News Article | April 19, 2017
Here’s a challenge for you: you click on a link in your email, and find yourself at the website https://аррӏе.com. Your browser shows the green padlock icon, confirming it’s a secure connection; and it says “Secure” next to it, for added reassurance. And yet, you’ve been phished. Do you know how? The answer is in that URL. It may look like it reads “apple”, but that’s actually a bunch of Cyrillic characters: A, Er, Er, Palochka, Ie. The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com – which tells you nothing about whether you’re connected to a legitimate site or not. The proof-of-concept domain was put together by Xudong Zheng, a security researcher who wanted to demonstrate the problem with the way domain names can be registered and displayed. For a long time, domain names could only be written in Latin characters without diacritics, but since 1998 it’s actually been possible to write them in other alphabets too. That’s useful if you want to register a domain name in Chinese or Arabic script, or even just correctly spelled French or German – anything that can be represented with the Unicode standard can be registered, even emoji – but it’s also opened up a whole new avenue of misdirection for malicious actors to take advantage of, by finding characters in other alphabets which look similar to Latin ones. “From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters,” Zheng writes. “It is possible to register domains such as ‘xn--pple-43d.com’, which is equivalent to ‘аpple.com’. It may not be obvious at first glance, but ‘аpple.com’ uses the Cyrillic ‘а’ (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.” Some browsers will keep an eye out for such tricks, and display the underlying domain name if they sense mischief. A common approach is to reject any domain name containing multiple alphabets. But that doesn’t work if the whole thing is written in the same alphabet. Apple’s Safari and Microsoft’s Edge both still spot that Zheng’s spoof domain is a fraud, but Google Chrome and Mozilla Firefox don’t, instead displaying the Cyrillic domain name. And though it may be obvious in the Guardian’s font that something’s up, the sans serif typeface used as standard by those browsers leave the two indistinguishable. Zheng says: “This bug was reported to Chrome and Firefox on January 20, 2017…The Chrome team has since decided to include the fix in Chrome 58, which should be available around April 25.” Mozilla, however, declined to fix it, arguing that it’s Apple’s problem to solve: “it is sadly the responsibility of domain owners to check for whole-script homographs and register them”. Google didn’t comment beyond referring to Zheng’s blogpost, and Mozilla didn’t comment at publication time but a spokesperson later said: “We continue to investigate ways to further address visual spoofing attacks, which are complex to fix with technology just in the browser alone.” Itsik Mantin, director of security research at Imperva, said that common advice to web users falls down when such simple attacks work. “In order to protect website users, forcing them to use strong passwords and to replace them frequently is insufficient, since in this case it would be completely ineffective to prevent the attack. Instead, he said, a better approach begins by assuming that phishing attacks will succeed: “Site administrators should assume that the credentials of some of their users were stolen (which in almost 100% of the cases will be true), and take adequate measures to identify account takeover, like irregular device, irregular geo-location or abnormal activity in the account.” Zheng himself offers advice to users: use a password manager, and try and spot phishing attacks before you click on any links. “In general, users must be very careful and pay attention to the URL when entering personal information. Until this is fixed, users should manually type the URL or navigate to the site via a search engine when in doubt.”
