Ransomware technique uses your real passwords to trick you

A few folks have reported a new ransomware technique that preys upon corporate inability to keep passwords safe. The notes – which are usually aimed at instilling fear – are simple: the hacker says “I know that your password is X. Give me a bitcoin and I won’t blackmail you.”

Programmer Can Duruk reported getting the email today.

The email reads:

I’m aware that X is your password.

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google) .

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

To be clear there is very little possibility that anyone has video of you cranking it unless, of course, you video yourself cranking it. Further, this is almost always a scam. That said, the fact that the hackers are able to supply your real passwords – most probably gleaned from the multiple corporate break-ins that have happened over the past few years – is a clever change to the traditional cyber-blackmail methodology.

Luckily, the hackers don’t have current passwords.

“However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers,” wrote researcher Brian Krebs. In short, the password files the hackers have are very old and outdated.

To keep yourself safe, however, cover your webcam when not in use and change your passwords regularly. It can be a chore, but if you already use two-factor authentication and secure logins, there is nothing else that can keep you safer than you already are.

You can now stream to your Sonos devices via AirPlay 2

Newer Sonos devices and “rooms” now appear as AirPlay 2-compatible devices, allowing you to stream audio to them via Apple devices. The solution is a long time coming for Sonos which promised AirPlay 2 support in October.

You can stream to Sonos One, Sonos Beam, Playbase, and Play:5 speakers and ask Siri to play music on various speakers (“Hey Siri, play some hip-hop in the kitchen.”) The feature should roll out to current speakers this month.

I tried a beta version and it worked as advertised. A set of speakers including a Beam and a Sub in my family room showed up as a single speaker and a Sonos One in the kitchen showed up as another. I was able to stream music and podcasts to either one.

Given the ease with which you can now stream to nearly every device from every device it’s clear that whole-home audio is progressing rapidly. As we noted before Sonos is facing tough competition but little tricks like this one help it stay in the race.


My favorite summer toy is the GPD XD emulator

People ask me all the time about my favorite gadgets and I rarely have any answers. I’ve been playing with stuff since 2004 and I’m pretty gadget-ed out. But this year I’ve finally found something that I really enjoy: the GPD XD, an Android-based gaming handheld that lets you play multiple emulators including an endless array of homebrew and classic ROMs.

As an early fan of the Caanoo I’m always looking for handheld emulators that can let you play classic games without much fuss. The Caanoo worked quite well, especially for 2010 technology, and I was looking to upgrade.


My friend bought a GPD and showed it to me and I was hooked. I could play some wonderful old ROMs in a form factor that was superior to the Caanoo and this super cheap, super awful 4.3-inch device that emulates like a truck.

The GPD, which has two joysticks, one four-axis button, four shoulder buttons, and a diamond of game buttons, is basically a Wi-Fi enabled Android device with a touch screen. It runs Android 7.0 and has a MTK8176 Quad-core+ processor and 4GB of memory. It comes with NES, SNES, Arcade, and Playstation emulators built in as well as a few home-brew games. You can install almost anything from the Google Play store and it includes a file manager and ebook reader. It also has a micro SD card slot, HDMI out, and headphone jack.

To be clear, the GPD isn’t exactly well documented. The device includes a bit of on-board documentation – basically a few graphics files that describe how to add and upload ROMs and emulators. There are also a number of online resources including Reddit threads talking about this thing’s emulation prowess. The original model appeared two years ago and they are now selling an updated 2018 version with a better processor and more memory.

GPD recently launched another handheld, the Win 2, which is a full Windows machine in a form factor similar to the XD. It is considerably more expensive – about $700 vs. $300 – and if you’re looking for a more computer-like experience it might work. I have, however, had a lot of fun with the XD these past few months.

So whatever your feelings regarding ROMs, emulators, and tiny PCs, I’m pleased to report that I’m finally pleased with a clever and fun bit of portable technology.

