Researchers Find Malicious Tor Exit Node Adding Malware to Binaries

The exit node in question was in Russia, and Pitts discovered that the node was actively patching any binaries he downloaded with a piece of malware. He downloaded binaries from a variety of sources, including Microsoft.com, and each of them came loaded with malicious code that opens a port to listen for commands and starts sending HTTP requests to a remote server.

via Researchers Finds Malicious Tor Exit Node Adding Malware to Binaries | Threatpost | The first stop for security news.

From: The Case of the Modified Binaries

Companies and developers need to make the conscious decision to host binaries via SSL/TLS, whether or not the binaries are signed. All people, but especially those in countries hostile to “Internet freedom,” as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear—and all users should have a way of checking hashes and signatures out of band prior to executing the binary.
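One way to do the out-of-band hash check described above, as an added example that is not part of the quoted article. It assumes GNU `sha256sum` is installed; the function names, file names and the "published" digest are constructed for the demo.

```shell
#!/bin/sh
# Added example: only accept a download whose SHA-256 matches a digest
# obtained out of band (for instance, read from the vendor's HTTPS page).

# verify_download FILE EXPECTED_SHA256
# returns 0 on match, 1 on mismatch, 2 on unusable input
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case

    # A SHA-256 digest is exactly 64 hex characters. Reject anything else
    # so an empty or truncated "expected" value can never match.
    case $expected in
        ''|*[!0-9a-f]*) echo "bad digest format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: got $actual" >&2
    return 1
}

# Constructed demo: a stand-in installer and a copy modified in transit.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'original installer bytes\n' > "$dir/setup.bin"
    # Stands in for the digest the publisher lists over a trusted channel.
    published=$(sha256sum "$dir/setup.bin" | awk '{print $1}')

    cp "$dir/setup.bin" "$dir/setup_modified.bin"
    printf 'extra bytes' >> "$dir/setup_modified.bin"   # simulated patching

    r1=0; verify_download "$dir/setup.bin" "$published" || r1=$?
    r2=0; verify_download "$dir/setup_modified.bin" "$published" || r2=$?
    rm -rf "$dir"
    echo "$r1 $r2"    # exit codes for the clean and the modified copy
}

demo
```

A hash check only helps if the expected digest travelled over a channel the attacker on the download path does not control; a digest fetched over the same cleartext connection can be rewritten along with the binary.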

The Horror of a ‘Secure Golden Key’

A “golden key” is just another, more pleasant, word for a backdoor—something that allows people access to your data without going through you directly. This backdoor would, by design, allow Apple and Google to view your password-protected files if they received a subpoena or some other government directive. You’d pick your own password for when you needed your data, but the companies would also get one, of their choosing. With it, they could open any of your docs: your photos, your messages, your diary, whatever.

via The Horror of a ‘Secure Golden Key’.

How a dumb software glitch kept thousands from reaching 911

At first, Intrado thought that the complaints arising from various PSAPs around the country were just isolated, unconnected events — even though alarm bells were going off an hour into the breakdown. Nobody noticed the warnings until it was too late; the server taking note of the alerts categorized them as “low level” incidents and they were never flagged for a human, according to the FCC report.

via How a dumb software glitch kept thousands from reaching 911 – The Washington Post.

PSAP = Poor Sucker At Phone

Remove duplicates without sorting file

Usually whenever we have to remove duplicate entries from a file, we do a sort of the entries and then eliminate the duplicates using “uniq” command.

But if we have to remove the duplicates and preserve the same order of occurrence of the entries, here is the way:

via UNIX Command Line: Remove duplicates without sorting file – BASH.

$ awk '!x[$0]++' file3

From: Unix: removing duplicate lines without sorting

This command is simply telling awk which lines to print. The variable $0 holds the entire contents of a line and square brackets are array access. So, for each line of the file, the node of the array named x is incremented and the line printed if the content of that node was not (!) previously set.
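The same associative-array idiom written out in long form, plus a generalization that goes beyond the one-liner: keying on a single field and keeping counts. This is an added example, not from the quoted posts; the function names and the log lines are constructed.

```shell
#!/bin/sh
# Added example: order-preserving de-duplication with awk.

# dedupe: long form of  awk '!x[$0]++'  (reads stdin)
dedupe() {
    awk '{
        if (!seen[$0]) print    # unset entry evaluates to 0: first sighting
        seen[$0]++              # mark the whole line as seen
    }'
}

# first_seen N: distinct values of field N in first-seen order, each
# prefixed with how many times it occurred (reads stdin)
first_seen() {
    awk -v f="$1" '
        !(($f) in n) { order[++k] = $f }   # remember arrival position
        { n[$f]++ }
        END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }'
}

# Constructed sample: time, source address, event. The last line is an
# exact duplicate of the one before it.
sample_log() {
    cat <<'EOF'
10:00:01 203.0.113.7 login-failed
10:00:02 198.51.100.4 login-failed
10:00:03 203.0.113.7 login-failed
10:00:04 192.0.2.9 login-ok
10:00:05 203.0.113.7 login-ok
10:00:05 203.0.113.7 login-ok
EOF
}

sample_log | dedupe
sample_log | first_seen 2
```

Both functions hold every distinct key in memory, so on very large inputs memory use grows with the number of unique lines or values, not with file size.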

MegaBots At New York Comic Con

The team hopes one day fans will root for bots the way they do for racing’s Jeff Gordon, ultimate fighting’s Ronda Rousey, and boxing’s Floyd Mayweather, Jr.

via MegaBots At New York Comic Con – Business Insider.

In a MegaBots battle, a two-member team sits inside the bot’s upper torso, where the controls systems are housed. Although the co-founders assure me that the pilot and gunner are well protected inside, the situation presents a heightened suspense.

Each 15,000-pound robot is equipped with six-inch cannons inside its arms that fire paint-filled missiles and cannon balls at 120 miles per hour. Good aim can cause enough damage to jam its opponent’s weapons system or shoot off a limb. “These aren’t Rock ‘Em Sock ‘Em Robots,” Stroup laughs.

Official Google Blog: From the height of this place

When data is abundant, intelligence will win
Putting the power to publish and consume content into the hands of more people in more places enables everyone to start conversations with facts. With facts, negotiations can become less about who yells louder, but about who has the stronger data. They can also be an equalizer that enables better decisions and more civil discourse. Or, as Thomas Jefferson put it at the start of his first term, “Error of opinion may be tolerated where reason is left free to combat it.”

via Official Google Blog: From the height of this place.

It then goes on to say this:

The vast majority of computing will occur in the cloud
Within the next decade, people will use their computers completely differently than how they do today. All of their files, correspondence, contacts, pictures, and videos will be stored or backed-up in the network cloud and they will access them from wherever they happen to be on whatever device they happen to hold.

Of course Google wants this, for everyone will need to use services like Google to access their data. Do people really need all their data accessible to them 24/7? Can anyone trust the security of one’s data when placed in the hands of a stranger?

A bird in the hand is worth two in the bush.  There is nothing more secure than a hard drive or more (one or more for backups) in a safety deposit box.   No one needs to access their tax returns from anywhere at any time just because they can.

how Whisper app tracks ‘anonymous’ users

But on Monday – four days after learning the Guardian intended to publish this story – Whisper rewrote its terms of service; they now explicitly permit the company to establish the broad location of people who have disabled the app’s geolocation feature.

Whisper has developed an in-house mapping tool that allows its staff to filter and search GPS data, pinpointing messages to within 500 meters of where they were sent.

via Revealed: how Whisper app tracks ‘anonymous’ users | Technology | The Guardian.

Whisper, which was recently valued at over $200m, has grown rapidly since its launch two years ago. It is among the fleet of confessional apps, such as Secret and Yik Yak, which backers say enable users to be more candid than they are on other social media platforms.

Web app open source alternatives

You can replace a number of popular web apps with solid open source alternatives. If you want to embrace your inner geek, you can even run many of them on your own web server. Or, you can use hosted versions of those apps which will only set you back a few dollars a month.

Let’s take a look at 5 open source alternatives to some popular web apps.

via Web app open source alternatives | Opensource.com.

I have been pleased with ownCloud, which he lists as one of the five. Its install was straightforward, and it works, allowing for easy file sync with my Android tablet using their app as a client and their software on a specified server.

Here’s another one of the five I hadn’t heard before which prompted me to repost this article here:

ownStaGram is a self hosted replacement for Instagram. All you need is a web server that runs PHP and MySQL, and you can install it in a few minutes. From there, you can upload photos from your computer to your instance of ownStaGram. Or, you can use the Android app (which includes several of those hackneyed Instagram-like filters).

I will give ownStaGram a try and post my thoughts soon.

Update: I ran ownStaGram on a Fedora 19 build running PHP 5.5 and a warning message popped up about a deprecated mysql connect method. This is clearly a problem that hasn’t been fixed in quite a while. Tried to download their app from Google Play but couldn’t find it. Some of the comments on the web version of Google Play suggested it was a buggy app which may be why it got pulled.

ownStaGram is a good concept.  I’d love to be able to snap a pic and have it automatically upload onto my local “cloud” device connected only to the local wifi.

Linux Command: xxd


[rmiller@pacific]# echo "hello world" > hello
[rmiller@pacific]# xxd hello
0000000: 6865 6c6c 6f20 776f 726c 640a hello world

So you can use this tool to byte edit files. One rather unusual use I’ve found for it is to paste in an RPM to a system that I only had serial console access to. I just ran xxd on it, copied it into the buffer, and pasted it into a file on the remote server. A quick xxd -r, and voila. RPM.

via Linux Tips and Tricks.

I recently ran across the above blog entry which is from 2010. All these years working with Unix systems and I never knew about this command. When I parse a web site to extract information it’s necessary to output clean and concise ASCII data for my downstream scripts. My Perl scripts that parse HTML do filter this out, but sometimes a funny character gets through. Normally I have been using hexedit to determine the hex code of the offending character and although it works, it’s not as elegant as the above xxd command. Now I can do the following:

xxd offendingdatafile.txt | grep "mystring" | more

The above should simply output lines containing the offending hexcode using grep if I kind of notice a unique searchable string (mystring) before the offending hex character.  I could also:

xxd offendingdatafile.txt > myfile.dat
vi myfile.dat

Instead of using clunky hexedit to search for mystring I can use good old vi.

I’m sure there are lots of other uses for this utility — especially in shell scripts.  Unix has so many commands and I utilize a subset adequate to getting whatever it is I need to do.  Every year I pick up one or two new useful commands that are more efficient and xxd is one of them.
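A way to have xxd point straight at the offending bytes instead of searching its 16-byte rows, where a string that straddles two rows will not match a grep. This is an added example, not from the quoted tip; it assumes `xxd` is installed, and the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: list every byte that is not plain ASCII text, using xxd.

# find_non_ascii FILE -> one "decimal-offset hex-byte" pair per line.
# Allowed bytes: 0x20-0x7e (printable), 0x09 (tab), 0x0a (newline).
find_non_ascii() {
    # -c 1 prints one byte per row, e.g. "00000008: c3  ."
    # Field 2 is the byte in lowercase hex. With one byte per row the
    # awk record number minus one is the byte offset, which avoids
    # parsing xxd's offset column (its width differs between versions).
    xxd -c 1 < "$1" | awk '
        $2 !~ /^([2-6][0-9a-f]|7[0-9a-e]|09|0a)$/ {
            print NR - 1, $2
        }'
}

# Constructed sample: a UTF-8 "é" (c3 a9) and a Latin-1 non-breaking
# space (a0) hidden in otherwise clean ASCII.
make_sample() {
    printf 'name=caf\303\251\tprice=5\240\n' > "$1"
}

sample=$(mktemp) && make_sample "$sample" && find_non_ascii "$sample"
rm -f "$sample"
```

The reported offset can be passed to `xxd -s OFFSET -l 16 FILE` to view the bytes around each hit.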

Snapchat Can’t Stop the Parasite Apps That Screw Its Users

In a statement, Snapchat puts the blame on third party applications like Snapsaved.com that use its API to allow Snapchatters to save its disappearing messages on their devices, or worse yet, on a remote server. “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” a Snapchat spokesperson writes in a statement. “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”

via Snapchat Can’t Stop the Parasite Apps That Screw Its Users | WIRED.

This should have been obvious from the beginning. Nothing can stop an end user from taking a screenshot of an incoming photo. Their “privacy” claim was bogus from the beginning, and I’m not sure why anyone took this business model seriously. More …

But even if Snapchat users’ data was accessed via someone else’s servers, that doesn’t make the breach any less of Snapchat’s problem, says security researcher Adam Caudill. He’s been reverse engineering Snapchat’s API to demonstrate exactly the problem of rogue third party apps for years. “Your average developer can build something in a day’s time that interacts with Snapchat’s API and saves everything that comes through it,” Caudill says. “Quite honestly, I’m surprised this hasn’t happened sooner.”