All posts by Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Facebook Verified App— Not So Verified After All

Every other person out there is developing apps nowadays, and while some apps are good at what they do, others abuse the security of their platform to steal data. In these dire situations, it comes as a relief when the platform starts checking these apps and gives them a badge of trust, like a “verified app”. Almost every app store has a verified app scheme. Android has a top-developer rating, Google Chrome Web Store shows a small green tick and Facebook had a “verified app” scheme too, until December 2009.

With Facebook, the verified app system worked a bit differently. Not only were verified apps supposed to be secure, they also enjoyed certain promotional privileges, all for a price. The scheme reportedly earned Facebook about $95,000 in fees in total. The Guardian writes,

Developers paid Facebook $375, or $175 for a student or non-profit organization, to be given the green tick. Verified apps were given other benefits including prominence in its search results and a higher ranking on the directory of apps.

What if you were using an app that said it was verified, when in fact it had simply been given the badge without any verification? After nearly two years, and because of an ongoing FTC investigation, Facebook's verified app system is now under scrutiny. Seemingly, the verified apps were nothing special: they underwent exactly the same checks as any other app on the Facebook platform. In short, Facebook charged developers for a verification that never happened and sold them a badge.

The Guardian's Josh Halliday brought the matter to public notice, and this makes for hard times at Facebook. Facebook took a blow last Friday too, when it settled the ongoing FTC investigation by agreeing to regular independent privacy audits for the next 20 years.

Although live for only six months, the verified apps system has earned Facebook lasting notoriety. Facebook is yet to respond to the allegation. I seriously hope the response is something substantial, because if the allegation is true, coming from one of the largest internet companies out there, it undermines the whole idea of verified apps.

Bitcoinica Sued for $460,457.70 over Lost Bitcoins Due to Lax Security

Bitcoin grew extremely popular over the last year, though the value of a Bitcoin fell from a whopping $15 to $3. Although it seems to have stabilized at around $9 after a recent rise, the Bitcoin ecosystem is not free of trouble yet. Recently, the flagship Bitcoin trading platform Bitcoinica has attracted a lot of attackers, and there have been two major security breaches there.


Bitcoinica started as a one-man show by Zhou Tong, who soon put together a team to manage the promising business. However, the platform has been upset by repeated hacks, and the response from the people at Bitcoinica is not very promising either. In a disturbing statement made in May, Bitcoinica admitted to having neglected user security, saying,

The recent security breach was not beyond our team’s skills to prevent. We know better. But we did not address relevant issues as quickly as was needed.

Now, users of the Bitcoinica platform are suing it for $460,457.70 over lost Bitcoins. The figure covers the price of the lost Bitcoins plus other damages. Bitcoinica lost 43,554 Bitcoins (worth about $87,000) in the first hack and 18,547 Bitcoins (about $90,000) in the second.

The suit does not come out of the blue, as Bitcoinica promised to cover its users' losses on two occasions: first by promising to repay all Bitcoins lost to the hacks, and later by promising to repay 50% of them. It has failed to live up to its promise both times, and the discontent towards Bitcoinica does not end there: the plaintiffs have also accused it of following corrupt processes.

For a currency system that emerged with a global outlook and a dream of trading free of government intervention, the Bitcoin ecosystem has just fallen flat on its face with these hacks and this court case.

Enter Gauss: A Nation State Sponsored Malware, with a Knack for Bank Accounts

We have seen Stuxnet, designed to attack nuclear plants in Iran; we have seen Flame, designed for mass surveillance of Middle Eastern nations; and we have seen Duqu, the sister trojan of Stuxnet, also aimed at Iran. How low can this cyber-espionage war go? Well, low has a new definition now: a new trojan, Gauss, has been discovered that apparently steals the bank account details of individuals.


The Gauss trojan surfaced as part of the ongoing investigation into Flame. It is believed to have been created in mid-2011 and released within three months. Gauss shows the same level of sophistication seen in Stuxnet and Duqu.

Kaspersky describes Gauss as follows:

In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload, which is activated on certain specific system configurations.

Gauss is based on the Flame platform and performs an array of actions, from infecting USB sticks and stealing browser cookies to listing the contents of system drives and hijacking social networking accounts. It was aimed mainly at
Here is a paper released by Kaspersky Lab on the Gauss trojan [PDF link].

Gauss names its modules after famous mathematicians such as Gauss himself, Lagrange and Gödel. The primary module, which implements the data-stealing capabilities, is called Gauss, hence the name. The main payload, which spreads via USB storage devices, is protected by multiple rounds of hashing and RC4 encryption, and it decrypts only on a machine whose configuration yields the right key. Kaspersky has urged cryptography experts to help with the decryption.
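The reason outside experts were needed is that the payload is environmentally keyed: the decryption key is never stored, it is derived from strings found on the victim's machine, stretched through many hash iterations, and only a hash of the key is shipped so the dropper can tell a match from garbage. The following is an added example of that construction, not code from the page or from the Gauss sample itself; the iteration count, the salt, the choice of Program Files directory names as the environment string and the validator format are all assumptions made for the illustration.

```python
"""Environmental keying in the style of the Gauss payload (constructed example).

The "environment" is a list of directory names found on the host, the key is an
iterated MD5 over one of them, and the payload is RC4-encrypted under that key.
"""
from __future__ import annotations
import hashlib

ROUNDS = 10_000          # iteration count: an assumption for this example
SALT = b"example-salt"   # constructed; not the real sample's salt


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(marker: str) -> bytes:
    """Stretch one environment string into a 16-byte key with ROUNDS iterations of MD5."""
    digest = marker.encode("utf-8") + SALT
    for _ in range(ROUNDS):
        digest = hashlib.md5(digest).digest()
    return digest


def seal(marker: str, payload: bytes) -> tuple[bytes, bytes]:
    """Attacker side: encrypt the payload for one target environment.

    Returns (validator, ciphertext). The validator is a hash of the key, so the
    dropper can recognise the right host without the key ever being stored.
    """
    key = derive_key(marker)
    return hashlib.md5(key).digest(), rc4(key, payload)


def unlock(environment: list[str], validator: bytes, ciphertext: bytes) -> bytes | None:
    """Dropper side: try every candidate string from the host; fire only on a match.

    This is also exactly what an analyst without the target machine has to do:
    guess candidate strings and push them through the same derivation.
    """
    for candidate in environment:
        key = derive_key(candidate)
        if hashlib.md5(key).digest() == validator:
            return rc4(key, ciphertext)
    return None


if __name__ == "__main__":
    # Constructed sample: the target has a vendor directory that a lab box lacks.
    validator, blob = seal("Acme Device Manager", b"stage-two payload")
    print(unlock(["Common Files", "Internet Explorer"], validator, blob))     # None
    print(unlock(["Common Files", "Acme Device Manager"], validator, blob))   # b'stage-two payload'
```

Note that `unlock` doubles as the dictionary attack: the 10,000 MD5 rounds per guess are what make guessing the directory name expensive, and without the right host or a good wordlist of candidate strings the ciphertext tells you nothing, which is why the only productive route left was asking for outside help.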


The Internet Archive Starts Sharing Content Through Torrents

BitTorrent is the fastest and easiest way to transfer and distribute large files. However, for the last few years the world of torrent technology has been trying hard to shed the stigma associated with it. Founders of torrent sites like The Pirate Bay were found guilty, and this poses a huge risk to torrent technology. At this point, any legitimate business based on torrents comes as a ray of hope. A few days ago, we saw BitTorrent trying to clear the name of torrent technology by creating its own content distribution network based on torrents.


This time, the Internet Archive is embracing torrent technology to make thousands of legacy files available to users. The Internet Archive is good at what it does, and with this new distribution strategy it will reach a much wider audience. The files being distributed include old record albums, book collections, movies, radio shows and much more. John Gilmore, co-founder of the EFF, had this to say in the blog post announcing the release:

I supported the original creation of BitTorrent because I believe in building technology to make it easy for communities to share what they have. The Archive is helping people to understand that BitTorrent isn't just for ephemeral or dodgy items that disappear from view in a short time. BitTorrent is a great way to get and share large files that are permanently available from libraries like the Internet Archive.

Not only can you download files, you can also contribute files to the Internet Archive's torrents through http://archive.org/upload or http://archive.org/create. This makes it a true community and provides a long-term solution for archiving files in an easier and better manner.


After Sitting on a Vulnerability for a Month, Nvidia Finally Fixes Its GPU Driver

The relationship between Nvidia and Linux worsens each day, as Linus Torvalds publicly vents his anger at Nvidia. He even went to the extent of uttering the f-word at Nvidia (with a finger gesture) in a public presentation. That should tell us enough, and it is well known that every Linux user has had a bad experience with Nvidia's Linux driver support at some point.


While Nvidia provides the best closed-source graphics driver as compared to AMD, it is not good enough. That is because AMD provides better open-source graphics drivers and some acceptable documentation too, whereas the open-source Nouveau driver for Nvidia hardware exists only because volunteers reverse engineer it. To make things worse, the Nvidia proprietary driver for Linux has just earned even more notoriety.

The proprietary graphics driver released by Nvidia had a serious security flaw, and it was reported to Nvidia more than a month ago. However, Nvidia ignored the vulnerability completely and did not act on it until someone went public. After a month, David Airlie, a well-known Linux graphics developer, published the exploit. Only then did Nvidia come out of its reluctance and decide to do something.

The vulnerability allowed a local user to gain root access. It was blocked by denying user-space access to the registers that could be programmed to redirect the VGA window, which had given an unprivileged process a way to read and write arbitrary physical memory. It affected not only the Linux x86 and x86_64 drivers but potentially the FreeBSD and Solaris ones as well. Nvidia has released a new version of its Unix driver, 304.32, and patched older versions.
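The two things worth checking on a host after a driver advisory like this are the loaded module version and whether the driver's device nodes are open to every local user, since a local-to-root bug in the driver is only reachable by processes that can open those nodes. The following is an added check, not part of the original post or of Nvidia's tooling; the sample `/proc/driver/nvidia/version` text is constructed, and because the page says older branches were also patched, a version below 304.32 is reported as "confirm against the advisory for your branch" rather than as definitely vulnerable.

```python
"""Post-advisory check for the Nvidia Unix driver (constructed example)."""
from __future__ import annotations
import glob
import os
import re
import stat

FIXED_VERSION = (304, 32)   # the release the post names as fixed

# Constructed sample of /proc/driver/nvidia/version for an unpatched box.
SAMPLE_VERSION = (
    "NVRM version: NVIDIA UNIX x86_64 Kernel Module  304.30  Wed Jul 11 22:23:18 PDT 2012\n"
    "GCC version:  gcc version 4.7.1 (GCC)\n"
)


def parse_nvrm_version(text: str) -> tuple[int, int] | None:
    """Pull (major, minor) out of the NVRM banner; None when no driver banner is present."""
    m = re.search(r"Kernel Module\s+(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def predates_fix(version, fixed=FIXED_VERSION) -> bool:
    """True when the version is unknown or older than the fixed release.

    Older branches received their own fixes, so a hit means "check the
    advisory for this branch", not "definitely vulnerable".
    """
    return version is None or tuple(version) < tuple(fixed)


def world_accessible(mode: int) -> bool:
    """Any local user can open the node, which is all the published bug needed."""
    bits = stat.S_IMODE(mode)
    return bool(bits & (stat.S_IROTH | stat.S_IWOTH))


def audit(version_text: str, device_modes: dict[str, int]) -> list[str]:
    """Pure function over the banner text and {device path: st_mode}; returns findings."""
    findings = []
    version = parse_nvrm_version(version_text)
    if predates_fix(version):
        findings.append(
            f"driver {version} predates {FIXED_VERSION}: check the advisory for this branch")
    for path, mode in sorted(device_modes.items()):
        if world_accessible(mode):
            findings.append(
                f"{path} is mode {oct(stat.S_IMODE(mode))}: every local user can reach the driver")
    return findings


def audit_live_host() -> list[str]:
    """Same check against the running machine; [] when no Nvidia driver is loaded."""
    try:
        with open("/proc/driver/nvidia/version") as fh:
            version_text = fh.read()
    except OSError:
        return []
    modes = {p: os.stat(p).st_mode for p in glob.glob("/dev/nvidia*")}
    return audit(version_text, modes)


if __name__ == "__main__":
    # Constructed modes: nvidia0 world read/write (the usual default), nvidiactl group-only.
    for line in audit(SAMPLE_VERSION, {"/dev/nvidia0": 0o20666, "/dev/nvidiactl": 0o20660}):
        print(line)
```

The second finding is the one knob you control while waiting for a driver update: group-restricting the device nodes keeps untrusted local accounts away from the driver, at the cost of GPU access for users outside that group.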

Trolling to Get Faster Answers in the World of Linux?

How would you, a seasoned red wine connoisseur, feel if someone told you that the Château Lafite Rothschild Pauillac does not taste exquisite at all? Well, that was a bad start, and I don't know how wine enthusiasts react to people like that. Perhaps they think of them as being too crude, and just ignore them. I have no idea myself, and by the way, I picked that wine from a list at AskMen. But here is what I have seen happening day in, day out in the world of Linux, and this discussion on Reddit hits the bull's-eye.

So the story goes like this: you don't know how to do something on Linux, so you go and ask a straightforward question online. You will be surprised to see that people do answer, but they won't exactly answer your query. Instead, they will ask you to go and learn five other things surrounding and including what you wanted to know about, and work it out from there. But if you had simply cursed Linux for making it so hard for you, you would have seen tens of thousands of people come to the rescue, offering you more than one way of doing the same thing.


The world of Linux has had this problem for years. Most people are not very helpful, and the help you do get is not very easy to follow either. But then, why does trolling Linux users work? Why do they come in swarms to defend Linux if you simply curse it for being unable to do something?

Here is what I think. When people ask really simple things, they are told to go and learn, because Linux gurus see them as prospective users who, with this kind of help, might learn more and get even more interested in Linux. If, along with your question, you also post what you have tried so far, people will take even more interest and will definitely help you. Looking for a rote solution, on the other hand, is like getting homework help: you get your task done, but you have no idea what to do the next time you hit a variant of the same problem. Trolling gets you exactly that kind of answer, and you are not helping yourself by doing it.

What do you think? Does trolling for answers on Linux work simply because people want to prove that Linux is better?

(Image via XKCD)

Netflix Open Sources One of its Simians for Cloud-Testing

Netflix is known for its Simian Army, which it lets loose on its own service every once in a while to test it. The cloud calls for strict availability and reliability, and the only way to ensure them is stringent testing. Netflix has an amusing nomenclature for its testing strategy: it groups its cloud-testing tools into a simian army. As amusing as that may be, when it comes to implementation the Simian Army is a piece of commendable technical wizardry. Latency Monkey, Doctor Monkey, Janitor Monkey and Security Monkey are all part of the Simian Army at Netflix.


Recently, Netflix decided to share one of its earliest cloud-testing tools with the world, and what better way to share a piece of technology than open sourcing it? Netflix describes Chaos Monkey as:

A tool that randomly disables our production instances to make sure we can survive this common type of failure without any customer impact. The name comes from the idea of unleashing a wild monkey with a weapon in your data center (or cloud region) to randomly shoot down instances and chew through cables — all the while we continue serving our customers without interruption.

Chaos Monkey runs in Amazon Web Services (AWS). It has a configurable schedule that defaults to running from 9 AM to 3 PM, so that instances are killed while engineers are around to respond, and it makes a great tool for system downtime drills.
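The shape of such a tool is small: a time window, an opt-in list of groups, random victim selection and a record of what was killed so the drill can be reconciled against what the service noticed. The following is an added example of that loop, not Netflix's code; the weekday-only rule, the one-instance-per-group-per-run limit and the opt-in flag are assumptions for this illustration, and the cloud call is injected as a plain callable so the logic runs offline.

```python
"""A minimal Chaos Monkey loop (constructed example, not Netflix's code)."""
from __future__ import annotations
import random
from datetime import datetime, time


class ChaosMonkey:
    def __init__(self, terminate, window=(time(9), time(15)), rng=None):
        self.terminate = terminate          # callable(instance_id) -> None; the cloud API goes here
        self.window = window                # default mirrors the 9 AM to 3 PM schedule
        self.rng = rng or random.Random()

    def in_window(self, now: datetime) -> bool:
        """Weekdays only (assumption) and inside [start, end) of the configured window."""
        start, end = self.window
        return now.weekday() < 5 and start <= now.time() < end

    def run_once(self, now: datetime, groups: dict[str, dict]) -> list[tuple[str, str]]:
        """groups maps an auto-scaling group name to {"opt_in": bool, "instances": [ids]}.

        At most one instance per opted-in group is terminated per run; returns the
        (group, instance) pairs so the drill can be checked against monitoring.
        """
        killed = []
        if not self.in_window(now):
            return killed
        for name, group in groups.items():
            if not group.get("opt_in") or not group.get("instances"):
                continue
            victim = self.rng.choice(group["instances"])
            self.terminate(victim)
            killed.append((name, victim))
        return killed


# Constructed fleet: one opted-in group, one opted-out group, one with nothing running.
DEMO_FLEET = {
    "api": {"opt_in": True, "instances": ["i-0a1", "i-0a2", "i-0a3"]},
    "billing": {"opt_in": False, "instances": ["i-0b1"]},
    "idle": {"opt_in": True, "instances": []},
}


def demo(seed: int = 2012) -> dict:
    """Run the same fleet through a working-hours run, an after-hours run and a weekend run."""
    log = []
    monkey = ChaosMonkey(terminate=log.append, rng=random.Random(seed))
    return {
        "weekday": monkey.run_once(datetime(2012, 7, 31, 10, 0), DEMO_FLEET),   # Tuesday, in window
        "after_hours": monkey.run_once(datetime(2012, 7, 31, 16, 0), DEMO_FLEET),
        "weekend": monkey.run_once(datetime(2012, 7, 28, 10, 0), DEMO_FLEET),   # Saturday
        "edges": (monkey.in_window(datetime(2012, 7, 31, 14, 59)),
                  monkey.in_window(datetime(2012, 7, 31, 15, 0))),
        "terminated": log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whatever you pass as `terminate` should carry only the permission to terminate instances in the opted-in groups; a monkey that can reach every account is a drill that can become an outage.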

The world of streaming media is expanding, and high availability is key to the entire industry. Netflix has done a good job of giving something back to its own ecosystem. This is just the beginning, and Netflix plans to release its other simian tools as well.

Artists Get Nothing from Record Labels After Pirate Bay Verdict

The Pirate Bay verdict was announced earlier this year, and it came down hard on them: prison time, and €550,000 to be paid in claims to various record labels. The judgment was passed on the understanding that this money would compensate artists for their losses. However, true to form, the record labels are not giving a single penny to any artist. Instead, they are using the money to strengthen their lobbying efforts by investing it in the IFPI.

The €550,000 figure was arrived at by weighing all the illegal content distributed on The Pirate Bay and estimating what it would have cost had The Pirate Bay bought licences to sell it. The verdict has been passed, and the record labels are already counting their chickens. However, they are finding it hard to recover the money, because the verdict was passed in Sweden while the defendants have no assets there. TorrentFreak quotes a report, saying,

We have filed applications with Sweden’s Enforcement Agency to secure assets to satisfy these funds. So far very little has been recovered as the individuals have no traceable assets in Sweden and the Enforcement Agency has no powers to investigate outside Sweden. There seems little realistic prospect of recovering funds.

Music labels see a potential investment market in this business and do not want to let go of it easily. Moreover, artists never have benefited, and never will benefit, from these copyright claims. It is sad to see them being the silent sufferers in a war the record labels are fighting in their name.

BitTorrent Plans on Remodeling the Entertainment Industry

The internet is a digital content haven. It has created a profitable industry for content producers as well as content hosts. The best thing to have happened, though, is the rise of indie artists. If you are an artist, you no longer need a record label's branding or a million-dollar contract to sell content. All you need to do is pick a content-hosting service, and you are good to go.

Being a proponent of open content, BitTorrent knows this, and it has a grand plan to monetize the massive amount of content flying around. A recent post on the BitTorrent blog announces its desire to monetize the BitTorrent stream. Here is one such monetization plan:

Not only does the BitTorrent Bundle contain exclusive video, artwork and tracks from DJ Shadow’s new project Hidden Transmissions From The MPC Era (1992-1996); a celebration of the vintage years which made Shadow world-famous. It’s also a glimpse into the future of creativity. This is the first BitTorrent Bundle to feature a software package offer from one of our media partners, in what promises to be a groundbreaking experiment.

Under this new model, DJ Shadow is the content producer, and BitTorrent gets a cut from its media partners every time his bundle is downloaded via BitTorrent. In turn, DJ Shadow gets a share of the revenue BitTorrent earns, and everyone goes home happy. This makes sense: at the end of the day the artist is paid well, without all the layers of bureaucracy between the content producer and the revenue source.

Content comes in many forms. We have bloggers on the Internet who are at times better than conventional journalists. We have YouTube artists who at times sing better than the original artists. There are plenty of people on the Internet doing amazing things and teaching others to do them as well. The world has undergone a cultural revolution thanks to the Internet, and digital content is at the heart of it. This remodeling will go a long way towards clearing the stigma attached to torrent technology as something that steals money from artists.

Mozilla, Reddit, WordPress and Others Join Hands to Create the Internet Defense League

The Internet is a wonderful place for activism, and when we speak of activism, what names come to mind? Reddit, 4chan, the EFF? Well, the Internet just got its own vigilante club, with its own bat signal (a cat signal, actually), and the timing could not have been better, with The Dark Knight Rises out this weekend.

The movement is done in style, and it is extremely appealing to geeks and Internet fans. The EFF has done a wonderful job protecting Internet users, though not many people know about it. The purpose of this league is to engage more young people and get them interested in rights and freedom on the Internet. The league was launched yesterday with real cat signals projected in various cities. You can check out the launch page for more details.


An important part of making a statement is understanding your audience, and this might be a point of failure for the Internet Defense League. It starts off with a funny name and takes the fun a step further with the cat signal. At the end of the day, it wants to project itself as a group with strong ethical beliefs and concerns, but these idiosyncrasies might overshadow the seriousness of its cause (though not in my eyes). In other words, good luck explaining the seriousness of your movement to a 60-year-old judge or senator after he sees a cat signal.

If you want to express your support for the movement, head over to their website, join the league and save the Internet.