Feed aggregator

Student claims Wassenaar Arrangement prevents him from publishing dissertation

Ars Technica - Fri, 03/07/2015 - 01:07

Grant Willcox, a student studying ethical hacking at the University of Northumbria in the UK, is claiming that the Wassenaar Arrangement, an arms control treaty that was expanded last year to prohibit the export of various kinds of software exploit, is forcing him to censor his dissertation.

Willcox's research investigates ways in which Microsoft's EMET software can be bypassed. EMET is a security tool that includes a variety of mitigation techniques designed to make exploiting common memory corruption flaws harder. In the continuing game of software exploit cat and mouse, EMET raises the bar, making software bugs harder to take advantage of, but does not outright eliminate the problems. Willcox's paper explored the limitations of the EMET mitigations and looked at ways that malware could bypass them to enable successful exploitation. He also applied these bypass techniques to a number of real exploits.

Typically this kind of dissertation would be published in full. Security researchers routinely explore techniques for bypassing system protections, with this research being one of the things that guides the development of future mitigations. Similarly, publishing the working exploit code (with a safe payload, to prove the concept) is standard within the research community.

Kim Dotcom appeals US seizure of his millions, jet skis, and more

Ars Technica - Fri, 03/07/2015 - 00:39

Kim Dotcom and his co-defendants have filed an appeal to the 4th Circuit Court of Appeals, arguing that the long list of property that was seized under American civil forfeiture was done so improperly.

Last month, a New Zealand court found in favor of the Megaupload founder’s attempt to halt the American government forfeiture of his New Zealand-held assets.

The decision by the High Court of New Zealand, Auckland Registry essentially found that because Dotcom lost the United States civil forfeiture case by default judgment in March 2015—and New Zealand law did not recognize such a concept—that his assets should not be handed over. In recent months, the American government has tried to work with its New Zealand counterparts to have this forfeiture enforced.

EFF Launches Badge Hacking Contest for DEF CON 23

EFF Breaking News - Thu, 02/07/2015 - 23:19

The Electronic Frontier Foundation is proud to present the DEF CON 23 Badge Hack Pageant (1337 skills required, swimsuit optional). Now is the time to bring out your sweetest hacks and sickest mods in a no-holds-barred battle for hardware supremacy. You are free to excel in practicality, absurdity, devastating good looks, or all three. Break out your hacker con badge collection and have at it. An esteemed panel of celebrity judges will decide the fate of contestants.

The path to victory is simple...

1. Enter in one of three categories:
    • DEF CON DIGITAL: Circuit board-based badge from DC 1-22
    • DEF CON ANALOG: Analog badge from DC 1-22
    • WILD CARD: Badge from any other hacker con

2. Get scored at DC23 by a panel of celebrity guest judges based upon these criteria:
    • Originality
    • Form
    • Utility
    • ¡X-FACTOR! (overall execution)

3. Identify the badge's origin and wear it around your neck during judging.

4. PROFIT!11!!1one!111 (in the form of bragging rights and gear, at least). EFF will name a winner in each category. Winners will receive special prizes and abundant glory.

There is no limit (except Johnny Law) to what you may add to enhance or embellish your entry. Get started on your entry today and let us know which category you plan to enter. Be sure to sign up officially for the competition at EFF’s Contest booth in Las Vegas. Contestants must be present for the judging session on Saturday at DEF CON to win. EFF celebrates your ability to pwn what you own.

EFF is a member-funded nonprofit organization that has fought to protect digital privacy, free expression, and innovation for 25 years. Our court work, activism, and tech projects aim to support individual rights worldwide. Consider donating to EFF at DEF CON or becoming an annual member today.

Enrico Zini: italian-fattura-elettronica

Planet Debian - Thu, 02/07/2015 - 22:48

Billing an Italian public administration

Here's a simple guide for how I managed to bill one of my customers as is now mandated by law in Italy.

Create a new virtualbox machine

I would never do any of this to any system I would ever want to use for anything else, so it's virtual machine time.

