Tuesday, 6 March 2018

On 10:34 by Vismit Rakhecha
Earlier today, Reddit CEO Steve Huffman, known on his own site as /u/spez, responded to allegations concerning the integrity of the popular website.
This comes hot on the heels of sitewide complaints against a group of users posting in /r/the_donald, a subreddit dedicated to discussing US President Donald Trump and his various statements and policies. Having grown in popularity throughout the 2016 election season, the subreddit has over time drawn criticism for the content and commentary it attracts, alongside an uptick in pro-Russian posts that spilled into other areas of the site.
Reddit users have since questioned the administrators' ability to quell such mass violations of the site's policy.
Huffman stated that the site had removed "a few hundred accounts" that linked directly to propaganda sources, among them the now-deleted Twitter account @TEN_GOP. In his response, Huffman said:
"@TEN_GOP’s Tweets were amplified by thousands of Reddit users, and sadly, from everything we can tell, these users are mostly American, and appear to be unwittingly promoting Russian propaganda. I believe the biggest risk we face as Americans is our own ability to discern reality from nonsense, and this is a burden we all bear."
Beyond this, the CEO offered little else, saying that Reddit is making progress through cooperation and vigilance. A commenter on the same thread also asked Huffman whether the administrators would take action against other unrelated but disturbing and gruesome subreddits; he gave a similarly pointed response that he was aware of them and that a review was underway.
At the end of it all, Reddit's transparency about the steps it takes to address its ongoing problems is certainly welcome, but all of these look like temporary remedies rather than preventive solutions.

Monday, 5 March 2018

On 10:32 by Vismit Rakhecha
In a recent round of surveys sent to its users, social media giant Facebook asked how they would react to a private message in which an adult asks a 14-year-old for sexual pictures.

Even setting aside that the offered options include "This content should be allowed on Facebook, and I would not mind seeing it" and "I have no preference on this topic", the fact that the only sane, proper recourse, "Report this to the police because it is illegal", is missing entirely is utterly baffling.
That the survey appears to legitimise other responses to an illegal act is best described as horrifying. In a statement to The Times, British Labour MP Yvette Cooper described the survey as "stupid" and "irresponsible", saying:
"I cannot imagine that Facebook executives ever want it on their platform but they also should not send out surveys that suggest they might tolerate it or suggest to Facebook users that this might ever be acceptable."
In response, Facebook Product VP Guy Rosen tweeted:
I mean, this is not the kind of topic you should be determining policy on by surveying your readers. Facebook so out of touch with the real world.
We run surveys to understand how the community thinks about how we set policies. But this kind of activity is and will always be completely unacceptable on FB. We regularly work with authorities if identified. It shouldn't have been part of this survey. That was a mistake.
Given that corporate procedure for outreach such as this survey usually involves more than one person approving it, calling it "a mistake" feels like a flimsy excuse.
On 08:37 by Vismit Rakhecha
The Chinese philosopher Lao Tzu said, "Give a man a fish and you feed him for a day. Teach him how to fish and you feed him for a lifetime." That seems to have been the guiding philosophy for a group of thieves in Iceland who are reported to have stolen bitcoin mining servers worth $2 million from data centres.
The local media have dubbed the whole affair the 'Big Bitcoin Heist' and, according to Reykjanes peninsula police commissioner Olafur Helgi Kjartansson, the crime constitutes 'grand theft on a scale never seen before' in the country. He reckons it was the work of organised criminal elements.
The servers were taken in three burglaries in December last year and one in January. The police had, however, kept quiet in the hope that this would make catching the culprits easier.
Eleven people, including one security guard, have been arrested in connection with the thefts, and a judge at the Reykjanes District Court ordered two of the alleged culprits to remain in custody in a ruling last Friday. The equipment has unfortunately not yet been recovered.
While the equipment alone has a market value of around $2 million, if the thieves use it to mine bitcoin they could turn an even larger profit over time. Running a mining farm, however, requires a great deal of electricity, and the police hope to track the thieves down by looking for unusual spikes in power consumption.
Iceland's abundant renewable energy from geothermal and hydroelectric plants, together with the lower cooling costs that the North Atlantic country's cool climate allows, has made it a popular location for large-scale cryptocurrency mining operations looking for a more power-efficient setup.

Monday, 26 February 2018

On 11:27 by Vismit Rakhecha
The countdown to the funeral for net neutrality has begun, with official services slated for April 23, unless Congress or the courts pull off a miracle. All the ISPs have paid their lip service respects, saying they will carry on the way they always have. But it appears AT&T is starting to celebrate even before the casket is lowered into the ground.
The wireless carrier is expanding its sponsored data program to prepaid customers. The program lets content providers pay to be a sponsor, which in turn means their content does not count toward a user's data cap. Right now, participants in the program include DirecTV, U-verse and FullScreen, the three video services owned by ... surprise ... AT&T.
In a text message to prepaid users, the company said:
“Now your plan includes sponsored data. This means, for example, that customers who have DirecTV or U-verse TV can now stream movies and shows … without it counting against their plan data."
AT&T was one of the many companies trying to allay user fears of fast lanes and throttling as the FCC dismantled net neutrality in December. AT&T exec Bob Quinn even was so bold as to say after the repeal:
“AT&T intends to operate its network the same way AT&T operates its network today: in an open and transparent manner. We will not block websites, we will not throttle or degrade internet traffic based on content, and we will not unfairly discriminate in our treatment of internet traffic."
So to be clear, once a user hits their data cap, they are usually throttled from 4G LTE speeds down to 2G or 3G. However, if a content provider pays to be sponsored, its content does not count against the cap and so is not subject to the slower speeds. There is no word on how much AT&T charges "sponsors."
To be fair, AT&T has run its sponsored data program since 2014 and is now extending it to a different tier of customers. Currently, there are five sponsored data providers listed on the official site. While most of those appear to be marketers with their own client base, the fact that AT&T lists its own streaming services as exempt from data caps suggests the company is willing to widen the pool of sponsors it targets.
The timing of the expansion is also a little worrying, as it signals to potential sponsors that AT&T may be throwing caution to the wind in its efforts to steer specific content to its users as net neutrality heads out the door.
Obviously, this is only one way for ISPs to take advantage of net neutrality's demise. Others could include charging consumers extra for plans that cover specific websites, or even making it harder to reach sites that compete with their sponsors.
Once April 23 rolls around, start watching for more ISPs joyfully kicking dirt on net neutrality's headstone.

Thursday, 22 February 2018

On 13:58 by Vismit Rakhecha
Iran is considering developing its own cryptocurrency, according to the country's ICT minister. The news comes just days after Venezuela launched its petro cryptocurrency, which is pegged to the price of a barrel of oil. Both countries see cryptocurrencies as a way of letting money flow into the country while getting around U.S.-imposed sanctions. The developments are also significant because these are among the first national governments to officially adopt cryptocurrencies.

In a post on Twitter, the ICT minister, Mohammad-Javad Azari Jahromi, said (translated from Persian):
"In a meeting I had with the board of directors of Post Bank on blockchain-based digital currencies, it was decided that the bank will take the necessary measures to pilot the country's first digital currency, drawing on the country's elite talent. The pilot model will be presented to the country's banking system for review and approval."

On Wednesday, Nicolás Maduro tweeted to his followers that the newly minted petro cryptocurrency had raised $735 million. Translated from Spanish, the tweet read:
"For big problems, big solutions! From the first minute the game got off to a good start, and we started out winning: 4.777 billion yuan, or 735 million dollars, is the initial result of the Petro purchase-intent operations."
Both Iran and Venezuela are members of the Organization of the Petroleum Exporting Countries (OPEC), so it would make sense if Iran, too, pegged its potential offering to the price of a barrel of oil, once it is finally approved and developed.
It is fair to say that cryptocurrencies are entering a new phase, with national governments deploying them. Aside from Iran and Venezuela, Russia has also shown an interest in developing an offering called CryptoRuble.

Wednesday, 21 February 2018

On 09:05 by Vismit Rakhecha
Google's Project Zero team of security researchers is tasked with finding bugs in software developed by the firm itself as well as by other tech giants. On finding a flaw, the researchers report it to the relevant company and give it 90 days to fix the issue before it is made public.
Over the past couple of years, the initiative has disclosed several vulnerabilities this way. Now, Project Zero has published a "high" severity security flaw in Windows 10.
According to the entry in the Project Zero issue tracker, the issue was tested on Windows 10 version 1709.
The flaw concerns the SvcMoveFileInheritSecurity remote procedure call (RPC), exposed by the Windows Storage Service, which, if exploited, allows an arbitrary file to be assigned an arbitrary security descriptor, potentially leading to elevation of privilege.
The RPC uses the MoveFileEx API to move a file to a new location. The problem arises when the file being moved is a hard link and the destination directory carries inheritable access control entries (ACEs). Renaming a file normally requires delete access on it, but even when the hard-linked file itself does not grant that, the move can still be allowed by the permissions of the directory the link sits in, which the caller controls.
After the move, the service calls SetNamedSecurityInfo on the moved file to apply the inheritable ACEs of its new parent directory. Because the service does this with its own elevated privileges rather than the caller's, the security descriptor is applied to the underlying file even if the caller could only read it, which can grant a normal user write access to a file they would otherwise be unable to modify.
The researcher who discovered the flaw has attached a proof-of-concept in C++ which creates a text file in the Windows folder and abuses the SvcMoveFileInheritSecurity RPC to overwrite its security descriptor so that everyone is granted access.
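The hard-link confusion described above, as an added POSIX C analog written for this page: it is not the Project Zero proof of concept and not Windows code. It models a privileged "move the file, then apply the destination's inherited permissions" routine in both its vulnerable and a hardened form, and runs each against a constructed layout under /tmp: a read-only victim file, a hard link to it in a caller-controlled directory, and a destination directory whose "inheritable" permissions make files world-writable. Mode bits stand in for the directory's inheritable ACEs, st_nlink stands in for the hard-link check, and the routine names and the INHERITED_FILE_MODE constant are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the inheritable ACEs of the destination directory: in this
 * model, files moved into it are supposed to end up world-writable. */
#define INHERITED_FILE_MODE 0666

/* Vulnerable pattern (the shape the bug report describes): move the file,
 * then apply the destination's inherited permissions to whatever now sits
 * at the new path. A hard link shares its inode with the original file, so
 * the permission change lands on the original file too. */
int move_file_inherit_security_vuln(const char *src, const char *dst)
{
    if (rename(src, dst) != 0)
        return -1;
    return chmod(dst, INHERITED_FILE_MODE);
}

/* Hardened variant: open the moved object itself (without following
 * symlinks) and only re-secure it if it is a regular file with exactly one
 * name. A link count above one means the caller may control only one of
 * the file's names, so the privileged permission change is refused and the
 * move is undone. Checking the opened object avoids a check-then-move race. */
int move_file_inherit_security_safe(const char *src, const char *dst)
{
    if (rename(src, dst) != 0)
        return -1;
    int fd = open(dst, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) {
        rename(dst, src);
        return -1;
    }
    struct stat st;
    int single_name = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1;
    int rc = single_name ? fchmod(fd, INHERITED_FILE_MODE) : -1;
    close(fd);
    if (!single_name)
        rename(dst, src);
    return rc;
}

/* Constructed scenario under a fresh temp directory:
 *   target.txt         the victim file, mode 0444 (the caller can only read it)
 *   staging/link.txt   a hard link to target.txt in a caller-controlled directory
 *   inherit/           the destination with "inheritable" permissions
 * Calls `mover` on the link and returns 1 if target.txt ended up writable,
 * 0 if its mode was left alone, -1 on setup error. */
int run_scenario(int (*mover)(const char *, const char *))
{
    char root[] = "/tmp/inherit_sec_XXXXXX";
    if (mkdtemp(root) == NULL)
        return -1;
    char target[4096], staging[4096], linkpath[4096], inherit[4096], dst[4096];
    snprintf(target,   sizeof target,   "%s/target.txt", root);
    snprintf(staging,  sizeof staging,  "%s/staging", root);
    snprintf(linkpath, sizeof linkpath, "%s/staging/link.txt", root);
    snprintf(inherit,  sizeof inherit,  "%s/inherit", root);
    snprintf(dst,      sizeof dst,      "%s/inherit/link.txt", root);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) != 0)
        return -1;
    if (chmod(target, 0444) != 0 || mkdir(staging, 0700) != 0 ||
        mkdir(inherit, 0700) != 0 || link(target, linkpath) != 0)
        return -1;

    mover(linkpath, dst);   /* the outcome is judged by the victim's mode, not the rc */

    struct stat st;
    int writable = stat(target, &st) == 0 &&
                   (st.st_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) != 0;

    /* best-effort cleanup; the link may be at either path */
    unlink(dst); unlink(linkpath); unlink(target);
    rmdir(staging); rmdir(inherit); rmdir(root);
    return writable;
}

int demo_vulnerable(void) { return run_scenario(move_file_inherit_security_vuln); }
int demo_hardened(void)   { return run_scenario(move_file_inherit_security_safe); }

int main(void)
{
    printf("vulnerable mover: victim writable = %d\n", demo_vulnerable());
    printf("hardened mover:   victim writable = %d\n", demo_hardened());
    return 0;
}
```

Build with `cc -o inherit_sec inherit_sec.c` and run as any user who can write to /tmp; root works as well, because the outcome is read from the victim's mode bits rather than from an access check. The vulnerable mover reports 1 (the read-only victim became world-writable through its second name), the hardened mover reports 0 and leaves the link back in the staging directory. The page does not say how Microsoft's eventual fix is implemented; the hardened variant only shows one sound check, applied to the object after the move rather than to the path before it.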
The security researcher went on to say that:
Some additional notes about this issue. Firstly, based on the fix for issue 1427, this only affects Windows 10; it does not affect any earlier versions of Windows such as 7 or 8.1. However, I've not verified that to be the case, but there's no reason to believe it's incorrect. MS consider this to be an 'Important' issue, but crucially not a 'Critical' issue. This is because this issue is an Elevation of Privilege which allows a normal user to gain administrator privileges. However, in order to execute the exploit you'd have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue: it's easy to exploit, but it doesn't take into account the prerequisites to exploiting the issue in the first place.
According to the report, the flaw, labelled "1428", was reported to Microsoft as a "high" severity issue on November 10, 2017, along with a similar issue, 1427. The standard 90-day deadline applied to both. When the issue proved difficult to fix, Microsoft asked for an extension and released what was meant to be the fix on last week's Patch Tuesday.
However, while the patch fixed issue 1427, the Google researcher's analysis shows that 1428, detailed above, remains unresolved. Google has therefore informed the Microsoft Security Response Center (MSRC) that it is making the flaw public. It will be interesting to see whether the disclosure accelerates a fix now that the details are available to everyone, including those with malicious intent.
Google has clarified to Neowin that it's just a coincidence that the two flaws have been publicly disclosed in such close proximity in terms of time, simply because the standard 90-day deadlines and 14-day grace periods aligned as such.
We have reached out to Microsoft for clarification regarding the security flaw, and will provide an update if the company responds.

Tuesday, 20 February 2018

On 15:08 by Vismit Rakhecha