Archive for May, 2017

Government not ‘sitting on hundreds of zero days,’ former NSA official says – FedScoop

This story first appeared on CyberScoop.

Storm clouds are rising over the U.S. government's policy on software flaw disclosure after the massive WannaCry infection spread using a cyberweapon developed by the NSA, and even former agency leaders say it might be time to take a fresh look at the Vulnerability Equities Process.

Under the VEP, U.S. officials weigh the benefits of disclosing a newly discovered flaw to the manufacturer, which can issue a patch to protect customers, or having the government retain it for spying on foreign adversaries who use the vulnerable software. The process has always had a bias toward disclosure, former federal officials said.

"We disclose something like 90 percent of the vulnerabilities we find," said Richard Ledgett, who retired April 28 as the NSA's deputy director. "There's a narrative out there that we're sitting on hundreds of zero days and that's just not the case," he told Georgetown University Law Center's annual cybersecurity law institute.

On the contrary, he said, "the process, led by the [White House National Security Council], is very bureaucratic and slow and doesn't have the throughput that it needs." He said it was an issue NSA leaders had raised with both the previous administration and the Trump White House and that current homeland security adviser Thomas Bossert had promised to fix.

A zero day vulnerability is a newly discovered software flaw, one the manufacturer has zero days to patch before it can be exploited. An exploit is a piece of code that uses a vulnerability to work mischief on a computer, for instance allowing a remote hacker to download software and seize control. "Not all zero days are created equal," one of the architects of the VEP, former White House Cybersecurity Coordinator J. Michael Daniel, told CyberScoop recently.

Some exploits might require physical access, or need other exploits to be pre-positioned. Some might even rely on known but widely unpatched vulnerabilities, he said. One of the reasons WannaCry spread so fast despite being relatively unsophisticated in design is that it utilizes a very powerful NSA exploit called EternalBlue.

EternalBlue was one of a large cache of NSA hacking tools dumped on the web last month by an anonymous group calling itself the Shadow Brokers, an event that led to calls for the government to give up stockpiling vulnerabilities altogether.

That would be a mistake, Ledgett said, in part because even disclosed vulnerabilities can be exploited. Hackers can take apart the patch and reverse-engineer the vulnerability it is fixing, and then weaponize it with an exploit. Even when there's a patch available, Ledgett noted, "Many people don't patch, for all sorts of reasons." Large companies, for example, often have custom software that can break when an operating system is updated.

"The idea that if you disclose every vulnerability, everything would be hunky dory is just not true," he said.

Besides, the NSA's use of its cyber-exploit arsenal was "very tailored, very specific, very measured," added Ledgett, agreeing that the VEP policy was "in about the right place."

Indeed, he said, there was an argument to be made that Microsoft, which last weekend rushed out an unprecedented patch for discontinued but still widely used software like Windows XP, should bear some of the blame for not patching the discontinued products in March, when it patched its current products, apparently in response to an advance warning from the NSA.

Daniel revealed the VEP in 2014, in response to suspicions that the NSA had known about the huge Heartbleed vulnerability in a very widely used piece of open-source software (it hadn't, he said). But the policy has been in place since 2010, according to documents declassified in response to a Freedom of Information Act request from the Electronic Frontier Foundation, an internet freedom advocacy group.

And Ledgett said the NSA had previously had a similar policy in place for decades. At the heart of the process, he said, is a balancing of how valuable the vulnerability in question is for the NSA's foreign intelligence mission, versus how damaging it might be to U.S. companies or Americans generally, if it were discovered by an adversary or revealed before it could be patched.

Ledgett said the new process balanced more or less the same factors in more or less the same way, although there were additional players like the State and Commerce Departments at the table in the National Security Council-led VEP.

"The thing that's new since 2014 is the risk of disclosure of a vulnerability," he said.

But former NSA director and retired four-star Air Force Gen. Michael Hayden points out two other things that have also changed, affecting where NSA places the fulcrum in its balancing of offensive and defensive equities.

