroll Background America, which led Krebs to the discovery of the ColdFusion source code.  Those hacks, which supposedly took place over three to six months, allowed the thieves to access social security numbers, birth records, credit and background reports on millions of Americans.  In addition to the three companies mentioned, Krebs was investigating a similar ColdFusion-based hack which compromised the National White Collar Crime Center:

a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.
Krebs believes that the same group that stole the Adobe code is responsible for the data thefts of the companies mentioned above.  Krebs and Adobe have also announced that the source code for Acrobat and ColdFusion Builder has been found on non-Adobe servers.

While most casual computer users may not recognize Adobe's ColdFusion product, many of us know and use Adobe Acrobat or its companion product, the Acrobat Reader.  Adobe Acrobat is used to generate and modify the ubiquitous .pdf files found on the internet.  The Acrobat Reader is the tool we use to read those .pdf files.  Next Tuesday (October 8) Adobe will be releasing updates to the Windows versions of both of these products.  Krebs describes these updates as "critical security updates".

Why this is important


Hold Security, the company that worked with Krebs to shine some light on this issue, says it best:
This breach poses a serious concern to countless businesses and individuals.  Adobe products are installed on most end-user devices and used on many corporate and government servers around the world.  While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data.  Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.

Mon Aug 05, 2013 at 03:41 PM PDT

Before you TOR

by Hey338Too

With all of the NSA-related diaries on the site recently, I have seen folks mention the use of TOR (an acronym for "the onion router") as a means to do things on the web anonymously.  Personally, I don't use TOR because I don't see the need and I am inherently skeptical of "we can hide you" services such as this.  Over the last couple of days the service, and the browser and network which support it, have been in the news - this piqued my curiosity.  Please read on if you are curious too.

So what is TOR?  According to their website:

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.
In addition to providing anonymous access to internet services, the network also allows for anonymous or hidden web site hosting as well.  These hidden websites (which are accessible only through TOR), allow not only the users to be anonymous but the servers as well:
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
According to TOR, this allows the service to:
protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Anonymous web hosting can also be used for nefarious purposes, as is the case with the examples below.

TOR's recent controversy began with the arrest of a man in Ireland named Eric Eoin Marques.  The FBI alleges that the 28-year-old Mr. Marques is "the largest facilitator of child porn on the planet."  Mr. Marques is also "believed to be behind Freedom Hosting, the biggest service provider for sites on the encrypted Tor network".

According to The Verge:

Freedom Hosting is the largest and best-known hidden service provider, hosting a number of prominent darknet destinations, including well-known child pornography sites as well as [site name redacted by the diarist], an online marketplace for drugs and other illegal merchandise. Its high profile as a safe haven for child porn earned it the ire of internet activist collective Anonymous, which used DDoS attacks to temporarily take it offline in 2011. Marques is scheduled to appear in Ireland’s High Court on Thursday, reports The Independent.
In all fairness to TOR, they released a statement:
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research.
So, the Freedom Hosting servers are now down (along with the child porn it was serving) and Mr. Marques is in jail awaiting extradition to Maryland to face the FBI charges.  But the story doesn't end here; it just gets more interesting.

Apparently, to make TOR easier to use, the TOR team created a package called the TOR Browser Bundle (TBB).  The TBB is based on a modified version of a Firefox release, named Firefox 17 ESR.  According to TOR:

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.
An exploit of TBB allowed this to occur:
Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the hack attack and takedown were tied to Marques' arrest.
Not only were web sites impacted, but according to InformationWeek:
"The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service."
In short, anyone accessing Freedom Hosting servers was not anonymous if they were using anything other than the latest, patched, version of TBB.  It is not clear to me if users of the other affected TOR services were compromised.  It should also be noted that this was not a 0 day exploit; a bug had been opened in June with Mozilla (the organization which develops Firefox) against the vulnerability which allowed this exploit to occur.  According to Mozilla the bug has been fixed and a new version of Firefox ESR has been released.  The TOR project did release a rather interesting statement related to this issue, when it said yesterday (August 4):
We're investigating these bugs and will fix them if we can.
Whether this means that the TOR team has more to do to fix this exploit is unclear to me.
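
The leak described above, a request that leaves the browser without passing through Tor, is something a connection log can show. The following is an added example (not from the original diary or from the Tor Project): it flags any connection a browser process makes to a non-loopback address, on the assumption that a Tor-configured browser should only ever talk to the Tor proxy running on the same machine. The log format, process names and addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumption: these are the names the browser runs under on the monitored host.
BROWSER_PROCS = {"firefox", "firefox.exe"}


class Conn(NamedTuple):
    process: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse 'process dst_ip:dst_port'; return None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        process, endpoint = line.split()
        host, port = endpoint.rsplit(":", 1)
        addr = ipaddress.ip_address(host.strip("[]"))  # IPv4 or [IPv6]
        return Conn(process.lower(), str(addr), int(port))
    except ValueError:
        return None


def is_leak(conn: Conn) -> bool:
    """A browser connection is a leak unless it stays on the local machine,
    which is where the bundled Tor proxy listens."""
    if conn.process not in BROWSER_PROCS:
        return False  # the tor process itself is expected to reach relays
    return not ipaddress.ip_address(conn.dst_ip).is_loopback


def find_leaks(lines):
    """Return every browser connection that bypassed the local proxy."""
    conns = (parse_line(entry) for entry in lines)
    return [c for c in conns if c is not None and is_leak(c)]


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE = """\
# process dst_ip:dst_port
firefox 127.0.0.1:9150
tor 198.51.100.7:9001
firefox 203.0.113.25:80
firefox [2001:db8::5]:80
garbage line here
"""

if __name__ == "__main__":
    for c in find_leaks(SAMPLE.splitlines()):
        print(f"LEAK: {c.process} -> {c.dst_ip}:{c.dst_port} did not go through Tor")
```

A host firewall rule that blocks the browser from reaching anything but the local proxy enforces the same policy instead of only reporting on it.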

In the interest of full disclosure about this exploit, according to Wired.com:

“The attackers pent [sic] a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsrklevich, who reverse-engineered the Magneto code.

The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.

But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?

Before anyone goes on a tear about Wired's speculation, imagine what would happen if the person writing the malware was writing code which was not the "embodiment of a carefully crafted court order".  In short, you'd be seriously hosed.  Secondly, I would hope that we all can agree that catching people who traffic in or consume child pornography is the right thing to do.

So what are the takeaways from this?

  • There is no shortcut to protecting yourself on the internet.  If anyone actually reads this, and there are comments which recommend solutions - don't just start using them, do some research first!
  • Understand the technology you are introducing into your lives - whether it's TOR, a cell phone or a smart tv.
  • If you do decide to use TOR to access the secret sites it hosts, do your best to make sure you understand the organization hosting the site.  Since everything is anonymous I have no idea how you would do that.
  • Keep your anti-virus definitions up to date and make sure you are protected by a firewall.
  • Keep the applications on your computer up to date too.
  • It can't be stressed enough, do your research!

A short diary to alert those in this community who are members of the Ubuntuforums.org website that, according to OMG! Ubuntu:

‘Every user’s local username, password, and email address [were stolen] from the Ubuntu Forums database’ Canonical say in a statement posted on the website, adding that while the ‘passwords (stolen) are not stored in plain text’ those who use the same password on other services should ‘change the password on the other service[s] ASAP.’

While data from the Forums has been compromised they stress that other services, such as Ubuntu One and Launchpad, ‘are not affected by the breach’.

Apparently the breach occurred because the system administrators hadn't kept the bulletin board software up to date.  Interestingly, the software being used by the Ubuntu Forums admins was not open source.  The impact of the breach was compounded because the site administrators also failed to use a strong password protection routine - so the passwords were being stored in a relatively easy-to-hack fashion.

There is an anecdotal report of the email list having been released into "the wild".

So, if you're one of those one-password-for-every-website folks (and you use ubuntuforums.org, reputation.com or livingsocial.com, which were hacked earlier this year), change your passwords.


So, you just bought your new iPhone 9 and you're showing it off to your friends.  Of course, the inevitable occurs when you try to let one of your friends handle the apple of your eye:

Your state-of-the-art technological wonder, that you waited two days in line (and signed a 5-year contract with AT&T - without an insurance plan) to obtain, is mishandled and begins crashing towards the earth.  Each millisecond it is in free fall it gets closer to terminal velocity and its inevitable demise.  Most of your friends recoil in horror, but one of them makes a valiant effort to arrest the fall, failing in his attempt.  Yet you remain calm and cool while you think to yourself, "Heh, there's an app for that."
The dogged reporters at Apple Insider have uncovered a patent application filed by Apple, Inc. which may forever solve the "Oops, I dropped my iPhone and it broke" problem.  iPootie technology which will ensure that the iPhone always lands on its "feet".

Apple is very well known for its use of technology to solve man and womankind's most vexing problems.  So rather than simply make the iPhone tougher, their solution is one of technological elegance:

In order to work, the system needs a sensor or sensor array that can detect when a device is in freefall and how it is positioned relative to the ground. These can be simple gyroscopes, accelerometers or position sensors, but the patent also notes more advanced components like GPS and imaging sensors may be employed. Coupled to the sensor is a processor that can help determine a freefall state, including how fast a device is falling, how far away it is from the ground and time to impact, among other metrics. Statistics of various fall heights, speeds and other data can be stored on system memory to aid the processor in making a decision on how best to land the device.
...
Finally, the system requires a mechanism to either reorientate the device while in flight, or otherwise protect certain sensitive device components in the event of a fall. Here, the patent calls for a number of solutions, including the movement of a weighted mass within the device, a means to "grip a plug" to prevent a freefall, lift foils that can be extended out from the surface of a device, and a thrust mechanism such as a can of gas, among other countermeasures.
Indeed, the patent application includes a number of alternatives to protect the device - some examples:
[0028] In one example, the protective mechanism is configured to alter the device orientation as the device is falling. ... the device may be rotating around a particular rotational axis when it first enters freefall and the protective mechanism may cause the device to rotate around a different rotational axis.

[0030] In another example, the protective mechanism may vary the angular momentum and/or orientation of the device during freefall by activating a thrust mechanism. The thrust mechanism may produce a thrust force in one or multiple directions in order to reorient the device. For example, the thrust mechanism may include a gas canister that may deploy the compressed gas outside of the device to change its orientation.

[0031] In yet another example, the protective mechanism may activate an air foil to change the aerodynamics of the mobile electronic device. The air foil may help to reduce a velocity of the free-fall of the device by producing a lift force. In this example, the air foil may help to reduce the force of impact as the device hits the surface, as the momentum of the device may be reduced (as the velocity of the fall may be reduced).

[0032] ... the protective device may contract buttons, switches, or the like that may be exposed on an outer surface of the enclosure, so that the buttons or switches may be protected within the enclosure at impact. This may help to prevent the buttons or switches from being damaged...

[0033] In another example, the protective device may include a gripping member configured to grip onto a power cord, headphone cord, or the like that may be partially received within the device. For example, headphones may be inserted within an audio port and the headphones may be operably connected to a user's head. As the device experiences a freefall (e.g., is dropped by the user), the grip members may expand within the audio port to grip or otherwise retain the headphones (or other plug). This may help to prevent the device from impacting a surface, or may at the least slow down or reduce the velocity at impact, which may give a user a chance to grasp the device.  

Of course, the engineers at Apple realize that an iPhone is never dropped just once, so:
[0034] The electronic device may also store information correlating to various impacts and freefalls of the device. This information may include the drop heights, drop frequency, device orientation prior to the drop, and/or drop velocity. This type of fall or drop information may be stored in order to improve or better protect the device from impacts due to freefalls. For example, the information may be used by the phone to better estimate a predicted freefall orientation and activate a particular protective mechanism or device. In another example, the information may be provided to a device manufacturer so that the device may be constructed to better withstand the most common freefall impacts, such as but not limited to, creating a thicker enclosure on a particular area of the device, relocating particular components within the device, or changing an overall shape of the device.
It should be noted that Apple has apparently chosen to disregard the Mars Rover approach to landing an iPhone, and no air bag deployment system was included in the patent application.  Until this new technology is perfected and integrated into the iPhone, one of the readers at Apple Insider has come up with a novel way to protect his investment.  AI user "Plagen" says:
"Just spread some butter over the side opposite to the fragile one"
While I applaud Apple's forward thinking approach to solve this problem, I did notice one obvious case missing from their analysis: the ubiquitous iPhone meets commode bowl scenario.
The NFL is adding a new rule this year to try and make the sport a little safer and to increase the quality of life of its players once they leave the game.  According to the Washington Post (and other media sources):
Under the rule, it will be illegal for either a runner or a tackler to initiate contact with the crown of his helmet while outside the tackle box (the area between the two offensive tackles when they line up) and more than three yards beyond the line of scrimmage. Such an action will result in a 15-yard penalty.
Some football purists may disagree with this rule, but personally I think it's a step in the right direction.

The idea is to stop a person from using their head as a battering ram in the open field where players are generally at their fastest.  While this may make sense to people who do not follow football, those that do follow the game have seen any number of collisions where a player lowers his head to gain an advantage prior to contact, only to be carted off the field with his head and neck restrained.  These incidents are becoming more frequent.  And no matter how many times you see it, the violence which causes a large human being, in motion a few seconds ago, to be rendered almost instantly motionless takes your breath away.  After these collisions, football fans these days are savvy enough to know to look for any movement of the extremities, which may indicate that the player is not paralyzed (or worse).  Without exception, seeing a downed and possibly semi-conscious player move a foot or even a finger causes everyone in the room (or stadium) to breathe a sigh of relief.

The problem is the helmet, which gives the player a sense of security.  While the helmet does cushion a blow to the head area, it does nothing to protect the neck or brain from the forces related to 500 pounds or more of humanity colliding with each other from opposite directions.  Hopefully this rule will make those collisions less violent by making sure the top of the helmet is not involved and players rely more on their arms, bodies and instincts to escape (or stop) opposing players.

For the purists, helmet to helmet hits will still be allowed within three yards of the line of scrimmage and within the "tackle box".

The keys to this making a real difference are coaching and a similar rule at all other levels of organized football.  Coaches need to make sure that players understand that an extra yard or two is not worth the punishment the player absorbs or the possible penalty the team is assessed.  By enacting this kind of rule at all levels of football, from pee-wee to the pros, hopefully the number of football related head trauma injuries we read about on our sports pages will be reduced.  Let's hope other football sanctioning bodies follow the NFL's lead.

And now it's time to hear from the football purists.
