Showing results for tags 'google'.

Found 893 results

  1. How well do you know your Android device? Here are some of the hidden Android secret codes. Since most hidden menus are manufacturer specific, there’s no guarantee that they’ll work across all Android smartphones, but you can try them out nevertheless on your Samsung, HTC, Motorola, Sony and other devices. Be advised, though, that some of these can cause serious changes to your device’s configuration, so don’t play with something that you don’t fully understand. You can find more of these spread across the internet, and they’re usually very handy to have, even if just to show off your geekiness to your social circle. Update x1: More codes! Source : Redmondpie
  2. No one considers the 20-year-old SHA-1 hash function secure, and browser makers are well on the way to phasing it out. But until yesterday's revelation by researchers at Google and CWI Amsterdam, there was no known reliable way of causing a SHA-1 collision. The SHA-1 algorithm produces a 160-bit mathematical representation, or hash value, that should be unique for a given file. It's been used to ensure the integrity of everything from digital certificates for HTTPS websites, to managing commits in code repositories, and protecting users against forged documents. Now the researchers, using a technique called SHAttered, have demonstrated that two PDFs with different content can have the same hash, which should never happen. "We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256," the researchers said. The two-year effort was led by CWI Amsterdam researcher Marc Stevens and Google head of anti-abuse research Elie Bursztein, and relied on some serious computing power from Google. The attack required nine quintillion (9,223,372,036,854,775,808) SHA-1 computations and took the equivalent of 6,500 years of single-CPU computations to complete phase one of the collision, and 110 years of single-GPU to finish phase two. Although that process sounds long, it's 100,000 times faster than a brute-force attack on SHA-1. The researchers note in a paper that the estimated cost of a collision attack has fallen significantly in the past few years, which is why it's being phased out for signing HTTPS certificates. Microsoft's Edge and Internet Explorer will warn users if a site is using a SHA-1 certificate by mid-2017, while Google's Chrome made the move in January. Firefox will do so in early 2017. 
Based on a SHA-1 attack developed by Stevens, cryptographer Bruce Schneier in 2012 estimated a SHA-1 collision attack would have a processing cost of around $700,000 in 2015 using spot prices for Amazon EC2 instances, which would fall to $173,000 in 2018. As noted in the SHAttered paper, the second and more expensive phase of the attack, which led to a full SHA-1 collision, was far less costly than the 2012 estimate. This phase relied on a cluster of GPUs hosted by Google. Again, using Amazon Web Services pricing as a yardstick, they write: "Using a p2.16xlarge instance, featuring 16 K80 GPUs and nominally costing $14.4 per hour would cost $560,000 for the necessary 71 device years. It would be more economical for a patient attacker to wait for low spot prices of the smaller g2.8xlarge instances, which feature four K520 GPUs, roughly equivalent to a K40 or a GTX 970. Assuming thusly an effort of 100 device years, and a typical spot price of $0.5 per hour, the overall cost would be $110,000." Potentially affected applications include SHA-1 signed digital certificates, email PGP/GPG signatures, and Git. Google has released a tool to test if a file is part of a collision attack, and has added protections in Gmail and G Suite to detect its PDF collision technique. The researchers highlight that Linus Torvalds's code version-control system Git "strongly relies on SHA-1" for checking the integrity of file objects and commits. "It is essentially possible to create two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one," they note. However, Torvalds said on a mailing list yesterday that he's not concerned since "Git doesn't actually just hash the data, it does prepend a type/length field to it", making it harder to attack than a PDF. "Put another way: I doubt the sky is falling for Git as a source control management tool. Do we want to migrate to another hash? Yes. 
Is it game over for SHA-1 like people want to say? Probably not," wrote Torvalds. "I haven't seen the attack details, but I bet: (a) the fact that we have a separate size encoding makes it much harder to do on Git objects in the first place (b) we can probably easily add some extra sanity checks to the opaque data we do have, to make it much harder to do the hiding of random data that these attacks pretty much always depend on." Source
  3. “I could read that again, because you would probably need to hear it again to have the faintest idea what we are talking about,” he said. “I fear that it smacks of either a lowest common denominator approach or some hard arm-wrestling in the corridors where the discussion took place to get something that looks reasonable on paper. “It does not smack of a real commitment to scourge out the terrible way in which search engines have referred people who should have known better to material that was not cleared for copyright and should not have been made available to them through that route.” While Lord Stevenson clearly wasn’t happy, he did reveal some more information on how the code will be managed. The Minister of State for Intellectual Property will oversee its implementation, supported by quarterly meetings of all parties involved. The Minister will also “set requirements for reporting by search engines and rights holders on any matter herein, including in particular those matters where the Code of Practice calls for ongoing discussion.” Then, after a year of operation, the effectiveness of the code will be reviewed to ensure “continuing progress towards achieving the Shared Objectives.” What those objectives are will remain a mystery, however. In response to Lord Stevenson’s request to see a copy of the code, Baroness Buscombe said that wouldn’t be possible. “We do not plan to publish the code in full because details about the number of copyright infringement reports a site can receive before it is demoted might allow pirates to game the system. We are, however, very happy to share the commitments in the code in more general terms,” she said. Baroness Buscombe went on to ask for the amendment to be dropped and that was followed by a spirited response from Lord Stevenson. “I cannot see this agreement lasting and believe that there will have to be a backstop power at some stage,” he said. 
“At the moment, it is a ‘large copyright holders against large search engines’ agreement, and on that level it might operate. I do not think it will be effective. I do not think it is sustainable because there will be new people coming in and business models and practices will change — we cannot foresee that.” And with that the amendment was withdrawn and with it any chance of forcing search engines into compliance by law for the foreseeable future. Only time will tell how things will play out but as the wording of the paragraph cited by Lord Stevenson shows, there is plenty of room for manoeuvre. source
  4. Unlike the United States where 'fair use' exemptions are entrenched in law, Australia has only a limited "fair dealing" arrangement. As a result, Google's head of copyright William Patry says that Australia wouldn't be a safe place for his company to store certain data, a clear hindrance to innovation and productivity. With Fair Use Week now in full swing, people around the world are celebrating the freedom to use copyrighted content in certain contexts without fear of prosecution, thereby enabling creativity and inspiring innovation. The legal freedom offered by fair use is a cornerstone of criticism, research, teaching and news reporting, one that enables the activities of thousands of good causes and enriches the minds of millions. However, not all countries fully embrace the concept. Perhaps surprisingly, Australia is currently behind the times on this front, a point not lost on Google’s Senior Copyright Counsel, William Patry. Speaking with The Australian (paywall), Patry describes local copyright law as both arcane and not fit for purpose, while acting as a hindrance to innovation and productivity. “We think Australians are just as innovative as Americans, but the laws are different. And those laws dictate that commercially we act in a different way,” Patry told the publication. “Our search function, which is the basis of the entire company, is authorized in the US by fair use. You don’t have anything like that here.” Australia currently employs a more restrictive “fair dealing” approach, but it’s certainly possible that fair use could be introduced in the near future. Last year, Australia’s Productivity Commission released a draft report covering various aspects of the country’s intellectual property system. One of its key recommendations was to adopt fair use legislation. “The Australian Government should amend the Copyright Act 1968 to replace the current fair dealing exceptions with a broad exception for fair use,” the Commission wrote in its report. 
“The new exception should contain a clause outlining that the objective of the exception is to ensure Australia’s copyright system targets only those circumstances where infringement would undermine the ordinary exploitation of a work at the time of the infringement.” Unfortunately, the concept of fair use is not universally welcomed. Local anti-piracy and royalty organizations are opposing its introduction, claiming that it will undermine their ability to make money. Interestingly, broadcaster Foxtel says that the deployment of fair use would introduce “significant and unnecessary uncertainty into Australian law.” This is the exact opposite of Google’s position. The search giant says that Australia’s current exceptions fail to offer legal certainty and that a US-style fair use system would be much more predictable. “If you are a company like Google who wants to store information in the cloud, or internet searches or text and data mining, we can do that safely in the US. We can’t do it here,” Patry concludes. In its final inquiry paper, Australia’s Productivity Commission renewed its calls for the introduction of fair use, noting that in the US, where fair use is long established, “creative industries thrive.” Whether fair use will ever hit Aussie shores remains to be seen, but yet again there is a division between how technology companies and entertainment groups would like copyright law to develop. It’s a battle that’s set to continue well into the future. Source: TorrentFreak
  5. In comments submitted to a U.S. Copyright Office consultation, Google has given the DMCA a vote of support, despite widespread abuse. Noting that the law allows for innovation and agreements with content creators, Google says that 99.95% of URLs it was asked to take down last month didn't even exist in its search indexes. Under current legislation, US-based Internet service providers are not expected to proactively police infringing user content. They are, however, expected to remove it, if a copyright holder complains. The so-called ‘safe harbor’ that providers enjoy as a result of such cooperation is currently under the microscope, following rightsholder complaints that the Digital Millennium Copyright Act is failing them. To address these concerns, the U.S. Copyright Office has been running an extended public consultation. As noted earlier, the RIAA and other music groups just submitted their comments and Google have now added theirs. In contrast to the music groups who believe that the DMCA is “failing”, Google believes otherwise. Noting that rogue sites have been driven out of the United States by an effective DMCA, the search giant suggests leaving the law intact while encouraging voluntary mechanisms between content owners and providers. “In short, the DMCA has proven successful at fostering ongoing collaboration between rightsholders and online service providers, a collaboration that continues to pay dividends both in the U.S. and in international contexts,” Google writes. The company highlights its YouTube-based Content ID as one such collaboration, with the system helping creators take down or monetize infringing content, as they see fit. Google also cites the benefits afforded by the takedown tools it provides to rightsholders in respect of Google search. 
“First, in recent years, Google has streamlined its submission process, enabling rightsholders to send more notices more easily (while still continuing to reduce the average time to resolution to under six hours),” the company notes. “Second, Google has provided new incentives to make heavy use of the DMCA takedown system. We now use the number of valid DMCA requests a domain has received as one of the inputs in making ranking determinations in search results, so rightsholders seeking to take advantage of this signal have further incentive to file notices.” But while Google supports the current takedown provisions, there are problems. The company says that a significant portion of the recent increases in DMCA submission volumes stem from notices that are either duplicate, unnecessary, or bogus. “A substantial number of takedown requests submitted to Google are for URLs that have never been in our search index, and therefore could never have appeared in our search results,” Google states. “For example, in January 2017, the most prolific submitter submitted notices that Google honored for 16,457,433 URLs. But on further inspection, 16,450,129 (99.97%) of those URLs were not in our search index in the first place.” This kind of rampant abuse was highlighted in our recent report which revealed that one small site had millions of bogus notices filed against it. But, according to Google, that’s just the tip of the iceberg. “In total, 99.95% of all URLs processed from our Trusted Copyright Removal Program in January 2017 were not in our index,” the company reveals. But despite the abuse, Google is apparently giving these ‘trusted’ submitters some wiggle room to be creative. In a rather unexpected move, the search giant says that it now accepts takedown notices for URLs that don’t exist, to ensure that they never appear in future search results. While copyright holders will presumably enjoy that feature, it is a fairly curious move. 
A proactive takedown of a non-existent URL necessarily happens in advance of any determination of whether that URL is infringing, which goes way beyond any legislation currently being demanded. That being said, some of these non-existent (and essentially fabricated) URLs do eventually turn up in Google search, albeit at a tiny rate. “Of the 35,000,000 URLs we processed in the latter half of September 2016 that were not in our index, fewer than 2% of those would have made it into our index in the intervening four months; notices for the other 98% therefore were at best unnecessary,” Google says. “Many of these submissions appear to be generated by merely scrambling the words in a search query and appending that to a URL, so that each query makes a different URL that nonetheless leads to the same page of results,” it adds, referencing an earlier TF report. Overall, however, Google seems comfortable with the current notice-and-takedown framework, noting that a “robust ecosystem” of companies with expertise in sending takedown requests is being bolstered by voluntary service provider measures that already go beyond the requirements of Section 512 of the DMCA. “While stakeholders can be expected to disagree about the details of these voluntary efforts, it cannot be said that the DMCA safe harbors are failing in the face of this overwhelming evidence that these voluntary measures continue to grow both in number and diversity,” Google concludes. It’s crystal clear from Google’s submission that it sees the DMCA as a law it can work with, since it enables service providers to innovate without fear while simultaneously addressing the concerns of copyright holders. The latter see things quite differently though, so expect the battles to continue. Google’s submission can be found here, via Michael Geist. Source: TorrentFreak
  6. SAN FRANCISCO—Google may have sent the tired castle analogy of network security’s soft center protected by a tough exterior out to pasture for good. On Tuesday at RSA Conference, Google shared the seven-year journey of its internal BeyondCorp rollout where it affirms trust based on what it knows about its users and devices connecting to its networks. And all of this is done at the expense—or lack thereof—of firewalls and traditional network security gear. Director of security Heather Adkins said the company’s security engineers had their Eureka moment seven years ago, envisioning a world without walls and daring to challenge the assumption that existing walls were working as advertised. “We acknowledged that we had to identify [users] because of their device, and had to move all authentication to the device,” Adkins said. Google, probably quicker than most enterprises, understood how mobility was going to change productivity and employee satisfaction. It also knew that connecting to corporate resources living behind the firewall via a VPN wasn’t a longterm solution, especially for those connecting on low-speed mobile networks where reliability quickly became an issue. The solution was to flip the problem on its head and treat every network as untrusted, and grant access to services based on what was known about users and their device. All access to services, Adkins said, must then be authenticated, authorized and on encrypted connections. “This was the mission six years ago, to work successfully from untrusted networks without the use of a VPN,” Adkins said. Implementing BeyondCorp required a new architecture, said Rory Ward, a site reliability engineering manager at Google, with a sharp focus on collecting quality data for analysis. The first step was to inventory users and their roles as their careers at Google progress, essentially re-inventing job hierarchies, and assessing how and why they need to access internal services. 
The same intimacy was needed with respect to device information, requiring construction of a similar inventory system that tracks all devices connecting to services through its lifecycle. For the time being, Ward said, this applies to managed devices only, though in the future he hopes to extend this capability to user-owned private devices. With that in place, Ward said Google engineers went to work building a dynamic trust repository that ingested data from more than two dozen data sources feeding it information about what devices were doing on the network. Policy files would describe how to define trust for a device and that would be done dynamically. “The trust definition of a device can go up or down dynamically depending on what was done and what the policy says,” Ward said. “We have complete knowledge of users, devices and an indication of trust of every device accessing Google systems.” Next, an access control engine was developed to enforce policy; it has the capability to ingest service requests along with user and device information and apply and enforce policy rules for accessing resources. For example, Ward said, to access source code systems, one would have to be a full-time Google employee in engineering and using a fully trusted desktop. This part of the rollout, Ward said, took two to three years to implement and brought Google closer to its goal of enabling access from anywhere. The final part of the rollout, Adkins and Ward said, was the implementation phase. While the project had executive support, there was a caveat: Don’t break anything or anybody. This was a tall order given Google’s tens of thousands of internal users and devices and 15 years of assertions about a privileged network. Ward said the expensive first step was to deploy an unprivileged and untrusted network in every one of Google’s approximately 200 buildings. 
Engineers grabbed samples of traffic from its trusted network and replayed it on the new untrusted network in order to analyze how workloads would behave. An agent was installed on every device in its inventory and every packet from those devices was also replayed on the new network to see what would fail as unqualified. This was a two-year process as well, and as it turned out, the project successfully chugged ahead to its full implementation. “We managed to move the vast majority of devices, tens of thousands of devices and users, onto the new network and did not manage to break anybody,” Ward said. Adkins said that earning executive support required making convincing arguments about this initiative making IT simpler, less expensive, more secure and employees happier and more productive. “Clear business objectives are compelling to executives,” Adkins said. “We went from location-based authentication and knowledge-based authentication that relies on quality data. Accurate data was the key to be able to make this thing work.” Article source
  7. The tech giant's Australian hiring raid may likely exacerbate the IT skills shortage in government agencies. Despite the various specialised courses offered by Australian universities, not many appear to be interested in taking up the courses. Google is reportedly seeking out Australia's best and brightest hackers as part of its latest hiring raid. The firm wants to fill a number of cybersecurity positions in Australia, which the company considers to be a good place to hire security specialists, given the wide ranging courses that Australian universities offer to students. However, the tech giant's move may likely exacerbate the already widening IT skills shortage prevalent in various Australian government agencies. Google security expert Parisa Tabriz told ABC Australia, "I think finding the right people who have the skills of someone who can hack into a system but ultimately want to make it more secure and not use those skills for bad and are willing to also work in a big software company — it's hard to find that intersection of good people." Tabriz, who serves as the head of security for Google Chrome and has worked with the tech giant since 2007, added, "Sydney's actually been a really good recruiting spot for some security people because there's good universities that really help train cyber security professionals." Government competing with private firms on salaries compared to 'fighting gravity' It is a common problem for governments across the globe, when attempting to attract people for jobs, to fall short of being able to provide the kind of salaries and perks that private firms serve up to prospective employees. The Australian government is no different in this matter. "If we try to compete on salaries it's like fighting ageing and gravity — we're not going to win," said Michael Scott, the assistant secretary for cybersecurity at one of Australia's leading spy agencies, the Australian Signals Directorate. 
"I think for a long time government has looked at this problem by saying we just can't compete financially — well we probably can't," he added. "But we can compete in terms of job satisfaction, the phenomenal access to information and technology that some Federal Government agencies have and it's not as binary as being you work for the Commonwealth or you work for the private sector." Scott also explained that one of the other major issues with recruiting skilled cybersecurity personnel is the time consuming process required to grant prospective employees with top secret clearance. "The demand for specialists with those skills is so great, many of them aren't prepared to wait to get a security clearance," Scott said. "So having a space where they can perform work at a lower level of classification is going to help with our task of recruiting." However, despite the various specialised courses offered by Australian universities, not many appear to be interested in taking up the courses. "We don't have enough students, that's the real problem," said Richard Buckland from the University of New South Wales. "We're training good ones, but we just don't have enough. There's a big demand and not much supply." According to Buckland, although there is no easy way to quickly solve the skills shortage issue, one way by which to attract more students into enrolling in courses is to radically change the way the courses are taught. "We know what a good cyber security professional looks like, but it's still new, it's still disputed how to actually go about creating them," he said. "We need someone who's a rascal, who's cheeky, who's disrespectful and doesn't really obey authority. Most of our teaching institutions are based around authority and respect and perhaps not to questioning, so there is a challenge to produce them in a formal academic environment." By India Ashok http://www.ibtimes.co.uk/google-looking-hire-hackers-australia-1607435
  8. Chloe Bridgewater, who lives in Hereford, England, has a little more drive than most 7-year-olds. Fascinated by her Kindle Fire tablet and robots — and totally taken by the idea of working somewhere with bean-bag chairs, go-karts, and slides — Chloe decided to apply for a job at Google. Here's Chloe's letter, shared with Business Insider by her father, Andy Bridgewater: Super cute, right? Imagine her surprise and delight when she got a letter back from the CEO of Google, Sundar Pichai, who encouraged her to follow her dreams. "I look forward to receiving your job application when you are finished with school! :)" he wrote. Take a look at the letter, shared in a viral LinkedIn post by Andy earlier this week: (Business Insider has confirmed the veracity of the letter.) In that LinkedIn post, Andy said the letter was a much-needed confidence booster for Chloe, who was "knocked down" by a car years ago. Chloe's fascination with Google began recently, Andy told Business Insider, when she asked her father where his ideal place to work would be. Andy currently works in sales for a refrigeration-system parts manufacturer. "And I said, 'Oh, Google would be a nice place to work,'" he said, because of its world-famous perks and the cutting-edge work it does. When Chloe decided she wanted to work there, too, her father encouraged her to apply and "get the ball rolling," he said. All the attention garnered from Pichai's response has redoubled Chloe's drive to work for Google. Andy says his daughter now wants to find a way into the Silicon Valley-based company through going on TV and talking to the media. He's largely resisted, though, saying he wants her to focus on her studies and develop her skills. But Andy wants to brush up on his own technological skills to catch up with Chloe. "Sadly, I think I've got to up my game," he said. Article source
  9. Oracle insinuates Google was “a plagiarist” that committed “classic unfair use.” Google successfully made its case to a jury last year that its use of Java APIs in Android was "fair use." A San Francisco federal jury rejected Oracle's claim that the mobile system infringed Oracle's copyrights. But Oracle isn't backing down. Late Friday, the company appealed the high-profile verdict to a federal appeals court. This is the latest stage of a seemingly never-ending legal battle over intellectual property that began in 2010. The conflict has meandered through two federal trials, in addition to multiple trips to the appellate courts and to the Supreme Court. Oracle opened its brief to the US Court of Appeals for the Federal Circuit right where it left off after losing its case. Among other things, Oracle is refusing to believe that the "fair use" defense to copyright-infringement allegations should have protected Google from having to pay billions of dollars in damages. "When a plagiarist takes the most recognizable portions of a novel and adapts them into a film, the plagiarist commits the 'classic' unfair use," Oracle said in its opening brief. Fair use is a defense to copyright infringement if certain elements are met. It's decided on a case-by-case basis. "There is no specific number of words, lines, or notes that may safely be taken without permission," according to the US Copyright Office. There are, however, at least four factors to be considered when deciding fair use: the purpose of use, the nature of the copyrighted work, the amount and substantiality of the portion taken, and the effect of the use upon the potential market. Before going to the appeals court, Oracle asked US District Judge William Alsup to overturn the jury's verdict. Alsup, who presided over the second trial, ruled that Google's use cleared all four factors. Here's how we got to this point: Oracle purchased Sun Microsystems and acquired the rights to Java in 2009. 
Oracle then sued Google in 2010, saying that Google infringed copyrights and patents connected to Java. The case went to federal trial in 2012. Oracle initially lost. But part of its case was revived on appeal and another trial was ordered. The sole issue in the second trial, the one now being appealed, was whether Google infringed the APIs in Java, which the appeals court held were copyrighted. In May, a jury found in Google's favor after the second trial. The jury found that Google's use of the APIs was protected by "fair use"—a decision Alsup refused to disturb. Google declined to comment on the appeal. Google must file its response in the coming months. By David Kravets https://arstechnica.com/tech-policy/2017/02/oracle-refuses-to-accept-pro-google-fair-use-verdict-in-api-battle/
  10. Why it matters to you The Google Play Store will soon be much easier to search through -- and potentially much safer to use. The Google Play Store could shortly be a whole lot smaller. Google has been sending notices out to developers around the world saying that it will soon “limit visibility” or even totally remove apps from the Play Store that violate Google’s User Data Policy. So why are so many developers getting the notice? Well, most of them seem to have one issue in common: the lack of a privacy policy. According to Google’s User Data Policy, developers have to submit a valid privacy policy, especially when that app handles sensitive information. Those developers will now have to submit a valid privacy policy both on the Google Play Store listing and within the app. “Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information,” says the notice, according to a report from VentureBeat. “Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy.” Even though the move may get rid of a ton of apps, it could wind up making the Play Store more useful. There are thousands upon thousands of so-called “zombie apps” that have been around for years without being updated, and many of those have been rendered useless by newer versions of Android. Not only that, but an overly crowded Play Store often makes it hard to find what you’re looking for. It won’t just be zombie apps that get removed — some developers might not be motivated to include a privacy policy for badly performing apps, so many of those apps will likely disappear as well. Still, it’ll be a while before anything changes on the Play Store — Google has given developers until March 15 to add the privacy policy, so it will be at least a month before we see a cleaner store. Article source
  11. One OS to rule all devices? Short Bytes: After Windows 10 Composable Shell and Windows 10 Cloud leaks, there are reports regarding Microsoft working on Windows Andromeda. It’s expected to compete directly with Google’s hybrid OS project Andromeda. Microsoft is expected to realize its OneCore operating system dream with Andromeda. While nothing is certain at the moment, Windows Andromeda feature is unlikely to arrive before Redstone 3. Back in September 2016, we told you that Google is working on a hybrid OS that’s supposed to be a combination of Android and Chrome OS. The project is currently named Andromeda, but there’s no fixed release date. Now, surprisingly, it has been revealed that Microsoft is also working on a new project called Andromeda. At the moment, we don’t even know how to address it. So, I’ll stick with “Windows Andromeda.” Moreover, Microsoft aims to do something similar to Google, i.e., build a hybrid OS that provides a similar experience on all devices. This is something that Microsoft has been trying to achieve for a long time. As reported by MSPU, Windows Andromeda might be a part of something even bigger, i.e., its new Composable Shell. For those who don’t know, it’s a new adaptive shell that’ll allow the Windows OS to adapt to the device. Looking at the current state of Microsoft’s operating systems on different devices, they do share the universal OneCore, but the company has designed different shells for them. These shells are used by Microsoft for different Windows 10 devices, including PCs, mobile, Xbox, HoloLens, IoT, etc. Windows Andromeda is expected to improve and extend the capabilities of Windows 10 Continuum. It’ll get advanced features like toast notifications, resizable windows, PC-like complete taskbar, and other polished components. About the name Windows Andromeda, I think Microsoft is going to change it. It’s just a codename, just like Windows 10 Cloud. 
Windows Andromeda is likely to arrive later this year, but not before Windows 10 Redstone 3. Also, it goes without saying that nothing is certain at the moment. By Adarsh Verma https://fossbytes.com/windows-10-andromeda/
  12. Google and other search companies are close to striking a voluntary agreement with entertainment companies to tackle the appearance of infringing content links in search results. Following roundtable discussions chaired by the UK's Intellectual Property Office, all parties have agreed that the code should take effect by June 1, 2017. For several years the entertainment industries have blamed companies like Google for not doing enough to prevent instances of Internet piracy. At times, Google has even been accused of fueling it. The problem is with search results. Whether they’re presented by Google, Bing or Yahoo, copyright holders wish that more could be done to prevent the appearance of infringing links, particularly in the first crucial pages of results. To its credit, Google has taken a number of measures over the years but in the eyes of copyright holders, it’s never been enough. Instead, Google has been flooded with a billion takedown requests in the last year alone, each demanding that links to infringing content be removed. When the notices are accurate, Google always complies but there have been rumblings in recent years, particularly in the UK, that search engines could find themselves on the end of legislation that forces them to do more. With that eventuality a daunting prospect, companies like Google and representatives from the entertainment industries have been trying to reach some kind of voluntary agreement. Their meetings generally aren’t spoken about in public, but the UK government has played a strong role in bringing the groups together. What we now know is that a deal is extremely close to being signed. This week, during a Digital Economy Bill committee, discussion again turned to the role of service providers when it comes to infringing content. For example, should they enjoy reduced safe harbors if they optimize the presentation and promotion of copyright-protected works? 
A draft amendment to the bill would allow the government to impose a code of practice on search engines, forcing them to deal with infringement – a proposal that has proven popular in parliament. However, when the matter was raised again this week it was revealed that the imposition of such a regime probably won’t be needed. “Since the idea was last discussed in [parliament], Intellectual Property Office officials have chaired a further round-table meeting between search engines and representatives of the creative industries,” Baroness Buscombe said. “While there are still elements of detail to be settled, the group is now agreed on the key content of the code and I expect an agreement to be reached very soon.” According to Buscombe, all parties involved (that’s the search engines and entertainment industry companies) have agreed that the code should come into effect within four months. “All parties have also agreed that the code should take effect, and the targets in it be reached, by 1 June this year,” the Baroness said. With no such meetings ever documented in public by either the companies involved or the government, TorrentFreak reached out to Google – who are definitely at the hub of the agreement – with a few questions. What companies are involved in the agreement, both from the search side and entertainment industries? What are the basics of the voluntary code and how will it affect the visibility of allegedly-infringing results? How will the agreement manifest itself to Google’s users come June 1? At the time of publication, Google had not responded to our request for comment. However, without mentioning them by name, Baroness Buscombe was complimentary about Google and the other search engines involved, noting that cooperation with entertainment companies is ongoing. 
“The search engines involved in this work have been very co-operative, making changes to their algorithms and processes, but also working bilaterally with creative industry representatives to explore the options for new interventions, and how existing processes might be streamlined,” she said. “I understand that all parties are keen to finalize and sign up to the voluntary agreement, and so we believe there is no need to take a legislative power at this time.” Noting that moving forward on a co-operative basis now is better than introducing legislation later, the Baroness said that other options could always be revisited in the future, should things not work out. At this stage, however, it seems unlikely that Google et al would prefer legislation over a voluntary code. Due to the worldwide nature of the web, it will be extremely interesting to see how any UK-based agreement plays out overseas. It seems unlikely that Google will be able to implement strictly local measures without coming under pressure to follow suit in the United States, for example. If you can do it in the UK, you can do it everywhere, the company will be told. Source: TorrentFreak
  13. Google has released the February 2017 Android Security Bulletin. Partners have had access to the warnings in this month’s bulletin since January 3, 2017 or earlier. The February bulletin has two security patch levels to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.

2017-02-01: Partial security patch level string. This security patch level string indicates that all issues associated with 2017-02-01 (and all previous security patch level strings) are addressed.
2017-02-05: Complete security patch level string. This security patch level string indicates that all issues associated with 2017-02-01 and 2017-02-05 (and all previous security patch level strings) are addressed.

Supported Google devices will receive a single OTA update with the February 05, 2017 security patch level. The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. Alongside the bulletin, Google have released a security update to Google devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer site. Security patch levels of February 05, 2017 or later address all of these issues. The tables below contain a list of security vulnerabilities, the Common Vulnerability and Exposures ID (CVE), the assessed severity, and whether or not Google devices are affected. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

Security patch levels of 2017-02-01 or later must address the following issues.

Issue | CVE | Severity | Affects Google devices?
Remote code execution vulnerability in Surfaceflinger | CVE-2017-0405 | Critical | Yes
Remote code execution vulnerability in Mediaserver | CVE-2017-0406, CVE-2017-0407 | Critical | Yes
Remote code execution vulnerability in libgdx | CVE-2017-0408 | High | Yes
Remote code execution vulnerability in libstagefright | CVE-2017-0409 | High | Yes
Elevation of privilege vulnerability in Java.Net | CVE-2016-5552 | High | Yes
Elevation of privilege vulnerability in Framework APIs | CVE-2017-0410, CVE-2017-0411, CVE-2017-0412 | High | Yes
Elevation of privilege vulnerability in Mediaserver | CVE-2017-0415 | High | Yes
Elevation of privilege vulnerability in Audioserver | CVE-2017-0416, CVE-2017-0417, CVE-2017-0418, CVE-2017-0419 | High | Yes
Information disclosure vulnerability in AOSP Mail | CVE-2017-0420 | High | Yes
Information disclosure vulnerability in AOSP Messaging | CVE-2017-0413, CVE-2017-0414 | High | Yes
Information disclosure vulnerability in Framework APIs | CVE-2017-0421 | High | Yes
Denial of service vulnerability in Bionic DNS | CVE-2017-0422 | High | Yes
Elevation of privilege vulnerability in Bluetooth | CVE-2017-0423 | Moderate | Yes
Information disclosure vulnerability in AOSP Messaging | CVE-2017-0424 | Moderate | Yes
Information disclosure vulnerability in Audioserver | CVE-2017-0425 | Moderate | Yes
Information disclosure vulnerability in Filesystem | CVE-2017-0426 | Moderate | Yes

Security patch levels of 2017-02-05 or later must address all of the 2017-01-01 issues, as well as the following issues.

Issue | CVE | Severity | Affects Google devices?
Remote code execution vulnerability in Qualcomm crypto driver | CVE-2016-8418 | Critical | No*
Elevation of privilege vulnerability in kernel file system | CVE-2017-0427 | Critical | Yes
Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0428, CVE-2017-0429 | Critical | Yes
Elevation of privilege vulnerability in kernel networking subsystem | CVE-2014-9914 | Critical | Yes
Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0430 | Critical | Yes
Vulnerabilities in Qualcomm components | CVE-2017-0431 | Critical | No*
Elevation of privilege vulnerability in MediaTek driver | CVE-2017-0432 | High | No*
Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2017-0433, CVE-2017-0434 | High | Yes
Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver | CVE-2016-8480 | High | Yes
Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2016-8481, CVE-2017-0435, CVE-2017-0436 | High | Yes
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0437, CVE-2017-0438, CVE-2017-0439, CVE-2016-8419, CVE-2016-8420, CVE-2016-8421, CVE-2017-0440, CVE-2017-0441, CVE-2017-0442, CVE-2017-0443, CVE-2016-8476 | High | Yes
Elevation of privilege vulnerability in Realtek sound driver | CVE-2017-0444 | High | Yes
Elevation of privilege vulnerability in HTC touchscreen driver | CVE-2017-0445, CVE-2017-0446, CVE-2017-0447 | High | Yes
Information disclosure vulnerability in NVIDIA video driver | CVE-2017-0448 | High | Yes
Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0449 | Moderate | Yes
Elevation of privilege vulnerability in Audioserver | CVE-2017-0450 | Moderate | Yes
Elevation of privilege vulnerability in kernel file system | CVE-2016-10044 | Moderate | Yes
Information disclosure vulnerability in Qualcomm Secure Execution Environment Communicator | CVE-2016-8414 | Moderate | Yes
Information disclosure vulnerability in Qualcomm sound driver | CVE-2017-0451 | Moderate | Yes

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android. Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible. The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application. As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver. Full details of the February 2017 Android Security Bulletin are available here. By Rapid John http://rapidmobile.biz/devices-and/google-releases-february-2017-android-security-bulletin-and-google-device-images/
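How the two patch level strings above translate into a fleet check, as an added example that is not part of the bulletin or the original post. It assumes each device's reported patch level (the `ro.build.version.security_patch` property) has already been collected; the device names are constructed, and only a few rows from the bulletin tables are included.

```python
from datetime import datetime

# A subset of rows from the bulletin tables in the post, keyed by the
# security patch level string that must address them.
BULLETIN = {
    "2017-02-01": [
        ("CVE-2017-0405", "Critical", "Surfaceflinger"),
        ("CVE-2017-0422", "High", "Bionic DNS"),
        ("CVE-2017-0423", "Moderate", "Bluetooth"),
    ],
    "2017-02-05": [
        ("CVE-2017-0427", "Critical", "kernel file system"),
        ("CVE-2017-0448", "High", "NVIDIA video driver"),
        ("CVE-2017-0449", "Moderate", "Broadcom Wi-Fi driver"),
    ],
}

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Moderate": 2}

# Constructed inventory: device name -> reported patch level string.
FLEET = {
    "pixel-lab-01": "2017-02-05",   # complete level
    "vendor-a-17": "2017-02-01",    # partial level
    "vendor-b-03": "2017-01-05",    # previous month's level
    "kiosk-09": "",                 # property missing or unreadable
}


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level string, or None if unusable."""
    try:
        return datetime.strptime((value or "").strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def outstanding_issues(device_level):
    """List bulletin issues a device at `device_level` has not addressed.

    Patch levels are cumulative: a device at or past a level string has
    every fix tied to that string and to all earlier ones. An unreadable
    level fails closed and is treated as having no fixes at all.
    """
    level = parse_patch_level(device_level)
    missing = []
    for required, issues in BULLETIN.items():
        if level is None or level < parse_patch_level(required):
            missing.extend(issues)
    # Most severe first, then by CVE id for a stable order.
    return sorted(missing, key=lambda i: (SEVERITY_ORDER[i[1]], i[0]))


def triage_fleet(fleet):
    """Map each device to the CVE ids it still needs, most severe first."""
    return {name: [cve for cve, _, _ in outstanding_issues(level)]
            for name, level in fleet.items()}


if __name__ == "__main__":
    for name, cves in triage_fleet(FLEET).items():
        print(f"{name:14} {FLEET[name] or '(unknown)':12} "
              f"{'up to date' if not cves else ', '.join(cves)}")
```

A device on the partial 2017-02-01 level shows only the kernel and driver issues from the second table as outstanding, which is the distinction the two-string scheme exists to express.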
  14. The 2016 U.S. Presidential election cycle won’t be soon forgotten. It shattered old conventions and introduced a completely new way of running a campaign, including fake news. No doubt some of that content was generated for political purposes. But, for better or worse, some fake news was created simply for profit. For social media giants Facebook (NASDAQ:FB) and Google (NASDAQ:GOOGL), this new trend represents a challenge that can greatly affect the monetization of their platforms. If the billions of consumers and businesses that use these two brands can’t rely on the information they are accessing, advertisers may drop support for these channels. On the other hand, could small content creators face backlash whether their content is truly fake news or simply viewed that way by these digital behemoths? Facebook and Google Will Crack Down on Fake News Facebook has just announced a new initiative to identify authentic content because, as the company puts it, stories that are authentic resonate more with its community. During the election, the social media giant was criticized for doing very little to combat fake news. Instead, Facebook tried to outsource the task of identifying this content to third parties including five fact checking organizations: the Associated Press, ABC news, Factcheck.org, Snopes and PolitiFact. However, the new update ranks authentic content by incorporating new signals to better identify what is true or false. These signals are delivered in real-time when a post is relevant to a particular user. The signals are determined by analyzing overall engagement on pages to identify spam as well as posts that specifically ask for likes, comments or shares — since these might indicate an effort to spread questionable content. As for Google, the tech company released its 2017 Bad Ads report. Google says the report plays an important role in making sure users have access to accurate and quality information online. 
Still, the report addresses only ads thus far. Google warns more broadly that the sustainability of the web could be threatened if users cannot rely on the information they find there. https://smallbiztrends.com/2017/02/facebook-and-google-will-crack-down-on-fake-news.html
  15. From the if-you-can't-beat-them,-establish-diplomatic-relations-with-them dept As you may have noticed, here on Techdirt we write quite a lot about companies like Apple, Google and Facebook. That's partly because they are very rich and very powerful, and therefore tend to be driving many of the key developments in the tech field. Some think they are too powerful. Here, for example, is Robert Reich, writing for The New York Times, in a 2015 piece entitled "Big Tech Has Become Way Too Powerful": As Reich points out, the European Union seems to agree, and is investigating Amazon, Apple and Google for various alleged abuses of that growing power. More recently, the European Commission signalled that it was not happy about aspects of Facebook's takeover of WhatsApp. But not everyone thinks fighting tech giants is the solution. Here, for example, is what Denmark's Foreign Minister Anders Samuelsen has announced, as reported by The Local: Saying that tech giants like Google and Apple now have more influence than many countries, Denmark will become the first nation in the world to appoint a so-called digital ambassador. … There's a certain logic there, but it does set a worrying precedent. If there's an official digital ambassador, why not have an energy ambassador for the giant oil and gas companies, and a drug ambassador for Big Pharma? And won't that kind of political apparatus provide yet more ways for already influential companies to bend and shape government policy in a country -- tipping the balance against ordinary people even further? By Glyn Moody https://www.techdirt.com/articles/20170201/10380736608/court-tosses-lawsuit-brought-brother-sister-against-take-two-interactive-over-nba2k-face-scans.shtml
  16. A U.S. judge has ordered Google to comply with search warrants seeking customer emails stored outside the United States, diverging from a federal appeals court that reached the opposite conclusion in a similar case involving Microsoft Corp (MSFT.O). U.S. Magistrate Judge Thomas Rueter in Philadelphia ruled on Friday that transferring emails from a foreign server so FBI agents could review them locally as part of a domestic fraud probe did not qualify as a seizure. The judge said this was because there was "no meaningful interference" with the account holder's "possessory interest" in the data sought. "Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States," Rueter wrote. Google, a unit of Mountain View, California-based Alphabet Inc (GOOGL.O), said in a statement on Saturday: "The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants." The ruling came less than seven months after the 2nd U.S. Circuit Court of Appeals in New York said Microsoft could not be forced to turn over emails stored on a server in Dublin, Ireland that U.S. investigators sought in a narcotics case. That decision last July 14 was welcomed by dozens of technology and media companies, privacy advocates, and both the American Civil Liberties Union and U.S. Chamber of Commerce. On Jan. 24, the same appeals court voted not to revisit the decision. The four dissenting judges called on the U.S. Supreme Court or Congress to reverse it, saying the decision hurt law enforcement and raised national security concerns. Both cases involved warrants issued under the Stored Communications Act, a 1986 federal law that many technology companies and privacy advocates consider outdated. 
In court papers, Google said it sometimes breaks up emails into pieces to improve its network's performance, and did not necessarily know where particular emails might be stored. Relying on the Microsoft decision, Google said it believed it had complied with the warrants it received, by turning over data it knew were stored in the United States. Google receives more than 25,000 requests annually from U.S. authorities for disclosures of user data in criminal matters, according to Rueter's ruling. The cases are In re: Search Warrant No. 16-960-M-01 to Google and In re: Search Warrant No. 16-1061-M to Google, U.S. District Court, Eastern District of Pennsylvania, Nos. 16-mj-00960, 16-mj-01061. Reporting by Jonathan Stempel in New York; Editing by Chizu Nomiyama http://www.reuters.com/article/us-google-usa-warrant-idUSKBN15J0ON
  17. Google announced that it implemented S/MIME (Secure/Multipurpose Internet Mail Extensions) encryption, with a twist, for its enterprise customers. That twist is that its implementation of S/MIME, which is typically an end-to-end encryption protocol, is centralized or “hosted” by Google. In other words, Google can see what’s in all of those S/MIME-protected emails. S/MIME Protocol The S/MIME protocol was first invented in 1995. A few years later, it also became an IETF standard (after a few more modifications to the original protocol). S/MIME aimed to be an end-to-end encrypted protocol that would replace the non-encrypted SMTP email protocol. It was also meant to be a little easier to use than PGP (Pretty Good Privacy), another end-to-end encryption protocol that was invented a few years before S/MIME. With PGP, users have to share their public keys with each other prior to using end-to-end encryption, but with S/MIME, this key distribution is handled by a Certificate Authority that gives each user a certificate. Importing the certificate in the email client and signing email messages with it is what proves that the senders are who they say they are. Google’s Hosted S/MIME Google said that instead of supporting the standard client-side S/MIME protocol that allows users to encrypt emails end-to-end (meaning only the sender and receiver can read the emails), it will host all of the users’ certificates and private keys on its own servers. This will allow the company to essentially read (with its computers) all communications that are protected by S/MIME. From this point of view, it’s no different than the way Gmail emails are encrypted today with TLS. Google said that this will make it more convenient for enterprise customers to use S/MIME encryption, although without the benefit of end-to-end encryption. The company said that doing things this way allows it to continue to stop phishing attempts and block spam email. 
The fact that email companies wouldn’t be able to stop spam has long been a criticism of end-to-end encryption. However, WhatsApp seems to have managed quite well by employing techniques that don’t even require them to see people’s messages to block spam. The techniques seem to involve a combination of verifying the identity of the sender and by tracking their behavior. For instance, if one user sends messages to 100,000 people, chances are that user is spamming. WhatsApp’s anti-spam solution is likely a little more advanced than in that example, but the point is stopping spam when end-to-end encryption is used is not as impossible as previously thought. It’s Not All Bad Although Google is essentially downgrading the security of the S/MIME protocol, the move still seems to be an upgrade over the existing, mainly hacked-together email encryption and authentication solutions. The email protocol was never designed to be encrypted, so even today’s best improvements made to it can’t guarantee the security of the message in transit. This is especially true if the recipients use email services that don’t support the same encryption and authentication protocols that Gmail supports. With S/MIME, the messages are encrypted with symmetric encryption as well, so it doesn’t matter what sort of hops it passes until the destination, as the messages will be unreadable to anyone intercepting them. They are also automatically signed by the senders, which will guarantee that the senders are who they say they are. Of course, digital certificates are still vulnerable to certificate authorities going rogue or to being stolen from Google’s servers. The latter is something that may be quite difficult to achieve these days, but likely not impossible. Is Google Giving Up On End-To-End Encryption? 
Back in 2014, and soon after Edward Snowden made public the extent of the NSA’s mass surveillance, Google started working on an end-to-end encryption tool called, appropriately, “End-to-End.” The company seemed furious that the NSA broke into its network and was monitoring every packet going through its unencrypted internal network. From that point forward, it started aggressively adopting encryption everywhere it could add it, whether it was for internal or external communications, or for securing data at rest. One of those measures also involved starting End-to-End. This was a browser extension that would work with multiple email providers (Yahoo joined as well, but it later dropped it around the time it allegedly gave NSA access to its networks), and it would provide PGP end-to-end encryption to users that wanted it. The project doesn’t seem to have been touched for almost a year (at least in its public code repository). After we contacted Google to ask about this a few months ago, the company declined to give a clear answer on whether it’s still working on this specific project. Google did launch Allo with end-to-end encryption provided by the Signal protocol, but it’s not enabled by default like it is for the Signal app itself, or WhatsApp. There is also no easy way to make end-to-end encryption the default, if you’re not interested in using Allo’s AI assistant. “Incognito” chats have to be started manually with each contact. Unlike Signal and WhatsApp, Allo also doesn’t provide safety numbers that guarantee there’s no man-in-the-middle attack. Avoiding Public Email Exposure If companies want to avoid the type of hacks that hit Sony, the Democratic National Committee, and other organizations that exposed everyone’s emails, then end-to-end encryption is still the way to go. This may include the client-sided (non-hosted) S/MIME protocol or PGP, or even using a service such as ProtonMail. 
For other companies that don’t worry as much about Google being hacked (again) and just want an easy to use, well known, and well supported encrypted email service, Gmail’s new hosted S/MIME protocol may still be an acceptable compromise and an upgrade over their existing email encryption hygiene. By Lucian Armasu http://www.tomshardware.com/news/google-hosted-smime-gmail-encryption,33582.html
  18. OAKLAND, Calif.—In September, KrebsOnSecurity—arguably the Internet's most intrepid source of security news—was on the receiving end of some of the biggest distributed denial-of-service attacks ever recorded. The site soon went dark after Akamai said it would no longer provide the site with free protection, and no other DDoS mitigation services came forward to volunteer their services. A Google-operated service called Project Shield ultimately brought KrebsOnSecurity back online and has been protecting the site ever since. At the Enigma security conference on Wednesday, a Google security engineer described some of the behind-the-scenes events that occurred shortly after Krebs asked the service for help, and in the months since, they said yes. While there was never significant hesitancy to bring him in, the engineers did what engineers always do—weighed the risks against the benefits. "What happens if this botnet actually takes down google.com and we lose all of our revenue?" Google Security Reliability Engineer Damian Menscher recalls people asking. "But we considered [that] if the botnet can take us down, we're probably already at risk anyway. There's nothing stopping them from attacking us at any time. So we really had nothing to lose here." It took only about an hour for Menscher's team to arrive at the decision to help Krebs. A much more lengthy process involved actually admitting KrebsOnSecurity into Project Shield, a free service with the mission of protecting news-, journalist-, human rights-, and elections-monitoring sites from DDoS attacks that might otherwise prevent them from publishing. A key requirement for admittance is that the person requesting service proves they have control over the site. Because KrebsOnSecurity was down at that moment, Krebs was unable to satisfy this requirement. 
Making matters worse, the domain-name system settings KrebsOnSecurity used had been locked to thwart the attempted domain hijacking attacks that regularly targeted the site. That prevented Krebs from showing he had control of the site's DNS settings. Once Project Shield ultimately got KrebsOnSecurity back online, it took just 14 minutes for the attacks to resume. The first one came in the form of a flood of 130 million syn packets per second, a volume that's big enough to bring down plenty of sites, but a tiny drop when measured against the resources Google has. About a minute later, the attack shifted to a slightly more powerful flood of about 250,000 HTTP queries per second. It came from about 145,000 different IP addresses, making it clear that Mirai, an open-source botnet app that enslaves cameras and other Internet-of-things devices, was responsible. The attackers followed it with yet more variations, including a 140 gigabit-per-second attack made possible through a technique known as DNS amplification and a 4 million packet per-second syn-ack flood. At the four-hour mark, KrebsOnSecurity experienced one of the bigger attacks seen by Project Shield engineers. It delivered more than 450,000 queries per second from about 175,000 different IP addresses. Like the attacks that preceded it, it posed no immediate threat to KrebsOnSecurity or the Google resources that were protecting it. The attacks were the most powerful in the first two weeks, but as they continued, they incorporated a variety of new techniques. One, dubbed a WordPress pingback attack, abused a feature in the widely used blogging platform that automates the process of two sites linking to each other. It caused a large number of servers to simultaneously fetch KrebsOnSecurity content in an attempt to overwhelm site resources. Google was able to block it, because each querying machine broadcast a user agent that contained the words "WordPress pingback," which Google engineers promptly blocked. 
Another technique dubbed "cache-busting attacks" was also stopped. The DDoS attacks on KrebsOnSecurity remain a regular occurrence even today, and while some have resulted in brief interruptions, so far none have caused sustained outages.

Menscher shared the following lessons with the audience, which was made up largely of security-related engineers, technologists, and researchers:

Defending a small site is really hard. All of my experience at Google for years was defending a very large site. If we had an extra thousand queries going through to one of our services, it wasn't a big deal. But Brian's origin server could maybe handle around 20 queries per second. We saw attacks of up to 450,000 queries per second. How do you deal with that? It's a little bit challenging. One thing you can do is you can rate limit the bad traffic. So you have to identify the bad traffic and try to throttle that down. Another thing that helps a lot is you can serve good traffic from cache. This takes a lot of load off the origin server. It also gives you this benefit of even if the origin server is unhealthy, you still have its content cached so you can continue to serve users and there isn't really a visible outage.

Asked why a sprawling service such as Google is able to defend Krebs for free when officials at Prolexic—an Akamai-owned service with a core competency in DDoS mitigation—reportedly said it was no longer viable to continue its pro-bono arrangement, Menscher said:

There's a lot to be said for economy of scale. In Google's case, we're already serving a lot of properties. By having all of that, it's more cost effective for us to have a terabit of spare capacity. I would expect Prolexic would also want to have a terabit of spare capacity, but then it starts eating into their spare capacity if... there are two dos attacks coming at the same time.
The ultimate takeaway, Menscher said, is that even at a company like Google where it's crucial to have no more than five minutes of downtime in a given year, it's sometimes necessary to take risks. "I was trained as a physicist, and in physics we're always trying to figure out how the world works," he explained. "But you have to ask the right questions. You have to investigate things. You always have to be willing to question your assumptions. DDoS defense is very similar. You can't just look at the attacks you're getting. You have to be more proactive and try to attract more attacks and take some risks." Source
  19. Bad Ad Johnny Is An Ad, Tracker And Malware-Blocker For Chrome

Developed by VPN provider PureVPN, Bad Ad Johnny is a one-stop ad, tracker and malware-blocker for Chrome. The extension aims to block absolutely everything, says the website, in particular those "acceptable ads": "I DO NOT shake hands with publishers under the table and let some ads slide."

Installation is automatic and initially there’s nothing to do: just browse as usual and enjoy your ad-free existence. The Bad Ad Johnny icon updates in real time with the total number of blocked threats on the current page. If a figure seems high or you’re just curious, clicking the icon breaks down the figure by ads, trackers and malware. If this doesn’t completely work, a "Targeted Elements" option enables choosing an area of the current page to block.

A "Disable on this site" button turns the extension off for the current site only, and as you click a voice says "Enable me if you want to live". That’s funny for the first two or three times, annoying after that, but fortunately it can be turned off with a click.

If you need more control, there are plenty of settings available. The "Global List" section is a good place to start, displaying the lists used to identify ads, malware, privacy and social media intrusions. You can disable some of these if they’re causing problems, or turn on others to try and block even more threats.

Bad Ad Johnny is a free extension for Google Chrome.

Source
  20. Google announced yesterday plans to become a self-standing, certified, and independent Root Certificate Authority, meaning the company would be able to issue its own TLS/SSL certificates for securing its web traffic via HTTPS, and not rely on intermediaries, as it does now.

In the past years, Google has used certificates issued by several companies, with the latest suppliers being GlobalSign and GeoTrust. Currently, Google is operating a subordinate Certificate Authority (Google Internet Authority G2 - GIAG2), which manages and deploys certificates to Google's infrastructure.

Google is currently in the process of migrating all services and products from GIAG2 certificates to the new Root Certificate Authority, named Google Trust Services (GTS). According to the search giant, the migration to GTS will take time, and users will see mixed certificates from both GIAG2 and GTS until then.

What this means for regular users is that when they click to view a site's HTTPS security certificate, it will say "Google Trust Services" instead of Google Internet Authority, GeoTrust, GlobalSign, or any other term. This will make it easier to identify authentic Google services.

For Google, GTS means its engineers will have full control over its HTTPS certificates from the time they're issued to the time they're revoked. Situations in which another Certificate Authority issues SSL certificates for Google domains will stand out immediately.

GTS will provide HTTPS certificates for a broad range of services, from public websites to API servers, for all Alphabet companies, not just Google.

More technical information, such as Google's current active root certificates and their SHA1 fingerprints, is available on the Google Trust Services homepage (https://pki.goog/).

Article source
  21. Lineage OS Announces A Bunch Of Newly Supported Devices For Its Preview Builds

Last month, Cyanogen announced that it was shutting down its offices, leaving the future of CyanogenMod in question. However, from the company's digital ashes rose a new project called Lineage OS. The developer team behind the operating system announced that it would support more than 80 devices. However, at launch, it only supported a handful of devices. Now, the company has updated its roster of supported devices, adding a number of older handsets to the list.

Previously, the developer team had only included the LG Nexus 5X, Huawei Nexus 6P, Motorola Moto G4 / G4 Plus, Nextbit Robin and Xiaomi Redmi 1S. The company has now updated its list of supported devices to include:

  • Asus Nexus 7 2013 (4G / Wi-Fi)
  • LG Nexus 5
  • Huawei Honor 5X
  • LG G4 (T-Mobile / International)
  • LG G3 S
  • LG G3 Beat
  • Motorola Moto X Pure (2015)
  • Motorola Moto E
  • Motorola Moto G
  • Motorola Moto G4 Play
  • OnePlus One
  • Oppo Find 7a
  • Oppo Find 7s
  • Samsung Galaxy S III (AT&T / Sprint / T-Mobile / Verizon / International)
  • Samsung Galaxy S II (International)
  • Sony Xperia SP
  • Xiaomi Mi 3w and Mi 4
  • Xiaomi Mi 5
  • Xiaomi Mi Max
  • Xiaomi Redmi 3/Prime
  • Xiaomi Redmi Note 3

As can be seen, the list of devices has increased drastically. That said, the developer team has not announced how many installs its operating system has garnered. Previously, the company had announced that experimental builds of Lineage OS had been downloaded more than 50,000 times. This figure is bound to change with more devices being supported every day.

You can download the latest nightly and experimental builds on supported handsets by heading over to the download page here.

Source
  22. Try These Cool Android Smartphone Hacks And Get The Best Out Of Your Mobile

Here are some of the best Android smartphone hacking Apps

Android is undoubtedly the world’s most popular mobile operating system. With over 1.5 billion users, Android is way ahead of iOS. Similarly, in the Apps space, Android hacking apps are also increasing. Many of these hacking Apps are meant for pros but some can become useful to you also. With such hacking Apps, you can remove unnecessary bloatware utilizing most of the internal storage memory. At other times, such hacking Apps may help you remove irritating ads or allow you to access blocked system Apps.

We bring you such hacking Apps which let you get the best out of your Android smartphone. Remember most of these Apps require a rooted smartphone to try them out.

INCREASE RAM

  • Root your phone.
  • Download ROEHSOFT RAM EXPANDER from Google Play Store.
  • Convert desired amount of SD card space into system swap RAM.
  • This will make apps perform better when you have a lot of storage area in your SD card.

Wi-Fi WPS/WPA TESTER

  • Download WIFI WPS/WPA Tester App from Google Play Store.
  • It lets you analyze your WiFi security and others in the vicinity and attempts to hack their password.
  • It only hacks WPS enabled WiFi networks.

REMOVE UNWANTED SYSTEM APPS OR BLOATWARE

  • Root your android phone and download System app remover (ROOT) from Google Play Store.
  • Remove many unwanted inbuilt Apps which you don’t think are necessary from internal storage of your Android phone.

HACKING HUB

  • Download the app Linux Deploy from Google Play Store.
  • This installs Linux Operating system on your Android phone.
  • Then use Aircrack and other hacking Apps on your phone to hack WiFi and website passwords.

FREE STUFF

  • Root your phone.
  • Download and install BusyBox App from Google Play Store.
  • Install modded Play Store from Lucky Patcher.
  • With Lucky Patcher App you hack in-App purchases and get free stuff or game coins.

ACCESS BLOCKED CONTENT

  • Download CyberGhost App from Google Play Store.
  • Use it to connect to a VPN of a country of your choice.
  • Now you can download apps from Google Play Store which are blocked in your country and also use websites like torrent websites blocked in your country.

BATTERY LIFE

  • Root your phone.
  • Download Greenify App from Google Play Store.
  • Hibernate many user and system apps.
  • Greenify allows you to hibernate apps that won’t use battery and memory in background. So, you can save battery life and RAM.

BUILD PROP EDITING

Most of the Android smartphones out there promise you 8MP images but in fact deliver only 6MP picture quality on 8MP camera. If you are facing a similar issue, you can solve it using this hack. This also requires a rooted smartphone.

  • Download BuildProp Editor App from Google Play Store.
  • Go to -> add entry Ro.ril.max.jpeg.quality and set its value to 100 so it looks like Ro.ril.max.jpeg.quality = 100
  • Once done, your 8MP smartphone camera will deliver you 8MP images.

TUBEMOTE

  • Download Tubemote from Google Play Store.
  • Now you can download any and all online videos, not just from YouTube but any website in your desired resolution and quality at high speeds.
  • You can also download just mp3 or m4a sound files from videos.

ANDROID ID CHANGER

  • Root your phone.
  • Download Android Device ID Changer App from Google Play Store.
  • Change your Android ID, which apps use to identify you, and restart the phone.
  • Your Android smartphone has a new Android ID.

DRIVEDROID

  • Download Drivedroid App from Google Play Store.
  • Once installed, open the App and download LINUX.iso file from the dropdown menu.
  • Burn this image on your phone and use it as CD or USB drive to boot your PC.

KABOOM THE SELF DESTRUCTING APP

  • Download and install Kaboom App from Google Play Store.
  • This App lets you control the photos and messages you post online.
  • You can use this App to make the images and posts disappear at a set time.

FAKE LOCATION

  • Download Fake Location GPS App from Google Play Store.
  • Go to -> Settings.
  • Tap on Build Number 7 times to unlock Developer Options.
  • Enable Mock Locations.
  • Open Fake Location GPS app and set your location to any place in the world you wish.

Source
  23. Android 7.1.1 Nougat Running Surprisingly Well on a 7-Year Old Galaxy S1

Samsung released the Galaxy S in June 2010

YouTuber XTvideos posted a video showing how Android 7.1.1 Nougat performs on the 7-year old Galaxy S smartphone, announced in March 2010 and released a couple of months later in June. The video shows the first boot of Galaxy S1 i9000 running the latest version of Android.

Obviously, this is an unofficial CM version of Nougat; nobody expects Samsung to release an update for devices so old. The smartphone runs a bit slow, it takes some time to load the settings menu, and the phone is running a clean OS, no apps were flashed.

The user installed CyanogenMod 14.1 on the Galaxy S (GT-I9000), and since it’s an unofficial version, the phone is a bit slow in certain areas. The phone also appears to have the December security patch, which was the latest when the video was uploaded.

512MB of RAM and Hummingbird chipset inside

The video shows that 7.1.1 Nougat contains most of the features that you would expect, like a revamped notification area and even quick reply. The phone can open all settings menus and it provides the user with access to developer options, without crashing, freezing or shutting down.

Samsung’s Galaxy S1 (GT-I9000) had a 4-inch AMOLED display with 480 x 800 pixel resolution and Corning Gorilla Glass coating on top. It ran Android 2.1 Eclair out of the box and later received an update to 2.3 Gingerbread. These two versions haven’t been included in Android Distribution reports for quite some time now, meaning that their market share is well below 0.1%.

Moving on, the Galaxy S1 came with 512MB of RAM, 8 or 16GB of internal storage which could be expanded to 32GB with a microSD card and ran a Hummingbird chipset or Exynos 3110 with a 1.0GHz Cortex-A8 processor, coupled with PowerVR SGX540 graphics processing units. Rear camera capacity reached 5MP with autofocus, while the secondary camera was VGA. The phone drew power from a removable 1,500mAh battery.

Source
  24. Where Can You Download LineageOS, CyanogenMod's Replacement?

It's only a matter of weeks since we learned that CyanogenMod was closing down and LineageOS would replace it. At the time, little was known about the launch schedule for the open source, Android-based operating system, but that has all changed. On Friday, the LineageOS team announced that builds will "start rolling out this weekend".

At time of writing the downloads have yet to make an appearance, but there is a download portal ready for you to keep an eye on. The team excitedly says that "it's nearly 'go time' for builds to start flowing", and advertised the availability of the Lineage infrastructure status page. More usefully, there is also a wiki for the OS, as well as a stats page that shows (at time of writing) that even before builds have been officially made available, there have been more than 75,000 installs.

But what about the all-important download page? There is now a LineageOS Downloads portal up and running, but despite the proclamation that downloads would roll out this weekend, the page currently disappointingly reads: "Coming soon".

What's clear, however, is that LineageOS is about to arrive any second, and with this in mind the development team has shared further details about what to expect:

More than this, eager users are provided with more details about how the actual installation process will work:

If you're missing CyanogenMod, now is the time to turn your attention to the LineageOS download page.

Source
Alternate Source: First Official Lineage OS Builds To Roll Out This Weekend
  25. Mozilla: The Internet Is Unhealthy And Urgently Needs Your Help

Mozilla argues that the internet's decentralized design is under threat by a few key players, including Google, Facebook, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce, and search.

Can the internet as we know it survive the many efforts to dominate and control it, asks Firefox maker Mozilla.

Much of the internet is in a perilous state, and we, its citizens, all need to help save it, says Mark Surman, executive director of Firefox maker the Mozilla Foundation.

We may be in awe of the web's rise over the past 30 years, but Surman highlights numerous signs that the internet is dangerously unhealthy, from last year's Mirai botnet attacks, to market concentration, government surveillance and censorship, data breaches, and policies that smother innovation.

"I wonder whether this precious public resource can remain safe, secure and dependable. Can it survive?" Surman asks.

"These questions are even more critical now that we move into an age where the internet starts to wrap around us, quite literally," he adds, pointing to the Internet of Things, autonomous systems, and artificial intelligence.

In this world, we don't use a computer, "we live inside it", he adds.

"How [the internet] works -- and whether it's healthy -- has a direct impact on our happiness, our privacy, our pocketbooks, our economies and democracies."

Surman's call to action coincides with nonprofit Mozilla's first 'prototype' of the Internet Health Report, which looks at healthy and unhealthy trends that are shaping the internet.

Its five key areas include open innovation, digital inclusion, decentralization, privacy and security, and web literacy.

Mozilla will launch the first report after October, once it has incorporated feedback on the prototype.

That there are over 1.1 billion websites today, running on mostly open-source software, is a positive sign for open innovation. However, Mozilla says the internet is "constantly dodging bullets" from bad policy, such as outdated copyright laws, secretly negotiated trade agreements, and restrictive digital-rights management.

Similarly, while mobile has helped put more than three billion people online today, there were 56 internet shutdowns last year, up from 15 shutdowns in 2015, it notes.

Mozilla fears the internet's decentralized design, while flourishing and protected by laws, is under threat by a few key players, including Facebook, Google, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce and search.

"While these companies provide hugely valuable services to billions of people, they are also consolidating control over human communication and wealth at a level never before seen in history," it says.

Mozilla approves of the wider adoption of encryption today on the web and in communications but highlights the emergence of new surveillance laws, such as the UK's so-called Snooper's Charter.

It also cites as a concern the Mirai malware behind last year's DDoS attacks, which abused unsecured webcams and other IoT devices, and is calling for safety standards, rules and accountability measures.

The report also draws attention to the policy focus on web literacy in the context of learning how to code or use a computer, which ignores other literacy skills, such as the ability to spot fake news, and separate ads from search results.

Source
Alternate Source - 1: Mozilla’s First Internet Health Report Tackles Security, Privacy
Alternate Source - 2: Mozilla Wants Infosec Activism To Be The Next Green Movement