"Far more often now the vulnerability in question is residing on a device that is in general use (including by Constitutionally protected US persons) than on an isolated adversary network," he wrote in a blog post for the Chertoff Group, where he now works.

He said that a comfort zone the NSA had previously enjoyed had also narrowed considerably. The comfort zone was called NOBUS, short for nobody but us. In other words, "This vulnerability is so hard to detect and so hard to exploit that nobody but us (a massive, technologically powerful, resource rich, nation state security service) could take advantage of it."

"That playing field is being leveled, not just by competing nation states but also by powerful private sector enterprises," he concluded. "The NOBUS comfort zone is considerably smaller than it once was."

This week, bipartisan bills in both chambers sought to give the VEP a basis in law. Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory Gardner, R-Colo., and Reps. Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, put forward the Protecting Our Ability to Counter Hacking Act, or PATCH Act.


Thank the NSA for latest global ransomware – Bangkok Post

Everyone is talking about WannaCry(pt), the latest ransomware worm that attacked over 150 countries across the globe. It hit hospitals, universities, businesses, a telco, train stations and more. Microsoft responded by releasing emergency security patches for Windows versions as far back as XP. To Microsoft's credit they had released a patch for the issue in February, well before this exploit hit, so those that did not update were the ones hit. The lesson here is to install your security patches when they are available.

The exploit was via a vulnerability in the SMB file share system. The bug was found after the NSA's EternalBlue tool was stolen; yes, the NSA was using the exploit. Initially the tool was used to hack into devices but this latest version was added to ransomware. The unlock cost is between US$300 (10,400 baht) and $600 regardless of the target. It also adds Doublepulsar, a backdoor that allows the machine to be remotely controlled, also stolen from the NSA. Bitdefender sent an email saying I was already protected but many were not. The attack was stopped when a clever person in the UK found the kill switch. There are rumours that North Korea was behind this attack like they were with the big Sony hack a while back. Others are suggesting it was a much smaller group.

The potential next version of Android, or its replacement, called Fuchsia has been tested in an early development build. The need for such a product was triggered by Oracle's litigation against Google to get Android royalties. It is open source and you can find it on GitHub. Hotfix's Kyle Bradshaw compiled the most recent version and you can see what it looks like by searching for "Fuchsia OS Armadillo preview" on YouTube.

With the world moving away from the PC and towards the notebook many are looking for a solution for multi-monitor support. Modern notebooks are so thin they no longer have monitor ports but don't despair, there are many solutions to try. Thunderbolt ports support video, audio, standard data transmission and power. You will of course need a Thunderbolt compatible monitor. Another solution, for those with only one Thunderbolt or USB-C port, is to get a docking station. For older users, the options include a splitter cable, a splitter box and perhaps some USB-to-HDMI adaptors. If you have the right kind of notebook, e.g. a Razer, then you may even be able to use a proper graphics card inside an external box. Those that have tried or used multiple monitors rarely want to go back to one.

The MP3 or MPEG Audio Layer III format has been officially killed off by the Fraunhofer Institute, which did not renew the IP rights and ceased their licensing programme. No, MP3 is not gone, it has essentially become free. MP3 is still a popular format even though others like AAC variants and MPEG-H have more features, better audio quality and use less bandwidth. With the growth of memory on devices many also now use FLAC, a lossless format rather than MP3 which reduces information but "tricks" the ears into hearing all the sound. The most recent example is MQA that may be the basis for the next great streaming technology.

Since I didn't get the LG V20 phone I'm now looking at the Huawei P10 Plus. This is a 5.5-inch QHD+ phone with 6GB of memory and 128GB of storage for a fraction of the price of the Samsung S8. The Leica dual camera is very good and it comes with the latest Kirin 960 processor. It supports a microSD but you would have to be doing a lot of 4K recording to even need such an expansion of up to an additional 256GB. A 3,750mAh non-removable battery adds some extra life and it is Android 7. Unlocked versions are already available for as low as US$630 (21,750 baht) in some places.

