The Upload: Your tech news briefing for Thursday, May 14

U.S. House votes to end NSA bulk data collectionThe dragnet collection of U.S. phone records by the National Security Agency exposed by former NSA contractor Edward Snowden nearly two years ago is finally on its way to being a relic of history. The U.S. House of Representatives voted 338 to 88 in favor of a bill that prohibits the practice. However, the USA Freedom Act does extend an expiring provision in the anti-terrorism Patriot Act that allows the NSA to collect U.S. telephone and business records, but with a more limited scope.To read this article in full or to leave a comment, please click here

The Upload: Your tech news briefing for Thursday, May 14

U.S. House votes to end NSA bulk data collectionThe dragnet collection of U.S. phone records by the National Security Agency exposed by former NSA contractor Edward Snowden nearly two years ago is finally on its way to being a relic of history. The U.S. House of Representatives voted 338 to 88 in favor of a bill that prohibits the practice. However, the USA Freedom Act does extend an expiring provision in the anti-terrorism Patriot Act that allows the NSA to collect U.S. telephone and business records, but with a more limited scope.To read this article in full or to leave a comment, please click here

Validating and searching JSON

When it comes to dealing with network automation, you can find yourself battling with many things, including dealing with XML and JSON data structures as you build apps that consume or spit out data.

Recently I’ve been using ‘jq’ to provide my JSON validation (i.e. I’ve not missed a quotation, colon, comma, curly or square bracket) when building data in JSON. Its primary function and purpose is to search through JSON data to find something in the data set, or reduce the data set to an area of focus, thus also validating your application is generating what it should be generating! A ‘lightweight and flexible command line JSON processor’ if you take the website description which is here: http://stedolan.githib.io/jq/

So how do you use this jq?

Here’s a simple JSON example with an ‘error’.

{
	"name":"App1",
	"OS":["Linux", "Windows", "Solaris", "OSX"],
	"Author":"David Gee",
	"Email":"[email protected]",
	"Twitter":"@davidjohngee"
	"Version":"alpha-v0.1",
	"IP_Address":"192.0.2.1:5000"
}

Using ‘jq’ I can not only validate the structure, but in the case of a script, I can also parse out the key/value I need. But first, let’s see where our error is.

$ jq '.' tst.json 
parse error: Expected separator between  Continue reading

Japan’s Alsok to launch warning system for unwelcome drones

Burglar alarms could soon incorporate drone-detection technology if a new service from a Japanese security company is anything to judge by.Tokyo-based Sohgo Security Services, also known as Alsok, plans to introduce a system that can detect incoming drones by listening for the signature hum of their rotors.The service could be aimed at government entities, corporations and key facilities such as nuclear power plants as a terrorism countermeasure. Other potential users are people or groups in the public eye who want to ward off the prying eyes of unmanned aerial vehicles.Alsok’s move follows an incident last month when a quadcopter with trace amounts of radiation was found on the roof of the Japanese prime minister’s office, apparently a protest of the government’s nuclear energy policy.To read this article in full or to leave a comment, please click here

Alibaba won’t last without expanding globally, new CEO says

After taking over the reins, Alibaba Group’s new CEO has made global expansion a top priority for the Chinese e-commerce giant.Alibaba will heavily invest in “new and existing overseas operations,” said Daniel Zhang in a speech on Wednesday to employees, an excerpt of which was posted on the group’s website.Zhang, 43, was the company’s chief operating officer until he replaced CEO Jonathan Lu last week, as the group said it was looking to tap new younger talent.To read this article in full or to leave a comment, please click here

Alibaba won’t last without expanding globally, new CEO says

After taking over the reins, Alibaba Group’s new CEO has made global expansion a top priority for the Chinese e-commerce giant.Alibaba will heavily invest in “new and existing overseas operations,” said Daniel Zhang in a speech on Wednesday to employees, an excerpt of which was posted on the group’s website.Zhang, 43, was the company’s chief operating officer until he replaced CEO Jonathan Lu last week, as the group said it was looking to tap new younger talent.To read this article in full or to leave a comment, please click here

Google tightens restrictions on Chrome extensions

Google will require most extensions for its Chrome browser to be installed from its Web Store, a move intended to stop users from inadvertently installing malicious ones.Google has gradually been changing its policy around extensions to prevent abuse. Last year, it mandated that all Chrome extensions for Windows be hosted in its store, wrote Jake Leichtling, an extensions platform product manager.The change caused a 75 percent drop in requests from customers asking how to uninstall unwanted extensions, he wrote. It did not apply to the Windows developer channel, but hackers are now using that in order to install extensions, he wrote. Starting Wednesday, all extensions for Windows will have to be hosted in the store, and the same will apply to OS X in July.To read this article in full or to leave a comment, please click here

A feisty John Chambers bows out on his final Cisco earnings call

John Chambers got a little feisty and a little sentimental in his last earnings call as Cisco’s CEO on Wednesday, dismissing a criticism of the company as “garbage” and saying he hopes to be working half time by the fall because “the hunting season’s coming up.”“It’s been fun, it’s been challenging, and I’m very humbled by having this chance for 20 years,” he said.Cisco said last week that Chambers will be replaced as CEO in July by Chuck Robbins. He’ll stay on as executive chairman of the board.“Let me first say very crisply: Chuck is the CEO. Period. He’ll make the decisions,” Chambers said. He’ll be an advisor to Robbins and be involved “where he wants me to be.”To read this article in full or to leave a comment, please click here

CloudFlare Supports the Passage of the USA Freedom Act

alt

Earlier today, the lower house in the U.S. Congress (the House of Representatives) passed the USA FREEDOM Act. The Act, if passed by the Senate and signed by the President, would seek to sunset the National Security Agency’s bulk collection and mass surveillance programs, which may or may not be authorized by Section 215 of the PATRIOT Act. Under this authority the U.S. government has established its broad surveillance programs to indiscriminately collect information. Other governments have followed this lead to create additional surveillance capabilities—most recently, the French Parliament has moved a bill that would allow broad surveillance powers with little judicial oversight.

