Earlier this week Facebook revealed a rather interesting ecommerce offering that is aimed at small-to-medium businesses in particular – Facebook Shops.
For those unfamiliar with the platform, it allows any Facebook or Instagram business profile to be turned into a virtual storefront and essentially operate as a fully fledged online shop.
With ecommerce being hotly debated this month locally, as well as many businesses suffering as a result of the COVID-19 pandemic and lockdown, it could prove a worthwhile option for SMEs to look into moving forward.
At the time Facebook Shops was said to be rolling out globally in a phased approach, starting in the United States on 19th May, with no word on when South African businesses could try it out.
That changed today though, as Facebook provided us with feedback on the Shops platform’s local status.
To that end, the company plans to test out Facebook Shops with a select number of businesses next month.
“Shops are available globally, but it is in its early days and will be rolled out in phases and will be more widely available in the coming months. We expect to start testing with businesses in SA in June,” a spokesperson told Hypertext.
Unfortunately there is no further detail as to when in June, and what businesses will be used in the testing. Given that Facebook has shown how the platform would work for smaller businesses which specialise in selling physical products directly to customers, it seems like those will likely be the ones which fit the bill for the test phase next month.
Given the lockdown regulations currently in place (alert level 4), we also asked Facebook what kinds of measures must be adhered to. Unsurprisingly, the firm said local businesses planning to use Facebook Shops will need to be fully compliant with regulations.
“Facebook Shops should be used in adherence with all local regulations,” the spokesperson added.
As such it looks like businesses will need to ensure they can properly handle and sanitise any of the goods they plan to sell via the platform, given the fact that lockdown is here for the next few months at least.
Either way, it is an intriguing platform, and could offer struggling businesses another digital option to stay afloat.
We’ll have to wait to see if the test phase in June yields such a result.
Linux on the desktop has had more than its fair share of troubles. Sure, the Linux desktop has long been a favorite of top-flight developers, system administrators, and loyal fans. But, when it comes to the mass audience, Linux has only about 1% of users. One major company, however, still believes in the Linux desktop: Microsoft.
At Microsoft Build, its virtual developers’ conference, Microsoft CEO Satya Nadella announced that Windows Subsystem for Linux (WSL) 2.0 would soon support Linux GUIs and applications. Specifically, this will enable programmers to develop native and cross-platform programs with tools like GNOME Builder, KDevelop, and Emacs. Besides supporting Linux GUI programs, you’ll be able to run Linux and Windows GUI applications simultaneously on the same desktop screen.
This has been coming for some time. Four years ago, Microsoft introduced WSL, which brought the Linux Bash shell to Windows 10. With Bash and WSL, you can run most Linux shell tools and popular Linux programming languages.
As time went on, Linux became ever more a first-class citizen on the Windows desktop. Multiple Linux distros, starting with Ubuntu, were followed by Red Hat Fedora and SUSE Linux Enterprise Desktop (SLED). Then, Microsoft replaced its WSL translation layer, which converted Linux kernel calls into Windows calls, with WSL 2. This update came with Microsoft’s own Linux kernel running on a thin version of the Hyper-V hypervisor.
Now, Microsoft is taking one more major step forward by making the full Linux desktop experience available to Windows 10 users. It had been possible to run Linux GUI applications even with WSL’s first generation, but it wasn’t easy. You had to run an X Server on Windows 10 and then connect it to the Linux application. Now, Microsoft promises that running Linux GUI applications on WSL will be as easy as running them on native Linux.
BUILD 2020 Microsoft builds a supercomputer for training massive AI models More developer tools coming for ‘Project Cortex’ knowledge-management service Build brings announcements for cloud data, analytics services Fluid Framework is open sourced Meet Microsoft Cloud for Healthcare Chromium-based Edge to get sidebar search Azure Stack Hub adds management, machine learning updates Unifying Win32, UWP Windows apps with ‘Project Reunion’ Everything announced and then some That said, WSL 2 is meant primarily for programmers. For example, the other new major feature announced at Build was Nvidia CUDA and DirectML support for GPU accelerated applications and development tools, such as Kubeflow on microk8s, Canonical’s easy-to-run Kubernetes cluster program.
You can, of course, also try to run Steam-powered games on WSL as well. After all, developers just want to have fun.
WSL 2 will be generally available in Windows 10 version 2004, a major Windows 10 update that will be released shortly. GPU support for developer tools will be available in Windows Insiders Fast Ring builds in a few months. Linux GUI application support will come later this year.