Buckyballs are back

Years ago – six years ago, to be exact – a toy called Buckyballs came under attack by government officials intent on destroying fun. The Consumer Product Safety Commission banned the toys, which we noted were tiny rare earth magnets that were good for play but bad for a snack, because a few overzealous children swallowed one or two and found themselves in gastrointestinal distress.

The lawsuit against ZenMagnets, creators of Buckyballs, began as a “recall prior to record of injury,” something unprecedented in this space. That meant the company had to stop selling its magnets before anyone was actually injured, an odd position for a small company to be in.

Now, after six years of battle, Buckyballs are back. The company is now able to sell its biggest set, the Mandala and notes that the sets are not toys. They could cause intestinal pinching, writes the ZenMagnets team, and they recommend not leaving them around animals or small children. However, these odd and wonderful little toys are finally available for purchase. The kit now even comes inside a lockable box to ensure little hands can’t accidentally grab and eat them.

“We remain willing to work with the CPSC to develop the magnet safety standards for which we’ve already petitioned, and which will be more effective and reasonable than the all-ages, nationwide ban we succeeded in vacating in the Tenth Circuit,” wrote founder Shihan Qu. “As we’ve already been doing, Zen Magnets looks forward to providing not just the highest quality magnet spheres on the market, but also the safest in terms of sales methods and warnings. Now that the war on magnets is over, hopefully we can all focus towards the war on magnet misuse.”

“Magnets must be respected, but need not be feared,” he said. Truer words – besides these – were never spoken.

The future of Ethereum looks bright

In what amounted to one of the most far-reaching and interesting conversations at TC Sessions in Zug, Ethereum masterminds Vitalik Buterin, Justin Drake, and Karl Floersch spoke openly – and often candidly – about a bright future for Ethereum scaling and, more interestingly, their way to build teams that work.

“There’s definitely changes that we could have made into the protocol,” said Buterin when asked whether or not he would have changed anything if he could start Ethereum again. But, he said, “there are ways in which that the problem is fundamentally hard.” In other words, growth was the only option.

“The demand for using public blockchains is high and we need to up the stability in order to meet that demand,” he said.

Floersch discussed the problems associated with Ethereum in the context of “adversarial networks.”

The network, he said, should “penalize people who don’t provide guarantees” and he felt that the tools available to simulate economic actors – including bad actors – are still weak.

“We come up with ideas, try to formalize them, and implement them,” he said. But, he said, the simulations still aren’t available.

The team expects aspects of Ethereum 2.0 – namely the Casper upgrade and the addition of sharding – to begin rolling out in 2019. After that, said Floersch, Ethereum 3.0 would enable quantum secure systems i.e. systems that can withstand the power of quantum computers.

“We’ll push quantum secure updates before there are commercial quantum computers,” he said.

Ultimately, said Buterin, Ethereum runs because the team is so tightly knit thanks to a clear roadmap. He said Bitcoin has many heads and the gridlock created was dangerous.

“Can they agree? No. You have gridlock,” he said.

“Part of the reason is that the Ethereum community early on [continued] to promote the idea of the Ethereum roadmap,” he said. “I feel that the roadmap is part of the social contract.”

“People who buy into ethereum buy in knowing that these are the things that people are going to want to push it forward. There may be deadlock on what specific path the community should take,” he said. But, he noted the roadmap keeps everyone on the same path. Given the expansive popularity and reach of the technology, it’s a fascinating bit of team-building that should inform other open source and blockchain projects over time.


New malware hijacks your Windows clipboard to change crypto addresses

In what amounts to an amazingly nefarious bit of malware, hackers have created an exploit that watches 2.3 million high-value crypto wallets and replaces the addresses in the Windows clipboard with an address associated with the hackers. In other words, you could paste your own wallet address – 3BYpmdzASG7S6WrpmrnzJCX3y8kduF6Kmc, for example – and the malware would subtly (or unsubtly) change it to its own private wallet. Because it happens in the clipboard, most people wouldn’t notice the change between copying and pasting.