I was at a presentation demonstrating SQL Server on Linux recently and besides the fact that it installs quickly, the advantage of this is that you can set up a virtual machine on a Windows 7 PC and run the latest versions like 2016 or the newest 2017. For Red Hat, Ubuntu and SUSE the product is fully integrated and an update is a simple command line. In the demo using Oracle's free VM, an Ubuntu core virtual machine was created and then SQL Server installed, which was then accessible from the Windows SQL Server Management Studio. Apart from one step involving partitioning, it was all seamless and fast. There are plenty of tutorials on the internet to walk you through this.

Finally for this week, Cray, the supercomputer people, are moving to a supercomputing-as-a-service model, which given how everything else is going should come as no surprise.


Diaspora* and Other Free Software Are Available in the Occitan Language, Thanks to Volunteer Translators – Global Voices Online


Volunteer translators have made the open-source social network platform Diaspora* available in some of the most commonly used languages on the internet, such as Chinese, Japanese, Spanish, and Portuguese. But take a look at the list of languages with 100% of the site's terms and phrases translated, and one language in particular stands out among the rest: Occitan.

Occitan is a Romance language spoken in Southern France and parts of Spain, Monaco, and Italy. The number of speakers in the region varies from source to source, but it is clear that the figure is declining. The Occitan language has several dialects, but a Standard Occitan is emerging that takes into account the different variants. According to UNESCO's Atlas of the World's Languages in Danger, the dialects Provençal, Auvergnat, Limousin, and Languedocien are classified as severely endangered, and the other two dialects, Gascon and Vivaro-Alpine, are classified as definitely endangered.

A small team of translators, who decided that Diaspora* would be another important place to promote the language, have brought Occitan to the social network.

Quentin Pagès, who speaks the Lengadocian dialect on which Standard Occitan is based, is one of the members of the translation team and also collaborated on the Occitan translations of other platforms, such as Jitsi Meet, Wallabag, Framadate and Mastodon. He shared his experiences with Rising Voices in a short interview.

Rising Voices (RV): Why is it important to you that Diaspora* is available in Occitan?

Quentin Pagès (QP): So people can start using it and it gives visibility to the language. I don't like when people decide that one language has more value than another. In my opinion, every language is as equal as the next. That is why it is important to me that Occitan is available as a complete language. Even though the Occitan language is not one of the most used languages on Diaspora*, by being an open-source project, the translation work can be reused for other projects that may use the same terminology and phrasing.

RV: How did you start this localization project?

QP: I decided to start the translation of Diaspora* because it was included in a list of alternative open-source platforms compiled by a French association called Framasoft through its campaign called De-Google-ify the Internet. From that list, I also helped to translate Jitsi Meet, Wallabag, Framadate, and now the new social network platform called Mastodon. For the translation of Diaspora, the team consisted of three people and we primarily communicated via email.

RV: What were the biggest challenges for translating Diaspora* into Occitan?

QP: You might expect that a challenge for translation would be a lack of vocabulary or something like that. But it wasn't about that, it was about finding people to review the translated texts and to help collaborate with the work. The Occitan language has good flexibility to create new words. So on the one hand, I wish there were more of us to translate, but on the other hand, there were just a few of us, so we could check that a word was translated in the same way everywhere. For the word "reshare," you may find some instances where it is displayed as "repartejar" and other places as "tornar partejar." I could change them, but as they both mean the same and both are correct, I decided to leave both.

RV: Do you have a sense of the activity of communities using Diaspora* in Occitan?

QP: Somehow people still haven't tried this social network. I wish people used tools that are available in Occitan, but at the moment it seems that only a few people value the availability of the language as a strong draw. In the case of Diaspora* in Occitan, it would be a really good way to gather people that want to support the language and so we can collaborate in other projects together. In my opinion working for the language has to be done in Occitan so as to be coherent. That is why I prefer to use open-source software because I know that if I have some time, I can contribute and give my language other chances to be seen and used by people.