News Article | April 17, 2017
New Pulse Train Hat for the Raspberry PI computer CNC Design Limited launch a new Add-on Hat for the Raspberry PI computer that will make motor control easy, fast and accurate. The Pulse Train Hat is an add-on board for the Rapsberry PI computer and allows clean, fast and accurate pulses to be created using simple ASCII commands. There are many hardware designs where a variable frequency pulse is needed, but one that is the most popular is for driving stepper/servo motors that use pulse and direction lines. Motors like this are found in machines such as 3D Printers, CNC machines, Robot Arms and not to mention the other endless motion control and automation machines. Controlling motors may seem simple, but when you get down to detailedcontrol, it can all become very confusing and a big learning curve. With the new Pulse Train Hat (PTHAT) add-on for the Raspberry PI and a newdedicated support site http://www.pthat.com , we plan to make that task very simple and allow everyone to easily create their automation product. Name of Media Contact: Sean Hegarty Title of Media: Contact: Director Company Name: CNC Design Limited Contact Phone: Number +44 (0)1637 881520 Contact E-mail: email@example.com Product Website URL: http://www.pthat.com Company Website URL: http://www.ukcnc.net
News Article | May 1, 2017
Browser manufacturers are always releasing updates intended to improve usability and security. Most changes are benign but some can produce havoc, even if well-intentioned (like blocking java applets when accessing critical internal sites). The latest version of Google Chrome (58), released on April 20, includes a new checking mechanism for secured websites (which are accessed using https). This check analyzes the SSL certificate used by the site to encrypt traffic, and will produce a warning if the certificate does not include the common name of the website (e.g. website.company.com) as a subjective alternative name (SAN), which is a fancy word for alias. This check can be suppressed on Windows systems (for a temporary basis at least), and I'll explain how to do so below. The warning appears as follows: Users must then click "Advanced" to be able to continue to access the website: Clicking the Proceed to... link will permit access to the site. Certificates issued by a Trusted Certificate Authority such as Entrust or Verisign (and which are generally applied to public-facing websites) should be fine, but expect to start seeing this error if you use Chrome with internal websites that utilize self-signed certificates or certificates issued from an internal certificate authority. What is a subject alternative name? As I said, a subjective alternative name (SAN) is like an alias which can permit the use of multiple server or host names by a single certificate. Let's say you have a website with a common name of website.company.com. The website can direct traffic to one of two sites you run; a primary site in Boston (boston.company.com) and a secondary site in Los Angeles (la.company.com). You'd like each site to be able to handle traffic if the other one is unavailable, so you issue an SSL certificate for company.com with two SANs: boston.company.com and la.company.com. In this scenario, however, Chrome will issue the above error if your SSL certificate doesn't include a SAN of website.company.com as that is the common name to which you are connecting. Why did Google make this change? At first glance this may seem illogical. If Google is trying to protect users against spoofed websites, couldn't malicious website operators just add the common name as a SAN and circumvent the issue? Well, they could, but in this case it's not going to work. In the first place, they can't add someone else's common name to their certificate because no public certificate authority will allow that. Chrome 58 doesn't even check the common name of the site when accessing it, but focuses exclusively on the certificate by looking at the ASCII code involved and not the actual characters. You see, different character sets in different languages can appear similar but are actually viewed as separate entities by a computer. This can allow fake domains to be registered using another name or set of characters to fool visitors. Chrome 58 mitigates this issue by requiring a SAN matching the common name, which won't match those look alike characters. How can this be resolved? For a single user this is probably a manageable, but annoying, issue. Once I proceeded to a site I did not get the prompt again, although I saw a red security warning associated with the certificate when I returned to the site. For an entire company, however, a fix should be put in place or else the IT department is going to get a LOT of calls (which is probably better than users blithely ignoring security warnings, if you think about it logically). If you're a system administrator, you could always downgrade Chrome installations, but I don't recommend it. You will miss out on other security upgrades down the line. If you're getting this error when accessing internal sites, the best bet is to roll up your sleeves and update the SSL certificates for those sites to include the common name of the website as a SAN. You can buy yourself some time with Windows systems, at least. It's possible to implement or deploy a registry key to suppress this prompt (make sure you know what you're doing when editing a system registry!) Create a REG_DWORD subkey called EnableCommonNameFallbackForLocalAnchors and give it a value of 1: You can also create a custom registry (.reg) file and populate it with the data below: Double-clicking this file and answering yes will automatically add this information into the system registry. It's a bad idea to send such a file to users to ask them to run it (Outlook will likely block it anyhow) so push this out via Active Directory Group Policy, enact the setting via SCCM (if applicable) or arrange a script to install this. Please note it's necessary to restart Chrome for this change to take effect. However, this fix will only remain valid through version 65 of Chrome, so you should still plan to update any SSL certificates you have administrative authority over. Security controls of this nature can generate confusion and frustration, but it's important to keep in mind that for the most part they are well-thought-out and necessary. Google's intention here is to protect users, but probably some sort of advanced warning (such as a message prompt in Chrome 57 that Chrome 58 would include this feature) would make sense next time.
