All posts by Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Microsoft Finally Sees the Evil in CISPA, Backs Out

Earlier this year, a draconian bill called SOPA troubled the Internet for months. After months of protests and pleas, it was finally withdrawn at the last stage. However, that was not the end of it. Now, CISPA has arrived to haunt us. CISPA is a less aggressive version of the SOPA bill that threatens online privacy. It grants unquestionable powers to Internet and telecom companies, allowing them to spy on their users with zero accountability.
CISPA has passed the House of Representatives and now awaits the President’s approval. However, President Obama has declared that he will veto the bill.

The U.S. House of Representatives approved CISPA by a 248 to 168 margin yesterday in spite of a presidential veto threat and warnings from some House members that the measure represented “Big Brother writ large”.

Like SOPA, CISPA also saw an array of supporters from big names in the world of technology and just like with SOPA, Microsoft offered the CISPA bill its support earlier. However, in a recent development, Microsoft has decided to back out of support for CISPA. In conversation with CNET, Microsoft said it wants to honor the “privacy and security promises” it makes to its customers.

Dan Auerbach at the EFF appreciates Microsoft’s move, saying,

We’re excited to hear that Microsoft has acknowledged the serious privacy faults in CISPA. We hope that other companies will realize this is bad for users and bad for companies who may be coerced into sharing information with the government.

CISPA is an evil bill. It grants law enforcement agencies powers to spy on people without requiring any provision by the law. This bill puts law enforcement agencies above the law by waiving all privacy laws related to cyber security. This is beyond disastrous. CISPA must be stopped.

Also read: Microsoft’s initial statement of support for CISPA


Firefox 13 Beta Ships with SPDY Enabled by Default

SPDY got a major push yesterday, with Firefox finally making the move to SPDY. The latest beta of Firefox 13 arrived with SPDY enabled by default, and this makes SPDY a primary candidate in the world of application layer protocols. Besides Internet Explorer, Firefox and Google Chrome are the two major browsers by market share. Google Chrome has shipped with SPDY for a long time now; Firefox has had SPDY present since version 11, but it was turned off by default. Finally, after a series of bug fixes, SPDY has made it to the latest beta of Firefox 13.

Apart from SPDY, Firefox 13 will have major behind-the-scenes changes and some long-awaited UI changes too. Firefox 13 brings the much awaited speed dial, which is a necessity for any modern browser. Firefox 13 will also turn on smooth scrolling and on-demand tab loading when opening tabs from a saved session.


When Google announced SPDY for the first time, it was unclear whether it would catch on against the well-established HTTP protocol. SPDY was invited to be a part of the new HTTP standard, and things were off to a promising, if slow, start. However, Google has also taken the alternate path of establishing a presence on major browsers first, and then creating a lock-in situation so that SPDY ends up as a web standard anyway. Nevertheless, to survive the competition with a rapidly developing browser like Google Chrome, Firefox has to improve on speed, and SPDY will be a good start.

The release notes for the latest beta can be found at this page.

German Court Rules Against a Bank Client in a Phishing Case

A German court has ruled against a disgruntled client, who sued his bank over a phishing case. The client claimed to have lost €5,000 ($6,608) in a fraudulent transfer, where the amount was sent to an account in Greece. The Sparda Bank customer in question had entered his Transaction Authentication Number (TAN) code into a phishing website that was designed to look like his bank’s website.

A TAN code is a one-time password used for two-factor authentication. Sparda Bank, or any other bank for that matter, warns its customers of phishing attacks repeatedly. In this case, the negligent user entered his TAN codes into the phishing website over ten times. The bank’s argument in the case was that having to enter the code ten times should have raised an eyebrow.

One-time passwords are a standard (though not entirely secure) authentication method used by many banks across the world. In Germany, Sparda Bank is one of the few banks to stick to the iTAN procedure. For most banks, these codes stay valid for a maximum of 24 hours after generation. However, in this case, the transaction occurred three months after the codes were entered into the phishing website. Surprisingly, the TAN codes were still valid after more than three months!

This case might create a new storyline in the world of phishing and let banks wash their hands of cases where they themselves are guilty of lax security measures. Clearly, the bank too has a responsibility here, because its TAN codes, once generated, remain valid three months later, which should not be the case.

Negligent customers can and will blame banks for their losses in phishing cases. With reports of phishing attacks in Germany going up by 82% over the last year, perhaps it is time banks and all financial institutions up their security measures, to protect their users from the phishing industry.

The Long Awaited Ubuntu 12.04 is Here Finally

We have been hearing about Ubuntu 12.04 Precise Pangolin and how awesome it is going to be, for quite some time now. The wait is finally over, and Ubuntu 12.04 has been released. It sports some bold features, and the fact that this is a long-term release (LTS) makes Ubuntu 12.04 even more special.

This release will be supported with updates and fixes for the next five years, and this will call for an upgrade across many Ubuntu installations that are still on the previous LTS release. Moreover, Ubuntu also supports Hyper-V for virtualization on a Windows server.
The Fridge writes on this release, saying,

The Ubuntu team is very pleased to announce the release of Ubuntu 12.04 LTS (Long-Term Support) for Desktop, Server, Cloud, and Core products. Codenamed “Precise Pangolin”, 12.04 continues Ubuntu’s proud tradition of integrating the latest and greatest open source technologies into a high quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing a few new features and improving quality control.

Ubuntu is known for bringing new UX features to the table. With a significant growth in the server business, it has managed to register another win. Recently, HUD and Ubuntu for Android turned quite a few heads and this release of Ubuntu 12.04 lives up to the hype that was built over the last few months.

You can find different versions of Ubuntu at the release page. A tour of Ubuntu is also available online, at this page. However, if you are looking for direct download links for the English desktop version, you can download the 32-bit desktop CD or the 64-bit desktop CD ISO image.

Linus Torvalds Nominated for the 2012 Millennium Technology Prize

Linus Torvalds has been nominated for the Millennium Technology Prize for 2012, alongside Dr. Shinya Yamanaka. Dr. Yamanaka is an eminent stem-cell researcher and Torvalds is the creator of the Linux kernel. The award is given out every two years. Put in a single line, this is the most fitting description of the award:

The prize seeks to highlight innovations that assist and enrich our everyday lives today as well as in the future.

Linus Torvalds has been nominated for the award for his efforts with the legendary Linux kernel.

In recognition of his creation of a new open source operating system for computers leading to the widely used Linux kernel. The free availability of Linux on the Web swiftly caused a chain-reaction leading to further development and fine-tuning worth the equivalent of 73,000 man-years. Today millions use computers, smartphones and digital video recorders like Tivo run on Linux. Linus Torvald’s achievements have had a great impact on shared software development, networking and the openness of the web, making it accessible for millions, if not billions.

Torvalds is one of the most respected men in the world of software. He has made considerable efforts to build and maintain an OS kernel that changed the way software is done. He has created a new storyline in the world of software development, and we all are parts of that story. Over two decades have passed since the first release of the Linux kernel and it has improved vastly, with timely support for new hardware.

Although some may argue that the Linux kernel is a one-man show, it really is a community effort. Linus truly deserves this award for bringing together an awesome group of selfless people and creating a better world for us all.

(Via: The Verge)

Twitter Lights Up the Path for a Better World of Patents

Twitter has revealed its plan to introduce fairness in the world of patents and is making the first move with a draft of the “Innovator’s Patent Agreement” or the IPA. Twitter holds a bunch of patents and wants to make sure that the actual innovator who worked on the patented technology has a say in lawsuits involving the patent.


Adam Messinger, VP of Engineering at Twitter, writes on the official Twitter blog, saying,

The IPA is a new way to do patent assignment that keeps control in the hands of engineers and designers. It is a commitment from Twitter to our employees that patents can only be used for defensive purposes. We will not use the patents from employees’ inventions in offensive litigation without their permission.

Twitter dreams of a world where innovation is not hampered by patent trolls. It dreams of a world with proper use of patents. According to the IPA, the inventor’s rights to a patent remain even after it is sold to a third party. This ensures patents are not misused by trolls, and it is a significant improvement over the current disorganized world of patents. However, one important point to remember here is that ownership of the patent still lies with the patent owner, and the inventors are only a part of the decision-making process in case of disputes.

Twitter is undoubtedly being a trendsetter in this case. However, for this model to gain a respectable amount of acceptance, more companies should embrace it.

Anonymous Brings Down the Great Firewall of China with a Massive Hack

After a long inactive period, Anonymous has resurfaced with a massive hack in China. Nearly 500 websites have been hacked in this operation, and the attacks have been carried out by an Anonymous group based in China. A Chinese Anonymous Twitter account was created to announce this operation, involving the takedown of government websites, contractors and several trade groups. This marks the most successful hack by the Anonymous faction, because the Great Firewall of China was believed to be impenetrable until now.

Anonymous China started announcing the hack on a Twitter account, @AnonymousChina. However, the account was taken down later and all its tweets were removed. Nonetheless, Anonymous China has another Twitter account in place (WeWorkForGlobal) to spread its propaganda. Most of the hacked websites are still showing a message from Anonymous. It was reported that some of these websites came back online for a brief period, only to be DDoSed again. The complete list of hacked websites can be found on this page.

The message on all the hacked websites reads,

Hello, everyone! Message to the Chinese government: Over the years, the Chinese communist government to unfair laws and unhealthy process to control the people. Dear Chinese government, you is not never fall, and today the website is black, tomorrow is your evil regime fell. So do not think we will give up, never give up. All you have done to the people today, tomorrow will double back. Not a hint of tolerance. No one can stop us, not your anger, nor your arms. Not deter us, because you can not be intimidated by the thought. Chinese friend’s message: You have been in a do not understand you suffer under the tyranny of the government. We are with you. At this point, here with you. Tomorrow and beyond will be to ensure your freedom. We never give up. Do not give up hope, and revolution created since your heart. The silence of other countries has highlighted the fact that China’s lack of democracy and justice. This is intolerable. We are fully committed to fighting for your freedom.

Just last week, one of China’s defence contractors, China National Import & Export Corp. (CEIEC), was hacked by a hacker who likes to call himself Hardcore Charlie.

This breach of the Great Firewall of China proves the futility of government-regulated censorship of this form. However, the matter might not end here. China itself has many pro-government hackers, and they might retaliate with a counter-attack or a dox of the hackers involved in this breach. We have seen Anonymous getting pwned by the ruthless Mexican drug mafia earlier. Let us just hope that this does not end up in bloodshed.

Visa and MasterCard Warn of a Massive Data Breach at Global Payments

In the latter half of last week, Visa and MasterCard sent out notices to several banks asking them to verify a security breach. The massive scale of the breach generated enough noise to come to their notice, and although they did not name any credit card processor responsible for this breach, it has been identified recently as Global Payments.

Payment processors are used to send your credit card information to a bank in an encrypted format, so that it stays safe from prying eyes. Most of the confirmed breaches in this case are believed to have happened at parking garages across the New York City area. This massive security breach has resulted in 10 million stolen credit card details. However, the worrisome part is that enough data was stolen in the breach that counterfeit credit cards can be created from those details.
Global Payments has explained its position in the matter with a statement saying,

In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter.

Payment processors form a critical part of payment systems and are the most attacked financial institutions too. Just last year, an Indian payment gateway took a hit that resulted from an SQL injection attack. Credit card information is extremely sensitive from a privacy perspective. In the event of a breach, the company should act responsibly and proactively, and should issue fair warnings and notices immediately. This goes a long way towards building trust in financial businesses. Kudos to Brian Krebs for bringing this to everyone’s notice.

US Senators Urge Employers Asking for Facebook Passwords to be Put Under Investigation

Over the last week, Facebook has gained quite some attention and some positive karma by announcing that it will not tolerate employers asking for passwords of user accounts. This announcement has led to a mini-drama with the news world reporting that Facebook will sue any employer asking for passwords, and Facebook issuing a clarification that it does not intend to sue any employers as yet, but some legal actions can be taken nonetheless.

The recent development in this whole play has become quite the anti-climax for Facebook. US senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT) have urged the Attorney General, Eric Holder, to investigate this brewing drama and unravel whatever truth there is in the matter.

Nathan Ingraham at The Verge reports this request by the senators, saying,


the senators want to know if this practice would violate the Stored Communications Act (SCA) or the Computer Fraud and Abuse Act (CFAA) — the SCA gives fourth amendment-type protection to online communications, while the CFAA prevents intentional access to information stored on a computer without authorization. Blumenthal appears particularly concerned about this issue: only a few days ago, he started drafting a bill that would prohibit such requests.

Not only this, a number of government representatives have come out claiming that they are in the process of either drafting or introducing a bill that handles these issues. As it turns out, the US government is taking this growing practice by employers seriously, and the matter is already being taken care of.


Government of Iceland Plans a Migration to Open Source Software

The Government of Iceland has started a one-year migration plan for all its public offices. As part of this plan, all public administration will be moved to use open source software in their daily operations. This includes all the ministries, the national hospital and the capital city of Reykjavik. A popular software programmer and OSS enthusiast from Iceland named Tryggvi Björgvinsson is heading the migration project.
The statement from the Prime Minister’s Office reads,

The government of Iceland has agreed on a policy regarding free and open-source software. The policy states, among other things, that when purchasing new software, free and open-source software and proprietary software are to be considered on an equal footing, with the object of always selecting the most favorable purchase.

The document [PDF link] outlining the Icelandic Government’s open source policy mentions five important points. The most important of these decisions is that there will be no discrimination between free and open source software and proprietary software when making new software purchases. The policy also promotes the use of FOSS in education.

With this migration, Iceland will join an array of countries in Europe that are saving considerable government budgets otherwise spent on proprietary IT solutions. It will also boost the development of selected projects and increase their credibility. Moreover, the use of open source in governments bolsters existing FOSS projects and encourages a healthy and competitive ecosystem.

Facebook Discards Rumors About Suing Employers

Facebook has recently stepped up its efforts to combat organizations that have made it a practice to ask job applicants for their Facebook account credentials as part of their recruitment strategy. This is a direct violation of the privacy of Facebook users. Moreover, the activities of a user on Facebook should in no way decide his chances of being hired by a company.

The good news is that Facebook knows this and is willing to respect the privacy of its users. In a post titled “Protecting Your Passwords and Your Privacy”, Facebook has made it clear that it will not tolerate employers asking for user-account details anymore.

The Chief Privacy Officer at Facebook, Erin Egan, writes,

Facebook takes your privacy seriously.  We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges.

While we will continue to do our part, it is important that everyone on Facebook understands they have a right to keep their password to themselves, and we will do our best to protect that right.

Now, Facebook was not exactly precise on the nature of the legal action they would take, and everyone thought it was wise to assume the worst. Seeing this publicity go the absolute wrong way, Facebook has come up with a clarification. It has now issued a second statement discarding any possibility of it suing employers. Although Facebook has decided to take necessary legal actions, suing employers is not on their list of things to do.

We don’t think employers should be asking prospective employees to provide their passwords because we don’t think it’s the right thing to do. While we do not have any immediate plans to take legal action against any specific employers, we look forward to engaging with policy makers and other stakeholders, to help better safeguard the privacy of our users.

Redditor Uncovers the Mystery Behind the DuQu Trojan

Although a large part of the DuQu trojan was confirmed to have been written in C++, Kaspersky could not reach a conclusion about a particular section of the code. This section handles the communication with the command and control servers and is contained inside the payload.dll file. It is believed to have been written in an object-oriented language, and Kaspersky Lab engineer Igor Soumenkov says,

The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.

This mysterious section of code receives instructions and returns stolen data. Kaspersky Lab turned to enthusiastic programmers and asked for help in deciphering the doubtful section of code. Reddit, being the awesome community that it is, offered some timely help.

It is interesting to note that the mystery man who demystified DuQu is none other than Igor Skochinsky, who reverse-engineered the Kindle in early 2008. You can always visit his blog to refresh your memory. He goes by the handle igor_sk on Reddit, and his exact comment on DuQu was,

I can say with some certainty that the code in the snippets comes from the MSVC compiler, since its register allocator tends to use esi first. “pop ecx” instead of “add esp, 4” is another MSVC trait. Have a look at this presentation for a more formalized approach to compiler detection.

When confronted with the fact that Kaspersky had debunked the possibility of the code being compiled with the MSVC compiler, he boldly claimed that the guys at Kaspersky were wrong. Redditors never fail to amaze me. This vital piece of information will be useful when dealing with the DuQu trojan and stopping its communications with the command and control servers.
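As an added illustration of the compiler-fingerprinting idea in igor_sk’s comment (this is example code written for this page, not Kaspersky’s or Skochinsky’s tooling, and it does not touch DuQu itself), the scanner below looks for the two MSVC traits he names in a text disassembly: `pop ecx` used to discard a single 4-byte argument after a `call`, and `esi` being the first callee-saved register a function pushes. The two listings are constructed by hand in IDA-like syntax; the scores are a heuristic, not proof.

```python
"""Constructed heuristic: score a 32-bit x86 listing for two MSVC code-generation traits."""
import re
from collections import Counter

# Constructed listings (not DuQu code). The first mimics MSVC output, the second gcc output.
MSVC_LIKE = """
sub_401000:
    push    ebp
    mov     ebp, esp
    push    esi               ; esi is the first callee-saved register used
    mov     esi, ecx
    push    offset aHello
    call    _puts
    pop     ecx               ; MSVC: discard one 4-byte argument with a pop
    push    8
    call    _malloc
    pop     ecx
    pop     esi
    pop     ebp
    retn
"""

GCC_LIKE = """
sub_8048400:
    push    ebp
    mov     ebp, esp
    push    ebx               ; gcc typically reaches for ebx first
    sub     esp, 4
    push    offset aHello
    call    puts
    add     esp, 4            ; gcc: explicit stack adjustment after the call
    push    8
    call    malloc
    add     esp, 4
    mov     ebx, [ebp-4]
    leave
    retn
"""

CALL_RE = re.compile(r"^call\b")
POP_ECX = re.compile(r"^pop ecx$")
ADD_ESP4 = re.compile(r"^add esp, (4|0x4)$")
PUSH_REG = re.compile(r"^push (ebx|esi|edi)$")
PROLOGUE = ("push ebp", "mov ebp, esp")


def _normalize(listing: str) -> list[str]:
    """Strip comments, labels and blank lines; collapse whitespace to one space."""
    out = []
    for raw in listing.splitlines():
        code = raw.split(";", 1)[0].strip()
        if not code or code.endswith(":"):
            continue
        out.append(re.sub(r"\s+", " ", code))
    return out


def compiler_traits(listing: str) -> dict:
    lines = _normalize(listing)
    traits = {"pop_ecx_cleanup": 0, "add_esp_cleanup": 0, "first_saved_reg": Counter()}
    for i, line in enumerate(lines):
        # Trait 1: how is a single 4-byte argument removed right after a call?
        if CALL_RE.match(line) and i + 1 < len(lines):
            nxt = lines[i + 1]
            if POP_ECX.match(nxt):
                traits["pop_ecx_cleanup"] += 1
            elif ADD_ESP4.match(nxt):
                traits["add_esp_cleanup"] += 1
        # Trait 2: which callee-saved register is pushed first after the frame setup?
        if line == PROLOGUE[0] and i + 1 < len(lines) and lines[i + 1] == PROLOGUE[1]:
            for follow in lines[i + 2:i + 6]:
                m = PUSH_REG.match(follow)
                if m:
                    traits["first_saved_reg"][m.group(1)] += 1
                    break
    return traits


def msvc_score(traits: dict) -> int:
    """0 to 2: one point per MSVC trait that dominates in the listing."""
    score = 0
    if traits["pop_ecx_cleanup"] > traits["add_esp_cleanup"]:
        score += 1
    regs = traits["first_saved_reg"]
    if regs and regs.most_common(1)[0][0] == "esi":
        score += 1
    return score
```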

Firefox 14 to Come with Built-in PDF Support

With all the recent changes in the web technology stack and the advancements in web browsers, third-party plugins are becoming a thing of the past. A decade ago, Adobe thrived on a business based around providing an extra layer on top of the web: Adobe gave us PDF readers and Flash for the web. However, with HTML5, videos do not need a Flash container to run inside a browser. When it comes to PDF files, Google Chrome has already devised a way to display PDF files in a web browser, and now Firefox has deployed its own solution to display PDF files in the browser.

PDF.js is a well-known script that successfully renders PDF files with HTML and JavaScript. It can be installed as an extension. However, the good news is that the latest nightly version of Firefox 14 ships with PDF.js built in. This is a major improvement, as it adds default PDF support to Firefox. Although the PDF rendering from PDF.js is not as smooth as Adobe Reader, it is worth the freedom.

Dr. Andreas Gal, the Director of Research at Mozilla, writes about the benefits of the PDF.js extension, saying,

The traditional approach to rendering PDFs in a browser is to use a native-code plugin, either Adobe’s own PDF Reader or other commercial renderers, or some open source alternative (e.g. poppler). From a security perspective, this enlarges the trusted code base, and because of that, Google’s Chrome browser goes through quite some pain to sandbox the PDF renderer to avoid code injection attacks. An HTML5-based implementation is completely immune to this class of problems.

Adobe plugins have attracted security vulnerabilities for too long, and with Flash losing ground, we are finally moving towards a truly open web without any proprietary layers on top of it. The PDF.js project is developed openly and can be found on GitHub.

Shuttleworth Highlights the Growth of Ubuntu in the Enterprise Server Business

For years, the Enterprise Server business has been dominated by Linux distributions. Debian and CentOS are the most popular of these distributions with 9.8 and 9.1 percent of total market share, respectively. However, over the past year, Ubuntu has been rising in popularity to threaten Red Hat’s position as the third most popular Linux distribution for servers.

Ubuntu is preferred on the server because of its LTS releases, which are supported with updates for many years. Moreover, it has a large base of zealous users who participate closely in its affairs. This gives Ubuntu servers excellent hardware support, security, timely updates and ease of installation.

However, Shuttleworth attributes the growth of Ubuntu Server business to the enhanced focus on quality.

The key driver of this has been that we added quality as a top-level goal across the teams that build Ubuntu – both Canonical’s and the community’s. We also have retained the focus on keeping the up-to-date tools available on Ubuntu for developers, and on delivering a great experience in the cloud, where computing is headed.

However, the data referred to by Shuttleworth in his blog post cannot be taken at face value. The graph that Shuttleworth used to bolster his claims was derived from public websites as a whole, not just enterprise business. Nonetheless, Red Hat has built a billion-dollar business around enterprise servers, and the slightest hint that Canonical is about to overtake Red Hat with Ubuntu can shake things up in the world of Linux-based server distros.

Nouveau Moves out of Staging, Releases Same-Day Driver for the First Time

The Nouveau project made two awesome announcements recently. While the first one was related to the latest Kepler chipset released by NVIDIA, the second one was about a long-term change in the project that will be appreciated by the entire FOSS and Linux community.

Recently, NVIDIA has released the GeForce GTX 680, the first NVIDIA GPU with the all-new Kepler architecture. As always, it was released with the official binary drivers.

Nouveau is a software project aiming to develop free software drivers for NVIDIA graphics cards, by reverse engineering NVIDIA’s current proprietary drivers for Linux.

Usually, work on Nouveau drivers starts once the binary drivers are out and available for download. This involves months of reverse engineering the binary drivers. However, to everyone’s surprise, Ben Skeggs from Red Hat managed to reverse engineer the binary driver and commit the reverse-engineered code to the Nouveau DRM repository within hours of the launch of the official GPU. Effectively, this made Nouveau drivers available on the same day as the official GPU release.

Although the driver is a bit bland, it does the job nonetheless. This was a major breakthrough for the Nouveau project. Although NVIDIA does not officially support the Nouveau project, it allows this reverse engineering and the project has thrived on this very fact. However, this quick release has raised many questions and we cannot overlook the possibility of NVIDIA’s involvement in this release.

The second breakthrough is the state of the project. The Nouveau driver was a staging driver until now. It was considered stand-alone and was not merged with the mainline Linux kernel for technical reasons. Finally, the driver has moved out of staging. It has found a place in the mainline Linux kernel, and it will be available from kernel version 3.4.