This 2004 version of WSL 2 is based on the 4.19.81 long-term support Linux kernel. You’ll find, based on my tests with advanced releases, that WSL 2 boots very quickly. It can do this because its thin Hyper-V hypervisor preloads a great deal of Linux into RAM. Microsoft wants WSL 2 to look and feel like an integrated Windows application, rather than an add-on.
WSL 2 is much faster than its immediate ancestor. As Craig Loewen, Windows Developer Platform Program Manager, wrote, “WSL 2 delivers full system call compatibility with a real Linux kernel and is 3-6x faster compared to earlier versions of WSL.” I’ve seen that kind of speed from my Windows 10 box running WSL 2 in the Fast Ring.
On Windows 10, Linux files are kept on a 256GB virtual disk. This uses the Linux native ext4 file system. WSL 2 uses the 9p file system protocol for file Windows and Linux transactions.
With Windows 10 version 2004, it’s easier than ever to install WSL on any version of Windows with the wsl.exe command even when the WSL optional component hasn’t been installed. Later, wsl.exe will make it simple to install a specific Linux distribution and version, such as Ubuntu 20.04 or Arch Linux 2020.05.01.
WSL 2.0, in Windows 10 version 2004, already works well. With the forthcoming new additions, it will work better than ever.
2020, the year of the Linux desktop? Maybe not. 2020, the year of the Linux desktop on Windows? Yes.
While much of the world is focussed on the COVID-19 pandemic, the US Senate recently voted to expand its surveillance powers. As part of a reauthorization of the Patriot Act, law enforcement agencies such as the FBI and CIA can continue to look through the browsing history of American citizens without the need for a warrant.
Although it was arguably created with good intentions, some believe this is just the beginning of governments around the world using the coronavirus pandemic to usher in new surveillance measures. Some have even suggested that the Patriot Act enables those in power to spy on their political opponents without consequence.
An increasing number of techies are browsing the web through a VPN to prevent their ISP from tracking their online habits for these very reasons. But in this case, the FBI could request logs from your VPN provider, too. The smartphones and smart speakers armed with microphones, cameras, and tracking abilities can suddenly feel quite sinister. Are we paranoid? Or are there dark forces at work that don’t necessarily have our best interests at heart?
Do you take the red pill or the blue pill? In these uncertain times, movies such as 1984 and 12 Monkeys are beginning to feel like documentaries. As a result, many are beginning to question the illusion of their freedom. In the 1999 film, The Matrix, the character Morpheus offers the protagonist Neo the choice between taking a blue pill that will restore his experience of reality or a red pill that will reveal its true nature. Here in 2020, Elon Musk urged his 34 million followers to take the red pill.
Those that obliged quickly learned that there are now more CCTV cameras in London than in Beijing. The US government can spy on their browsing history and internet habits without a warrant while remaining quarantined in their home. Further research reveals any opinions that dare to drift from the official narrative are labelled as fake news or disinformation and removed immediately and even as a method of censoring dissent.
As 24-hour rolling news channels attempt to control the narrative and spread fear, are governments really using the moments to increase surveillance powers? Many protesters believe that authorities are taking it a step further by using social distancing to curtail free speech. The further down the rabbit hole you dare to go, the world feels more confusing.
British filmmaker Adam Curtis highlighted in 2014 that this confusion is not an accident and actually a part of a new system of political control called nonlinear warfare. But the vast amounts of data on every member of the global community is now changing the political landscape again.
Is data the new nuclear power? If you look back and join up the dots, it was Clive Humby, the mastermind behind the Tesco Clubcard, that first declared that data was the new oil in 2006. But it was TED speaker, James Bridle, who argued it was actually a new nuclear power that could do harm. Silicon Valley has already infamously used personal data to take advantage in nefarious ways, and now governments appear intent on doing the same.
Edward Snowden once said that “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” He went on to add, “When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’”
Cloudflare recently reported that internet usage surged by 40 percent in Seattle during the pandemic’s peak period. From the comfort of their homes, users continued to endlessly scroll down newsfeeds and distracted themselves with escapist entertainment. But we all need more than mindless repetition, three-word slogans, and agreeing 100% with the narrative and policies of our governments.
The technology that was developed to unite us, must never divide us. The problem is that some are using the global pandemic as an opportunity to make a power grab. Personal data and browsing habits that are run through algorithms, as well as databases can be used to build a profile of who we are and predict our future actions. As a result, global citizens increasingly become more cautious with how they act online in case it is misconstrued or used against them.