News Article | April 20, 2017
Life on the internet can be tough. It's easy to feel alone and adrift in this troll-infested digital hellscape. And that's exactly why you need the Electric Love Potato in your life. Inspired by virtual assistants like Microsoft Word's Clippy (only with more purpose and utility), this high tech Potato lives on your desktop and keeps you company through a constant stream of compliments, over-sharing of its rich Potato culture in the form of Potato poetry and ASCII art. And—like any overly co-dependent companionship—it also has a never-ending need for your attention. Creator Nathalie Lawhead, AKA alienmelon, calls the Electric Love Potato a "screenmate" because unlike Clippy, it's much more akin to a virtual pet that needs nurturing in the tradition of Tamagotchi or Nintendogs. You can "pet," "hug," "brush," "water," or, if you're a sick bastard fueled by hate and the suffering of innocents, even "shame" it. Having released the original digitized vegetable friend two years ago, Lawhead updated the Electric Love Potato (Two Point OH!) with some new features. Among them is the option to take up less screen space in SMALLtato mode (which also enables the Potato's adorably squeakier voice). While the Electric Love Potato is supposedly engineered to provide "cutting edge virtual companionship" in the background while you go about your regular online activities, its cuteness will inevitably take precedent over anything else you've got going on (bug or a feature? You decide). Also, considering that you must save Gerald the Potato from a constant threat of an invasive malware species, it gets tough to keep your potato friend alive while, say, also writing a Motherboard article.
News Article | April 20, 2017
Homograph attacks, which involve substituting Unicode with regular ASCII letters to fake a domain name, have been around since the early 2000s. Modern web browsers are built to detect homograph attacks, but software engineer Xudong Zheng figured out a way to beat the filters. The problem is a serious one, but thankfully is only a problem in Google Chrome, Firefox, and Opera. Want to know if you're vulnerable? Head over to this website Head over to Zheng's blog and check out his proof of concept link to a fake Apple domain. What you would see if you were protected would be the real domain name: Because it's named with Unicode substitutions for a, p, l, and e it displays as a completely legitimate domain name—it's even secured with HTTPS. Zheng discovered that when a domain is named with a set of Unicode letters from a single language (typically Russian) it bypasses the filters in Chrome, Firefox, and Opera. If you're reading this you speak the native language of the internet: English. Since its inception internet domain names have used the English alphabet, which is a problem for those who don't speak or use a computer in English. See: Cybersecurity in 2017: A roundup of predictions (Tech Pro Research) Enter Punycode, a method of representing Unicode characters using ASCII letters. The domain xn—80ak6aa92e is Punycode for Apple, for example, all without needing to type the U+XXXX format of Unicode letters. The most common way to fool a web browser is to replace English letters with homographs from a different alphabet. Russian Cyrillic is the most commonly used because there are several Unicode letters that are identical to their english counterparts. Check out the Go app that Zheng created to illustrate the concept: Just hit Run at the top and look at the output below the code. All a cybercriminal needs to do is register the Punycode homograph domain, replicate the look of Apple's website, and wait for an unsuspecting user to click on a link in an email that looks completely legitimate. Windows users should be encouraged to use Internet Explorer with one caveat: Be sure Russian and other Cyrillic alphabet languages are turned off in active system languages. Google released a hotfix to Chrome yesterday that fixes the issue—check your browser to see what the current version is. If it isn't 58.0.3029.81 update it right away. See: There's a new Gmail phishing attack going around, and it's fooling everyone (TechRepublic) Firefox users need to do a bit of manual work to protect themselves, but it is possible by following these steps: Opera users are, unfortunately, out of luck: There's currently no known fix. Hacking and phishing attempts are getting more sophisticated all the time, and it's safe to assume that if someone with good intentions reveals a flaw, someone with malicious intent has probably figured it out as well.