Best Mac antivirus 2017 – Macworld UK

8 of the best antivirus options to protect your Mac

Your guide to the best antivirus and security software for Mac 2017, offering good system performance and peace of mind

If you've got a Mac and are wondering whether you need an antivirus, and which Mac antivirus you should choose, you've come to the right place. Here, we reveal the 8 best AV programs for macOS and Mac OS X in 2017.

You can skip ahead to see our pick of the 8 best Mac antivirus options, or continue reading for more general buying advice, explanation of how we test and answers to all of your Mac security questions.

A hoary old question; for more discussion of this topic, read Do Macs get viruses?

Plenty of Mac aficionados will tell you that Apple computers are inherently secure and don't require protection. We'd argue that they are wrong - or a bit overconfident, at least.

Macs are generally more secure than their Windows brethren for two reasons. On the technical side, macOS is a Unix-based operating system. As a Unix-based operating system, macOS is sandboxed.

It's like having a series of fire doors: even if malware gains access to your Mac, it is unable to spread to the heart of the machine. Macs are not unhackable, but they are more difficult to exploit than Windows PCs.

The second reason is that, right now, there are far fewer Macs than there are Windows PCs. Fewer targets, and these are harder to hack. Is it any wonder that cybercriminals focus on the Windows world?

All malware these days exists to make money, and the criminals who create and share it are not doing so because they want to work hard. They pick off the lowest-hanging fruit, and that is unprotected Windows PCs.

However, Macs are not entirely safe either; in fact, reports from early in 2017 suggest that Macs are becoming less secure.

Business Insider even argues, rather contentiously, that Macs are now more vulnerable to viruses and attack than Windows PCs, although you'll note that the site bases this on a chart that groups all versions of Mac OS X together (215 vulnerabilities in 2016) but separates Windows 10 (172 vulnerabilities) and Windows 8.1 (154). So make of that what you will.

Additionally, threats such as ransomware are on the rise, and have recently hit huge organisations including the NHS. Cyber security is more important than ever, and a good antivirus is the best place to start if you want to stay safe.

For any security software to be effective and worth the install it has to be able to prevent malware from infecting your computer. Mac antivirus is no different. We look for anti-malware properties that prevent known and unknown threats from having their way with your Mac. We use AV-Test.org's own testing data to ascertain the effectiveness of each antivirus in this respect.

But security is only half the story. In order for an antivirus to work effectively it also needs to be unobtrusive. AV-Test also looks at the impact of these pieces of software on your system: in layman's terms, how much the antivirus slows down your Mac, if at all.

For each of the security solutions we outline over the following slides, we have tested their ability to keep your Mac safe, and balanced that against the impact on your Mac's performance.

You'll see that even though the best free antivirus programs are good at protection, they tend to hurt your Mac's speed much more than paid-for software. So you need to balance cost against performance impact when selecting a product.

This is one of several in-depth Macworld articles dealing with Mac security. General advice can be found in our Mac security tips; and those who have been hit by a malware attack should try How to remove Mac viruses.

Our number-one best antivirus for Mac is Bitdefender Antivirus for Mac. In AV-Test's lab, Bitdefender Antivirus for Mac blocked 100 percent of the threats thrown at it. Even more impressively, it had a lower than 10 percent system impact, meaning that you won't even know it's protecting you (but believe us, it definitely is). You can read more about Bitdefender Antivirus for Mac here.

Here are Bitdefender's UK prices:

UK Mac owners can buy Bitdefender Antivirus for Mac here. There is also a free 30-day trial if you want to try before you buy.

In the US, Bitdefender Antivirus for Mac costs:

US Mac owners can buy Bitdefender Antivirus for Mac here.

Another paid-for Mac antivirus: say hello to the excellent ESET. This £29 tool offers 100 percent threat detection, and scores reasonably highly in speed tests. You can save up to 25 percent by going for a two-year licence, and there are various cost-saving options for multiple Mac households, up to £59 for a four-Mac licence. And there is a 30-day trial.