A quick look on a Facebook newsfeed will reveal that many of your friends cannot be bothered to research anything important, but they will take a 15-minute quiz to find out what kind of vegetable they are. In a digital world where every form of communication, transaction, and movement can be monitored, we can no longer afford to sleepwalk our way through life.
It is often said that technology works best when it brings people together, but it currently feels like we are losing our way. Binary thinking is resulting in polarization and driving a wedge between communities rather than uniting them. Authorities asking users to film non-compliant citizens and turn people against each other during a crisis is beginning to feel a little too reminiscent of an Orwellian nightmare for comfort.
A new hope Future generations will be affected by what we do next. But there is hope. When Mayor Bill de Blasio urged New Yorkers to use the technology on their smartphones to snitch on social distance rule-breakers, communities united in flooding the service with dick pics and memes. The scale of the response forced the city to shut down the service temporarily.
Is there evidence that mass surveillance programs enable governments to protect citizens and save lives? Or do they run the risk of being used as a tool to discredit anyone that authorities deem to be a threat? These are all debates that we should all be having. Contrary to popular belief, the future doesn’t belong to those that mindlessly obey every instruction. Being armed with a curious mind and the need to ask questions should be a good thing.
It’s very easy to feel comfortable consuming content from an echo chamber that spoon-feeds your opinions back to you. But this world is a stark contrast to Apple’s Think Differently campaign in 1997 that celebrated the crazy ones, the misfits, the rebels, the troublemakers, and the round pegs in the square holes that wanted to change the world for the better.
So, will you choose to take the red pill or the blue pill?
**The following essay was written by Eric Hughes and published on March 9, 1993. “A Cypherpunk’s Manifesto” was originally published on activism.net and is reprinted here on *Bitcoin.com for historical preservation. The opinions expressed in this article are the author’s own. Bitcoin.com is not responsible for or liable for any opinions, content, accuracy or quality within the historical editorial.**
If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all. If many parties speak together in the same forum, each can speak to all the others and aggregate together knowledge about individuals and other parties. The power of electronic communications has enabled such group speech, and it will not go away merely because we might want it to.
Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction. Since any information can be spoken of, we must ensure that we reveal as little as possible. In most cases personal identity is not salient. When I purchase a magazine at a store and hand cash to the clerk, there is no need to know who I am. When I ask my electronic mail provider to send and receive messages, my provider need not know to whom I am speaking or what I am saying or what others are saying to me; my provider only need know how to get the message there and how much I owe them in fees. When my identity is revealed by the underlying mechanism of the transaction, I have no privacy. I cannot here selectively reveal myself; I must always reveal myself.
Therefore, privacy in an open society requires anonymous transaction systems. Until now, cash has been the primary such system. An anonymous transaction system is not a secret transaction system. An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy.
Privacy in an open society also requires cryptography. If I say something, I want it heard only by those for whom I intend it. If the content of my speech is available to the world, I have no privacy. To encrypt is to indicate the desire for privacy, and to encrypt with weak cryptography is to indicate not too much desire for privacy. Furthermore, to reveal one’s identity with assurance when the default is anonymity requires the cryptographic signature.
We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. To try to prevent their speech is to fight against the realities of information. Information does not just want to be free, it longs to be free. Information expands to fill the available storage space. Information is Rumor’s younger, stronger cousin; Information is fleeter of foot, has more eyes, knows more, and understands less than Rumor.
We must defend our own privacy if we expect to have any. We must come together and create systems, which allow anonymous transactions to take place. People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do.
We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.
Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can’t get privacy unless we all do, we’re going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don’t much care if you don’t approve of the software we write. We know that software can’t be destroyed and that a widely dispersed system can’t be shut down.
Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. The act of encryption, in fact, removes information from the public realm. Even laws against cryptography reach only so far as a nation’s border and the arm of its violence. Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible.
For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. Privacy only extends so far as the cooperation of one’s fellows in society. We the Cypherpunks seek your questions and your concerns and hope we may engage you so that we do not deceive ourselves. We will not, however, be moved out of our course because some may disagree with our goals.
The Cypherpunks are actively engaged in making the networks safer for privacy. Let us proceed together apace.
One common scamming trend over the years has been to call people claiming to be from a famous company like Microsoft in order to gain remote access to their computer and extort cash ranging from a few to hundreds of dollars.