News Article | May 25, 2017
GreenLink Networks, provider of Business VoIP Services from Cloud Phone Systems to SIP Trunking Services (offered exclusively through a network of authorized channel partners throughout the U.S.), was recognized as Best Revenue Generator at the Columbus, Ohio 2017 ASCII Group IT SMB Success Summit. The ASCII Group is a membership-based community of independent MSPs, VARs and Solution Providers. The awards are voted on by the attending solution providers, and honor the industry sponsors in multiple Best of Show categories. “It is exciting to see the ASCII IT Community recognize our commitment to creating financially beneficial MSP partnerships,” said Jhovanny Rodriguez, Vice-President and Co-founder of GreenLink Networks, “it is the philosophy we built GreenLink around.” As MSP co-founders Mayron Herrera and Jhovanny Rodriguez struggled to find a VoIP vendor that prioritized flexibility, reliability and commitment to their customers and partners. These core beliefs are reflected in GreenLink Networks’ products and services, and in their award recognized partner program which includes: the commitment to their partners with high commission for the life of the account; bonuses every 25 extensions sold; and 100% FREE services to the partner’s entire organization. “The Revenue Generator Award highlights our commitment to the channel and to our partners,” said Mayron Herrera, CEO and Co-Founder, GreenLink Networks. To learn more about GreenLink Networks, please visit http://www.greenlinknetworks.com. Founded by Managed IT Service providers Mayron Herrera and Jhovanny Rodriguez, GreenLink Networks is a Channel Only provider of Business VoIP Services with a generous partner program. The portfolio of VoIP services includes Cloud Business Phone Service, SIP trunking and SIP to PRI/Analog services. GreenLink Networks is compatible with multiple handset brands, offers flexible procurement options including purchase, rentals or use of existing IP enabled phones. For more information visit http://www.GreenLinknetworks.com.
News Article | May 11, 2017
DBeaver is an open source universal database manager that's previously been written about on TechRepublic. However, the software has grown since 2011, and there are two important features of DBeaver that deserve to be highlighted. Before we take a look at them, let's quickly recap what I consider to be the main pros (and cons) of this tool today. DBeaver supports a whole screenful of databases, from MySQL and PostgreSQL to SQLite and Microsoft Access. This is a multi-platform application that — besides the usual Linux, Mac OS, and Windows — also runs on venerable UNIX systems like Solaris, AIX, and HP-UX. Clean entity-relationship diagrams are available (Figure A). The internal SQL editor, with its autocompletion and database-specific syntax highlighting, facilitates creation, analysis, and debugging of complex queries. When dealing with MySQL databases, you may also process the results of those queries in the same interface normally used to show the raw tables. As far as the graphic interface goes, its main (if not only) drawback is that it's so packed of stuff that it's easy to miss or overlook something. I confess that, when I started using DBeaver, I didn't know how to add records to a table without writing SQL code. The answer was right in front of me (Figure B), but I had missed it among all the other commands. On the same topic (and while you're still looking at Figure B), that window displays one record per row — but in practice, it will display only parts of your tables. You can scroll, of course, but with that layout, you'll only immediately see the few columns that actually fit inside the window. Sometimes, it's much more productive to see all the fields of only one record at a time (Figure C). So, how do you switch back and forth from one display mode to the other? The simple but very efficient answer is to just press the Tab key. I only discovered this by chance, when I hit that key by mistake. Of course, the bottom line here is to schedule some time to investigate and play with the DBeaver interface before your actually start using it. The first feature of DBeaver that deserves specific coverage is its templates. These are what some other applications would call macros or shortcuts. I'm talking about all of those snippets of SQL code that you use frequently, maybe in different databases, and re-typing all of them could waste significant amounts of time. Any such snippet can and should become a DBeaver template, even if it isn't really made of completely static, constant code. The tab of Figure D, which you can open by clicking on Windows | Templates, shows all the templates available in the current context (that is, for a certain database driver or plugin) and lets you create new ones. Whenever you are working in the SQL editor and need the code corresponding to some template, just type its name and press Tab. DBeaver will automatically insert all of the code associated to that template in the current query, prompting you to enter values for any variable that you had included in its definition. You are welcome to ask for template examples and share yours with other DBeaver users on the DBeaver forum. The DBeaver we have today can import data from CSV files and save tables or query results in several formats, including: CSV, SQL "Insert" statements, raw tables, XML, or HTML files (Figure E). To export the result of your queries as tables that are immediately reusable in any web page, right-click on the Results view, select Export Resultset, and then click Export to HTML. Leave the Extraction settings to their default values and click on the Images box to include graphics if your database contains such data. The next and final step of the export procedure defines name and encoding of the HTML file. The first setting can basically be whatever you like, but pay attention to the other. UTF-8, which is its default value, is the right choice, in theory, and it should not create problems. However, I've seen several website management systems unable to display the HTML correctly that's generated straight from MySQL databases (*). Therefore, if you have records with non-ASCII characters, try to convert them to HTML first. It only takes one minute, and it will show you if there's something in your DBeaver or database configuration that should be tweaked. (*) This doesn't necessarily mean that there is an error in the database client. The database itself may have been created with non-standard character encoding setting. Do you use DBeaver for managing your databases? Share your experience in the discussion thread below.
