Planet 2014-04-19 19:00 UTC


This week the PC-BSD team has ported over preload, which is an adaptive readahead daemon. It monitors applications that users run, and by analyzing this data, predicts what applications users might run, and fetches those applications and their dependencies to speed up program load times. You can look for preload in the next few days in edge packages and grab it for testing on your own system.

There is an early alpha version of the Lumina desktop environment that has been committed to ports / packages. Lumina is a lightweight, stable, fast-running desktop environment that has been developed by Ken Moore specifically for PC-BSD. Currently it builds and runs, but lacks many other features as it is still in very early development. Grab it from the edge packageset and let us know what you think, and how we can also improve it to better suit you as a user!

Other updates this week:

* Fixed some bugs in ZFS replication causing snapshot operations to take far longer than necessary
* Fixed an issue with dconf creating files with incorrect permissions, causing browsers to fail
* Added Lumina desktop ports / packages to our build system
* PC-BSD Hindi translation 100% complete
* Improvements to the update center app
* Update PCDM so that it will use “pw” to create a user’s home directory if it is missing but the login credentials were valid. This should solve one of the last reported issues with PCDM and Active Directory users.
* Bugfix for pc-mounttray so that it properly ignores the active FreeBSD swap partition as well.
* Another small batch of 10.x PBI updates/approvals.



Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.



Today we analyzed a weird issue one of our SELinux users had with their system. He had a denial when calling audit2allow, informing us that sysadm_t had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository but which still needs to be pushed to the tree (which is my job, sorry about that). The problem, however, was that when he added the policy, it didn’t work.

Even worse, sesearch told us that the policy had been modified correctly, but it still didn’t work. Checking the policy with sestatus and seinfo showed everything looking fine. And yet … things didn’t work. Apparently, all policy changes were being ignored.

The reason? There was a policy.29 file in /etc/selinux/mcs/policy which was always loaded, even though the user already edited /etc/selinux/semanage.conf to have policy-version set to 28.

It is already a problem that we need to tell users to edit semanage.conf to a fixed version (because binary version 29 is not supported by most Linux kernels as it has been very recently introduced) but having load_policy (which is called by semodule when a policy needs to be loaded) loading a stale policy.29 file is just… disappointing.

Anyway – if you see weird behavior, check both the semanage.conf file (and set policy-version = 28) as well as the contents of your /etc/selinux/*/policy directory. If you see any policy.* that isn’t version 28, delete them.
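The check described above, as an added script that is not part of the original post and not a Gentoo tool: it reads the policy-version pinned in semanage.conf and lists every policy.N file in a store's policy directory whose version differs, i.e. the stale binaries that load_policy may pick up instead of the one you just built. The function names are mine; the paths default to the ones named in the post, and both functions take their paths as arguments so they can be exercised against a scratch tree.

```sh
#!/bin/sh
# Added example, not from the original post: compare the policy-version
# pinned in semanage.conf with the policy.N binaries present in a policy
# store, and report the stale ones that load_policy might load instead.

# Print the policy-version configured in the given semanage.conf
# (the "policy-version = 28" line), or "unset" if there is none.
configured_policy_version() {
    ver=$(sed -n 's/^[[:space:]]*policy-version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
              "$1" 2>/dev/null | tail -n 1)
    if [ -n "$ver" ]; then
        printf '%s\n' "$ver"
    else
        printf 'unset\n'
    fi
}

# List every policy.N under the given policy directory whose N differs from
# the expected version, one path per line. Returns 1 if any was found.
find_stale_policies() {
    policydir=$1
    expected=$2
    rc=0
    for f in "$policydir"/policy.*; do
        [ -e "$f" ] || continue
        n=${f##*/policy.}
        case $n in
            *[!0-9]*) continue ;;          # not a numbered binary policy
        esac
        if [ "$n" != "$expected" ]; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Check one store (e.g. "mcs") against a semanage.conf and print a verdict.
check_store() {
    store=$1
    conf=${2:-/etc/selinux/semanage.conf}
    expected=$(configured_policy_version "$conf")
    echo "semanage.conf policy-version: $expected"
    if stale=$(find_stale_policies "/etc/selinux/$store/policy" "$expected"); then
        echo "no stale policy files in /etc/selinux/$store/policy"
    else
        echo "stale policy files (remove them, then rebuild with semodule -B):"
        echo "$stale"
    fi
}

# Usage: ./check_policy.sh mcs [/etc/selinux/semanage.conf]
if [ $# -gt 0 ]; then
    check_store "$@"
fi
```

If semanage.conf carries no policy-version at all, every numbered policy file is reported, which is the right answer here: with no pin, load_policy is free to choose, and that is exactly the situation the post warns about.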



A last fitness post before Easter

Wednesday: Quer durch Utfort
Yesterday I cycled through Utfort, the nature way. It was nice, sunny and warm :)

[Komoot track 11 and four photos from the Wednesday tour]

Thursday: Kleine Runde
Today the weather was worse. It was sunny, but again pretty windy. I also forgot to take the Lumix with me, but as it was a short trip around the district and you've seen photos from those ways in previous posts, I think it's fine just to show the track.

[Komoot track 12]

Over Easter I will have no time to ride my bike. I'm also not really sure if this kind of post is interesting for you. Let me know, via Twitter :)


The January-March, 2014 Status Report is now available with 41 entries.


Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

The latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).



py3status v1.4 via Planet Gentoo | 2014-04-16 10:18 UTC

I’m glad to announce the release of py3status-1.4 which I’d like to dedicate to @guiniol who provided valuable debugging (a whole Arch VM) to help me solve the problem he was facing (see changelog).

I’m gathering wish lists and have some (I hope) cool ideas for the next v1.5 release, feel free to post your most adventurous dreams !

changelog

  • new ordering mechanism with verbose logging on debug mode. fixes rare cases where the modules methods were not always loaded in the same order and caused inconsistent ordering between reloads. thx to @guiniol for reporting/debugging and @IotaSpencer and @tasse for testing.
  • debug: don't catch print() on debug mode
  • debug: add position requested by modules
  • Add new module ns_checker.py, by @nawadanp
  • move README to markdown, change ordering
  • update the README with the new options from --help

contributors

Special thanks to this release’s contributors !

  • @nawadanp
  • @guiniol
  • @IotaSpencer
  • @tasse


Dienstagstour durch Genend Dennis Klein | 2014-04-15 19:00 UTC

Biking through an industrial area
Riding the same ways every day gets a bit boring. I planned a trip through "Genend", a relatively new industrial area in the very west of Moers. Unfortunately, the weather was very bad: windy, a bit of rain and very cloudy.

[Komoot track 10]

[Photos 2-5]
The company I work for, KRZN, had some offices in the building on the right. But this was before I joined, which is meanwhile 1 1/2 years ago.

[Photo 6]
The red of this building is very intense. Too bad my little Lumix couldn't capture it, and the compression killed the rest.

[Photo 7]


I remember a time when I’d never been to a conference related to my passions. Once I went, things changed. I realized that making strong working relationships with others who share my passion is important. Not only does this solidify the community of which you are a member, it also helps you personally. Every conference [...]


Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

“Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.”

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.

As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.

In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

-An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion, Adobe Reader/Acrobat/Photoshop);

-A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.

-A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.



In light of the recent Heartbleed events I have been thinking about my personal password misery. Following a certain naming scheme I had tried to define a separate password per website; on top of that there was a simple default password that was on file at a correspondingly large number of web services I had only wanted to “try out”. You know how it is.

Naturally, out of convenience, all passwords were stored in the Google Chrome password manager and synchronised across several devices. On top of that came an iPad and iPhone with their own password store.

None of this is pretty, and from a security perspective it is fairly negligent.

After a short experiment with LastPass I decided that I feel most comfortable when I keep control over my passwords myself. Besides, on principle I would rather entrust my passwords to open-source software, even if Heartbleed made it clear that this is not necessarily a mark of quality.

So I have now arrived at the following setup:

  • KeePass stores the database at home on the Synology NAS (Windows share)
  • On a second machine the database is opened via WebDAV directly from within KeePass (open file from URL)
  • On iPad and iPhone I use KyPass, also with WebDAV integration
  • Integration with Google Chrome works superbly with ChromeIPass and KeePassHttp. Here I recommend enabling the option “Request for unlocking if the database is locked” in the KeePassHttp options and configuring KeePass to lock itself automatically after some time and when the PC is locked.
  • ChromeIPass offers a convenient autofill mechanism including generation of new passwords, so there is no longer any excuse that secure passwords are cumbersome.
  • Chrome’s built-in password manager and “AutoSave” are of course disabled

All passwords are now random 20-character strings, apart from a few exceptions I have to “type” regularly.

I can only recommend this step to everyone, even if it only serves as an occasion to go through all of one’s web services and delete the accounts one no longer needs.



In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable:

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

http://heartbleed.criticalwatch.com/

https://lastpass.com/heartbleed/

As I told The New York Times yesterday, it is likely that many online companies will be prompting or forcing users to change their passwords in the days and weeks ahead, but then again they may not (e.g., I’m not aware of messaging from Yahoo to its customer base about their extended exposure to this throughout most of the day on Monday). But if you’re concerned about your exposure to this bug, checking the site and then changing your password is something you can do now (keeping in mind that you may be asked to change it again soon).

It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of Internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of non-Web server stuff affected by this bug will be business-oriented devices (and not consumer-grade products such as routers, e.g.). The SANS Internet Storm Center is maintaining a list of commercial software and hardware devices that either have patches available for this bug or that will need them.

For those in search of more technical writeups/analyses of the Heartbleed bug, see this Vimeo video and this blog post (hat tip once again to Sandro Süffert).

Finally, given the growing public awareness of this bug, it’s probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question.



Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

Credit: Heartbleed.com

From Heartbleed.com:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.
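The over-read described above, as an added example that is not OpenSSL’s code and not from the original post: a self-contained C model of the pre-1.0.1g heartbeat handler beside the bounds-checked version shipped in 1.0.1g. The heartbeat message layout (1-byte type, 2-byte big-endian payload length, payload, padding) follows the TLS heartbeat extension; the function names, the 16-byte padding constant, and the “server memory” buffer with a secret placed right after the received record are constructed for the demonstration. In a real server the over-read walks into whatever heap memory happens to follow the record, which is why the leaked chunks are random.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* minimum padding a heartbeat message carries */

/* Build a heartbeat request: 1-byte type, 2-byte big-endian payload length
 * as the peer *claims* it, then the payload the peer really sends, then
 * padding. Returns the number of bytes actually put on the wire, which is
 * the count the record layer hands to the handler. */
size_t build_heartbeat_request(unsigned char *buf, uint16_t claimed_len,
                               const unsigned char *payload, size_t payload_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, payload_len);
    memset(buf + 3 + payload_len, 0x11, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Model of the pre-1.0.1g handler. rec_len (the record layer's byte count)
 * is never consulted; the claimed length drives the memcpy, so the reply
 * echoes whatever sits in memory after the bytes the peer sent.
 * Returns the number of payload bytes echoed, or -1 on a wrong message type
 * or an undersized output buffer. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                    /* the bug: ignored */
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);                /* over-read happens here */
    memset(out + 3 + claimed, 0x11, HB_PADDING);
    return claimed;
}

/* Same handler with the 1.0.1g checks: the message must at least hold the
 * header plus padding, and the claimed payload plus padding must fit inside
 * the bytes the peer actually sent. Otherwise the request is dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < (size_t)3 + HB_PADDING)             /* silently discard */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed + HB_PADDING > rec_len)   /* the missing check */
        return -1;
    if ((size_t)3 + claimed + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0x11, HB_PADDING);
    return claimed;
}

int main(void)
{
    /* Constructed "server memory": the received record sits at the start,
     * and a secret belonging to some other connection follows it. */
    unsigned char memory[128] = {0};
    unsigned char reply[128];
    size_t sent = build_heartbeat_request(memory, 64, (const unsigned char *)"ping", 4);
    memcpy(memory + sent, "SESSION=s3cr3t", 14);

    int n = heartbeat_vulnerable(memory, sent, reply, sizeof reply);
    printf("vulnerable: echoed %d bytes for a %zu-byte request: ", n, sent);
    for (int i = 0; i < n; i++)
        putchar(reply[3 + i] >= 0x20 && reply[3 + i] < 0x7f ? reply[3 + i] : '.');
    printf("\nfixed: returned %d\n", heartbeat_fixed(memory, sent, reply, sizeof reply));
    return 0;
}
```

For a 4-byte payload that claims 64 bytes, the vulnerable handler returns 64 and the reply carries the secret that followed the record in memory; the fixed handler drops the same request because 3 + 64 + 16 exceeds the 23 bytes actually received, while an honest request claiming 4 bytes is still answered.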

Jaime Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL, OpenSSL 1.0.1g, as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert). For more on what you can do you to protect yourself from this vulnerability, see this post.



Around Moers City Dennis Klein | 2014-04-14 11:00 UTC

Simply wanted to ride 10 km
I planned this trip in Komoot and sent it to my Moto G. Not that I would need navigation, as I grew up in Moers, but it's pretty nice to see on the display how far I've come.

[Komoot track 9]

[Photo 1]
Cycling straight ahead for some km, it's my standard "small" route (4.7 km).

[Photo 2]
This photo was taken when I hit the first waypoint, outside the city limit (near van der Falk).

[Photos 3-6]
I was pretty happy when I hit the next waypoint. The cycle way is well built, but with a climb over a couple of km; also, from here on I head into the city.

[Photos 7-8]
Funny place to park. It's an exit from highway 40 (Moers-Zentrum).

[Photos 9-10]
"Bicycle-friendly city in North Rhine-Westphalia"

[Photo 11]
I didn't take this photo accidentally, but more on this topic much later ;)

[Photo 12]
Have I already mentioned that we have a lot of construction going on in Moers lately? :S

[Photos 13-16]
Not far from home! \o/

[Photo 17]
Did it! It was a great tour, but with a lot of headwind hitting me.


Recent versions of OpenSSL were found to be affected by an information disclosure vulnerability related to TLS heartbeats, nicknamed Heartbleed. It allows attackers to read up to 64kb of random server memory, possibly including passwords, session IDs or even private keys.

After the public disclosure on April 7, we have confirmed that several services provided by Gentoo Infrastructure were vulnerable as well. We have immediately updated the affected software, recreated private keys, reissued certificates, and invalidated all running user sessions. Despite these measures, we cannot exclude the possibility of attackers exploiting the issue during the time it was not publicly known to gain access to credentials or session IDs of our users. There are currently no indications this has happened.

However, to be safe, we are asking you to reset your passwords used for Gentoo services within the next 7 days. You need to take action if you have an account on one of the following sites:

  • blogs.gentoo.org
  • bugs.gentoo.org
  • forums.gentoo.org
  • wiki.gentoo.org

After 7 days, we will be removing all passwords to avoid abuse. For more information and the full announcement, visit http://infra-status.gentoo.org/notice/20140413-heartbleed.



Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

An obfuscated look at the control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims may be exploited not only for 2013 tax year but also down the road, and perhaps subject to higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.”

ULTIPRO USERS TARGETED

I spoke at length with Doug, a 45-year-old tax fraud victim at a company that was listed in the attacker’s control panel. Doug agreed to talk about his experience if I omitted his last name and his employer’s name from this story. Doug confirmed that the information in the attacker’s tax fraud panel was his and mostly correct, but he said he didn’t recognize the Gmail address used to fraudulently submit his taxes at H&R Block.

Doug said his employer recently sent out a company-wide email stating there had been a security breach at a cloud provider that was subcontracted to handle the company’s employee benefits and payroll systems.

“Our company sent out a blanket email saying there had been a security breach that included employee names, addresses, Social Security numbers, and other information, and that they were going to pay for a free year’s worth of credit monitoring,” Doug said.

Almost a week after that notification, the company sent out a second notice stating that the breach extended to the personal information of all spouses and children of its employees.

“We were later notified that the breach was much deeper than originally suspected, which included all of our beneficiaries, their personal information, my life insurance policy, 401-K stuff, and our taxes,” Doug said. “My sister-in-law is an accountant, so I raced to her and asked her to help us file our taxes immediately. She pushed them through quickly but the IRS came back and said someone had already filed our taxes a few days before us.”

Doug has since spent many hours filling out countless forms with a variety of organizations, including the Federal Trade Commission, the FBI, the local police department, and of course the Internal Revenue Service.

Doug’s company and another victim at a separate company whose employees were all listed as recent tax fraud victims in the attacker’s online control panel both said their employers’ third-party cloud provider of payroll services was Weston, Fla.-based Ultimate Software. In each case, the attackers appear to have stolen the credentials of the victim organization’s human resources manager, credentials that were used to manage employee payroll and benefits at Ultipro, an online HR and payroll solutions provider.

Jody Kaminsky, senior vice president of marketing at Ultimate Software, said the company has no indication of a compromise of Ultimate’s security. Instead, she said Doug’s employer appears to have had its credentials stolen and abused by this fraud operation.

“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Kaminsky said. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”

Kaminsky continued:

“Unfortunately incidents of tax fraud this tax season across the U.S. are increasing and do not appear to be limited to just our customers or any one company (as I’m sure you’re well aware due to your close coverage of this issue). Over the past several weeks, we have communicated multiple times with our customers about recent threats of tax fraud and identity theft schemes.”

“We believe through schemes such as phishing or malware on end-user computers, criminals are attempting to obtain system login information and use those logins to access employee data for tax fraud purposes. We take identity theft schemes extremely seriously. As tax season progresses, we have been encouraging our customers to take steps to protect their systems such as enforcing frequent password resets and ensuring employee computers are up-to-date on anti-malware protection.”

PROTECT YOURSELF FROM TAX FRAUD

According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It’s important to note that fraudsters engaged in this type of crime are in no way singling out H&R Block or Ultipro. Cybercrooks in charge of large collections of hacked computers can just as easily siphon usernames and passwords — as well as incomplete returns — from taxpayers who are preparing returns via other online filing services, including TurboTax and TaxSlayer.

If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people who have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver's license or passport.

The most frightening aspect of this tax crimeware panel is that its designers appear to have licensed it for resale. It’s not clear how much this particular automated fraud machine costs, but sources in the financial industry tell this reporter that this same Web interface has been implicated in multiple tax return scams targeting dozens of companies in this year’s tax-filing season.



Jungbornparkpassage II Dennis Klein | 2014-04-13 11:00 UTC

reloaded & extended
Today's trip was for the first ~4 km the same as yesterday's trip; then I headed in another direction. Today, I've taken the Lumix with me ;)

Komoot 8
Btw. this is my first post written on Linux (incl. using Gimp instead of Photoshop for photo editing).


Jungbornparkpassage II - 1
Do you see the buildings in the background? I went to this school :)


Jungbornparkpassage II - 2
Jungbornparkpassage II - 3
Jungbornparkpassage II - 4
Seems like the battery usage is pretty low on the Moto G - with Komoot running and the display turned on all the time, it only used 4% after nearly 3 km. Awesome. Now, a while after the tour, the battery is at 86% (tour length was 32 minutes).


Jungbornparkpassage II - 5
Jungbornparkpassage II - 6
Yesterday, I went right, but today I wanted a few more km - so I headed left.


Jungbornparkpassage II - 7
This is a very strange sign (the one with the alien head). I "think" it means that children should be aware of the small streams running next to the fields. Honestly, I've never seen this sign anywhere but in Moers so far.


Jungbornparkpassage II - 8
Jungbornparkpassage II - 9
This is really next to our home. They are building a Netto discounter. Damn! I had hoped that they would build a quality market like EDEKA or REWE, not such crap...!


Trouble with vim powerline Dennis Klein | 2014-04-12 23:00 UTC

and how to fix the problem with one single font
I like the powerline idea. It makes vim look good and the colored modes are very handy. But installing it is hard (at least if you don't use the right fonts).

On my laptop at work, I have it running fine, but tonight I wanted to reproduce this experience on the Xubuntu on my private laptop - and bloody hell, it took 2h+ to get it to work.

First, you need to install powerline (I use pathogen, so I simply git cloned it into my bundle folder under ~/.vim). But that should not be the topic of this post. So, I had installed the plugin, and all you get is this:

Powerline in vim - broken symbols

The trick is that just a few of the "powerline fonts" are actually able to render the symbols as "fancy". I just stumbled upon a Menlo font rebuild (direct download of the otf font!).

I copied it to my ~/.fonts folder, closed terminator, reopened it and bam - there it is:

Powerline in vim - fixed symbols

Of course, you have to have some settings in your .vimrc:
set encoding=utf-8                  " the powerline glyphs are multi-byte UTF-8 characters
set t_Co=256                        " tell vim the terminal supports 256 colors
let g:Powerline_symbols = 'fancy'   " use the glyphs from the patched font instead of ASCII fallbacks

I'm pretty happy to have my nice-looking vim back! I think Menlo only shows the "fancy" symbols because terminator is still set to "DejaVu Sans Mono for Powerline".

I've tested it on a test Hackintosh install with iTerm2, and indeed, just after installing the Menlo Powerline font which I've linked above, the symbols appeared.

Powerline in vim on Mac in iTerm2


Jungbornparkpassage Dennis Klein | 2014-04-12 09:00 UTC

such a nice place to drive through, and silly me forgot the Lumix
Riding through nature yesterday inspired me to ride another trip through it. Planning in Komoot was a bit hard today, but finally I had set all the waypoints correctly - and then I drove in the wrong direction for the first few hundred meters, but got back on track quickly ;)

Komoot 7
As mentioned in the second headline, I forgot to take my Lumix with me - so, sorry folks, I have no photos for you today :(

P.S. The water bottle holder worked fine ;) MacGyver tech won!


Most of you have already heard of the Heartbleed vulnerability, the flaw in OpenSSL encryption. For any of you that may not be aware (which is probably precious few), the Heartbleed vulnerability is basically a flaw that may allow a malicious user to gain access to information that is supposed to be kept safe by OpenSSL. The good news is that the FreeBSD project and PC-BSD have both released fixes that apply to versions 10.x. If you are currently running a machine with PC-BSD 9.x, you are using an earlier version of OpenSSL that does not have the vulnerability, so no action is necessary to protect yourself from this. If you are running PC-BSD version 10.x, make sure to use the “system updater” to apply the security patch to OpenSSL. After applying the fix, reboot your computer and you should be good to go.

Kris has finished a new PBI run-time that will fix a number of stability issues users may have been experiencing while using PBI’s. The fix has also subsequently helped speed up load times for some of the larger PBI’s that may have been hanging or taking a long time to load.

Update Center is moving forward, and has received some fine-tuning this week to help bring it into PC-BSD as the one-stop utility for managing updates. We’d like to add a special thanks to the author Yuri for the primary design and layout of the update center. Ken will also be working to help smooth out GUI design elements and help with integrating it fully into PC-BSD.

Other Updates / Bug Fixes:

* Updated openssl packages for 10.0 PRODUCTION/EDGE
* Patched issue with KRDC using FreeRDP version in ports
* A new 9.2 server has been spun up and building PBIs for 9.2 again. (Server failed earlier this week)
* Started work on PBI runtime for Linux compat applications
* Another large chunk of work on Lumina
* Bugfixes for pc-mixer (showing the proper icons)
* Life-Preserver bugfixes
* Large update to the available 10.x PBIs. All updates are finished, a few new applications were also added.
* Bugfixes on a number of PBI’s (waiting on rebuilds to test/approve the new fixed apps)
* Hindi translation project now about 75% complete



Waterbottle mounted Dennis Klein | 2014-04-11 21:00 UTC

MacGyver way
Got a waterbottle today - of course for the bike ;)
The "installation" was, well - fun. I could only find one good position for this holder, and so far it seems to be stable (and no, it does not interfere with the wheel). I call it the "MacGyver" way ^^

Here's a photo:
Water bottle, mounted


We're kicking off our Spring Fundraising Campaign! Our goal this year is to raise $1,000,000 with a spending budget of $900,000.

As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of how we've helped FreeBSD become the most innovative, reliable, and high-performance operating system. We are doing this by:
  • funding development projects,
  • having an internal technical staff available to work on small and large projects, fixing problems, and areas of system administration and release engineering,
  • providing legal support,
  • funding conferences and summits that allow face-to-face interaction and collaboration between FreeBSD contributors, users, and advocates,
  • and advocating for and educating people about FreeBSD by providing high-quality brochures, white papers, and the FreeBSD Journal.

We can't do this without you! You can help by making a donation today.

Help spread the word by posting on Facebook, Twitter and your blogs, and by asking your company to help. Did you know there are thousands of companies that will match their employees' donations? Check with your company to see if you can automatically double your donation by having your company match it.

Thanks for your support!


Waldseetour Dennis Klein | 2014-04-11 12:00 UTC

First mini Mountain Bike tour
I was pretty happy to have a robust bike. The tour I had planned via Komoot (thanks for the awesome Twitter help!) was a circle around the Waldsee (a lake inside a forest). It's the first navigated tour, and it was a great experience :)

Waldseetour Komoot

Of course, I've also taken some photos!

Waldseetour 1
Waldseetour 2
Waldseetour 3
Waldseetour 4
It was steeper than it looks on the photos... :(


Waldseetour 5
Waldseetour 6
Waldseetour 7
What you see there on the hill in the background is called "Das Geleucht" (~the lightning) and is a landmark in memory of the coal mining centuries.


Waldseetour 8
A very small path - and a steep one - next to the lake.


Waldseetour 9


Live maps while cycling
As I have been using Komoot excessively in the last few days, I had the idea of getting a mount for my Moto G so that I can see the current map and data. So, on Monday, when we were in the CentrO.[1], I asked at the local Saturn if they had such a mount. "No! Look at Amazon!" - Uhm. Ok. So I did, and found this mount which was made for the Moto G. Just a few minutes ago, I got it via snail mail.

Here are some photos of the mount, mounted on my bike. Of course, I had to move the bell and the LED light (I always have the lights turned on, on the bike and also when driving my car. I think the Scandinavian idea is very good).

Mount Photo 1
The display is a little bit hard to see. I guess an AMOLED display would be much better in this situation, but it's ok, I guess. I will see after my first ride ;)


Mount Photo 2
Mount Photo 3

[1] The CentrO. is Europe's second largest mall. It's pretty near us (just a few kilometers via highway 42), so we visit it sometimes to do some shopping. Parking is free and there is the Coca-Cola Oase, which contains all kinds of (fast) food. But you'd better not visit it on Saturdays, especially not in the weeks before Christmas.



my way to use strong passwords and still use them in a comfortable way
So, here we go. Heartbleed is a small bug in OpenSSL. But OpenSSL is used widely: from OpenVPN software to web servers with OpenSSL-generated certificates to endless websites and applications storing information using the OpenSSL libs.

The consequence is to change ALL YOUR PASSWORDS. NOW! That may sound like a joke, and even I thought: Oh dear, that's a lot of passwords for all the services and all the websites I have registered with since I started using the internet back in 1996. But luckily, today you have tools to help you. I still switch pretty often between Linux and Windows, so the obvious choice was KeePass2. It runs on all the bigger platforms, incl. Android (Keepass2Android). Also, there's a great little add-on called KeeFox for Firefox which connects to the locally running KeePass2.

I generate my new passwords using KeePass2 itself. Thanks to KeeFox, this is quickly done (if you enable their toolbar). But before you start generating new passwords, you should adjust some settings so that it generates very strong passwords.

Open your KeePass2 and select from the menu "Tools" -> "Generate Password...".

KeePass2 password settings dialog

If you've made your settings (or have selected a profile), you can hit "OK". This will generate an entry with a random, strong password in the folder you're currently in. Quickly delete this entry and also empty the recycle bin (you should always empty the recycle bin!).

Now, you can create stronger passwords using the KeeFox toolbar.

KeeFox generate password dialog
Sorry, German text, but you get the idea ;)
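As an added illustration of what the generator profile settings buy you (this is our own example code, not part of the post and not KeePass2's code), the snippet below generates passwords from the same kind of character-class profile using the operating system's CSPRNG and computes the entropy of the result. The class names, the 20-character default and the helper names are assumptions made for the example.

```python
"""Added example: generate profile-style passwords with a CSPRNG and report
their entropy (not code from the post or from KeePass2)."""
import math
import secrets
import string

# Character classes mirroring the checkboxes of a generator profile
# (the keys are our own names for the example, not KeePass2 settings).
CLASSES = {
    "upper": string.ascii_uppercase,   # 26 symbols
    "lower": string.ascii_lowercase,   # 26 symbols
    "digits": string.digits,           # 10 symbols
    "special": string.punctuation,     # 32 symbols
}
DEFAULT_CLASSES = ("upper", "lower", "digits", "special")


def alphabet_for(classes=DEFAULT_CLASSES) -> str:
    """Union of the selected classes, in a stable order."""
    return "".join(CLASSES[name] for name in classes)


def entropy_bits(length: int, classes=DEFAULT_CLASSES) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    This is what a generator dialog's strength meter estimates; length beats
    an exotic alphabet (each character from a 94-symbol set adds ~6.55 bits)."""
    return length * math.log2(len(alphabet_for(classes)))


def satisfies_classes(password: str, classes=DEFAULT_CLASSES) -> bool:
    """True if at least one character from every selected class is present."""
    return all(any(ch in CLASSES[name] for ch in password) for name in classes)


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Draw characters with secrets.choice (OS CSPRNG, never random.choice)
    and reject candidates that miss a class.  Rejection sampling keeps the
    result uniform over the set of acceptable passwords; the common shortcut
    of forcing one character per class and shuffling does not."""
    if length < len(classes):
        raise ValueError("length must allow at least one character per class")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_classes(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.1f} bits)")
```

With all four classes enabled, a 20-character password is about 131 bits; the same 20 characters from digits only would be 66 bits, which is why the length slider matters more than any single checkbox.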


Mobile Access


So far, so good. But if you want to work with different computers or with your mobile and Keepass2Android, you now need a way to store the kdbx database where your mobile can reach it. My idea was to store it on a secret (as far as anything on the internet can be secret ;)) WebDAV server which runs a new version of OpenSSL and has a freshly generated SSL certificate (self-signed, of course). Use a good password for the WebDAV user, too!

On your mobile, you can select WebDAV (https) inside Keepass2Android to access this particular database kdbx file.


Windows & Linux Access


On your clients, you could work with WebDAV as well, or maybe (win)sshfs. I prefer the latter option and mount the folder which contains the kdbx database file on the server to a path in Linux or a drive letter in Windows. When you open KeePass2 on your client, select this file and start generating strong passwords for all your accounts.


Drawbacks of this variant


Sure, there's a drawback in my way: you have to run (win)sshfs and KeePass2 all the time in the background, AND the database has to be unlocked. That could become a security problem in a company - so be aware of this!

Whatever you do, whichever tools or methods you use, just be sure to change your passwords NOW! What is shown above is just an example of how to create a comfortable way, but as you can see, comfort and security (once again) do not work very well together. If you are a German reader, you might also want to read Seraphyn's post "Tabula Recta für sichere Passwörter".




The FreeBSD Journal Issue #2 is now available! You can get it on Google Play, iTunes, and Amazon. In this issue you will find captivating articles on pkg(8), Poudriere, PBI Format, plus great pieces on hwpmc(4) and Journaled Soft-updates. If you haven't already subscribed, now is the time!

The positive feedback from both the FreeBSD and outside communities has been incredible. In less than two months, we have signed up over 1,000 subscribers. This shows the hunger the FreeBSD community has had for a FreeBSD focused publication. We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD.

The Journal is guided by a dedicated and enthusiastic editorial board made up of people from across the FreeBSD community. The editorial board is responsible for the acquisition and vetting of content for the magazine.

You can find out more information about the Journal by going to https://www.freebsdfoundation.org/journal. Or, subscribe now by going to the following links for the device you'd like to download to:

Your subscriptions and the advertising revenue the Journal receives will help offset the costs of publishing this magazine. So, consider signing up for a subscription today! 

We know you are going to like what you see in the Journal! Please help us spread the word by tweeting, blogging, and posting on your FaceBook page. You can also help by asking your company to put an ad in the Journal. For advertising information contact freebsdjournal@freebsdfoundation.org.

And, don't forget you can support the Journal and FreeBSD by making a donation today!


Today I spent some time getting IntelliJ IDEA 13.1 to work with our Subversion. Apparently there are several bugs that unfortunately make working with SVN 1.7 considerably harder.

One way to work around this problem is simply to use a command-line client for SVN. IntelliJ can integrate it directly (Settings -> Version Control -> Subversion -> General -> Use command line client). On Windows you can, for example, use the SlikSVN binary. That gives you an SVN binary you can use there. In addition, with a current SVN, a working copy in the version 1.8 format is also possible.

Almost.

Because from now on every commit produces the error message “Could not Commit: wrong revision” (or something like that). Strange … I investigated right away: the commit was performed successfully, the working copy is correct too, and yet IntelliJ throws this error?

I played around a bit on the command line (aka: DOS box), looked at the source of the relevant IntelliJ class, and then it slowly dawned on me …

When the SVN command-line client is used, the output after a commit is parsed to determine the new revision. Apparently it is assumed that the program always runs in English and the output therefore reads “Committed revision 123”. SlikSVN, however, also installs translations by default, so the message reads “Revision 123 übertragen”. IntelliJ cannot interpret this correctly, which is why the error is thrown. So simply uninstall the SlikSVN translations and this combination works too.

I don't know whether this only occurs on non-English Windows systems, but at least it is something that cost me a full three hours of my time today!
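The same class of bug can be avoided whenever you script around a command-line tool. Below is an added example in Python (our own code, not IntelliJ's or SlikSVN's) showing the two defences: forcing the C locale for the child process so that its messages are untranslated, and, where parsing output is unavoidable, a parser tolerant of both message shapes seen in this post. The two sample output strings are constructed for the example; only the "Committed revision 123." and "Revision 123 übertragen." lines follow the wording quoted above, and the helper names are assumptions.

```python
"""Added example (not IntelliJ or SlikSVN code): locale-robust handling of a
command-line tool's output, prompted by the svn commit message mismatch."""
import os
import re
import shutil
import subprocess
from typing import Mapping, Optional

# Constructed sample outputs: the English form the IDE's parser expected,
# and the German form that SlikSVN's bundled translations print.
SAMPLE_ENGLISH = "Transmitting file data .\nCommitted revision 123.\n"
SAMPLE_GERMAN = "Revision 123 übertragen.\n"


def c_locale_env(base: Optional[Mapping[str, str]] = None) -> dict:
    """Environment for a child process that must print untranslated messages.
    LC_ALL=C overrides every locale category; LANGUAGE is gettext's own
    override list on glibc systems and must be removed or it still wins."""
    env = dict(os.environ if base is None else base)
    env["LC_ALL"] = "C"
    env["LANG"] = "C"
    env.pop("LANGUAGE", None)
    return env


# Matches 'Committed revision 123.' as well as 'Revision 123 übertragen.'
REVISION_RE = re.compile(r"\brevision\s+(\d+)\b", re.IGNORECASE)


def parse_committed_revision(output: str) -> Optional[int]:
    """Fallback for when you cannot control the tool's locale: look for a
    number next to the word 'revision' on any line, newest line first.
    Returns None instead of guessing when nothing matches, so the caller can
    show the raw output rather than a misleading 'wrong revision' error."""
    for line in reversed(output.splitlines()):
        match = REVISION_RE.search(line)
        if match:
            return int(match.group(1))
    return None


def run_svn_commit(paths, message: str) -> Optional[int]:
    """Run 'svn commit' under a C locale and parse the new revision.  Needs an
    svn binary and a working copy; the embedded samples do not exercise it."""
    if shutil.which("svn") is None:
        raise RuntimeError("svn not found on PATH")
    proc = subprocess.run(
        ["svn", "commit", "--non-interactive", "-m", message, *paths],
        env=c_locale_env(), capture_output=True, text=True, check=True,
    )
    return parse_committed_revision(proc.stdout)


if __name__ == "__main__":
    print(parse_committed_revision(SAMPLE_ENGLISH), parse_committed_revision(SAMPLE_GERMAN))
```

Forcing the locale is the better of the two fixes: it keeps the tool's English output contract intact, whereas matching translated strings breaks again with the next language. If all you need afterwards is the revision number, `svn info --xml` gives a machine-readable form that does not depend on the locale at all.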



Nature Sightseeing Dennis Klein | 2014-04-10 19:00 UTC

little tour through the nature nearby
We have a lot of bike roads around the corner. Those are great to ride on, but they are all next to bigger roads. I wanted to enjoy nature a bit more today, so I had planned a little tour next to the small stream called "Moersbach" (named after our wonderful city :)).

Komoot-5

Something I hadn't expected: it's awesome fun to ride the rough tracks, which are mainly made for walking. It's like a light version of cross biking ^^

Tour 10.4. 1
Tour 10.4. 2
Tour 10.4. 3
Tour 10.4. 4
Tour 10.4. 5
I admit, I love this restaurant you can see in the middle. Café del Sol. Their "Schnitzel del Sol" is awesome! Yummy!


Tour 10.4. 6
It's not as if there is nothing on the right, even if there is just a lonely arrow pointing in this direction. It's the way to the city of Moers, 2 hospitals and some other important things. I'm really wondering about this sign.


Security and Tools via Planet Gentoo | 2014-04-10 09:51 UTC

Everybody should remember that a 100% secure device is the one unplugged and put in a safe covered in concrete. There is always a trade-off on the impairment we inflict on ourselves in order to stay safe.

Antonio Lioy

In the wake of the Heartbleed bug, I’d like to return once more to what tools we have to track down problems and how they could improve.

The tools of the trade

Memory checkers

I have written in many places about memory checkers; they are usually a boon and they catch a good deal of issues once coupled with good samples. I managed to fix a good number of issues in hevc just by using gcc-asan and running the normal tests, and for vp9 it took not much time to spot a couple of issues as well (the memory checkers aren’t perfect, so they didn’t spot the faulty memcpy I introduced to simplify a loop).

If you maintain some software, please do use valgrind, asan (now also available in gcc) and, if you are on Windows, drmemory. They help you catch bugs early. Just beware that sometimes certain versions of clang-asan miscompile. Never blindly trust the tools.

Static analyzers

The static analyzers are a mixed bag: sometimes they spot glaring mistakes, sometimes they just point at impossible conditions.
Please do not add asserts to make them happy; if they are right, you have just traded a faulty memory access for a denial of service.
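To make the assert point concrete, here is an added example (our own code, not from the post; written in Python so that it runs stand-alone, which also means the unchecked read merely truncates instead of corrupting memory as it would in C). It shows the same bounds check written as an assert, the way one is tempted to silence an analyzer warning, and as a real validation that reports malformed input as an ordinary result. The two-byte type-length-value record format and the function names are constructed for the example.

```python
"""Added example (not from the original post): an assert used as input
validation versus a real check, on a tiny constructed TLV record format:
byte 0 = type, byte 1 = value length, then the value bytes."""
from typing import List, Optional, Tuple

Record = Tuple[int, bytes]


def parse_tlv_assert(buf: bytes) -> Record:
    """The tempting fix for a 'possible out-of-bounds read' report.  The
    assert makes the analyzer happy, but `python -O` compiles it out, and
    when it does fire it aborts the whole program on attacker-controlled
    input: the denial of service the post warns about."""
    assert len(buf) >= 2, "header missing"
    length = buf[1]
    assert 2 + length <= len(buf), "truncated value"
    return buf[0], buf[2:2 + length]


def parse_tlv_checked(buf: bytes) -> Optional[Record]:
    """Real validation: malformed input is a normal outcome (None), the
    check cannot be compiled away, and the caller decides what to do."""
    if len(buf) < 2:
        return None
    length = buf[1]
    if 2 + length > len(buf):
        return None
    return buf[0], buf[2:2 + length]


def parse_stream(buf: bytes) -> List[Record]:
    """Parse consecutive records with the checked parser, stopping at the
    first malformed one instead of killing the process."""
    records: List[Record] = []
    pos = 0
    while pos < len(buf):
        rec = parse_tlv_checked(buf[pos:])
        if rec is None:
            break
        records.append(rec)
        pos += 2 + len(rec[1])
    return records


if __name__ == "__main__":
    # Constructed input: two good records followed by one whose length
    # field (9) exceeds the remaining bytes.
    print(parse_stream(b"\x01\x02hi\x02\x01x\x03\x09zz"))
```

The checked parser is what a bounds fix should look like in any language: the length comparison stays in the shipped binary, the bad record is rejected as data, and the process keeps serving the next request.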

Other checkers

There are plenty of other good tools from the *san family one can use; ubsan is maybe the newest available in gcc and it does help. Valgrind has plenty as well, and the upcoming drmemory has a good deal of interesting perks; if only upstream hadn’t been so particular with the release process and build systems, you’d have had it in Gentoo since last year…

Regression tests

I guess everybody is getting sick of me talking about fuzz testing or why I spent weeks building a fast regression test archive called playground for Libav, and I’m sure everybody in Gentoo is missing the tinderbox runs Diego used to run.
Having a good and comprehensive batch of checks to make sure new code and new fixes do not have the uncalled-for side effect of breaking stuff is nice; coupled with git bisect it makes backporting fixes to release branches much easier.

Debuggers

We have gdb, which works quite well, and we have lldb, which should improve a lot. And many extensions on top of them. When they fail we can always rely on printf, or not.

What’s missing

Speed

If security is just an acceptable impairment of performance in order not to crash, then using the tools mentioned is an acceptable slowdown of the development process in order not to spend much more time later tracking down those issues.

The teams behind valgrind and *san are doing their best to make execution only three to four times as slow when the code is instrumented.

The static analyzers are usually just 5 times as slow as a normal compiler run.

A serial regression test run could take ages, and in parallel it could make your system unable to do anything else.

Any speed up there is a boon. Bigger hardware and automation mitigates the problem.

Precision

While gdb is already good at getting information out of gcc-compiled data, apparently clang-compiled binaries are a bit harder. Using lldb is a subtle form of masochism right now for many reasons; it getting confused is just the icing on a cake of annoyance.

Integration

So far it is a fair fight between valgrind and *san over which integrates better with the debuggers. I started using asan mostly because it made introspecting memory as simple as calling a function from gdb. Valgrind has a richer interface but is a pain to use.

Reporting

Some tools are better than others at pointing out the issues. Clang is so far the best, with gcc-4.9 coming closer. Most static analyzers are trying their best to deliver both the big picture and the detail. gdb so far is incredibly better compared to lldb, but there are already some details in lldb's output that gdb should copy.

Thanks

I’m closing this post by thanking everybody involved in creating those useful, yet perfectible tools, all the people actually using them and reporting bugs back, and everybody actually fixing the mentioned bugs so I don’t have to do it myself alone =)

Everything is broken, but we are fixing most of it together.



kleine Mittwochstour Dennis Klein | 2014-04-09 18:00 UTC

another short trip around Utfort
Luckily, my good old Lumix from 2007 was fully charged now. As we came back a bit late from a shopping tour in Venlo, I decided to keep the bike trip a bit shorter than yesterday's.

Here's the trip over on Komoot:
Komoot4

I have also uploaded all photos to Komoot; if you click the link (screenshot) above, you can see where the photos were taken :)

Photos from the trip:
Tour 1
Tour 2
Tour 3
Oh look! I've accidentally captured a part of my bike ^^


Tour 4
Tour 5
Tour 6
Heading towards the city of Moers.


Tour 7
Tour 8
Moers is very famous for its never-ending street constructions :/ A good reason to go to the city by bike rather than by car.


Tour 7
Tour 8


If you want to get the definitions of all stored procedures in an MSSQL server, you can try this nice statement:

-- Temp table collecting one row per procedure: database, schema, procedure name, definition text
CREATE TABLE #x(db SYSNAME, s SYSNAME, p SYSNAME, c nvarchar(max));

DECLARE @sql NVARCHAR(MAX) = N'';

-- Build one INSERT ... SELECT per matching database. QUOTENAME() brackets the
-- database name so it is safe to splice into the three-part object names.
-- Inside the string literal every single quote is doubled.
SELECT @sql += N'INSERT #x SELECT ''' + name + ''',s.name, p.name, q.definition
  FROM ' + QUOTENAME(name) + '.sys.schemas AS s
  INNER JOIN ' + QUOTENAME(name) + '.sys.procedures AS p
  INNER JOIN ' + QUOTENAME(name) + '.sys.sql_modules as q on p.object_id=q.object_id
  ON p.schema_id = s.schema_id
  WHERE q.definition like ''%[def%'' ESCAPE ''\'';
' FROM sys.databases WHERE name like 'db%';

-- Run the generated batch once for all databases
EXEC sp_executesql @sql;

-- Wrap the definition in an XML CDATA section so the result grid shows the full
-- text instead of a truncated cell. Note: the cast to varchar(max) drops any
-- non-ASCII characters the definition may contain; use nvarchar(max) to keep them.
SELECT db,s,p,convert(xml,'<xml><![CDATA[' + cast(c as varchar(max)) + ']]></xml>') FROM #x ORDER BY db,s,p;

DROP TABLE #x;

Replace “[def” with the text you want to find in the stored procedure definitions if needed, and replace “db” with a filter for the desired database names.

Thanks to (as usual) Stack Overflow.




Many users have asked us about the recent OpenSSL Heartbleed bug. This only applies to users of PC-BSD 10.0; users of 9.x and earlier will not be affected.

A patch has gone out this morning to correct the issue, which includes the following FreeBSD security advisories:

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:05.nfsserver.asc

By running the graphical “System Updater” you can apply the bug fixes, or use “freebsd-update” at the command prompt. After applying this fix, please reboot, and the system's version should now show 10.0-RELEASE-p9



Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP.

Two of the four patches that Microsoft issued come with Redmond’s “critical” rating (its most severe), meaning attackers or malware can exploit the flaws to break into vulnerable systems without any help from users. One of the critical patches is a cumulative update for Internet Explorer (MS14-018); the other addresses serious issues with Microsoft Word and Office Web apps (MS14-017), including a fix for a zero-day vulnerability that is already being actively exploited. More information on these and other patches is available here.

As expected, Microsoft also used today’s patch release to pitch XP users on upgrading to a newer version of Windows, warning that attackers will begin to zero in on XP users even more now that Microsoft will no longer be issuing security updates for the 13-year-old operating system. From Microsoft’s Technet blog:

“From the year that Windows XP was built, cyber attacks have increased in sophistication.  Systems receiving regular updates get the protections they need based on the latest cyber threats.  But at some point an older model of any product will lack the capability to keep up and becomes antiquated.  Obsolescence for Windows XP is just around the corner.

Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any  newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.”

Microsoft offers a free Windows XP data transfer tool to ease the hassle of upgrading to a newer version of Windows. I would submit that if your PC runs XP and came with XP installed, it might be time to upgrade the computer hardware itself in addition to the software. In any case, staying on XP beyond this month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of the dozens of flavors of Linux available via Live CD.

ADOBE

Adobe fixed at least four vulnerabilities in Flash, all of them critical. The company says it is not aware of any exploits in the wild against the flaws. The latest version is v. 13.0.0.182 for Windows, Mac and Linux systems. The Adobe advisory for the Flash update is here.

This link will tell you which version of Flash your browser has installed. IE10/IE11 for Windows 8.0/8.1 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 34.0.1847.116 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right of the address bar, and select “About Google Chrome” from the drop-down menu).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, e.g.), because the ActiveX control that IE uses and the NPAPI plugin that the other browsers use are separate installs.

If you use Adobe AIR (required by some desktop software products, e.g. Pandora), you’ll need to make sure that’s updated as well. AIR usually does a good job of checking for new versions on startup. If you’re not sure whether you have AIR installed or what version it’s at, see these directions. The latest version is 13.0.0.83, and is available for manual download here.




something goes terribly wrong
Yes, I also thought: Amazon Prime with Lovefilm for a year for just 30€ is a good thing. Let's do this! So we did.

On the first day, I scrolled through the movie list of "Prime", watching out for good movies and added them to my watchlist.

A few days later, I wanted to watch a movie that I had added from the "Prime" area to my watchlist. Suddenly, it was supposed to cost a few €!? What? First I thought it was a mistake I made when adding this particular movie[1] to the watchlist - maybe I had just added a non-Prime movie to it. I checked the other movies on my watchlist and a few others also have a price tag now. Bummer. That's cheating! I did NOT watch those movies, not because I'm too greedy to pay 4€ for a good movie, but because I feel cheated.

A similar situation happens if you watch series. Because of too many commercials on TV, I decided not to watch "Two and a Half Men" (Season 9+[2]) on this linear medium. But Amazon Prime has Season 9, ready to watch, and it's free for Prime members. So we watched it. When we watched the last episode and were ready to jump to Season 10, I looked for it via the search function on our Sony Blu-ray player, which has an Amazon Prime/Lovefilm app built in. I found Season 10 and wanted to start watching these two-year-old episodes, when I saw the price tag. Fancy - why is Season 9 free for Prime members while Season 10 (and 11) is payware?

The whole concept of Amazon seems to be to cheat people into accidentally buying stuff. Moving movies around between Prime (free) and regular (payware) feels like getting cheated.

I say: Amazon, Prime = all content free or I will not continue using this service. That's it. I wonder if Watchever or other streaming services have both built-in: "free" and "payware".

I've just talked to Marco, who explained that this happens because of licenses with the film companies. Honestly? If this is such a problem, I think Video on Demand as streaming will not survive for long. Nothing is guaranteed and you may suddenly be unable to watch the next episode of a series the next day, because its license has ended.

[1] Die Wolke, a movie based on a novel that I read as teenager.
[2] You know, the seasons after Charlie Sheen as Charlie Harper, with Ashton Kutcher as Walden Schmidt. Also funny, but I personally like the Charlie seasons better ;)



TOC added Dennis Klein | 2014-04-08 20:00 UTC

a separate page that lists all posts ever written
I thought it makes sense to have a special page that lists all posts stored in this blog. I personally find it a bit annoying to page through the site. Well, in my mind this is a good solution :)

Where do you find it? Well...

TOC


I’m pleased to announce those latest mongoDB related bumps. The next version bump will be for the brand new mongoDB 2.6 for which I’ll add some improvements to the Gentoo ebuild so stay tuned ;)

mongodb-2.4.10

  •  fixes some memory leaks
  • start elections if more than one primary is detected
  • fixes issues about indexes building and replication on secondaries
  • chunk size is decreased to 255 KB (from 256 KB) to avoid overhead with usePowerOf2Sizes option

All mongodb-2.4.10 changelog here.

pymongo-2.7

  • of course, the main feature is the mongoDB 2.6 support
  • new bulk write API (I love it)
  • much improved concurrency control for MongoClient
  • support for GridFS queries

All pymongo-2.7 changelog here.



Dienstagstour Dennis Klein | 2014-04-08 13:00 UTC

completed the first 10km+ trip
Yesterday, I planned a trip via Google Maps. I wanted to ride it by the end of the week, but I was in the mood to ride it today.

Dienstagstour Plan
The trip was a bit exhausting, to be honest. What "killed" me was a little hill with a very steep gain (point C in the GMaps screenshot above). Here's the trip screenshot:

Dienstagstour
It was a pretty windy trip, and on the first and second part of this rectangle I had a stiff wind blowing into my face. Ugh! The breaks in the speed diagram over on Komoot show where I took a quick break for photos or had to wait for a traffic light to turn green.

Benjamin asked me to take photos on my next ride, so here are three photos I took on this trip. A classic selfie with my moronic-looking helmet (well, safety first, right?) and a radar trap. The fun thing behind the radar trap is that the police were measuring speed in the whole country that day, a so-called "Blitzmarathon".

Selfie & Radar Trap
The third photo was taken from a bridge above the A42 highway. I drive this highway nearly every day on my way home from work.

A42
I admit those photos are not very good, and the bad quality of the Moto G camera does not make them better. I guess next time I will put on my rucksack and take my Sony Alpha a300 with me ;) So much for fitness for today.


3 to 1 1/2 Dennis Klein | 2014-04-08 07:00 UTC

moved all my websites to the new server
Until now, I had two web hosting accounts: a small Hosting Pro account over on domainFACTORY and a small KVM server at Netcup. I added the KVM server last year because domainFACTORY had some limitations that bugged me - for example, a PHP script is only allowed to run for 90 seconds; running longer than that, the PHP script would be killed. A bad thing for my weather service and also for my (meanwhile closed[1]) ctrltweet business Twitter service.

I first had a very small KVM at Netcup, which was just ~5€/month. I quickly installed irssi[2] and screen[3] on it, and also eJabberd, which is a Jabber server.

This was back in 2012. A few months ago, after seeing this small system swapping a lot, I decided to upgrade. So I ordered the next better one. Meanwhile, Netcup had increased the hardware, so I got a whopping 4 GB of RAM for my KVM and 100 GB of disk. I reinstalled everything from scratch, which took a few days. There was only one self-coded web service I hosted on this machine - an image uploader.

Last week, I had the idea (before I found out how to fix the Baikal issues) to install a Windows Server 2012 R2 with Exchange 2013 to get rid of Baikal and get a working mail/calendar/contacts server. Well, it went terribly wrong. At that moment, my wife told me that since I stopped the Apache2 module against DoS attacks, everything now works fine on her Moto G and her eM Client installation.

Let me be honest. I was already at 10€ per month with the newer KVM server. This newer one has 5x the disk space (hello Seafile :D), it has 2x (and faster) Xeon cores and the RAM is 8 GB. For "just" 6€ more per month. I calculated, and being unhappy with the domainFACTORY web hosting, I decided to move not only my blog from the old KVM server, but also ALL the websites I manage. This feeling of freedom :> Awesome. So today, just 5 days since I ordered the new "L" server, it runs Ubuntu Server LTS and NOT Windows Server. I've moved all important websites like this blog, my wife's blog, my weather service and some others to my server and made it as secure as possible (just mentioning fail2ban).

The old server was moved via a snapshot. This was pretty easy. I had to shut it down, create an offline snapshot, export it and log in to the other server. Because both servers run on the same account, I could easily select the snapshot and import it on the new server, which took a few minutes. After powering up, all I had to do was create a second hard disk. Instead of increasing the primary hard disk, I decided to split the 500 GB and create a second disk with 400 GB and mount it at /storage. This was done quickly. Finally, all DNS entries were changed and after a few hours everything was migrated successfully. I was able to shut down the "old" server.

I currently pay 9,99€ at domainFACTORY for my hosting package. They have (or had?[4]) a fantastic service and I was willing to pay for good service and good quality. But since I ordered this package years ago, I changed my job, and since November 2012 I've been employed as a sysadmin and work all day with Linux systems, so today I have a much better understanding of how to configure a server and how to secure it. domainFACTORY is a service I told my mother to host on: if any error occurs, we could call them and say "Please fix it.". I also host all our e-mails on domainFACTORY and it works fine and I don't want to change this now, so I asked them if I could downgrade my account to "Mail only" (another, much smaller package). They answered my mail quickly and replied that I could. What they did not answer (after 2 more mails) was my question whether I could downgrade without losing my current mails. I really cannot risk that and I don't want to, so I will have to make a backup before I downgrade. The new, smaller package would cost me just around 2€ per month. Plus the 16€ at Netcup, I'm 2€ below my previous costs with much better hardware :D yay!

That's why I will go from 3 to 1 1/2 (while 1/2 is the mail package and 1 is the KVM server).

[1] ctrltweet was shut down because Twitter changed the API again and again, and with newer (and fewer) available tokens and rate limits it did not make sense to develop it anymore.
[2] irssi is a console-based IRC client (IRC = Internet Relay Chat).
[3] screen is a session multiplexer that allows you to run several sessions next to each other, but maybe the most important idea behind screen is that you can start a job and detach the screen session. When you come back, you can re-attach it and check whether the job is done meanwhile. I use it mainly for backup tasks, and of course I also let my chat program (weechat meanwhile, instead of irssi) run inside screen. screen is old, has not been updated for a couple of years and eats RAM for breakfast - I should switch to tmux ;)
[4] domainFACTORY had outstanding service, and then they were bought by HostEurope, a giant in Germany. Since that day, the replies to e-mails have become "standard". I just got standard answers (copy & paste, I guess) and no one seems to care about the details of my question anymore :/ - that's sad. domainFACTORY was never cheap, no, they were a bit more expensive than the others, but the service was superb. Well, was...



Evening Sports Dennis Klein | 2014-04-07 18:00 UTC

just completed my second trip with the bike
As I wrote in yesterday's post, I mainly write about this topic to motivate myself to keep it going. Today, I wanted to do a slightly longer trip than yesterday with bigger differences in height. While it was 20m down and 10m up on yesterday's trip (it was 20m/20m for sure, I just hit the "start tour" button a few m too late), today it was 30m/30m. A bit more height, a bit longer (6,12km).

Enough written - here's the trip, recorded via Komoot, again :)

Evening Sports

PS. If you wonder why the above is a screenshot and not an iFrame that Komoot generates, it's about speed. It was my goal to create a blazing-fast blog when I built it. The iFrame slows it down too much. That's not acceptable ;)


Miniflux Dennis Klein | 2014-04-07 08:00 UTC

a lightweight, open source, web based RSS reader
When Google shut down their Google Reader service months ago, I installed (like many others) the Tiny Tiny RSS reader. It has a lot of options, but I never got into it. Too many options I neither need nor want to use. My wife also has an account on this particular installation, but she never really got used to it either.

While reviewing the Apache log in the last few days, I stumbled upon Miniflux. I had honestly never heard of it, but a quick search showed the website just mentioned. This looks nice. After a quick ride on their demo system, I was sure - this will become my RSS reader of choice. The setup was amazingly easy. Everything was working after less than 5 minutes.

Miniflux on my server
I moved a few of my subscriptions over to Miniflux (manually, because it's a good moment to sort them).

I'm quite happy with Miniflux and I can highly recommend it, even though there's one little downside: there is only one (1) user - so I cannot set up a second user for my wife and let her use it. Maybe I've missed something, but it was not mentioned in the Miniflux FAQs how to do this. In our situation, I wouldn't say it's a big problem. I can quickly set up another installation on her own domain ;)

sangyye just pointed to their roadmap, which clearly highlights multi-user support. Awesome! :)

I've put the following cronjob into the crontab to make sure all RSS feeds are updated every hour:
0 */1 * * * cd /var/www/miniflux && php cronjob.php >/dev/null 2>&1




Hello all,

Following up on my AArch64/ARM64 on Gentoo post: in the last months Mike Frysinger (vapier) has worked on bringing arm64 support to the Gentoo tree.

He has created the profiles and the keyword, along with keywording a lot of packages (around 439), so props to him.

Upstream qemu-2.0.0-rc now supports aarch64/arm64, so I went ahead and created a stage3 using the new arm64 profile. Thanks to Mike, I didn’t have to fight with a lot of problems like with the previous stage3.

For building, I just had to have this in my package.keywords file:

=app-text/opensp-1.5.2-r3 **
=dev-util/gperf-3.0.4 **
=sys-apps/busybox-1.21.0 **
=app-text/sgml-common-0.6.3-r5 **
=app-text/openjade-1.3.2-r6 **
=app-text/po4a-0.42 **
=dev-perl/Text-CharWidth-0.40.0 **
=dev-perl/SGMLSpm-1.03-r7 **
=dev-util/intltool-0.50.2-r1 **
=dev-perl/XML-Parser-2.410.0 **
=dev-perl/Text-WrapI18N-0.60.0 **
=sys-apps/coreutils-8.22

And in my package.use file:

sys-apps/busybox -static

coreutils-8.21 fails to build, 8.22 built fine. And building busybox with USE="static" still fails.

Also, I’ve just found out that USE="hpn" on net-misc/openssh makes the client segfault. Not sure if it’s because of qemu or because the unaligned accesses hpn had aren’t happy on arm64. So if you plan to use the ssh client in the arm64 chroot, make sure you have USE="-hpn".
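If the HPN client crash really is down to unaligned accesses, the C idiom involved is worth seeing side by side with the portable form. The block below is an added example, not code from the Gentoo post, from OpenSSH or from the HPN patch set; the six-byte sample packet and its layout (a 1-byte type followed by a 4-byte big-endian length at byte offset 1) are constructed for the illustration. Casting an unaligned pointer to uint32_t * and dereferencing it is undefined behaviour: x86 performs the load anyway, while strict ARM/AArch64 configurations (and some qemu user-mode setups) fault on it, which shows up as a segfault.

```c
/* Added example: alignment-agnostic reads of a wire format.
 * Not from the Gentoo post, OpenSSH or the HPN patch set. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample packet: type byte 0x05, then big-endian length 300
 * (0x0000012c), then one trailing payload byte. The length field starts at
 * byte offset 1, which is deliberately NOT 4-byte aligned. */
static const unsigned char sample_packet[] = { 0x05, 0x00, 0x00, 0x01, 0x2c, 0xaa };

/* Returns 1 if p is aligned to a (a must be a power of two). Handy as a
 * debug assertion before any raw pointer cast; it never dereferences p. */
int is_aligned(const void *p, size_t a)
{
    return ((uintptr_t)p & (a - 1)) == 0;
}

/* The UNSAFE pattern, written out for contrast only:
 *
 *     uint32_t v = *(const uint32_t *)(buf + 1);   // UB: buf + 1 is unaligned
 *
 * It compiles silently everywhere, works on x86 by luck, and may raise
 * SIGBUS/SIGSEGV on ARM. It also assumes the host byte order matches the
 * wire, which is a second bug. Neither problem exists in the version below. */

/* Portable big-endian 32-bit read: assembles the value from bytes, so it
 * has no alignment requirement and no host byte-order assumption. GCC and
 * Clang fold this into a single load-plus-byteswap where that is legal. */
uint32_t get_u32_be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

struct msg_hdr {
    unsigned char type;
    uint32_t      len;
};

/* Parses the header at the front of buf into *out. Returns 0 on success,
 * -1 if fewer than the 5 header bytes are present. The length is read with
 * the alignment-agnostic helper instead of overlaying a struct on the buffer. */
int parse_msg_hdr(const unsigned char *buf, size_t n, struct msg_hdr *out)
{
    if (n < 5)
        return -1;
    out->type = buf[0];
    out->len  = get_u32_be(buf + 1);
    return 0;
}

/* Convenience accessors over the constructed sample, so the result can be
 * checked without touching the sample array directly. Both return 0 if
 * parsing fails, which cannot happen for the 6-byte sample. */
unsigned parsed_sample_type(void)
{
    struct msg_hdr h;
    return parse_msg_hdr(sample_packet, sizeof sample_packet, &h) == 0 ? h.type : 0u;
}

uint32_t parsed_sample_len(void)
{
    struct msg_hdr h;
    return parse_msg_hdr(sample_packet, sizeof sample_packet, &h) == 0 ? h.len : 0u;
}

int main(void)
{
    struct msg_hdr h;
    if (parse_msg_hdr(sample_packet, sizeof sample_packet, &h) != 0)
        return 1;
    printf("type=%u len=%u (length field pointer 4-byte aligned: %s)\n",
           (unsigned)h.type, (unsigned)h.len,
           is_aligned(sample_packet + 1, 4) ? "yes" : "no");
    return 0;
}
```

The point for anyone chasing a crash like the one above: on an x86 build box the cast version never fails, so the bug is invisible until the binary runs on the real target. Building with -fsanitize=alignment (UBSan) makes the unaligned dereference report itself on x86 too, which is a cheaper way to find such spots in a patch set than waiting for a segfault under qemu.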

By the way, app-arch/lbzip2 seems to fail to run here; not sure if it’s because of qemu or it simply doesn’t work on arm64. It segfaults.

You can download it from: http://gentoo.osuosl.org/experimental/arm/arm64

I’ve also started to upload some binary packages: http://tinderbox.dev.gentoo.org/default/linux/arm64/

Also, if someone wants to give us access to arm64 hardware, we would be really happy :)

 




Losing weight Dennis Klein | 2014-04-06 08:00 UTC

changing what and when I eat for a month now, adding sports
I'm not really sure why I post this to my blog, maybe just to give my blog a more personal and not just a sterile theme. However, I weigh a bit too much, that's nothing new, but for a month now I've been working on a change. Way back, around 4 weeks ago, I was sick. Very sick, a flu that knocked me off my feet. You know, something that you get every 5-10 years or so.

Sitting at my doc's, I asked him about that "stuff" you can get from Amazon to make you lose weight pretty fast, called Almased here in Germany. He told me to keep my freaking fingers off this sh*t. All you're going to lose is water, which your body needs. I should rethink what I eat and HOW I eat and think about doing some sports. Yikes. I'm really not a sporty person and apart from skiing and playing billiards or bowling, I hate sports. Months ago, in September last year, I went to a gym around the corner, and for 2 months I was there on a regular basis (2 times a week), but then my son was born and I really wanted to be home quickly after work and share time with wifey and the kid. That was in November. Oh dear - I guess you already have an idea - I haven't been there since.

So I made a plan to reduce my weight without too much sporting activity and started with the food. I admit, those days I was back (for the 3rd time) on Cola - I didn't drink much of it, but enough to have a bad conscience. This got eliminated from my daily food list first. Also, I ate a toast every morning at work and then another one around noon. Back home (5pm+), I had dinner with my wife and kid (haha - well, if you call milk a dinner for him). Of course, I was not really against sweet stuff and also drank a lot of ice tea and far too little water.

What I did was change my food the same day I came back from the doc. I bought some cereal (Müsli!) and had this for breakfast. Until today, I've had Müsli every morning and meanwhile I've got really used to it and like it. Of course, with fresh milk. I also carried the Müsli in a small plastic cup to work and the milk in a small thermos jug. My co-workers were smiling about me and my "new health" in the first few days, but they got used to it. We normally have breakfast at 9:30 - 10:00 and then I stop eating until I get home (~16:30 - ~17:30, depending). Then I have dinner with the family and stop eating for the day. 18:00 should be the last time to eat anything. When I get hungry after 18:00, I eat cucumber with a little bit of salt or low-carbohydrate food like a sausage or some chicken (you know, those little pieces you normally put on your toast). Not much, but a bit against the hunger.

Drink-wise, I changed from Cola & multi-vitamin drinks to water. Pure water - at least 1,5l at work and a lot more after work (docs say you should drink AT LEAST 2l/day!). I don't drink coffee (hate the taste), so I was off caffeine quickly, and I admit it was hard in the first two weeks, but meanwhile I'm back wide awake ;).

Without doing any sports, I already lost a few kilos. Not as much as I would like, but on my LibreOffice sheet it looks promising and in the diagram (haha, what did you expect? I'm a nerd! :D) the trends are going down. Here's a screenshot (without numbers):

Weight
The last measurement is from this morning, around 7:30. It was not as much as expected and this frustrated me, so I decided to do some early-morning sports. I put my clothes on, went to our shed, grabbed my bike and went on a little tour around our district. With my Moto G, I recorded the track. I cycled at ø17km/h and the track was "just" 4,7km. Not really far, but for the first trip this year I think it's ok. I tell you, I can feel my thighs ;)

Here's the trip, recorded with Komoot:
Komoot
Hopefully, by sharing this sensitive topic with my readers, I motivate myself to keep on doing sports and reducing my weight quicker. My goal? Well, if I hit ~75kg, I would be very happy and proud. And you know what? I will reach this goal, sooner or later, but I will!


In the wake of long-overdue media attention to revelations that a business unit of credit bureau Experian sold consumer personal data directly to an online service that catered to identity thieves, Experian is rightfully trying to explain its side of the story by releasing a series of talking points. This blog post is an attempt to add more context and fact-checking to those talking points.

Experian has posted several articles on its Web properties that lament the existence of “inaccurate information about Experian circulating in news outlets and other Web sites.”

“It’s no surprise that cybercrime and data breaches are hot topics for media and bloggers these days,” wrote Gerry Tschopp, senior vice president of public affairs at Experian. “Unfortunately, because of all the attention paid to these topics, we’ve seen some inaccurate information about Experian circulating in news outlets and other Web sites. I want to take a moment to clarify the facts and events.”

I’ve read this clarification closely, and it seems that Experian’s latest talking points deserve some clarification and fact-checking of their own. Below are Experian’s assertions of the facts (in bold), followed by some supplemental information glossed over by said statements of fact.

-No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.

As all of my stories on this incident have explicitly stated, the government has said the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service).

For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.

“Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service,” US Info Search CEO Marc Martin said in a written statement. “We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored. Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention.”

-Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.

Experian has a duty to conduct “due diligence” on companies it wishes to acquire, because it knows that in purchasing a company it will acquire all of the company’s assets — including whatever debts, liabilities or poor decisions the previous owners may have incurred that end up creating problems down the road. Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company. Addressing a U.S. Senate committee last December, Experian’s senior vice president of government policy, Tony Hadley, allowed that “during the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person.”

Also, if it wasn’t clear by now, Experian’s PR mantra on this crisis has been that “no Experian database was accessed,” in this fraud. But this mantra draws attention away from the real victim: Consumers whose information was sold by Experian’s company directly to an identity theft service. A critical question to ask to this line of thinking is: Why does it matter whose database it is, if it contains personal info and Experian profited from its sale? 

-Court Ventures was selling the data in question to the criminal for over a year before Experian acquired the assets of Court Ventures.

True. Which suggests there should have been plenty of evidence for Experian’s due diligence team to detect fraudulent activity of the sort generated by an identity theft service using its network. Perhaps just as importantly, Court Ventures continued to sell consumer records to the ID theft service for almost 10 months after Experian acquired the company.

-Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed.

This publication has never stated that there was a breach of 200 million records. But it is true that KrebsOnSecurity.com was the first to report on the information contained in government statements made during the guilty plea hearing of Hieu Minh Ngo — the man who admitted to running the identity theft service. In those statements, prosecutors for the U.S. Justice Department stated that Ngo — by virtue of fooling Court Ventures into thinking he was a private investigator – had access to approximately 200 million consumer records. As I have stated previously, however, Ngo had to pay for the records he accessed, and he was running a service that charged customers for each records search they ran.

A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.

-Lastly, Experian discontinued the sales of this data immediately upon learning of the problem and worked closely with law enforcement to bring this criminal to justice, (the perpetrator has recently pleaded guilty). We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search’s data to Ngo (the perpetrator), and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian.

If it really was US Info Search — not Court Ventures — whose database was accessed in this scheme, why is Experian suing Court Ventures? [Update, 9:03 P.M.: Databreaches.net has a good explanation for this question, which happens to support previous research of mine on why this breach could be far bigger than 3 million Americans.]

Original story:

Here’s a far more important question that Experian needs to answer: What has the company done to make things right with the Americans whose identities were stolen because of this whole fiasco? 

Regarding those victims, Experian’s Mr. Hadley stated under oath in front of a U.S. Senate committee that “we know who they are, and we’re going to make sure they’re protected.” But, incredibly, in the very next breath Hadley seemed to suggest that none of the millions of consumers whose data was stolen by Ngo and his identity theft service had experienced any danger of identity theft or were even in need of Experian’s protection.

“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley told the committee.

For his part, US Info Search CEO Martin says it doesn’t appear that Experian is interested in notifying anyone.

“We have cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications,” Martin wrote in an email to KrebsOnSecurity. “In addition, Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”

Experian has declined to answer questions about whether it has lifted a finger to help consumers impacted by this scheme, or to clarify its apparently conflicting statements about whether it believes anyone has been harmed by its (in)action. But then again, what exactly would the company do? Offer them a year’s worth of dubiously valuable credit monitoring services? Oh wait, that’s right, Experian practically invented the hugely profitable credit monitoring industry, whose services are negotiated and purchased en masse virtually every time there is a major consumer data breach. Br’er Rabbit would be so proud.

In summary, Experian wants you to remember that the consumer data sold to Ngo’s identity theft service didn’t come directly from its database, but merely from the database of a company it owns. But happily, there is no proof that any of Ngo’s customers — who collectively paid Experian $1.9 million to access the data — actually harmed any consumers.

Readers who find all of this a bit hard to swallow can be forgiven: After all, this version of the facts comes from a company that has been granted a legal right to sell your personal data without your consent (opting out generally requires you to cut through a bunch of red tape and to pay them a fee on top of it). This from a company that is quibbling over which of its business units profited from the sale of consumer records to an identity theft service.



Royal TS Dennis Klein | 2014-04-05 22:00 UTC

No! Not that burger, the cool multi-remote-session application
What sounds like a burger name is a multi-session application for your Windows or Mac. It's a remote-control tool that lets you combine all different kinds of remote access. If you want to connect to a Linux or UNIX system via SSH, to a Windows server or client via RDP, or via VNC to a Mac, this application combines it all.

Even though I have some test Windows servers running on my ESXi, I focus on ssh sessions in this review. The reason is quite simple: this is what I use on a daily basis.

Royal TS main screen
The application itself is pretty complex and has a lot of options to configure your sessions. For example, you can dial in with given credentials (login & password) or even key files. You can also log in without any stored usernames or passwords, which makes it a bit more secure. But sure, in that case you will have to type that stuff every time you connect.

I guess the main idea behind this application is not just to have a central point to connect to any of your servers (or clients); I think even more important is the layout. At work, or even at home, I always have a bunch of open terminals. Normally, the Linux/UNIX application terminator. And believe me, those terminals are cluttered, lying on top of each other and spread over the screen. The workflow is not the best, I admit, and I think I could speed myself up by using a more efficient way of dealing with the sessions. Even when I am on Windows, I run mintty from the Cygwin project and it's the same there.

In my mind, there are a few ways to solve this "problem". It's not really a problem, but it drops the efficiency. Yes, especially terminator allows me to tile the window and have multiple sessions next to each other. However, it just supports ssh. And this is where it falls short. At work (and sometimes also privately), I have to deal with Linux (ssh) and Windows servers (RDP) at the same time. Having both sessions in the same application helps a lot to make the workflow better.

Royal TS folders
Back to Royal TS. They've implemented a very nifty idea to manage even very many sessions. You can create folders, say "office A". Inside this folder, you add all your servers which are located in that office. Maybe the administrator (of course, not you ;)) was so easygoing and gave all those systems the same credentials. No problem. With Royal TS, you can quickly give the whole office the same credentials and all sessions are able to use those to connect. Of course, no one would ever do this, right?

So, while having a folder "office A", you could now also add "data center B", or "rack 123", or "firewalls" - you get the idea. It's a REALLY good idea to have the option to sort your connections with folders. This makes it easy to find them again.

Royal TS setup
The performance of ssh is outstanding. I've set up my main server (Linux, via SSH) with the terminal implementation which is based on Rebex.net. (I've no idea what this means.) Unlike mintty + mosh that I used before, I don't have any lags with the ssh session. Believe me - there must be something going pretty wrong if a connection with such a small bandwidth usage and with mosh on top is so slow.

Royal TS color settings
Of course, Royal TS does support proxy servers, which is pretty handy from time to time. Also, you can modify the colors of your ssh session. There are three default color sets. Unfortunately, I have not found a way to create my own color set and save it.

Royal TS color recording
Another fantastic feature is "recording". You can make a kind of video of an ssh session. Royal TS does not only record in an ordinary movie format. No! It saves in a very small ANS-file format and with Royal TS, you can later on review your session. This is a very, very good idea if you do something dangerous on your server, or something which is complicated. You have a "video" to review and to note how the hell you got it to work. In some situations, I wish I had had such videos of my servers & clients before! Oh - and don't be afraid, even full screen apps are recorded. I've tried it with htop and all that I've seen in the session was recorded 1:1. Even vim sessions are stored.

Using the CSV import function, you can quickly import a bunch of servers to your system. Another great idea. This will save you a lot of time, especially if you run Royal TS on different systems. You can not only import CSV files, but also (makes sense ;)) export to CSV.

So far, this application is awesome, but there is one thing I dislike. Ribbons. Seriously, I hate ribbons, but in Royal TS, they are part of the program and are very important, so you don't have much choice but to use them. Luckily, you can minimize them.

There are many more features. More than I could describe here. For the features, check their website. I think the price of 25€ is very fair for such a good program.


Resumé
On a Windows system, I would always use this software instead of fighting more with mintty. I can highly recommend it, especially for people who are working with more than just a few servers.

Many thanks to code4ward.net for providing me with a free license to be able to test all features.


"smart" software via Planet Gentoo | 2014-04-05 10:29 UTC

1) Grab web browser
2) Enter URL
3) Figure out that web browser doesn't want to use HTTP because ... saturday? I don't know, but ass'u'me'ing that some URLs are ftp is just, well, stupid, because your heuristic is whack.

Or, even more beautiful:
$ clementine
18:02:59.662 WARN  unknown                          libpng warning: iCCP: known incorrect sRGB profile 
Bus error


I have no idea what this means, so I'll be explicitly writing http:// at the beginning of all URLs I offer to Firefox. And Clementine just got a free trip behind the barn, where it'll get properly retired - after all it doesn't do the simple job it was hired to do. Ok, before it randomly didn't play "some" music files because gstreamer, which makes no sense either, but open rebellion will not have happy results.

I guess the moral of the story is: Don't misengineer things, clementine should output music and not be a bus driver. Firefox should not interpret-dance the URLs offered to it, but since it's still less retarded than the competition it'll be allowed to stay a little bit longer.

Sigh. Doesn't anyone engineer things anymore?