  • I started virtualbox, created a new machine for Ubuntu 32bit, 8 GB disk, 4 GB RAM, and placed the .vdi image in an encrypted partition. The web services of Infocert's fattura-pa require "Java (JRE) a 32bit di versione 1.6 o superiore" (a 32-bit JRE, version 1.6 or later).
  • I installed Ubuntu 12.04 on it: that is what dike declares to support.
  • I booted the VM, installed virtualbox-guest-utils, and made sure I also had virtualbox-guest-x11.
  • I restarted the VM so that I could resize the virtualbox window and have Ubuntu resize itself as well. Now I could actually read popup error messages in full.
  • I changed the desktop background to something that gave me the idea that this is an untrusted machine where I need to be very careful of what I type. I went for bright red.
Install smart card software into it
  • apt-get install pcscd pcsc-tools opensc
  • In virtualbox, I went to Devices/USB devices and enabled the smart card reader in the virtual machine.
  • I ran pcsc_scan to see if it could see my smart card.
  • I ran Firefox, went to preferences, advanced, security devices, load. Module name is "CRS PKCS#11", module path is /usr/lib/opensc-pkcs11.so
  • I went to https://fattura-pa.infocamere.it/fpmi/service and I was able to log in. To log in, I had to type the PIN 4 times into popups that offered little explanation of what was going on, enjoying cold shivers because the smart card would lock itself at the 3rd failed attempt.
  • Congratulations to myself! I thought that all was set, but unfortunately, at this stage, I was not able to do anything else except log into the website.
Descent into darkness

Set up things for fattura-pa
  • I got the PDF with the setup instructions from here. Get it too, for a reference, a laugh, and in case you do not believe the instructions below.
  • I went to https://www.firma.infocert.it/installazione/certificato.php, and saved the two certificates.
  • Firefox, preferences, advanced, show certificates, I imported both CA certificates, trusted for everything, all my base are belong to them.
  • apt-get install icedtea-plugin
  • I went to https://fattura-pa.infocamere.it/fpmi/service and tried to sign. I could not: I got an error about invalid UTF8 for something or other in Firefox's standard error. Firefox froze and had to be killed.
Set up things for signing locally with dike
  • I removed icedtea so that I could use the site without firefox crashing.
  • I installed DiKe For Ubuntu 12.04 32bit
  • I ran dikeutil to see if it could talk to my smart card
  • When signing with the website, I chose the manual signing options and downloaded the zip file with the xml to be signed.
  • I got a zip file, unzipped it.
  • I loaded the xml into dike.
  • I signed it with dike.
  • I got this error message: "nessun certificato di firma presente sul dispositivo di firma" and then this error message: "Impossibile recuperare il certificato dal dispositivo di firma". No luck.
Set up things for signing locally with ArubaSign
  • I went to https://www.pec.it/Download.aspx
  • I downloaded ArubaSign for Linux 32 bit.
  • Oh! People say that it only works with Oracle's version of Java.
  • sudo add-apt-repository ppa:webupd8team/java
  • apt-get update
  • apt-get install oracle-java7-installer
  • During the installation process I had to agree to also sell my soul to Oracle.
  • tar axf ArubaSign*.tar*
  • cd ArubaSing-*/apps/dist
  • java -jar ArubaSign.jar
  • I let it download its own updates. Another time I did not. It does not seem to matter: I get asked that question every time I start it anyway.
  • I enjoyed the fancy brushed metal theme, and had an interesting time navigating an interface where every label on every icon or input field was truncated.
  • I downloaded https://www.pec.it/documenti/Manuale_ArubaSign2_firma%20Remota_V03_02_07_2012.pdf to get screenshots of that interface with all the labels intact
  • I signed the xml that I got from the website. I got told that I needed to really view carefully what I was signing, because the signature would be legally binding
  • I enjoyed carefully reading a legally binding, raw XML file.
  • I told it to go ahead, and there was now a .p7m file ready for me. I rejoiced, as now I might, just might actually get paid for my work.
Try fattura-pa again

Maybe fattura-pa would work with Oracle's Java plugin?

