08 May 2017

Intel chip vulnerability lets hackers easily hijack fleets of PCs

Security researchers say exploiting the vulnerability requires little technical expertise, and can result in a hacker taking full control of an affected PC.

By Zack Whittaker for Zero Day | May 7, 2017 for ZDNet

A vulnerability in Intel chips that went undiscovered for almost a decade allows hackers to remotely gain full control over affected Windows PCs without needing a password.

The "critical"-rated bug, disclosed by Intel last week, lies in a feature of Intel's Active Management Technology (more commonly known as just AMT), which allows IT administrators to remotely carry out maintenance and other tasks on entire fleets of computers as if they were there in person, like software updates and wiping hard drives. AMT also allows the administrator to remotely control the computer's keyboard and mouse, even if the PC is powered off.

To make life easier, AMT was also made available through the web browser -- accessible even when the remote PC is asleep -- that's protected by a password set by the admin.

The problem is that a hacker can enter a blank password and still get into the web console, according to independent technical rundowns of the flaw by two security research labs.


Systems -- including desktops, laptops, and servers -- dating back as early as 2010 and 2011 and running firmware 6.0 and later are affected by the flaw.

But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers.

Since the disclosure, monitors have seen a spike in probing activity on the two affected ports.


The chipmaker has also published a discovery tool to determine if machines are affected.

24 March 2017

Atlassian acquires Trello for $425M

Posted Jan 9, 2017 by Frederic Lardinois (@fredericl)

Source: TechCrunch

Atlassian today announced that it has acquired project management service Trello for $425 million. The vast majority of the transaction is in cash ($360 million), with the remainder being paid out in restricted shares and options. The acquisition is expected to close before March 31, 2017.

This marks Atlassian’s 18th acquisition and, as Atlassian president Jay Simons noted when I talked to him last week, also it largest. Just like with many of Atlassian’s other acquisitions, the company plans to keep both the Trello service and brand alive and current users shouldn’t see any immediate changes.

Trello launched in the TechCrunch Disrupt Battlefield in 2011 and in 2014, it was spun out of Fog Creek Software as a stand-alone company. With Trello, Atlassian is acquiring one of the fastest growing project management services. It now has about 19 million users and just under 100 employees, all of which will join Atlassian.

15 December 2016

WebP: A new image format for the Web

WebP is a modern image format that provides superior lossless and lossy compression for images on the web. Using WebP, webmasters and web developers can create smaller, richer images that make the web faster.

WebP lossless images are 26% smaller in size compared to PNGs. WebP lossy images are 25-34% smaller than comparable JPEG images at equivalent SSIM quality index.

Lossless WebP supports transparency (also known as alpha channel) at a cost of just 22% additional bytes. For cases when lossy RGB compression is acceptable, lossy WebP also supports transparency, typically providing 3× smaller file sizes compared to PNG.


28 November 2016

GIT: Comparación de metodologías de trabajo

Traducido del documento original en inglés "Comparing Workflows." Traducción por Alejandro Egas e ideaPort LLC con autorización de Atlassian.

La variedad de posibles metodologías de trabajo hace difícil saber por dónde empezar cuando se implementa Git en el lugar de trabajo. Esta página ofrece un punto de partida revisando las metodologías de trabajo más comunes de Git para equipos al interior de empresas.

Mientras lees, ten en cuenta que estas metodologías de trabajo están diseñadas como directrices generales y no como reglas estrictas. Queremos mostrar lo que se puede hacer para que tú tomes, mezcles y acoples aspectos de distintas metodologías de trabajo adecuándolas a tus necesidades individuales.

Metodología de Trabajo Centralizada

La transición a un sistema de control de versiones distribuido puede parecer una tarea de enormes proporciones, pero no es a fuerzas necesario cambiar la metodología de trabajo ya existente para sacar provecho a Git. Tu equipo puede desarrollar sus proyectos tal como lo hace con Subversion.

Sin embargo, el uso de Git en el trabajo de desarrollo evidencia varias ventajas con respecto a SVN. La primera es que cada desarrollador recibe su propia copia local del proyecto completo. Este entorno aislado le permite a cada desarrollador trabajar independiente de todos los demás cambios que se hagan al proyecto. Pueden añadir commits a su repositorio local y olvidarse por completo lo que se esté desarrollando en el resto del proyecto hasta que les resulte conveniente.

La segunda ventaja es que Git da acceso a un robusto modelo de ramas (branchs) y fusión (merging). A diferencia de SVN, las ramas de Git están diseñadas para ser un proceso seguro para la integración de código y para compartir los cambios entre repositorios.

Cómo funciona

Al igual que en Subversion, la metodología de trabajo centralizada utiliza un repositorio central como punto de entrada único para todos los cambios del proyecto. En lugar de trunk, la rama de desarrollo por defecto se llama master, y todos los cambios son agregados como commits a esta rama. Esta metodología de trabajo no requiere de ninguna rama aparte de master.

Para empezar, los desarrolladores deben clonar el repositorio central. Luego, en sus propias copias locales del proyecto, se editan los archivos y se agregan commits tal como se hace en SVN. Sin embargo, estos nuevos cambios son guardados de manera local. Están completamente aislados del repositorio central. Esto le permite a los desarrolladores aplazar la sincronización con upstream hasta que lleguen a un punto conveniente.

Leer más...

Git: Comparing Workflows

Source: Atlassian Git Tutorials. Read it in Spanish: En español.

The array of possible workflows can make it hard to know where to begin when implementing Git in the workplace. This page provides a starting point by surveying the most common Git workflows for enterprise teams.

