Copyright case over “Happy Birthday” is done, trial canceled

With less than a week to go before a trial, a class-action lawsuit over the copyright status of “Happy Birthday” has been resolved. Details of the settlement, including what kind of uses will be allowed going forward, are not clear.

A short order (PDF) filed yesterday by US Chief District Court Judge George King says that all parties have agreed to a settlement, and it vacates a trial which was scheduled to start on December 15.

The key turning point came in September, when King ruled that Warner/Chappell’s copyright transfer was invalid because there was no proof it was ever properly transferred from the Hill sisters, who claimed to have written the song. The trial would have addressed damages issues.

Also looming was a late copyright claim by the Association for Childhood Education International (ACEI), a children’s charity affiliated with the Hill sisters. ACEI came forward in November to say that if Warner/Chappell didn’t own the song, it did. The settlement revealed yesterday resolves all claims by the plaintiffs, Warner/Chappell, and ACEI.

Getting a Linux box corralled into a DDoS botnet is easier than many think

Getting a Linux server hacked and made part of a botnet is easier than some people may think. As two unrelated blog posts published in the past week demonstrate, running a vulnerable piece of software is often all that’s required.

Witness, for example, a critical vulnerability disclosed earlier this year in Elasticsearch, an open source server application for searching large amounts of data. In February, the company that maintains it warned it contained a vulnerability that allowed hackers to execute commands on the server running it. Within a month, a hacking forum catering to Chinese speakers provided all the source code and tutorials needed for people with only moderate technical skills to fully identify and exploit susceptible servers.

A post published Tuesday by security firm Recorded Future deconstructs that hacker forum tutorial from last March. It showed how to scan search services such as Shodan and ZoomEye to find vulnerable machines. It included an attack script written in Python that was used to exploit one of them and a separate Perl script used to make the newly compromised machine part of a botnet of other zombie servers. It also included screenshots showing the script being used against the server. The tutorial underscores the growing ease of hacking production servers and the risk of being complacent about patching.

“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence

Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer’s boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads.

The so-called bootkit has been in operation since early this year and is part of “Nemesis,” a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional security approaches. Because the infection lives in such a low-level portion of a hard drive, it can also survive when the operating system is completely reinstalled.

“The use of malware that persists outside of the operating system requires a different approach to detection and eradication,” researchers from security firm FireEye’s Mandiant Consulting wrote in a blog post published Monday. “Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system. As a result, incident responders will need tools that can access and search raw disks at scale for evidence of bootkits.”

DirecTV will broadcast live 4K content by “early next year”

Even if 4K TVs were popular Black Friday and Cyber Monday steals, there continues to be a lack of 4K content to watch on them. DirecTV wants to provide a solution: the company’s SVP of Video and Space Communications Phil Goswitz confirmed at New York’s TranSPORT conference that DirecTV will launch a live 4K broadcasting service sometime in “early 2016.”

At the conference, Goswitz explained that the company currently has the ability to transmit up to 50 new UHD channels, and live sports transmissions are already being tested as part of next year’s rollout. DirecTV already has the hardware in place, and according to Goswitz, the company wants to get ahead of cable companies and provide viewers with 4K content they can’t get from their cable companies.

“I think the belief that there are technology challenges is a bit of a misinformed myth,” he said. “I think technology throughout the entire ecosystem is ready. But I think content is king; the plane is ready to take off and there is no king on board.”

Goswitz went on to say that DirecTV is “moving into working with partners” to create more 4K content. Currently Netflix and YouTube have some 4K video ready to stream, but most companies continue to focus on hardware. Roku and TiVo recently came out with updated set-top boxes ready for 4K streaming, but they still have to work with the finite amount of 4K content available.

Thunderbird “a tax” on Firefox development, and Mozilla wants to drop it

[Image: Mozilla would like to drop Thunderbird from its list of projects. (credit: Andrew Cunningham)]

You might know Mozilla primarily for its Firefox browser, but for many years the company has also developed an e-mail client called Thunderbird. The two projects use the same rendering engine and other underlying technology, but Mozilla Executive Chairwoman Mitchell Baker has announced that Mozilla would like to stop supporting Thunderbird, calling its continuing maintenance “a tax” on the more important work of developing Firefox.

“Many inside of Mozilla, including an overwhelming majority of our leadership, feel the need to be laser-focused on activities like Firefox that can have an industry-wide impact,” Baker writes. “With all due respect to Thunderbird and the Thunderbird community, we have been clear for years that we do not view Thunderbird as having this sort of potential.”

Mozilla doesn’t plan to drop Thunderbird immediately, however—the current maintenance schedule will continue and Thunderbird users can continue to use the product. But the end goal for Mozilla, according to Baker, is to find “the right kind of legal and financial home” for the Thunderbird project, and “[separate] itself from reliance on Mozilla development systems and in some cases, Mozilla technology.” In other words, the company would like to give Thunderbird to people who will take care of it, freeing the Firefox team from having to worry about it.

Apple’s A9X has a 12-core GPU and is made by TSMC

[Image: A die shot of the A9X. The ratio of GPU to CPU is becoming pretty insane. (credit: Chipworks via AnandTech)]

Apple makes interesting chips for its mobile devices, but it doesn’t talk about them much aside from extremely high-level relative performance comparisons. That means it’s up to experts like the ones at Chipworks to open them up and figure it out, and they’ve partnered up with AnandTech to dig into the A9X in the iPad Pro.