  • I went to https://fattura-pa.infocamere.it/fpmi/service
  • I got asked to verify java at www.java.com. I did it.
  • I told FireFox to enable java.
  • Suddenly, and while I was still in java.com's tab, I got prompted about allowing Infocert's applet to run: I allowed it to run.
  • I also got prompted several times, still while the current tab was not even Infocert's tab, about running components that could compromise the security of my system. I allowed and unblocked all of them.
  • I entered my PIN.
  • Congratulations! Now I have two ways of generating legally binding signatures with government issued smart cards!
Aftermath

I shut down that virtual machine and I'm making sure I never run anything important on it. Except, of course, generating legally binding signatures as required by the Italian government.

What could possibly go wrong?

US sees its first measles death in a dozen years

Ars Technica - Thu, 02/07/2015 - 21:40

Today, Washington state health authorities announced that an autopsy revealed that a woman who had died earlier this year had succumbed to the measles, making her the first US casualty of the disease in a dozen years. The announcement comes just days after California's decision to tighten its vaccination requirements.

According to the announcement, the woman "had several other health conditions and was on medications that contributed to a suppressed immune system." Thus, even if she had been vaccinated (it wasn't clear if she had), her treatments put her at the mercy of herd immunity—having sufficient people immunized to prevent her from being exposed to the virus. But Washington has seen 11 cases of measles so far this year, half of them in the county where the woman was infected (Clallam, which covers the northern part of the Olympic Peninsula). The victim was apparently at a health clinic at the same time as an infectious individual.

In part because of her symptoms and other health conditions, the case was not diagnosed immediately but was only detected on autopsy.

Antonio Terceiro: Upgrades to Jessie, Ruby 2.2 transition, and chef update

Planet Debian - Thu, 02/07/2015 - 21:26

Last month I started to track all the small Debian-related things that I do. My initial motivation was to be conscious about how often I spend short periods of time working on Debian. Sometimes it’s during lunch breaks, weekends, first thing in the morning before regular work, after I am done for the day with regular work, or even during regular work, since I do occasionally have the chance of doing Debian work as part of my regular work.

Now that I have this information, I need to do something with it. So this is probably the first of monthly updates I will post about my Debian work. Hopefully it won’t be the last.

Upgrades to Jessie

I (finally) upgraded my two servers to Jessie. The first one, my home server, is a Utilite which is a quite nice ARM box. It is silent and consumes very little power. The only problem I had with it is that the vendor-provided kernel is too old, so I couldn’t upgrade udev, and therefore couldn’t switch to systemd. I had to force systemv for now, until I can manage to upgrade the kernel and configure uboot to properly boot the official Debian kernel.

On my VPS things are way better. I was able to upgrade nicely, and it is now running a stock Jessie system.

fixed https on ci.debian.net

pabs had let me know on IRC of an issue with the TLS certificate for ci.debian.net, which took me a few iterations to get right. It was missing the intermediate certificates, and is now fixed. You can now enjoy Debian CI under https.

Ruby 2.2 transition

I was able to start the Ruby 2.2 transition, which has the goal of switching to Ruby 2.2 on unstable. The first step was updating ruby-defaults, adding support to build Ruby packages for both Ruby 2.1 and Ruby 2.2. This was followed by updates to gem2deb (0.18, 0.18.1, 0.18.2, and 0.18.3) and rubygems-integration. At this point, after a few rebuild requests, only 50 out of 137 packages need to be looked at; some of them just use the default Ruby, so a rebuild once we switch the default will be enough to make them use Ruby 2.2, while others, especially Ruby libraries, will still need porting work or other fixes.

Updated the Chef stack

Bringing chef to the very latest upstream release into unstable was quite some work.

