by Paul Arnote (parnote)
NSA Reverse Engineering Tool Ghidra Now Open Sourced
In a move that caught many by surprise, the United States National Security Agency, a.k.a. the NSA, has open sourced their reverse engineering tool, called Ghidra, according to an article on ItsFOSS. Yes, THAT U.S. agency that has vacuumed up everyone's data and denied every living being on the planet a right to privacy.
Written in JAVA, Ghidra runs on Windows, MacOS and Linux. The program will reverse engineer computer programs and output compatible C code to accomplish the same tasks. In essence, it's a decompiler. At the time of the release announcement, it was unknown which CPU architectures it was able to reverse engineer programs for. It is thought to -- at least -- work for x86, x64 and ARM architectures. While the program has a GitHub page that is currently serving as a placeholder page for the code, you will still (at this time) have to visit the aforementioned link to download the actual program.
There is an interesting discussion of the tool on Reddit. Joining in on the Reddit discussion are several who, in whatever their former capacity used to be, have used Ghidra in the past. The information they provide is quite telling about its capabilities. The commenters rank Ghidra right up there with high level commercial decompilers, like IDA Pro, Hex-Rays Decompiler, Binary Ninja, and Radare2.
So why open source the tool now? Well, that's an area of speculation. The public knows of the tool's existence, thanks to the leak of Vault 7 documents from the CIA on WikiLeaks in March, 2017. Open sourcing the tool will allow the open source community to not only help maintain it (free of charge, nonetheless), but the open source community can also help grow and enhance the tool's capabilities.
ANYTHING dealing with or coming from the NSA isn't without controversy. Not only is the agency one of the most hated in the world, but it is also one of the least trusted agencies the world over. Some commenters openly worried about back doors or "phone home" routines in the Ghidra software. The distrust and distaste for the NSA is certainly well earned by the agency.
As far as Linux is concerned, this isn't the first time NSA-born software has appeared. Back when Linux kernel 4.17 was being released, there was a fervor that swept among Linux users over the inclusion of the NSA encryption algorithm called Speck. Speck is a lightweight block cypher that Google wanted to include and use to encrypt Android files, via dm-crypt and fscrypt. Its original push was to be used as lightweight encryption of IoT devices.
As is usual, much suspicion surrounded the inclusion of Speck (and its companion cypher Simon) in the Linux kernel. Due to its history of abuse, any move by the NSA is met with intense suspicion and scrutiny. Speck was rejected by the ISO committee, due to concerns that the NSA had placed "backdoors" into the code, allowing spies and government agencies easy access to "encrypted" data. The inclusion of Speck was reportedly removed by Linux kernel 4.19.
In a 2013 article on The Register, it was reported that Linus Torvalds admitted to having been approached by U.S. "government men" to include a "backdoor" in Linux. He made this admission at a New Orleans LinuxCon question and answer session. He did so by shaking his head yes while supplying an emphatic NO as an answer to the question. He then shook his head NO and emphatically said NO, to answer the question of whether a backdoor exists in Linux.
Anti-Vaxxers Facing Social Media Crack Down
There's one topic that is extremely polarizing: vaccines. The vast majority of people support the routine administration of vaccines. But an ever growing group of people are buying into the "vaccines cause autism" argument. This is despite repeated studies by numerous healthcare organizations around the world that all show there to be no link between vaccines and autism. The World Health Organization (WHO) lists "vaccine hesitancy" as one of its 10 threats to global health in 2019.
But, the latter group, commonly referred to as "anti-vaxxers," has found a vehicle for their message on social media. After recent outbreaks of measles in various pockets throughout the U.S., the AMA (American Medical Association) and the AAP (American Academy of Pediatrics) have urged the CEOs of Facebook, Google, Pinterest, Twitter and YouTube to take steps to address vaccine misinformation on their sites.
As a result, YouTube has demonetized anti-vax videos. Facebook will demote pages and groups that share anti-vax information. The company will also stop search results for anti-vaxxer pages on its app and website. Similarly, anti-vaxxer content will no longer appear in Instagram's Explore page, or in the app's hashtag pages. Pinterest will no longer return search results for items related to vaccines, whether they are pro-vaccine or anti-vaccine views.
The anti-vax movement gained considerable steam after then British physician, Dr. Andrew Wakefield, published a paper in the British medical journal Lancet that linked vaccines to autism and bowel disease. In the 20+ years since, Wakefield has been discredited, has had the paper's "co-authors" rescind or withdrew their support for the "study's" interpretations, and has been "struck off the UK medical register for unethical behaviour, misconduct and dishonesty for authoring a fraudulent research paper that claimed a link between the measles, mumps and rubella (MMR) vaccine and autism and bowel disease." Additionally, "Wakefield is barred from practising as a physician in the UK, and is not licensed in the US. He lives in the US where he has a following, including prominent celebrity anti-vaccinationist Jenny McCarthy, who wrote the foreword for Wakefield's autobiography, Callous Disregard. She has a son with autism-like symptoms that she is convinced were caused by the MMR vaccine. According to Sunday Times of London's investigative reporter Brian Deer, as of 2011, he lives near Austin (Texas) with his family."