They do this by convincing users of malware or something more serious existing on their system which needs to be removed. Many such scammers operate from call centers located in other countries far away making it difficult for law enforcement agencies to crack in on them.
However, in the latest, we’ve seen a United Kingdom-based vigilante hacker taking action giving us great insight into how these tech support scammers and their infrastructure functions.
The hacker who goes by the name of Jim Browning shared a series of videos on his YouTube channel that details his exploits and how the whole hack worked. Additionally, BBC Panorama and another YouTuber named Karl Rock has also released a report coordinating with Browning.
Firstly, he traced these fake tech support scammers (call agents) to be from call centers in India and then went on a rather daring way to attack them. He did so by allowing them to establish a remote connection to his own computer giving them the view that they had conned him.
However, instead, he used that very established connection to attack the scammers back, something they would have not imagined. Although we don’t know the technical specifics of how he accomplished this reverse attack vector, we do know that it helped him gain access to CCTV cameras located in the vicinity of the call center based in Kolkata along with records of almost 70,000 calls.
The footage from the hacked CCTVs showed the entire routine of the staff operating there with workers hanging around and sitting on their workspaces just like you would find in any normal workplace. The conversations of workers trying to convince potential victims can also be heard.
In fact, a quote of Steve Jobs can be found muralled on a wall as shown in the image below, quite ironic considering the nature of their work. What’s even more surprising is that this is not some slum out of which they are operating, the building as seen from outside CCTV footage is well furnished and appears to host a modern looking office.
The image below is taken from a drone flown by Karl Rock. This is the ‘Sonit Tower‘ building where the entire tech support scam call center was operating from.
An interesting thing here to note is that despite all the evidence gathered, Browning’s work here would not be legally compliant considering he took the law into his own hand. Someone who does so can thereby be prosecuted and hence this may be one reason that the vigilante does not reveal his real identity.
Instead, law enforcement agencies recommend a more coordinated approach such as when we saw Avast team up with French authorities back in September 2019 to take down the Retadup botnet. Nonetheless, the entire topic of hacking back is a hotly contested one and hence we may see changes in the legislation governing it in the future.
Raided
However, the good news is that this particular scam call center has been raided by police and its owner Amit Chauhan has been arrested as well. More on his arrested is available in the video shared by Karl Rock.
For users to avoid being victims of such scammers, it is common sense that can prove to be the most effective here. Under no circumstances do well-reputed companies demand payments and access to one’s computer in a way that would place user security at risk.
Therefore, one should remain vigilant and in the case that you actually do need any help cleaning up your computer, visiting an authorized service agent of either the company itself or any third party service is preferable rather than trusting a random stranger behind a phone call.
Day after day, our lives are increasingly becoming reliant on the Internet and technology more than ever. We use computers in the form of PCs, tablets, mobile phones, and wearable devices, and every traditional gadget from an alarm clock to the refrigerator is becoming smart.
We use Google and other search engines to navigate the Internet, and we depend on the Internet to store information and retrieve it on demand. I have recently found myself hopelessly lost in a city while trying to remember directions without using digital maps, and I always check for prices online before shopping offline.
Our lives are highly dependent on the Internet.
The all-seeing eye Carrying a mobile phone with me means that Google knows where I am every day. They know where I work because that’s is where my phone is during the day, they know where I live because I spend the night there, and they know the entertainment joint that I frequent on Saturdays. They know that the place that I go and spend some time every Sunday morning must be where I go to church, and they know the people I met since they see the devices meeting together.
I trust a browser to help me remember my passwords, with the hope that those passwords I store there are a secret between only me and the browser. I give Apps on my phone permission to read my messages, assuming that they will read only if necessary, only to realize that some of them spend time analyzing the SMS that I have received.
Terms & Conditions apply Navigating the online space is simple on the surface, but a complicated exercise when we dig deeper.
Take the example of the ‘Terms & Conditions’ segments that we encounter on many websites, applications, software and many other digital tools we use. Do we read that text? No. Do the writers of these T&C expect us to read them? No. The documents are usually unnecessarily long, written in the smallest font possible, and using complicated terms which a layperson would likely not understand. We have little option other than checking the ‘Accept’ box. Even when browsing any website, we encounter the notorious pop-up ‘This site uses cookies… Click here to accept,’ and we always accept without a second thought, not knowing what cookies are.
Artificial Intelligence Artificial Intelligence is making matters more complex.