News Article | May 9, 2017
Companies that do business online are missing out on billions in annual sales thanks to a bug that is keeping their systems incompatible with Internet domain names made of non-Latin characters. Fixing it could also bring another 17 million people who speak Russian, Chinese, Arabic, Vietnamese, and Indian languages online. Those are the conclusions of a new study by an industry-led group sponsored by the International Corporation for Assigned Names and Numbers (ICANN), the organization responsible for maintaining the list of valid Internet domain names. The objective of the so-called Universal Acceptance Steering Group, which includes representatives from a number of Internet companies including Microsoft and GoDaddy, is to encourage software developers and service providers to update how their systems validate the string of characters to the right of the dot in a domain name or e-mail address—also called the top-level domain. The bug wasn’t an obvious problem until 2011, when ICANN decided to dramatically expand the range of what can appear to the right of the dot (see “ICANN’s Boondoggle”). Between 2012 and 2016, the number of top-level domains ballooned from 12 to over 1,200. That includes 100 “internationalized” domains that feature a non-Latin script or Latin-alphabet characters with diacritics, like an umlaut (¨), or ligatures, like the German Eszett (ß). Some 2.6 million internationalized domain names have been registered under the new top-level domains, largely concentrated in the Russian and Chinese languages, according to the new study. Many Web applications or e-mail clients recognize top-level domains as valid only if they are composed of characters that can be encoded using American Standard Code for Information Interchange, or ASCII. The problem is most pronounced with e-mail addresses, which are required credentials for accessing online bank accounts and social media pages in addition to sending messages. In 2016, the group tested e-mail addresses with non-Latin characters to the right of the dot and found acceptance rates of less than 20 percent. The bug fix, which entails changing the fundamental rules that validate domains so that they accept Unicode, a different standard for encoding text that works for many more languages, is relatively straightforward, says Ram Mohan, the steering group’s chair. The new research suggests that the potential economic benefits of making the fix outweigh the costs. Too many businesses, including e-commerce firms, e-mail services, and banks, simply aren’t yet aware that their systems don’t accept these new domains, says Mohan. Things are improving, though. In 2014, Google updated Gmail to accept and display internationalized domain names without having to rely on an inconvenient workaround that translated the characters into ASCII. Microsoft is in the process of updating its e-mail systems, which include Outlook clients and its cloud-based service, to accept internationalized domain names and e-mail addresses. It’s not just about the bottom line, says Mark Svancarek, a program manager for customer and partner experience at Microsoft, and a vice chair of the Universal Acceptance Steering Group. To let millions of people be held back from the Internet because “the character set is gibberish to them” is antithetical to his company’s mission, he says. Acceptance of non-ASCII domains is likely to spur Internet adoption, since a large portion of the next billion people projected to connect to the Internet predominantly speak and write only in their local languages, says Mohan. Providing accessibility to these people will depend in many ways on the basic assumptions governing the core functions of the Internet, he says. “The problem here is that in some ways this is lazy programming, and because it’s lazy programming, it’s easy to replace it with better programming.”