I had to update:

  • ruby-columnize (0.9.0-1)
  • ruby-mime-types (2.6.1-1)
  • ruby-mixlib-log 1.6.0-1
  • ruby-mixlib-shellout (2.1.0-1)
  • ruby-mixlib-cli (1.5.0-1)
  • ruby-mixlib-config (2.2.1-1)
  • ruby-mixlib-authentication (1.3.0-2)
  • ohai (8.4.0-1)
  • chef-zero (4.2.2-1)
  • ruby-specinfra (2.35.1-1)
  • ruby-serverspec (2.18.0-1)
  • chef (12.3.0-1)
  • ruby-highline (1.7.2-1)
  • ruby-safe-yaml (1.0.4-1)

In the middle I also had to package a new dependency, ruby-ffi-yajl, which was very quickly ACCEPTED thanks to the awesome work of the ftp-master team.

Random bits

  • Sponsored an upload of redir by Lucas Kanashiro
  • chake, a tool that I wrote for managing servers with chef but without a central chef server, got ACCEPTED into the official Debian archive.
  • vagrant-lxc, a vagrant plugin for using lxc as backend and lxc containers as development environments, was also ACCEPTED into unstable.
  • I got the deprecated ruby-rack1.4 package removed from Debian

Nintendo execs talk VR, downloadable games, “letting down” fans

Ars Technica - Thu, 02/07/2015 - 20:01

The close of Nintendo's 2015 fiscal year coincided with its annual Japanese shareholders meeting, an event whose closing Q&A session has been transcribed, translated, and posted in English every year since 2010. This year saw the company talking frankly about its position in the gaming market, its slow transition into smartphone game development, and more.

Nintendo President Satoru Iwata fielded most of the questions, the first of which concerned downloadable game prices—and why they are higher than boxed ones. Iwata described the risks that big-box retailers take on when buying bulk inventory, then acknowledged that Nintendo "sets a different wholesale price for these two versions."

But he didn't speak to any efforts by Nintendo to adjust pricing for customers who don't care for the "business risk" issues that retailers face and just want a fair game price; instead, he hinted that the company's upcoming replacement for Club Nintendo, coming this fall, might include "a system where Nintendo can give (individual) offers to each consumer." Iwata confirmed that Nintendo's total downloadable game sales reached 31.3 billion yen—about $254 million—in revenue, which he said was a 30 percent increase from fiscal year 2014.

Images from immediate aftermath of the Deepwater Horizon oil spill

Ars Technica - Thu, 02/07/2015 - 19:40

Five years ago, the Deepwater Horizon disaster spewed out some 134 million gallons of oil, soiling 1,000 miles of Gulf of Mexico coastline. On Thursday, BP agreed to pay an $18.7 billion settlement that will help repair the damage from the televised spill that began April 20 and ended July 15, 2010.

Environmentalists suggest it could take decades to determine the extent of the damage. Here's some imagery of the spill's immediate aftermath:

Man found guilty in California laser strike case, faces up to 5 years

Ars Technica - Thu, 02/07/2015 - 19:25

A Bakersfield, California resident is the latest person to be facing prison time for aiming a laser pointer at an aircraft.

Barry Lee Bowser was convicted after a two-day trial, the Department of Justice announced on Wednesday. Bowser was the 13th person to be charged by federal prosecutors in the Eastern District of California, which has taken the lead in prosecuting "laser strike" cases nationwide.

Bowser will be sentenced on September 28 and faces a maximum penalty of five years in prison and a $250,000 fine.

Chevy builds A/C vent for hot phones into new cars

Ars Technica - Thu, 02/07/2015 - 19:15

The Active Phone Cooling vent and charging platform.

Smartphone heat output has been in the news lately. This year's flagship Qualcomm chip, the Snapdragon 810, is one of the hottest SoCs on record; due to the heat, it can throttle so much that for some workloads it's actually slower than its predecessors. Batteries don't work well when they're hot, either, to the point where—despite having a power source—they will stop charging completely at high temperatures. A hot car can exacerbate all these heat problems.

Now, Chevy has a solution: it built a special air-conditioning vent just for your smartphone.

Chevy calls it "Active Phone Cooling." On select vehicle models equipped with Qi and PMA wireless charging, Chevy has a smartphone charging bin with a vent aimed right at the phone. Turn on the AC and, in addition to cooling the cabin, cool air will be blasted at the charging phone. Chevy calls this an "industry-first technology" and says the feature is available on some versions of the 2016 Impala, Malibu, Volt, and Cruze.