While most would argue that these moves by the tech giants are the best moves and in the best interest of the community at large, this does present a "slippery slope" type of situation. Do we squelch the views and voices of those expressing ideas that are different from our own, or that are not in line with the majority opinion du jour? At what point do we draw the line? Indeed, this is a very difficult situation. If public opinion shifts, how long will it be before YOUR views and voices come under attack?
YouTube's mission statement starts out, "Our mission is to give everyone a voice and show them the world." While they are not taking down the anti-vaxxer videos, they have demonetized them. YouTube has recently came under fire for similarly squelching the voices of conservative and populist viewpoints, while promoting more progressive and leftist viewpoints.
Facebook has similarly been accused of the exact same thing in the not too distant past, and the complaints continue to this day. Facebook has even enlisted the infamous "Snopes.com" website to "fact-check" information presented on Facebook, despite Snopes being widely perceived as having or supporting decidedly leftist and progressive viewpoints.
Yes, it is a slippery slope, indeed.
A Password Free Web?
The World Wide Web Consortium (W3C) and the FIDO Alliance today announced the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure-- and usable--for users around the world.
W3C's WebAuthn Recommendation, a core component of the FIDO Alliance's FIDO2 set of specifications, is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) Web browsers. WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can -- and should--turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.
"Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences," said Jeff Jaffe, W3C CEO. "W3C's Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site."
A user-friendly solution to password theft, phishing and replay attacks
It's common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren't simple to use and suffer from low opt-in rates.
With FIDO2 and WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem. FIDO2 addresses all of the issues with traditional authentication:
- Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user's device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
- Convenience: Users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys (typically plugged into an available USB port), or their personal mobile device.
- Privacy: Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites.
- Scalability: websites can enable FIDO2 via simple API call across all supported browsers and platforms on billions of devices consumers use every day.
"Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web," said Brett McDowell, executive director of the FIDO Alliance. "With this milestone, we're moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet."
For services providers and vendors ready to get started with FIDO2 specifications and browser/platform support, the FIDO Alliance has provided testing tools and launched a certification program. Currently, there are many FIDO2 Certified solutions available to support a wide variety of use cases, including FIDO Certified Universal Servers that support FIDO2 and all prior UAF and U2F devices for full backward compatibility with the full range of certified FIDO authenticators.
Visit the FIDO Alliance website for more information on FIDO2, including resources for developers and product vendors interested in taking part in the FIDO Certified program.
50 Years Later: Boy Who Stole Life Magazine With Beatles Cover, Returns It To Library
Fifty years ago, at the height of Beatlemania, a young Ohio boy named Brian saw a copy of Life magazine. On its cover was the Fab Four. He stole that copy of Life magazine to make it his own.
But somewhere around the end of February and the beginning of March, he decided to give that stolen copy of the magazine back to the library. He sent it to them, along with a note that read:
"Hello. I stole this magazine from the Parma Ridge Road library when I was a kid. I'm sorry I took it. I've enclosed a check for the late fee."
Accompanying the note was a check for $100, despite that fact that over five decades have passed. Even though his "real" fine would have been somewhere in the neighborhood of $1,800, the library caps the maximum fine at $100, which he remitted.
The library took the time to write Brian back:
"To the Beatles fan who "borrowed" this copy of Life magazine in 1968: Thank you for returning it this week and clearing your conscience."
Now Is The Time To Add More Memory Or A SSD
Marketplace factors have made this the ideal time to finally add that extra memory you want to your computer, or to add that SSD you always dreamed of having. Having just purchased a used laptop from eBay that had a SSD installed in it, I can vouch for the speed increase running PCLinuxOS. The laptop, with an Intel i5 processor and 8GB RAM literally is screaming fast, especially when coupled with my favorite lightweight desktop, Xfce.
According to one TechRepublic article, prices for PC DRAM, the memory chips that make up (SO)DIMM memory modules that we use in our computers, have fallen 30% in the first quarter of 2019. This represents the biggest decline in prices since 2011. The falling prices are a direct result of Intel not being able to keep up with demand, as they moved from a 14nm process to a 10nm process. The transition has not been particularly smooth for Intel, prompting the delays in shipping adequate numbers of Ice Lake CPUs to keep up with demand among computer manufacturers. As it stands now, DRAM suppliers are sitting on six weeks worth of inventory.
At the consumer level, buyers can expect to see significant discounts on current, top-line memory products. For example, a 32GB DDR4 SODIMM module currently runs around $225, down from the $300-$450 prices seen a year ago. DDR3 memory modules aren't likely to see as much discount, since most manufacturers are focused on producing the newer memory configurations.