Restricting routine bulk collection is important: it’s not the government’s job to collect everything that passes over the Internet. The new version of the USA FREEDOM Act keeps useful authorities but ends bulk collection of private data under the PATRIOT Act. It also increases the transparency of the secret FISA court, which reviews surveillance programs—a key start to understanding and fixing broken policies around surveillance. The Act would also allow companies to be more transparent in their reporting related to FISA orders.

To be clear, we continue to be supportive of law enforcement and work Continue reading

House votes to narrow NSA’s phone records collection

The U.S. House of Representatives has voted to rein in the National Security Agency’s bulk collection of the country’s telephone records, while allowing the agency to engage in more targeted surveillance.The House voted 338-88 late Wednesday to approve the USA Freedom Act, a bill intended to end the NSA’s mass collection of telephone metadata within the U.S. But the bill would extend an expiring provision in the anti-terrorism Patriot Act that allows the NSA to collect U.S. telephone and business records, but with a more limited scope.To read this article in full or to leave a comment, please click here

House votes to narrow NSA’s phone records collection

The U.S. House of Representatives has voted to rein in the National Security Agency’s bulk collection of the country’s telephone records, while allowing the agency to engage in more targeted surveillance.The House voted 338-88 late Wednesday to approve the USA Freedom Act, a bill intended to end the NSA’s mass collection of telephone metadata within the U.S. But the bill would extend an expiring provision in the anti-terrorism Patriot Act that allows the NSA to collect U.S. telephone and business records, but with a more limited scope.To read this article in full or to leave a comment, please click here

NSA: ad hominem is stil a fallacy

An ad hominem attack is where, instead of refuting a person's arguments, you attack their character. It's a fallacy that enlightened people avoid. I point this out because of a The Intercept piece about how some of NSA's defenders have financial ties to the NSA. This is a fallacy.


The first rule of NSA club is don't talk about NSA club. The intelligence community frequently publishes rules to this effect to all their employees, contractors, and anybody else under their thumb. They don't want their people talking about the NSA, even in defense. Their preferred defense is lobbying politicians privately in back rooms. They hate having things out in the public. Or, when they do want something public, they want to control the messaging (they are control freaks). They don't want their supporters muddying the waters with conflicting messaging, even if it is all positive. What they fear most is bad supporters, the type that does more harm than good. Inevitably, some defender of the NSA is going to say "ragheads must die", and that'll be the one thing attackers will cherry pick to smear the NSA's reputation.

Thus, you can tell how close somebody is to the NSA by Continue reading

HP’s PC group cranks up design, gaming efforts ahead of spin-off

HP’s PC group doesn’t want to be a “screwdriver” PC maker making look-alike laptops and desktops, and it is focusing heavily on design and new innovations as it prepares for a spin-off into a separate company.The company is focusing on cutting the plastic and adding metal and new colors to the chassis of its laptops and desktops. HP also is expanding its hardware options for consumers, businesses and gamers, and focusing on a future when virtual reality will be an important part of the computing experience.PC makers need to update the devices because customers are paying more attention to how devices look and function, said Mike Nash, vice president for consumer PC and solutions at HP’s Printing and Personal Systems Group.To read this article in full or to leave a comment, please click here

How China’s smartphone market is evolving

The Chinese mobile market has long been described as the ultimate prize for smartphone handset makers and app developers. China has the most people, income is rising, and the population has an insatiable appetite for mobile technology.That's all true, except when the facts don't quite support the narrative.For example, the conventional wisdom holds that most Chinese mobile consumers are interested in inexpensive phones from upstart manufacturers like Xiaomi, Huawei, and ZTE. And that's true, up to a point. According to IDC's latest Mobile Phone Tracker, many of those brands are trying to move up into the mid- and high-end segments.To read this article in full or to leave a comment, please click here

Some brief technical notes on Venom

Like you, I was displeased by the lack of details on the "Venom" vulnerability, so I thought I'd write up what little I found.

The patch to the source code is here. Since the note references CVE-2015-3456, we know it's venom:
http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c

Looking up those terms, I find writeups, such as this one from RedHat:
https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/

It comes down to a typical heap/stack buffer overflow (depending), where the attacker can write large amounts of data past the end of a buffer. Since this is the kernel, there are no protections like NX or ASLR. To exploit this, you'd likely need some knowledge of the host operating system.

The details look straightforward, which means a PoC should arrive by tomorrow.

This is a hypervisor privilege escalation bug. To exploit this, you'd sign up with one of the zillions of VPS providers and get a Linux instance. You'd then, likely, replace the floppy driver in the Linux kernel with a custom driver that exploits this bug. You have root access to your own kernel, of course, which you are going to escalate to root access of the hypervisor.

People suggest adding an exploit to toolkits like Continue reading
1 3,412 3,413 3,414 3,415 3,416 3,763