All posts by Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Reckz0r Hacks Sony, Dox Available on Pastebin as Usual

Reckz0r is a known online hacktivist who has been involved in many online hacks and security breaches. What makes him unique is that he likes to fly solo and regularly exposes (wannabe) security experts who cannot secure their own websites well enough. Nonetheless, Reckz0r has always supported the Anonymous group and is active on Twitter as well.

This time, Reckz0r has brought us some loot from Sony, and dramatically, it appears just in time for the court trials of the LulzSec four. Reckz0r has hacked Sony and posted the looted data on Pastebin. The Pastebin page also gives away an SQL injection vulnerability; however, it seems that not everyone is excited about this hack. Discordian has criticized Reckz0r over this hack, saying most of the data was already in the public domain. He wrote on Twitter, saying,

These websites and emails in that pastebin are ALL publicly available, can you tell me where the vulnerabilities are listed?

The complete release is available on Pastebin.

In other news, Sony has recorded a loss for the fourth year in a row, and the amount this time is ¥457 billion, of which ¥255 billion was in the last quarter alone. For comparison, Sony’s loss in the last fiscal year was ¥260 billion. This year, a large part of this loss is being attributed to the Thailand floods and the tsunami in Japan.

Adobe Photoshop: Need a Security Fix? Upgrade to a Later Version and Don’t Forget to Pay for It!

Adobe has recently posted a security bulletin for Adobe Photoshop, addressing a security vulnerability in the handling of TIFF files. The vulnerability allows arbitrary code execution, giving a cracker control of the whole system. It affects all versions of Photoshop up to and including CS5, on both Windows and Mac.

The vulnerability is specified on Symantec’s Security Focus as:

Adobe Photoshop is prone to a use-after-free memory-corruption vulnerability.
Attackers may exploit this issue to execute arbitrary code in the context of the user running the affected application.
Adobe Photoshop CS5.1 (version 12.1) is vulnerable; other versions may also be affected.

The only solution, which in reality is a non-solution, is to update to Adobe Photoshop CS6, and just in case you were wondering, no, it will not come for free if you already have CS5. With this shoddy decision, Adobe is creating a new trend in the world of security fixes, where a later paid version can be called a fix for an existing vulnerability in an earlier version. In a way, it will force users to upgrade, and while they are at it, Adobe will earn some free cash out of its own fault.

Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Whenever we install software, we agree to an EULA. The same EULA has liability provisions as well, and now that Adobe is (probably) psych-testing its users for this new liability-based business model, someone might just go ahead and file a class action lawsuit in the coming days.

If you want to see this vulnerability in action, proof-of-concept apps are available at this page.

(Via: Slashdot)

Pirate Bay Criticizes Anonymous for Virgin Media DDoS

The UK-based ISP Virgin Media has decided to block access to The Pirate Bay, following a court order. The court order affects five major ISPs in the UK, Virgin Media being the second largest in all of Britain. British Telecom (BT) is still in talks over this matter, in spite of being asked to implement a ban last year. The ban on The Pirate Bay came after the British Phonographic Industry (BPI), which represents a number of media houses, aggressively pursued a case.

Furious over the ban, The Pirate Bay has published enough tips to circumvent it, rendering it useless anyway. On the bright side of things, it has also recorded a traffic boost of 12 million after the court order. However, when Anonymous came out in support of The Pirate Bay and decided to DDoS Virgin Media, The Pirate Bay was not pleased at all. The DDoS was carried out between 5 and 6 PM, and Anonymous took down the Virgin Media website for over an hour.

The Pirate Bay has made it clear that it does not support DDoS as a means of protest.

We believe in the open and free Internet, where anyone can express his or her views. Even if we strongly disagree with them and even if they hate us. So don’t fight them using their ugly methods. DDOS and blocks are both forms of censorship. If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol, print some pro piracy posters and decorate your town with, support our promo bay artists.

With this ban, Virgin Media has become the first UK-based ISP to block The Pirate Bay. Legally, Virgin Media is not at fault here, because it is just following court orders. However, instead of accepting the ban so readily, Virgin should have questioned the decision and followed BT’s example. ISPs should in no way determine what content to push to their users and what to filter; this is against net neutrality and free speech. If they are being forced to censor content, as in this case, it is their rightful duty to question such decisions, as BT did.

Facebook Enters the World of Apps with Its App Center

Facebook has unveiled plans to create an app store exclusively for Facebook. This app store, called the App Center, will run inside the native Facebook apps on the respective platforms. It will offer apps like Pinterest, Spotify, Viddy and many others, all inside the native Facebook app. In addition, the apps displayed on the store will be coupled with a rating system that uses the existing Facebook Insights platform.

Aaron Brady announced the App Center on the Facebook developers Blog, saying,

In the coming weeks, people will be able to access the App Center on the web and in the iOS and Android Facebook apps. All canvas, mobile and web apps that follow the guidelines can be listed. All developers should start preparing today to make sure their app is included in the launch.


The App Center will live at https://www.facebook.com/appcenter, but the page is unavailable at the moment. Currently, all apps that wish to make it into Facebook’s App Center are required to use the Facebook login feature. Apps from the Facebook App Center will be linked to the respective native apps on platforms like Android and iOS. For now, the App Center is not hosting or selling any apps. Its primary focus is creating accurate visibility for apps based on user ratings.

More details on the App store can be found at this page.

With so many app stores around, in order to hit critical mass Facebook’s App Center has to make developers an offer they cannot refuse. Facebook is rightfully venturing out and trying new things, because as far as its user base is concerned, Facebook is already at its peak. Moreover, existing app stores are vastly disorganized, and a rating and review system will create a more competitive platform and bring in the much-needed order.

Massive Dump of Twitter Passwords Appears on Pastebin

Hours after Twitter announced its plan to support one of its users in a court case, and thereby, stand up for the larger cause of online privacy and protection of the First Amendment’s free speech, a massive dox of Twitter accounts appeared on Pastebin. The dump contains nearly 55,000 usernames and passwords. However, it was also found later that many of these login credentials were redundant and some others did not match with any account.

In conversation with CNET, Twitter spokesperson Robert Weeks said,

We are currently looking into the situation. In the meantime, we have pushed out password resets to accounts that may have been affected. For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center.

Twitter has also found that nearly 20,000 of the accounts in the list of 55,000+ were duplicates, and many others did not match any valid login credentials. Still, it was good to see that Twitter took care to force password resets for users whose accounts appeared on that list.

At the moment, it is unclear who carried out this hack and why. The Pastebin page containing the hacked accounts can be found here. However, there might be a relation between Twitter’s announcement to stand up for one of its users in a court case and this hack. Until now, Pastebin has been used by Anonymous for releasing doxes, but a drum roll usually accompanies it.

Twitter Refuses to Hand over Personal Data of a User to the Court

With cybersecurity bills like CISPA floating around waiting to be passed, and their parents SOPA and PIPA defeated, people are more aware than ever of privacy and online security concerns. This is a good time to redefine the handling of some matters, and Twitter has gone a step further by taking its privacy policy seriously. Recently, Twitter took a bold step by standing up for one of its users, who took part in the Occupy Wall Street protests. Those protests saw heavy use of social media, and the Twitter user in question, Malcolm Harris, is being prosecuted for ‘disorderly conduct’ in relation to the Occupy Wall Street protests.

Federal agencies and governments ask for users’ online personal information too often nowadays, and they have intensified their strategy for obtaining this information. Oftentimes, the user is totally unaware of a data request of this nature, and has no chance to react to it in time. In other cases, even after learning of the request, the user is tied up by further legal constraints.

Indeed, even though Twitter provided notice to the Twitter user in this particular case, and even though he was able to get an attorney to file a motion seeking to quash the subpoena, the court found that the Twitter user did not have legal “standing” to challenge the D.A.’s subpoena.

This support shows clearly that Twitter stands for what it believes in, even if it is for one user. The First Amendment has been challenged numerous times, and with every passed challenge, it gets refined and defined better.

Ubuntu Sees Growing Adoption from OEMs, Will Capture 5% of the PC Market Next Year

At the ongoing Ubuntu 12.10 developer summit, Chris Kenyon, the VP of sales and business development at Canonical, has unveiled Ubuntu’s ambitious expansion plans in the PC market. Ubuntu is already collaborating with OEMs to deliver Ubuntu Linux based machines. The good news is that Ubuntu is aiming for a 5% market share in the PC segment.

The advantage of buying a system with Ubuntu or any other Linux flavor pre-loaded is eliminating the time spent on the initial configuration of display drivers, network components and multi-monitor setups. These are common bummers when we try to replace Windows with Linux on a new box. Ubuntu already has an extensive list of supported hardware, and this OEM deal will make hardware support even better.

Phoronix lists some interesting points from Kenyon’s keynote speech.

Here are some of the facts that Kenyon tossed out in his after-lunch keynote:

– Eight to ten million units shipped last year world-wide.

– Canonical will be opening their first Beijing office this year (their Taipei office right now handles most of their Asian operations since 2008).

– Last year Ubuntu shipped on 7.5 billion dollars (presumably USD) worth of hardware.

– Next year they expect to more than double these numbers to 18 million units world-wide, or what Chris says would be 5% of PCs shipping world-wide would be with Ubuntu Linux.

Finally, after years of vendor lock-in, the PC is being freed from its shackles. We hope to see an open hardware market, where the end user has more choices and there is more than one prominent software development ecosystem.

The Ubuntu Developer Summit is taking place from the 7th of this month and will continue until the 11th. The complete event schedule can be found here. The events to watch out for include the ones titled Next Steps for Hadoop on Ubuntu, App Developer Events and Ubuntu Mobile Use-cases, and all events that focus on Ubuntu TV.

BitTorrent Might Soon Be Known as Gyre Inc.

Judging by some changes in the latest release of uTorrent, it looks like BitTorrent is up for a company rebranding. The uTorrent about page in build 27147 of version 3.3 Alpha listed not BitTorrent, but Gyre Inc. as the company. The name has been changed back in subsequent builds, but it sparked an investigation, and TorrentFreak has found some interesting facts.

Notice how the company name flip-flops between Gyre Inc. and BitTorrent.


BitTorrent was approached by TorrentFreak with specific questions about this rebranding. While they did not dismiss the rebranding completely, they attributed the appearance of that name to a programming error. Ernesto, who investigated the matter over at TorrentFreak, writes,

TorrentFreak contacted BitTorrent Inc. to find out more, and we were told that Gyre Inc. was listed there because of a “coding error.” The company didn’t want to confirm or deny the existence of a rebranding exercise, but did say that they “regularly test new brand and product names internally.”

However, Ernesto found out that the iceberg goes deeper than this tip. Gyre Inc. was registered in January this year and lists BitTorrent CEO Eric Klinker as the service agent. Moreover, the company address is identical to that of the BitTorrent San Francisco office.

The name Gyre Inc. also appears in the Share app released by BitTorrent, and that is definitely not a branding test. Perhaps this rebranding will let BitTorrent shed the piracy stigma associated with the word torrent. Whatever the case may be, BitTorrent seems to be in transition to Gyre Inc., and we hope to get some official word on this matter soon.

Discovery Channel Thinks Web, Acquires Revision3 for $30 Million

The video-watching consumer group is divided into the world of web-video fans and regular cable TV viewers. Web video is extremely popular with the younger generation. The size of the web-video industry will hit critical mass someday, and Discovery Communications foresees this just in time. The Discovery Channel is announcing that it has just acquired Revision3, the epic web-video company. Revision3, too, has confirmed the deal in a statement of its own.
Revision3 was founded in 2005 by Kevin Rose. Its biggest strength is the coverage of niche topics, which helped it gain a huge viewer base over a short span of time. Revision3 has a completely different business model from cable TV. Most of the content on Revision3 is produced independently, and Revision3 only takes care of marketing and distribution.

The deal will close on June 1, and all of Revision3’s 50 employees will stay. Discovery had not delved into web video until now, and airs most of its shows on cable TV. This acquisition will let it better explore the world of web video for its business.

Discovery Digital’s JB Perrette remarks on the acquisition, saying,

We want them to continue doing what they’re doing, and to continue developing native digital talent.

We produce content on a $500,000 to $750,000-an-hour scale. Producing something at a tenth of that cost means it has to be very different.

After this acquisition, one of two things can happen. With the backing of Discovery, Revision3 can emerge as a leading web-video content provider, since Discovery’s association will bring Revision3 shows better advertising deals and sponsorship. However, this is possible only as long as Revision3’s current style is not disrupted in any way by Discovery. That said, Discovery has some great minds in its arsenal, and with proper management, this acquisition might just create synergy.

Judge Rules That an IP Address is Not Equivalent to a Person

Over the last few years, copyright owners have walked into courthouses armed with nothing but an IP address, and have claimed exorbitant amounts in copyright infringement cases. However, recent rulings in similar cases are changing this trend and making things a bit more difficult for copyright holders. In a recent BitTorrent case, Judge Gary Brown dismissed an IP address as evidence against an individual for downloading copyrighted material, and gave ample explanation for this dismissal.

Judge Gary Brown talks about the current trend in BitTorrent cases, saying:

The assumption that the person who pays for Internet access at a given location is the same individual who allegedly downloaded a single sexually explicit film is tenuous, and one that has grown more so over time.

He also summed up how weak a copyright infringement case is when an IP address is presented as the only evidence, in these lines:

An IP address provides only the location at which one of any number of computer devices may be deployed; much like a telephone number can be used for any number of telephones.

As has been known since the early days of networking, the IP address of a computer inside a private network is valid only inside that network. As soon as the computer connects to an external address through a router, the router performs network address translation (NAT). Whenever a data packet is sent back to a computer on another network, it is sent to the router, and the address the outside world sees is the router’s IP address, not the computer’s.

With more than 60% of American households’ Internet connections being wireless, there are numerous John Does piggybacking on unsecured Wi-Fi networks.
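The two paragraphs above describe why a public IP address identifies a router, not a person. The following toy model of port-based NAT, an added illustration that is not part of the original article, makes that concrete: three LAN hosts (a subscriber’s laptop, a subscriber’s phone and an unknown Wi-Fi client, all constructed with documentation-range addresses) connect to the same external server, and the server can only ever log the router’s single public IP. Only the router’s live translation table can map a public port back to a LAN host, and that table exists only while the connections are open.

```python
"""Toy port-based NAT model (added example, not from the article).
All IP addresses are constructed documentation-range values."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Every outbound (LAN ip, LAN port) flow gets its own public port."""
    public_ip: str
    next_port: int = 40000
    # (lan_ip, lan_port) -> public port chosen for that flow
    outbound: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # public port -> (lan_ip, lan_port); this is the only place the
    # LAN identity survives, and only for the lifetime of the flow
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so it carries the router's public address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Packet:
        """Deliver a reply addressed to the public IP to the right LAN host."""
        lan_ip, lan_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


PUBLIC_IP = "203.0.113.7"            # constructed: the subscriber's router
TRACKER = ("198.51.100.20", 6969)    # constructed: an external server
LAN_HOSTS = {                        # constructed LAN population
    "192.168.1.10": "subscriber laptop",
    "192.168.1.11": "subscriber phone",
    "192.168.1.42": "unknown Wi-Fi client",
}


def run_session(router: NatRouter) -> List[Packet]:
    """Each LAN host opens one flow to the tracker; return what the tracker sees."""
    seen = []
    for i, lan_ip in enumerate(LAN_HOSTS):
        inner = Packet(lan_ip, 50000 + i, *TRACKER)
        seen.append(router.translate_outbound(inner))
    return seen


def sources_visible_to_server(server_view: List[Packet]) -> Set[str]:
    """The outside party can log source IPs only; they all collapse to one."""
    return {p.src_ip for p in server_view}


def resolve_at_router(router: NatRouter, public_port: int) -> str:
    """Only the router's live table can say which LAN host used a public port."""
    lan_ip, _ = router.inbound[public_port]
    return lan_ip


if __name__ == "__main__":
    router = NatRouter(PUBLIC_IP)
    view = run_session(router)
    print("server sees source IPs:", sources_visible_to_server(view))
    for p in view:
        who = LAN_HOSTS[resolve_at_router(router, p.src_port)]
        print(f"  public port {p.src_port} -> {who} (known only to the router)")
```

Running the block prints a single source IP for three different devices; the per-port mapping back to "subscriber laptop" or "unknown Wi-Fi client" is available only from the router’s own state, which is exactly the gap the ruling points at.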

Also read about a similar ruling, that was passed by a judge in an Illinois case, last year.