Meanwhile, NAND flash memory, used in the construction of SSDs and flash memory cards, has seen its prices fall pretty dramatically, according to another TechRepublic article. Probably the most dramatic example of this is that you can now buy a 512GB SATA SSD for the same price that you could have purchased a 256GB SATA SSD a year ago. Because of the lower prices, computer market analysts expect SSD and NVMe devices to fully occupy half of the market share by the end of 2019.
If/when your replace your rusted platter HD with a SSD, prepare to say hello to longer battery life (thanks to lower power consumption of SSDs when compared to traditional HDs), and faster overall computer response (thanks to memory reads being faster than reading data from a rotating platter of rust). The full potential of SSD and NVMe devices won't be realized, however, until the throughput rate of the SATA interface is increased. Current SATA throughput rate is currently limited to approximately 550MB/s, far slower than either device is capable of producing.
Want To Prevent Catching The Flu?
At least here in the U.S., this past flu season has been a lot milder than last year's. The annual flu vaccine given at the beginning (or slightly prior to) the current flu season was a quadrivalent vaccine that included protection against Influenza A H1N1, the predominant strain that was responsible for influenza in the early part of the flu season. This is the same strain of influenza that was responsible for the 1918 Spanish Flu epidemic. Over the years, H1N1 appears to have mutated to become less severe and less virulent.
However, the late flu season has seen a rise of H3N2 Influenza A cases -- and which was not included in the quadrivalent annual flu vaccine. Be careful to not confuse actual influenza with what most people call the "stomach flu." The former is a respiratory virus, and causes severe viral pneumonia in its victims. The latter is a gastrointestinal virus, complete with fever and muscle aches, but causing intense vomiting and diarrhea. The latter is typically caused by norovirus, which is usually the same culprit for all those people getting sick on cruise ships that you hear about. It typically lasts 24 to 72 hours before running its course.
So, how do you help protect yourself from contracting the flu? Keep in mind that the virus can be breathed in when someone in close proximity to you coughs or sneezes (as it's very easily spread via airborne droplets). BUT, it can also live on surfaces, and if you come into contact with those surfaces and then touch your nose, eye(s) or mouth, you can still become infected. Hugging, kissing and shaking hands can also facilitate the spread of influenza from person to person.
That is why the Washington Post ran an article detailing that merely washing your hands frequently for at least 20 seconds can go a long way to helping prevent catching influenza. This means PROPER hand washing. The five-second get them wet and pray method will NOT work. So, let's review proper hand washing.
First, 20 seconds is about how long it takes for you to sing the ABC's song at a casual pace. Or, just sing the "Happy Birthday To You" song -- twice. Second, use plenty of soap and insure that you are soaping and rubbing the fronts and backs of your hand, around your nails and cuticles, and between your fingers. It doesn't matter if you use hot or cold water. If water isn't available, alcohol-based hand sanitizer will work just fine.
Roundup At The PCLinuxOS Corral
LAST MONTH, we told you about some security issues with Amazon's Ring doorbell. Well, one month later, the Jerusalem Post has exposed further security issues with the device. In the latest news, video of someone you know or expected at your door can easily be inserted, replacing the video of the actual person standing at your door. The fault is the same as we reported last month: Ring's unencrypted video feed. If that doesn't scare the bejeezus out of you and make you leary of using these unsecure devices, then nothing will.
Some hackers actually make their living chasing down bugs in programs. There are hackers that have made well over $1 million per year by cashing in on software bug bounty programs. So, one TechRepublic article asked the question: do bug bounties help open source security? The answer, was yes.
Hey ... what about that old USB flash drive you have? Have you ever purchased a used flash drive? Have you ever lost a flash drive you typically carry in your pocket? You better be careful, because the contents of that flash drive can reveal a lot more about you than you think. In fact, 67% of used flash drives contain recoverable data from its previous user, according to a study commissioned by Comparitech, and conducted by University of Hertfordshire researchers. They purchased 200 used flash drives from eBay, second hand shops, and live auctions -- 100 from the UK and 100 from the U.S. So what did they find? They found intimate, private and sensitive files, including nude photos, business documents, wage slips, business documents, private memos, tax statements, receipts, and medical records, among other things. The researchers only used publicly available software that can be downloaded from the web.
So, what can you do to secure your data? First and foremost, encrypt the data on your flash drive. The inconvenience may be worth it. This way, should you ever lose it, you won't have to worry about your data falling into evil hands. If you're looking to sell a previously used flash drive, take the time to irreversibly erase all previously stored data. Fortunately for Linux users, this is a simple task of running the dd command on the drive. Use the following format for the command: dd if=/dev/urandom of=/dev/sdX bs=1M, where sdX is the drive designation of the flash drive. When done properly, there is less than 0% chance of retrieving data that was stored on the drive.