To find out more about ESET Antivirus for Mac, click here.

In AV Test's most recent research, only four of the antivirus packages tested managed to detect 100 percent of the malware thrown at it. AVG is one of those (as are Bitdefender and ESET, numbers one and two in this chart). AVG has a bigger impact on performance than our two front-runners, though, which is why it's down in third place.

There's a free version available with limited capabilities; the Pro version, which includes full protection, costs £49.99. Confusingly, there is also a free trial of Pro, which is well worth trying.

To find out more about AVG for Mac, click here.

Symantec's Norton Security didn't perform as well in AV Test's recent tests as it did back in December, so we've had to bump it back from its number-two position. It offered 99.17% detection - which is still great - but when there are three alternatives that scored 100% it makes it more difficult to recommend. It's also not the fastest option available.

Norton Security retails for £49.99 for a single Mac. Step up to £59.99 and you can protect up to five devices, which can include Windows PCs and smartphones as well as Macs, which is pretty cool... albeit arguably a little pointless on the smartphone front. You can get further discounts by buying a two-year licence.

To find out more about Norton Security, click here.

Kaspersky will set you back £39 a year for the full internet security suite for Macs. In return you get 99.17 percent threat detection from the antivirus, as well as anti-spyware, safer banking software and the rest. Oh, and there is a 30-day trial.

The catch? Greater impact on system performance than some of the better products we list in this story, although not by much.

To find out more about Kaspersky Internet Security for Mac, click here.

This is our pick of the free Mac antivirus offerings.

Sophos Anti-Virus requires of you only that you cough up some personal details. And even though it costs you nothing, the software detects 99.17 percent of threats.

It does have a minor impact on performance, however. That may be enough for you to notice the difference, depending on what spec machine you have. The paid products above it in our chart are better, but Sophos is a compelling product.

To find out more about Sophos, click here.

Another free antivirus for Mac, and another that successfully protected its test Mac, Avira Free Antivirus 3.2 is in at number seven only because it had more of a system overhead than products above.

According to AV-Test's lab Avira will keep your Mac safe, for free, but you may pay for it in terms of system performance.

To find out more about Avira Free Antivirus, click here.

A Mac security freebie, Avast detects 100 percent of threats. But this tool had a significant performance impact during tests. If you can stand that, it is a good free option. But there are better.

To find out more about Avast Mac Security - Free, click here.


Letter: Can you support the Second Amendment without being a nut? – AZCentral.com

JF Finigan 6:35 a.m. MT May 23, 2017


Robert Robb's "Man up, Brnovich, and get Tucson's gun case out of our court" on May 19 never says if Mr. Robb has a problem with Tucson (theoretically) destroying guns in the future, but reminds me of a friend's question during a conversation about guns. (The friend has some nice guns and strong opinions.)

(Rephrased with multiple strong expletives deleted.) Is it possible to support the Second Amendment without being a prototypical junior jackass? I think I can answer that.

Back in the day, before the crazies were told by Wayne LaPierre and Charlton Heston that there was a Constitution and Second Amendment thereto, sportsmen owned guns, seasonally hunted birds and big game and participated in sundry activities with their guns.

There was little in the way of gun legislation issues. For example, there was no legislation (as was proposed recently) to require selling guns to the insane if they wanted one. Nope. No siree. Not a bit of it. Nor was there legislation prohibiting the destruction of guns in Tucson.

Unlike today, however, even Republican state legislators had at least an average IQ. No one was waiting for a house to house invasion by the feds to take away people's guns.

The short answer: People still exist who agree with the Second Amendment, who own firearms and support gun safety training and practices - without wearing cheap camo to the grocery store, without engaging in panic gun buying encouraged by Wayne LaPierre, who don't pass incredibly stupid and unnecessary gun legislation.

But, then, there are also many more of the others.

JF Finigan, San Tan Valley