As you read through, remember that these workflows are designed to be guidelines rather than concrete rules. We want to show you what’s possible, so you can mix and match aspects from different workflows to suit your individual needs.

Centralized Workflow

Transitioning to a distributed version control system may seem like a daunting task, but you don’t have to change your existing workflow to take advantage of Git. Your team can develop projects in the exact same way as they do with Subversion.

However, using Git to power your development workflow presents a few advantages over SVN. First, it gives every developer their own local copy of the entire project. This isolated environment lets each developer work independently of all other changes to a project—they can add commits to their local repository and completely forget about upstream developments until it's convenient for them.

Second, it gives you access to Git’s robust branching and merging model. Unlike SVN, Git branches are designed to be a fail-safe mechanism for integrating code and sharing changes between repositories.

How It Works

Like Subversion, the Centralized Workflow uses a central repository to serve as the single point-of-entry for all changes to the project. Instead of trunk, the default development branch is called master and all changes are committed into this branch. This workflow doesn’t require any other branches besides master.

Developers start by cloning the central repository. In their own local copies of the project, they edit files and commit changes as they would with SVN; however, these new commits are stored locally—they’re completely isolated from the central repository. This lets developers defer synchronizing upstream until they’re at a convenient break point.


26 July 2016

Your wireless keyboard is giving up your secrets

Flaws in wireless keyboards let hackers snoop on everything you type

Many popular, low-cost wireless keyboards don't encrypt keystrokes.

By Zack Whittaker for Zero Day | July 26, 2016 -- 13:30 GMT (06:30 PDT) 

Source: ZDNet http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack/?ftag=TRE17cfd61&bhid=25967687726448640586564689554337

This nondescript USB dongle can be used to spy on wireless keyboards from hundreds of feet away. (Image: Bastille)

Your wireless keyboard is giving up your secrets -- literally.

With an antenna and wireless dongle worth a few bucks, and a few lines of Python code, a hacker can passively and covertly record everything you type on your wireless keyboard from hundreds of feet away. Usernames, passwords, credit card data, your manuscript or company's balance sheet -- whatever you're working on at the time.

It's an attack that can't be easily prevented, and one that almost nobody thought of -- except the security researchers who found it.

Security firm Bastille calls it "KeySniffer," a set of vulnerabilities in common, low-cost wireless keyboards that can allow a hacker to eavesdrop from a distance.

Here's how it works: a number of wireless keyboards use proprietary and largely unsecured and untested radio protocols to connect to a computer -- unlike Bluetooth, a known wireless standard that's been tried and tested over the years. These keyboards are always transmitting, making it easy to find and listen in from afar with the right equipment. But because these keystrokes aren't encrypted, a hacker can read anything on a person's display, and directly type on a victim's computer.

The attack is so easy to carry out that almost anyone can do it -- from petty thieves to state-actors.

Marc Newlin, a researcher at the company who was credited with finding the flaw said it was "pretty alarming" to discover.

"A hacker can 'sniff' all of the keystrokes, as well as inject their own keystrokes on the computer," he explained on the phone this week.

The researchers found that eight out of 12 keyboards from well-known vendors -- including HP, Kensington, and Toshiba -- are at risk of eavesdropping, but the list is far from exhaustive.

The scope of the problem is so large that the researchers fully expect that "millions" of devices are vulnerable to this new attack.

Worst of all? There's no fix.

"I think a lot of consumers reasonably expect that the wireless keyboard they're using won't put them at risk, but consumers might not have a high awareness of this risk," he said.

Ivan O'Sullivan, the company's chief research officer, admitted that the ease of this attack had him unsettled. "As a consumer, I expect that the keyboard that I buy won't transmit my keystrokes in plain-text."

"We were shocked. And consumers should be, too," he said.

This isn't the first time wireless devices have put their users at risk. Bastille was the company behind the now-infamous MouseJack flaw, which let hackers compromise a person's computer through their wireless mouse. Even as far back as 2010, it was known that some keyboards with weak encryption could be easily hacked.

Over half a decade later, Newlin said he was hopeful that his research will make more people aware, but he doesn't think this problem "will be resolved."

"Most of the vendors have not responded to our disclosure information," he said. "Many of the vendors haven't responded past an acknowledgement, or they haven't responded at all to our inquiries."

Though not all wireless keyboards are created equal and many are not vulnerable to the eavesdropping vulnerability, there is an easy fix to a simple problem.

"Get a wired keyboard," the researchers said.

20 July 2016

The procrastinator's guide to free Windows 10 upgrades

The year-long free upgrade offer for Windows 10 ends in a matter of days. If you're on the fence, it's decision time. Here's how to streamline the upgrade process to make it fast, simple, and nearly foolproof.

By Ed Bott for The Ed Bott Report | July 20, 2016 -- 17:39 GMT (10:39 PDT)

You have only a few days left to claim your free upgrade.

Time is running out.

If you have a PC that's currently running Windows 7 or Windows 8.1, you qualify for a free upgrade to Windows 10. But that offer ends in a little over a week, on July 29, 2016, which means it's decision time.

You can stop right here if you're certain you don't want the upgrade. Just say no to the upgrade prompt and the nagging will stop at the end of this mon you're reasonably certain you'll want to upgrade in the next year, you should claim your upgrade now, then roll back to your current operating system. (Details here.)

For those who are ready to make the leap before the closing bell rings, here's how to do it with the maximum safety and minimum hassle.

1. Create an image-based backup of your current Windows installation.

This step is optional but highly recommended. Everyone should have a full backup anyway, and this is as good an excuse as any to make that happen. Both operating systems that support the free Windows 10 upgrade include the Windows 7 Backup tool, which has this capability built in.