Security researchers at BleepingComputer have found similar hijackers in the wild but this latest version is actively watching valuable wallets and trying to grab bitcoin as they enter the accounts.

The malware runs a massive, 83MB DLL file that masquerades as a Direct X service. Inside the DLL is a 2.5 million line text file full of bitcoin addresses. In a test, cutting and pasting from an HTML page into WordPad shows that the addresses are subtly modified in each case while the beginning of the address is left unchanged.

Multiple anti-virus engines are now tagging this DLL as dangerous and you should be safe as long as you keep your virus protection up to date. But, as BleepingComputer notes, the only way to be sure your BTC is safe is to meticulously check each address you paste. They write:

As malware like this runs in the background with no indication that it is even running, it is not easy to spot that you are infected. Therefore it is important to always have an updated antivirus solution installed to protect you from these types of threats.

It is also very important that all cryptocurrency users double-check any addresses that they are sending cryptocoins to before they actually send them. This way you can spot whether an address has been replaced with a different one than is intended.

Hackers took over the Gentoo Linux GitHub repository

Popular Linux distribution Gentoo has been “totally pwned,” according to researchers at Sophos, and none of the current code on GitHub can be trusted. The Gentoo team immediately posted an update and noted that none of the real code has been compromised. However, they have pulled the GitHub repository until they can upload a fresh copy of the unadulterated code.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the GitHub Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised,” wrote Gentoo administrators. “This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.”

None of the code is permanently damaged because the Gentoo admins kept their own copy of the code. Gentoo stated that the compromised code could contain malware and bugs and that users should avoid the GitHub version until it is reinstated.

“The Gentoo Infrastructure team have identified the ingress point, and locked out the compromised account,” wrote the admins. Three GitHub repositories are involved, containing the Gentoo code, Musl, and systemd. All of these repositories are being “reset back to a known good state.”

Thousands of cryptocurrency projects are already dead

Two sites that are actively cataloging failed crypto projects, Coinopsy and DeadCoins, have found that over 1,000 projects have failed so far in 2018. The projects range from true abandonware to outright scams and include BRIG, a scam by two “brothers,” Jack and Jay Brig, and Titanium, a project that ended in an SEC investigation.

Obviously any new set of institutions must create their own sets of rules and that is exactly what is happening in the blockchain world. But when faced with the potential for massive token fundraising, bigger problems arise. While everyone expects startups to fail, the sheer amount of cash flooding these projects is a big problem. When a startup has too much fuel too quickly the resulting conflagration ends up consuming both the company and the founders and there is little help for the investors.

These conflagrations happen everywhere and are a global phenomenon. Scam and dead ICOs raised $1 billion in 2017 with 297 questionable startups in the mix.

There are dubious organizations dedicated to “repairing” broken ICOs including CoinJanitor from Cape Town but the fly-by-night nature of many of these organizations does not bode well for the industry.

ICO-funded startups currently use multi-level marketing tactics to build their business. Instead they should take a page from the Kickstarter and Indiegogo framework. These crowd-funding platforms have made trust an art. By creating collateral that defines the team, the project, the risks, and the future of the idea you can easily build businesses even without much funding. Unfortunately, the lock ups and pricing scams the current ICO market uses to incite greed rather than rational thinking are hurting the industry more than helping.

The bottom line? Invest only what you can afford to lose and expect any token you invest in to fail. Ultimately, the best you can hope for is to be pleasantly surprised when it doesn’t. Otherwise, you’re in for a world of disappointment.

Lies, damn lies, and crypto analytics

For the past twelve years I’ve followed the rise of the startup – defined as a small business with global ambitions – from my perch at TechCrunch. During that period I watched business reporting change from a sleepy backwater on the back of the Sports section into a juggernaut, a force that controls the global conversation. Why? Because business reporting became war reporting and the battles fought were between VCs, businesses, and ideas that changed the world.

In that period, VCs rose from glorified bank tellers to rock stars. Incubators popped up to socialize nervous founders and turn them into capital F Founders and the path for startups became a codified journey from failure to success.