The most significant news is about the GPU, which is a 12-core Imagination Technologies PowerVR Series 7XT design. The company doesn’t generally offer a 12-core design, as shown in the chart below, but the architecture is designed to be easily scalable and it wouldn’t be the first time Apple had gotten something from a supplier that other companies couldn’t get. The standard A9 in the iPhone 6S and 6S Plus uses a 6-core version of the same GPU. Apple feeds that GPU with a 128-bit memory bus, something that it’s also included in other iPads to boost memory bandwidth and GPU performance.

[Image: The Series 7XT lineup. The iPad Pro’s GPU falls somewhere in between the stock 8-cluster and 16-cluster designs. (credit: Imagination Technologies)]

Imagination’s chart for the Series 7XT GPU puts a hypothetical 12-core design in the same general performance neighborhood as an Nvidia GeForce GT 730M, a low-end discrete GPU that’s a bit slower than the stuff Apple is shipping in its high-end MacBook Pros. Our own graphics benchmarks place it a bit higher than that, but as some of you have pointed out, iOS may have a small advantage in some of these tests because of differences between the mobile OpenGL ES API in iOS and the standard OpenGL API used in OS X.

The National Security Letter spy tool has been uncloaked, and it’s bad

[Image: It took 11 years to finally unveil what the FBI demands in a National Security Letter. How it evolved over the years is shown above. (credit: ACLU)]

The National Security Letter (NSL) is a potent surveillance tool that allows the government to acquire a wide swath of private information—all without a warrant. Federal investigators issue tens of thousands of them each year to banks, ISPs, car dealers, insurance companies, doctors, and you name it. The letters don’t need a judge’s signature and come with a gag to the recipient, forbidding the disclosure of the NSL to the public or the target.

For the first time, as part of a First Amendment lawsuit, a federal judge ordered the release of what the FBI was seeking from a small ISP as part of an NSL. Among other things, the FBI was demanding a target’s complete Web browsing history, IP addresses of everyone a person has corresponded with, and records of all online purchases, according to a court document unveiled Monday. All that’s required is an agent’s signature denoting that the information is relevant to an investigation.

“The FBI has interpreted its NSL authority to encompass the websites we read, the Web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs,” said Nicholas Merrill, who was president of Calyx Internet Access in New York when he received the NSL targeting one of his customers in 2004.

Hey Reader’s Digest: Your site has been attacking visitors for days

An active hacking campaign is forcing Reader’s Digest and many other websites to host malicious code that can surreptitiously infect visitors with malware and linger for days or weeks before being cleaned up.

Reader’s Digest has been infected since last week with code originating with Angler, an off-the-shelf hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack scripts, researchers from antivirus provider Malwarebytes told Ars. People who visit the site with outdated versions of Adobe Flash, Internet Explorer, and other browsing software are silently infected with malware that gains control over their computers. Malwarebytes researchers said they sent Reader’s Digest operators e-mails and social media alerts last week warning the site was infected but never got a response. The researchers estimate that thousands of other sites have been similarly attacked in recent weeks and that the number continues to grow.

“This campaign is still ongoing and we see dozens of new websites every day being leveraged to distribute malware via the Angler exploit kit,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in an e-mail. “This attack may have been going on for some time but we noticed a dramatic increase in infections via WordPress sites in the past couple of weeks.”

Tesla Model X production starts in earnest, pricing revealed

Several months ago we found out pricing for the fully loaded “Signature” edition Tesla Model X electric SUV. Now, we’ve got a better idea of what the cheapest Model X will set you back: $80,000 before any options and tax rebates or incentives. That’s for the 70D, which has all-wheel drive (a motor for each axle) and a 70kWh battery (pricing for the 90D and P90D hasn’t been announced). That’s $5000 more than the equivalent Model S sedan, which hits 60mph a little quicker and has a slightly longer range than the SUV but not the same funky rear doors.

The distinctive Falcon wing doors are Tesla’s approach to making an SUV with all the utility of a minivan; that was how Elon Musk described the design brief back in September. By opening up and out, they’re supposed to give better access to the rear seats while taking up less space than a traditional door. There are three different interior layouts. The base 70D is a five seater, but there’s also a six seat version (three rows of two) for an extra $3000 and seven seats are yours for $4500.

Tesla released the pricing information for the 70D Model X at the same time it told customers with preorders that they can begin configuring their vehicles. Screenshots of the online configurator provided by Tesla to Ars state that Model X deliveries will begin in early 2016, starting with range-topping P90D orders. “Lesser” 90D Model Xs follow by mid-year, with 70D deliveries before 2017.

TrueCrypt is safer than previously reported, detailed analysis concludes

The TrueCrypt whole-disk encryption tool used by millions of privacy and security enthusiasts is safer than some studies have suggested, according to a comprehensive security analysis conducted by the prestigious Fraunhofer Institute for Secure Information Technology.

The extremely detailed 77-page report comes five weeks after Google’s Project Zero security team disclosed two previously unknown TrueCrypt vulnerabilities. The most serious one allows an application running as a normal user or within a low-integrity security sandbox to elevate privileges to SYSTEM or even the kernel. The Fraunhofer researchers said they also uncovered several additional previously unknown TrueCrypt security bugs.

Despite the vulnerabilities, the analysis concluded that TrueCrypt remains safe when used as a tool for encrypting data at rest as opposed to data stored in computer memory or on a mounted drive. The researchers said the vulnerabilities uncovered by Project Zero and in the Fraunhofer analysis should be fixed but that there’s no indication that they can be exploited to provide attackers access to encrypted data stored on an unmounted hard drive or thumb drive. According to a summary by Eric Bodden, the Technische Universität Darmstadt professor who led the Fraunhofer audit team:
