Uber dares hackers to find flaws, offers up to $10K bounty

On-demand car service Uber is offering from $3,000 to $10,000 to hackers who can find flaws in its computer and communications systems. HackerOne, a company that connects white-hat hackers with companies that want to use them to test the security of their systems, is running Uber's "bounty program." The amount of the reward is based on the severity of the flaw discovered by the hackers, i.e., security researchers. HackerOne has established three categories of rewards: $10,000 for a "critical flaw," $5,000 for a "significant flaw" and $3,000 for "medium issues." "Chaining of bugs is not frowned upon in any way, we love to see clever exploit chains!" Uber stated in its online challenge. "If you get access to an Uber server, please report it to us and we will reward you with an appropriate bounty taking into full consideration the severity of what could be done. Chaining a CSRF vulnerability with a self-XSS? Nice! Using AWS access key to dump user info? Not cool."

Microsoft adds macros lockdown feature in Office 2016 in response to increasing attacks

Enterprise system administrators can now block attackers from using a favorite malware infection method: Microsoft Office documents with malicious macros. Microsoft this week added a new option in Office 2016 that allows administrators to block macros -- embedded automation scripts -- from running in Word, Excel and PowerPoint documents that originate from the Internet. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), and they can be used for malicious activities like installing malware. Macro viruses were popular more than a decade ago but became almost extinct after Microsoft disabled macros by default in its Office programs.
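The Office 2016 control only fires for documents Office can tell came from the Internet, and only where the new Office build is deployed. A complementary check that a mail gateway or file-drop scanner can run, regardless of Office version, is to flag macro-bearing attachments before they reach a user. The Python below is an added example, not Microsoft's code or part of the article: it classifies an attachment as a macro-enabled OOXML file, a macro-free OOXML file, a legacy OLE2 binary (which needs a separate VBA stream parser) or not an Office file at all. The sample documents it builds are constructed in-memory fixtures, not real Office output; the `vbaProject.bin` payload is placeholder bytes.

```python
import io
import zipfile

# Magic numbers and part names are taken from the OOXML and OLE2 formats.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # .doc/.xls/.ppt compound file
ZIP_MAGIC = b"PK\x03\x04"                                  # .docx/.docm/.xlsm/.pptm are zips
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams, so a zip-based
        # check cannot see them. Route to an OLE/VBA parser (olevba-style).
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"          # a zip, but not an OOXML package
            content_types = zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "not-office"
    # Check both the conventional part names and the authoritative content-type
    # map: an attacker can rename the part, but Office locates VBA via the map.
    has_vba = any(part in names for part in VBA_PARTS) or VBA_CONTENT_TYPE in content_types
    return "ooxml-macro" if has_vba else "ooxml-clean"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal Word package used as test input (not a real Office file)."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro docm", build_sample_docx(True)),
                        ("plain docx", build_sample_docx(False)),
                        ("legacy doc", OLE2_MAGIC + b"\x00" * 64),
                        ("text file", b"hello")):
        print(f"{label:11s} -> {classify_office_attachment(blob)}")
```

The gateway verdict is independent of the Mark-of-the-Web that the Office policy relies on, so it also covers files that arrive by paths that do not set the zone identifier (archives, removable media, some transfer tools). Treat `ole2-legacy` as "unknown, needs deeper parsing" rather than clean.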

TLS Certificate Optimization: The Technical Details behind “No Browser Left Behind”

Overview

Back in early December we announced our "no browser left behind" initiative to the world. Since then, we have served well over 500 billion SHA-1 certificates to visitors that otherwise would not have been able to communicate securely with our customers’ sites using HTTPS. All the while, we’ve continued to present newer SHA-2 certificates to modern browsers using the latest in elliptic curve cryptography, demonstrating that one does not have to sacrifice security to accommodate all the world’s Internet users. (If you weren’t able to acquire a SHA-1 certificate before CAs ceased issuing them on 2015/12/31, you can still sign up for a paid plan and we will immediately generate one to serve to your legacy visitors.)

Shortly after we announced these new benefits for our paid Universal SSL customers, we started hearing from other technology leaders who were implementing (or already had implemented) similar functionality. At first glance, the logic to identify incoming connections that only support SHA-1 seems straightforward, but as we spoke with our friends at Facebook, Twitter, and Mozilla, I realized that everyone was taking a slightly different approach. Complicating the matter even further was the fact that at CloudFlare we not only
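The decision the passage calls "straightforward at first glance" has to be made from the ClientHello alone, before any certificate is sent. The Python below is an added example, not CloudFlare's code or the logic of any of the companies named above: it builds constructed ClientHello records (no captured traffic), parses the `client_version` and the `signature_algorithms` extension (RFC 5246, extension type 13), and applies one plausible rule, stated here as an assumption: a client is treated as SHA-1-only if it advertises no SHA-2 hash and offers a protocol version below TLS 1.2. The `pick_certificate` mapping to two certificate slots is illustrative.

```python
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
EXT_SIGNATURE_ALGORITHMS = 13
# RFC 5246 HashAlgorithm ids: 1 md5, 2 sha1, 3 sha224, 4 sha256, 5 sha384, 6 sha512.
SHA2_HASH_IDS = {4, 5, 6}


def build_client_hello(version, sig_algs=None, cipher_suites=(0x002F,)):
    """Constructed ClientHello record for testing; sig_algs is a list of (hash, sig) pairs."""
    body = struct.pack(">H", version) + bytes(32)            # client_version + random
    body += b"\x00"                                          # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                      # compression_methods: null only
    if sig_algs is not None:
        pairs = b"".join(struct.pack(">BB", h, s) for h, s in sig_algs)
        ext = struct.pack(">HH", EXT_SIGNATURE_ALGORITHMS, len(pairs) + 2)
        ext += struct.pack(">H", len(pairs)) + pairs
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack(">HH", TLS10, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, sig_algs) where sig_algs is None if the extension is absent."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 34                                                 # past version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    sig_algs = None
    if pos < len(body):                                      # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == EXT_SIGNATURE_ALGORITHMS:
                n = struct.unpack(">H", data[0:2])[0]
                sig_algs = [(data[i], data[i + 1]) for i in range(2, 2 + n, 2)]
            pos += 4 + elen
    return version, sig_algs


def sha1_only(record):
    """Assumed rule: SHA-2 if any SHA-2 hash is advertised, else if TLS 1.2+ is offered."""
    version, sig_algs = parse_client_hello(record)
    if sig_algs is not None:
        # Values 0x08xx are TLS 1.3 SignatureSchemes (RSA-PSS, EdDSA); treat as modern.
        return not any(h in SHA2_HASH_IDS or h >= 8 for h, _ in sig_algs)
    return version < TLS12


def pick_certificate(record):
    """Map the decision onto two hypothetical certificate slots."""
    return "sha1" if sha1_only(record) else "sha256"


if __name__ == "__main__":
    print(pick_certificate(build_client_hello(TLS10)))                    # legacy client
    print(pick_certificate(build_client_hello(TLS12, [(4, 1), (4, 3)])))  # modern client
```

The caveat that makes everyone's approach differ: the version heuristic misclassifies clients that speak only TLS 1.0 but can validate SHA-2 certificates (Windows XP SP3 is the usual example), serving them a SHA-1 certificate they did not need. Refining that rule, for instance with cipher-suite or User-Agent signals, is where the implementations diverge.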

What does Etsy’s architecture look like today?

This is a guest post by Christophe Limpalair based on an interview (video) he did with Jon Cowie, Staff Operations Engineer and Breaksmith @ Etsy.

Etsy has been a fascinating platform to watch, and study, as they transitioned from a new platform to a stable and well-established e-commerce engine. That shift required a lot of cultural change, but the end result is striking.

In case you haven't seen it already, there's a post from 2012 that outlines their growth and shift. But what has happened since then? Are they still innovating? How are engineering decisions made, and how does this shape their engineering culture? These are questions we explored with Jon Cowie, a Staff Operations Engineer at Etsy, and the author of Customizing Chef, in a new podcast episode.

What does Etsy's architecture look like nowadays?

Stop renting: 30% off Arris SURFboard Cable Modem – Deal Alert

If your ISP or cable provider supplied you with a cable modem, you're probably renting it from them and paying fees of up to $10 per month. In most cases there's nothing preventing you from just buying your own. With this 30% off deal, you may run the numbers and decide that today's the day you exercise this freedom. The SURFboard SB6141 cable modem from Arris currently receives 4.5 out of 5 stars (9,000 reviews on Amazon). List price is $99.99, but with 30% off you can buy it now for just $69.99. At this price, it may pay for itself in just months. SURFboard supports IPv6, the latest internet standard. DOCSIS 3.0 technology provides eight downstream channels and four upstream channels. Data rates clock in at 343 Mbps download and 131 Mbps upload, depending on your cable internet provider. So there's plenty of speed for streaming HD video, gaming, video-conferencing, shopping, etc.

Stop renting: 31% off Arris SURFboard Cable Modem – Deal Alert

If your ISP or cable provider supplied you with a cable modem, you're probably renting it from them and paying fees of up to $10 per month. In most cases there's nothing preventing you from just buying your own. With this 31% off deal, you may run the numbers and decide that today's the day you exercise this freedom. The SURFboard SB6141 cable modem from Arris currently receives 4.5 out of 5 stars (9,000 reviews on Amazon). List price is $99.99, but with 31% off you can buy it now for just $69.18. At this price, it may pay for itself in just months. SURFboard supports IPv6, the latest internet standard. DOCSIS 3.0 technology provides eight downstream channels and four upstream channels. Data rates clock in at 343 Mbps download and 131 Mbps upload, depending on your cable internet provider. So there's plenty of speed for streaming HD video, gaming, video-conferencing, shopping, etc.

Testing Ansible Roles with Docker

Background

When you first start using Ansible, you go from writing bash scripts that you upload and run on machines to running desired end state playbooks. You go from a write-once read-never set of scripts to an easily readable and updatable yaml. Life is good.

Fast forward to when you become an Ansible power user. You’re now:

  • Writing playbooks that run on multiple distros

  • Breaking down your complex Ansible project into multiple bite-sized roles

  • Using variables like a boss: host vars, group vars, include variable files

  • Tagging every possible task and role so you can jump to any execution point and control the execution flow

  • Sharing your playbooks with colleagues and they’ve started contributing back

As you gain familiarity with Ansible, you inevitably end up doing more and more stuff, which in turn makes the playbooks and roles that you’re creating and maintaining longer and a bit more complex. The side effect is that you may feel that development begins to move a bit slower as you manually take the time to verify variable permutations. When you find yourself in this situation, it’s time to start testing. Here’s how to get started by using Docker and Ansible to automatically test

Three more hospitals hit with ransomware attacks

Wham, bam, bam – three more hospitals have been hit with ransomware.

Kentucky hospital hit with ransomware

David Park, COO of Methodist Hospital in Henderson, Kentucky, told WFIE 14 News that after attackers copied patients’ files, locked those copies and deleted the originals, the hospital notified the FBI. The attack happened on Friday after the ransomware made it past the hospital’s email filter; by Monday, Methodist officials said their system was “up and running.”

Wireless As We Know It Is Dead

Congratulations! We have managed to slay the beast that is wireless. We’ve driven a stake through its heart and prevented it from destroying civilization. We’ve taken a nascent technology with potential and turned it into the same faceless corporate technology as the Ethernet that it replaced. Alarmist? Not hardly. Let’s take a look at how 802.11 managed to come to an inglorious end.

Maturing Or Growing Up

Wireless used to be the wild frontier of networking. Sure, those access points bridged to the traditional network and produced packets and frames like all the other equipment. But wireless was unregulated. It didn’t conform to the plans of the networking team. People could go buy a wireless access point and put it under their desk to make that shiny new laptop with 802.11b work without needing to be plugged in.

Wireless used to be about getting connectivity. It used to be about squirreling away secret gear in the hopes of getting a leg up on the poor schmuck in the next cube that had to stay chained to his six feet of network connectivity under the desk. That was before the professionals came in. They changed wireless. They put a

Bridge vs Macvlan

Bridge

A bridge is a Layer 2 device that connects two Layer 2 (i.e. Ethernet) segments together. Frames between the two segments are forwarded based on the Layer 2 addresses (i.e. MAC addresses). Although the two words are still often used in different contexts, a bridge is effectively a switch and all the confusion started 20+ years ago for marketing purposes.

Switching was just a fancy name for bridging, and that was a 1980s technology – or so the thinking went.

A bridge makes forwarding decisions based on its MAC address table. It populates that table by learning: for every frame it receives, it records the source MAC address from the frame header against the port the frame arrived on. A frame whose destination MAC has been learned is sent out only the matching port; a frame whose destination is unknown, broadcast or multicast is flooded out every port except the one it came in on.

A bridge can be a physical device or implemented entirely in software. The Linux kernel has been able to bridge since 1999. By creating a bridge, you can connect multiple physical or virtual interfaces into a single Layer 2 segment. A bridge that connects two physical interfaces on a Linux host effectively turns this host into a physical switch.
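To make the learn-and-forward behaviour concrete, here is a small software learning bridge in Python. It is an added example, not the Linux bridge implementation or code from the original post. It models the forwarding database as a bounded table (a simplification of a hardware CAM; the Linux bridge ages entries by time rather than evicting the oldest), and its `demo_mac_flooding` function shows the security consequence of that bound: once an attacker fills the table with bogus source addresses, traffic for legitimate hosts falls back to flooding and can be sniffed on any port. MAC addresses and port numbers are constructed for the demo.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningBridge:
    """Layer 2 learning bridge: source MAC -> ingress port, forward by destination MAC."""

    def __init__(self, ports, table_size=1024):
        self.ports = list(ports)
        self.table_size = table_size
        self.fdb = OrderedDict()          # forwarding database; insertion order == age

    def learn(self, src_mac, in_port):
        if src_mac in self.fdb:
            self.fdb.move_to_end(src_mac)  # refresh age
            self.fdb[src_mac] = in_port    # handles a host moving between ports
            return
        if len(self.fdb) >= self.table_size:
            self.fdb.popitem(last=False)   # table full: evict the oldest entry
        self.fdb[src_mac] = in_port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for a frame arriving on in_port."""
        self.learn(src_mac, in_port)
        out = self.fdb.get(dst_mac)
        if is_group_address(dst_mac) or out is None:
            return [p for p in self.ports if p != in_port]   # flood
        if out == in_port:
            return []                      # destination is on the ingress segment: filter
        return [out]


def demo_mac_flooding():
    """Return (egress before attack, egress after attack) for alice -> bob traffic."""
    br = LearningBridge(ports=[1, 2, 3], table_size=4)     # tiny table to show the effect
    alice, bob = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    br.forward(1, alice, BROADCAST)        # alice's ARP request: flooded, alice learned on 1
    br.forward(2, bob, alice)              # bob's reply: delivered to port 1 only
    before = br.forward(1, alice, bob)     # unicast to bob goes out port 2 only
    for i in range(4):                     # attacker on port 3 sprays bogus source MACs
        br.forward(3, f"02:00:00:00:00:{i:02x}", alice)
    after = br.forward(1, alice, bob)      # bob's entry was evicted: frame is flooded
    return before, after


if __name__ == "__main__":
    before, after = demo_mac_flooding()
    print("alice -> bob before flooding attack:", before)   # [2]
    print("alice -> bob after flooding attack: ", after)    # [2, 3]
```

The mitigation on real switches is port security or a per-port learned-MAC limit, so a single port cannot evict everyone else's entries; on a Linux bridge the equivalent is limiting learning on untrusted ports.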

Linux Bridge

Switches have since become specialized physical devices, and software bridging almost lost its place. However, with the advent of virtualization, virtual machines running on physical hosts required Layer 2 connection to the physical network

Prepare to patch a critical flaw in Windows and Samba file sharing in 3 weeks

Systems administrators should get ready to fix a critical vulnerability on April 12 that affects the Windows and Samba implementations of the Server Message Block (SMB) protocol. The vulnerability was discovered by Stefan Metzmacher, a core developer of the Samba software, which is a popular open-source implementation of the SMB/CIFS (Server Message Block/Common Internet File System) networking protocol. SMB/CIFS is implemented by default in Windows, where it's used for network file and printer sharing. Linux and other Unix-like systems can interoperate and share resources with Windows systems over the same protocol using the Samba software.

Should your board of directors include a cybersecurity expert?

Should companies have a cybersecurity expert on their board of directors? The federal government seems to think so, and increasingly so do security and risk professionals, although companies would prefer to make that decision without government involvement, according to a sampling of industry pros. A disclosure bill introduced in the U.S. Senate in December would ask companies to disclose whether they have a “cyber security expert” or equivalent measure on their board of directors. While no action is required if no expert currently has a seat on the board, the company would need to provide an explanation of how it is approaching cybersecurity.

Should you worry that your car will be hacked?

The federal government's warning last week about cybersecurity vulnerabilities in vehicles is a well-intentioned public service announcement that has little value for consumers. The warning noted the highly publicized wireless vehicle hack of a Chrysler Jeep Cherokee last July, where two security experts demonstrated they could control critical functions of the vehicle. The revelation led to Chrysler recalling 1.4 million vehicles to update software.