Now we’re seeing the same thing happen in ICOs. But something is wrong. The startups coming out of the ICO craze aren’t being judged on the character of their founders, on their technologies, or their probability for success. They are being judged, quite simply, on quantitative metrics that interrogate a token with one question: “When Lambo?”

This is the wrong approach. Token-based startups must receive the same level of socialization and scrutiny as the old VC-based startup vetting process. But something is different, and it’s an important difference.

In the old VC model a group of men – and it was mostly men for a long time – would stand in judgement over an idea. If any number of arbitrary points of risk appeared they would smile and say “No” to the founder, sending them down the road for another “No.” Unless you were plugged in professionally, went to https://techcrunch.com/2015/05/15/clunk/, or had your own cash, seed to even late stage investment wasn’t available and the resulting https://twitter.com/kteare/status/391689067370278912 of undercapitalization sunk countless startups.

Now, however, something new is afoot. While it’s always nice to look at tokens in comparison with other tokens, this sort of quantitative masturbation can easily hide a multitude of sins. Due diligence on token-based companies must be done, but it must be done through the wisdom of crowds. Instead of trying to impress one dude in a fleece vest and chinos on Sand Hill Road a founder must impress the world. They must tell a true, human story of actual value and explain their product without mumbling and hand waving. And they have to do it again and again.

Cryptocurrencies were supposed to bring us an egalitarian age of decentralized decision-making and a mathematical certainty. But the founders forgot one thing: humans offer no mathematical certainty. Instead of looking at numbers, these startups must be assessed on the basis of their value to humanity, on their technical ability to solve a real problem, and on their understanding of human-to-human interaction. The future isn’t a number. Instead, the future is a many-to-one investigation of a startup and the decision – by the decentralized crowd – whether or not to continue funding.

Again, if your primary driver is greed then by all means check out a chart that compares TRON to TRON. It’s your right. But if your goal is to make startups that will drive us deep into the future, then the old ways are best. A lot of things are about to change.

A few years ago I spoke to Deepak Chopra about his vision for a global voting system. In short, he was working on a way to take the global temperature. If a politician wanted to spend money on a road or, god forbid, go to war, they could put the question to the crowd via their cellphones. One vote per person, defined by biometric controls. This pie-in-the-sky idea is slowly coming to fruition and I think it’s going to be very exciting. And it will find its perfect home in the future of startup funding.

The age of centralized decision-making in which analytics were used to help make seat-of-the-pants decisions is over. Now we enter a new world and the folks used to the old ways should probably watch out. After all, when the crowd speaks even VCs listen.

New technique brings secrets out of old daguerreotypes

Daguerreotypes – photos made with a process that used mercury vapors on an iodine-sensitized silvered plate – break down quite easily. The result is a fogged plate that, more often than not, is completely ruined by time and mistreatment. However, researchers at Western University have created a system that uses synchrotrons and “rapid-scanning micro-X-ray fluorescence imaging” to scan the plates for eight hours. The system shot an X-ray 10×10 microns thick at “an energy most sensitive to mercury absorption.” This, in turn, showed the researchers where the mercury

Kozachuk used rapid-scanning micro-X-ray fluorescence imaging to analyze the plates, which are about 7.5 cm wide, and identified where mercury was distributed on the plates. With an X-ray beam as small as 10×10 microns (a human scalp hair averages 75 microns across) and at an energy most sensitive to mercury absorption, the scan of each daguerreotype took about eight hours. The team published their findings in Scientific Reports.

“It’s somewhat haunting because they are anonymous and yet it is striking at the same time,” said Madalena Kozachuk, a PhD student in Western’s Department of Chemistry. “The image is totally unexpected because you don’t see it on the plate at all. It’s hidden behind time. But then we see it and we can see such fine details: the eyes, the folds of the clothing, the detailed embroidered patterns of the table cloth.”

The technology promises to improve the methods of conservation for old photographs and should bring many previously unusable daguerreotypes back to life.