It’s official: North America out of new IPv4 addresses

Ars Technica - Thu, 02/07/2015 - 19:05

Remember how, a decade ago, we told you that the Internet was running out of IPv4 addresses? Well, it took a while, but that day is here now: Asia, Europe, and Latin America have been parceling out scraps for a year or more, and now the ARIN wait list is here for the US, Canada, and numerous North Atlantic and Caribbean islands. Only organizations in Africa can still get IPv4 addresses as needed. The good news is that IPv6 seems to be picking up the slack.

ARIN, the American Registry for Internet Numbers, has now activated its "IPv4 Unmet Requests Policy." Until now, organizations in the ARIN region were able to get IPv4 addresses as needed, but yesterday, ARIN was no longer in the position to fulfill qualifying requests. As a result, ISPs that come to ARIN for IPv4 address space have three choices: they can take a smaller block (ARIN currently still has a limited supply of blocks of 512 and 256 addresses), they can go on the wait list in the hope that a block of the desired size will become available at some point in the future, or they can buy addresses, via a transfer, from an organization that has more than it needs.

"If you take a smaller block, you can't come back for more address space for 90 days," John Curran, CEO of ARIN, told Ars. "We currently have nearly 500 small blocks remaining, but we handle 300 to 400 requests per month, [so] those remaining small blocks are going to last between two and four weeks."

Christoph Berg: PostgreSQL 9.5 in Debian

Planet Debian - Thu, 02/07/2015 - 19:03

Today saw the release of PostgreSQL 9.5 Alpha 1. Packages for all supported Debian and Ubuntu releases are available on apt.postgresql.org:

deb http://apt.postgresql.org/pub/repos/apt/ YOUR_RELEASE_HERE-pgdg main 9.5

The package is also waiting in NEW to be accepted for Debian experimental.

Being curious which PostgreSQL releases have been in use over time, I pulled some graphics from Debian's popularity contest data:

Before we included the PostgreSQL major version in the package name, "postgresql" contained the server, so that line represents the installation count of the pre-7.4 releases at the left end of the graph.

Interestingly, 7.4 reached its installation peak well past 8.1's. Does anyone have an idea why that happened?

WikiLeaks drops new set of secret TISA docs: Yep, no one agrees

Ars Technica - Thu, 02/07/2015 - 18:53

Not content to simply publish National Security Agency intelligence briefs, WikiLeaks has also released its second round of leaked drafts from the Trade in Services Agreement (TISA) negotiations. For the first time, the group also released the “Core Text”—the primary guiding document part of any trade negotiations.

Nearly a month ago, the group released the first round of 17 secret documents. The main participants in the treaty deal are the United States, the European Union, and 23 other countries including Turkey, Mexico, Canada, Australia, Pakistan, Taiwan, and Israel, which together comprise two-thirds of global GDP.

The TISA has been criticized by labor and advocacy groups, particularly with respect to some of its tech-related draft provisions. The leak comes just days before the next scheduled round of talks to open on July 6 in Geneva, Switzerland.

Colorful Contraptions Show How Musicians Make Sound Effects

Wired - Thu, 02/07/2015 - 18:51

Each of James Boock's analog objects creates a different sound effect---tremolo, reverb, delay, and voice modulation---just as a digital tool might.

The post Colorful Contraptions Show How Musicians Make Sound Effects appeared first on WIRED.

Yo Air Force: Don’t You Dare Kill Off Our Toughest Warplane

Wired - Thu, 02/07/2015 - 18:41

The A-10 Warthog is a hammer. But sometimes you need to hit some nails.

BP to pay $18.7 billion in Deepwater Horizon legal settlement

Ars Technica - Thu, 02/07/2015 - 18:30

BP, the federal government, and five Gulf of Mexico states announced an $18.7 billion (£12 billion) settlement Thursday that essentially ends much of the legal wrangling over the massive Deepwater Horizon oil spill in 2010. It is the nation's largest legal settlement over an environmental disaster.