Amazon’s Alexa is a device that is always listening to all that you are saying, while Google has a similar feature on Android phones which can be activated by saying ‘Ok Google.’ When you imagine that someone is listening to everything you say, knows all your passwords, knows every web page you visit, knows where you are at any moment, knows all the people you chat with, and the content of those chats; you only hope that person is God alone.
However, unfortunately, there are many ‘gods’ doing that.
Why collect data? What do do digital technology companies do with all the data that they have?
Governments have always used the data they have to do government work. They spy over the bad guys (sometimes the good guys) and do intelligence. Big Tech is only interested in using the data to make money primarily through sharing the data with third parties. Thus, Facebook will see you chat with someone on WhatsApp, then they recommend that you add them as friends on Facebook.
Google will see you searching for the pregnancy test kit, and know that they can now start showing you maternity dress ads. Mobile lending apps read your M-PESA messages and use that to determine how much money they can loan you. Information is a powerful tool, and he who has it rules the day.
The new order What are the new realities that we should wake up to? We are seeing more people get concerned about the data being held by tech firms, and new laws and legislation governing the use of collected data.
Tech firms and users need to guard all the Personally Identifiable Information (PII) that they collect, as well as the metadata that can be used to identify a person through their behaviors. There is also a need to ensure that data is encrypted appropriately, both when the data is in transit and when it is seated somewhere in a server.
However, an important part is also to ensure that data is used only for the intended purposes. Another good practice is to ensure people who collect data for whatever purpose collect the least amount of data possible, and do not hold it longer than necessary.
Even with regulations and best practices, the concept of privacy is way much different from what it used to be. It is a new world.
With many countries now into their second month of lockdown due to the coronavirus pandemic, people all around the world now consider entertainment platforms as essential services.
This week, for example, Netflix announced that it had signed up 15.77 million new subscribers during the last three months, more than double the 7 million it previously expected. Disney’s streaming platform Disney+ has also hit the jackpot, doubling its subscriber base to 50 million since February.
As one might expect, piracy levels have gone up too. Interest in pirate sites increased in March and a global surge was evident in early April, increasing broadly in line with countries’ lockdown measures.
One of the many tools contributing to this surge is Popcorn Time. After storming the scene in 2014 and impressing with its ground-breaking Netflix-style interface, it drew an audience of millions. Since then improvements to its multiple variants have been incremental rather than ground-breaking but one Popcorn Time fork has now released Popcorn Time Kids, an app that only presents family-friendly content to the user.
According to the team behind the app, they recently noticed a surge in demand, something they attribute to people being in quarantine.
“The amount of love and thankfulness we’ve received from our millions of users in recent weeks was overwhelming! And taking the risk of sounding corny – they really touched us. We understood suddenly how much this project meant not only to us, but to millions of people from all over the world,” a developer told TF.
“Out of all the enthusiastic responses, we received thousands(!) of emails from parents asking for something so obvious, a family-friendly version of Popcorn Time!”
The resulting Popcorn Time Kids software is essentially a version of the regular app but with filters that aim to remove all content unsuitable for the younger viewer.
“Popcorn Time Kids provides a more contained environment for kids and is designed to help parents and guardians keep their kids entertained as they spend most of their time at home. PT Kids library is filled with a variety of the best family-friendly movies and shows from the broader universe of content on Popcorn Time,” the team add.
While there have been Kodi-addons that have catered directly to a younger audience in the past, it is relatively unusual to see an app targeted directly at children. In a way, of course, the app seems designed to appeal to adults who might enjoy not having to keep worrying about the type of content their kids might be viewing.
Popcorn Time Kids will no doubt prove attractive to a certain subset of users but being BitTorrent-based, it comes with the usual caveats. While streaming copyrighted content can be illegal depending on jurisdiction, users will be uploading at the same time, an act that is illegal almost everywhere on the planet. The threat can be mitigated with a VPN but ensuring that stays on in the hands of a seven-year-old sounds like Russian roulette.
There can be little doubt that plenty of broke and perhaps now unemployed parents will find this kind of app attractive but there is no doubt that copyright holders will not. In many respects then, it’s business as usual, even in these remarkable times.
Who needs to conduct a sophisticated cyber attack to bring down a country’s Internet service when all you need is a shovel?
There were news stories this week in the London Guardian and the Wall Street Journal (here and here) regarding a 75-year old Georgian woman by the name of Aishtan Shakarian who was scavenging for copper accidentally damaged with her shovel the international fiber-optic cable carrying 90% of Armenia’s Internet traffic. While some Armenian telecom companies were able to switch to connections running through Iran, most of the 3.2 million citizens of Armenia were without Internet service for up to 12 hours, as were some portions of Georgia and Azerbaijan.