News Article | May 11, 2017
Creating an entire operating system from scratch is not a task that programmers bother with under normal circumstances. This isn't to say most programmers aren't capable of creating an OS — I think many could do it, given enough time. Linux was "just a hobby" of Linus Torvalds, who sat down and, over the span of several months, wrote the Linux kernel in August 1991. Another project that started as one programmer's hobby in 1993 has, through brief periods of development and longer periods of being shelved, culminated in a new, stable operating system called TempleOS. According to the author, Terry Davis, it's "an x86_64, multi-tasking, multi-cored, public domain, open source, ring-0-only, single-address-map (identity-mapped), non-networked, PC operating system for recreational programming." It ships with its own complier, and modified version of C++ ("more than C, less than C++") called "HolyC," and file system "Red Sea," along with FAT32 support. It also has 8-bit ASCII support and a 2D and 3D graphics library, all of which run at 640x480 (VGA) with 16 colors, and outputs all sound through one-voice PC speaker. The entire project is self-hosting, so you can compile your own distribution inside TempleOS. At present, all of that, plus extensive documentation and demos, all happen in 121,691 lines of code; demos use 22,242 lines, and the examples for the music organ composing software is 4,292 lines. Ignoring that, TempleOS fits in fewer than 100,000 lines, "as God intended," according to Davis. The demos are impressive, though as one would expect considering the size of TempleOS and the limitations of VGA graphics, they are rather barebones. A fully-3D first person shooter called Castle Frankenstein exists in 594 lines of code, complete with a villain and a potted plant. (The potted plant is more creative than the shipping crate trope.) Perhaps more impressive is Eagle Dive, a flight simulator of an eagle diving for fish, in full 3D, at 30 frames per second. You might be wondering why Davis created the OS. The reason seems to be twofold. First, his vision for TempleOS is something akin to a modern Commodore 64: It's simple to understand, manipulate, and work within. In essence, it's an educational tool for programming experiments. Drawing a line onscreen in TempleOS and on the Commodore 64 is about as equally complex for the end user. It's barebones by design — you have direct access to the hardware, and you can do what you like with it, within the limitations of the hardware. This is a laudable goal, and one solution to the complexity of programming modern computers that programmers, hardware designers, and educators are seeking to solve. Most famously, the Raspberry Pi is the modern answer to the lack of cheap educational development hardware. Second, the motivation is rather personal to Davis. If you haven't noticed the litany of Biblical references like HolyC and Red Sea and the primary persistent resident task Adam, the entire OS is, in essence, a platform for offerings to and communications with God. To that extent, one of the more prominent bundled programs is After Egypt, in which one walks up the mountain (Labeled Mt. Horeb) to talk to God, but must first dodge sheep and trees in order to find the burning bush, which in VGA, is represented by something that resembles a ball of fuzz that randomly redraws and switches colors (all 16 of them). Once you reach the burning bush, you can use what Davis calls a "high-speed stopwatch," which is linked to a wordlist to generate pseudo-random text, as an "oracle," which Davis defines as being like an Ouija board or Christian tongues (Ouija is a trademark of Hasbro, Inc.). The results are as random as one can expect with a lookup function from a predefined wordlist — the software isn't attempting to assemble syllables or morphemes into a generated language, nor does it attempt to fit English grammatical conventions. As a result, a representative example is as follows: Not a comma, semicolon, period, or (my favorite) em dash to be seen, but the end result is intended to be incomprehensible. To that end, it appears to be a success. Davis is a very open and very opinionated person. He graduated from Arizona State University with a 3.63 GPA in December 1992 and started his IT career at Ticketmaster in 1990, working on its VAX OS. His SAT score is 1440. His rants vary from what is on the BBC to politics to users on OSDev and more. He has spent the last 10 years on disability, throughout which he has been working on TempleOS or a previous incarnation of it (the OS was previously known as SparrowOS or LoseThos). According to Davis, he has been diagnosed with schizophrenia, does not live independently, and does not drive a vehicle. TempleOS is a testament to the dedication and passion of one man displaying his technological prowess. It doesn't need to be anything more. What's your first impression of TempleOS? Do you think you'll compile your own distro in TempleOS? Share your thoughts in the discussion.