The historic accord with Louisiana, Alabama, Mississippi, Texas, and Florida still needs the signature of US District Judge Carl Barbier of New Orleans. The deal comes five years after the Deepwater Horizon spewed some 3.2 million barrels (about 134 million gallons) of oil into the Gulf of Mexico, bringing with it long-lasting environmental consequences.

Confirmed stupid: A patent on firewalls, circa 2000

Ars Technica - Thu, 02/07/2015 - 18:18

Last month, the EFF faced down a lawsuit claiming that one of its "Stupid Patent of the Month" blog posts illegally defamed the inventor, a patent lawyer named Scott Horstemeyer. Days after the lawsuit became public, it was dropped.

The series hasn't skipped a beat, though, and the newest edition highlights another serial litigator with a ridiculous patent. Wetro Lan LLC believes that its US Patent No. 6,795,918 covers Internet firewalls, or as it says, a system of "filtering data packets" by "extracting the source, destination, and protocol information" and "dropping the received data packet if the extracted information indicates a request for access to an unauthorized service."

"This month’s winner is a terrible patent," writes EFF patent lawyer Daniel Nazer. "But it earns a special place in the Pantheon of stupid patents because it is being wielded in one of most outrageous trolling campaigns we have ever seen."

Audio Visuals: These Ice Cream Cones Sure Are Emotional

Wired - Thu, 02/07/2015 - 18:15

This week's music video roundup has everything: love stories, ice cream cones, and Kendrick Lamar.

The ‘Aurorasaurus’ Maps This Year’s Spectacular Auroras

Wired - Thu, 02/07/2015 - 17:51

Scientists are using a combination of outer space technology and crowdsourced observations to map the location of aurora.

Getting a "free" phone now a lot harder in The Netherlands

OS news - Thu, 02/07/2015 - 17:46

Buying a phone in combination with a contract - the mislabeled "free phone" - just became a whole lot more complicated in my home country of The Netherlands. Today, our minister of finance, Jeroen Dijsselbloem (if you follow international news - yes, that one), announced that he is not going to create an exemption in Dutch finance laws specifically for mobile carriers offering "free" phones on contract. Last year, the Hoge Raad der Nederlanden (our supreme court) ruled that if carriers offer a loan of €250 or higher, they need to abide by the same rules as any other company, institution, or entity providing such loans - meaning they will have to perform an income check, check whether people have prior debts, and in general whether their financial situation is sound enough for them to take on a loan for a smartphone. They will also need to be a lot more transparent and upfront about the fact that they are offering a loan, including warnings, the terms, and so on.

This, of course, affects carriers a great deal; a lot of expensive, high-end phones, like iPhones or the latest Galaxy phones, are sold in combination with contracts, their true price hidden in monthly payments. Making it harder for consumers to take on these loans hurts their business model. As such, carriers had asked our minister of finance to create an exemption specifically for them - but he refused.

Carriers are, of course, not happy. T-Mobile, Vodafone, and KPN - our three major carriers - have already voiced their displeasure. They're complaining they will have to make considerable investments to change their sales model, and that it will become a lot harder for customers to buy high-end phones. To be fair to the carriers, all this does mean consumers will have to reveal a considerable amount of private information to carriers if they want to take out a loan to buy a phone. That being said, there are alternatives: carriers could simply charge the price of the phone upfront. This, of course, is not something they want - they'd much rather be a little bit shady and fuzzy about the true price of smartphones. Samsung, Apple, and other smartphone makers surely won't be happy with this either, as they rely on these somewhat shady deals to peddle their wares. Half of Dutch consumers are already on SIM-only contracts, and this will only push more consumers to cheaper phones.

As a Dutchman, I find this great news. My financial means are such that I don't have to worry about this sort of thing, but there are enough people out there for whom this is not the case, and there are certainly quite a few people lured into these seemingly "cheap" phones, only to suffer for it down the line. While I'm sure people living in Libertarian la-la-land will scream bloody murder, the fact of the matter is that if left to their own devices, these companies will abuse people left and right.