According to the Wall Street Journal:
“The Georgia section of the international cable, commonly called the country’s West East fiber-optic backbone, is laid underground along railway tracks and operated by Georgia’s state railway company and its partners. The line comes to Georgia from Bulgaria, crossing the Black Sea to the Georgian port of Poti. It later forks into Armenia and Azerbaijan.”
The cable is supposed to be heavily protected, says the Guardian article, but “landslides or heavy rain may have exposed it to scavengers,” it reports. When Ms. Shakarian, dubbed the “the spade-hacker” by the local media, cut into the cable, she set off alarms signals which helped police locate her. Ms. Shakarian was arrested, but a severe jail sentence is unlikely given her age, the stories say.
In 2008, submarine cables off Egypt were damaged twice (see here and here) which disrupted Internet, data and telephone communications across Europe and the Middle East. Also in 2008, a backhoe operator severed a fiber-optic cable causing a major land line, mobile phone and Internet shutdown for more than one million people in Queensland and Northern New South Wales, Australia.
Update 14 Apr 2011
Not much new about this incident, but there is this a story here from earlier this week published by the Sydney Morning Herald that states the woman, Aishtan Shakarian, who is accused of damaging the fiber-optic cable, denies doing it. Ms. Shakarian is quoted as saying that she isn’t strong enough to have damaged the cable:
“I did not cut this cable. Physically, I could not do it.”
The Morning-Herald says that the Georgian Interior Ministry notes that all claims of innocence aside, Ms. Shakarian “has already confessed to cutting the cable.”
The Herald also states that “.. Georgian Railway Telecom insists that the 600-kilometre cable has ‘robust protection’ …”
Have you ever heard the computer security advice, “Don’t open attachments”? This is solid advice, but unfortunately for journalists, activists, and many other people, it’s impossible to follow. Imagine if you were a journalist and got an email from someone claiming to work for the Trump Organization with “Donald Trump tax returns.pdf” attached. Are you really going to reply saying, “Sorry, I don’t open attachments” and leave it at that?
The truth is, as a journalist, it’s your job to open documents from strangers, whether you get them in an email, a Signal or WhatsApp message, or through SecureDrop. Journalists also must open and read documents downloaded from all manner of websites, from leaked or hacked email dumps, or from any number of other potentially untrustworthy sources.
Dangerzone, a new open source tool that First Look Media just released at the Nullcon 2020 hacker conference in Goa, India, aims to solve this problem. You can install dangerzone on your Mac, Windows, or Linux computer, and then use it to open a variety of types of documents: PDFs, Microsoft Office or LibreOffice documents, or images. Even if the original document is dangerous and would normally hack your computer, dangerzone will convert it into a safe PDF that you can open and read.
You can think of it like printing a document and then rescanning it to remove anything sketchy, except all done in software.
PDFs and office documents are incredibly complex. They can be made to automatically load an image from a remote server when the document is open, tracking when a document is opened and from what IP address. They can contain JavaScript or macros that, depending on how your software is configured, could automatically execute code when opened, potentially taking over your computer. And finally, like all software, the programs you use to open documents – Preview, Adobe Reader, Microsoft Word, LibreOffice, etc. – have bugs, and these bugs can sometimes be exploited to take over your computer. (You can reduce your risk of getting hacked by always installing your updates, which fix the bugs that software vendors are aware of.)
For example, if an attacker knows about a security bug in Microsoft Word, they can carefully craft a Word document that, when opened using a vulnerable version of Word, will hack your computer. All they have to do is trick you into opening it, perhaps by sending you a convincing enough phishing email.
This is exactly what Russian military intelligence did during the 2016 US election. First, they hacked a US election vendor known as VR Systems and got their client list. Then they send 122 emails to VR Systems’ clients (election workers in swing states) from the email address vrelections@gmail.com, with the attachment New EViD User Guides.docm.
If any of the election workers who got this email opened the attachment using a vulnerable version of Word in Windows, the malware would have created a backdoor into their computer for the Russian hackers. (We don’t know if anyone opened the document or not, but they might have.)
If you got this email today and opened New EViD User Guides.docm using dangerzone, it will convert it into a safe PDF (New EViD User Guides-safe.pdf), and you can safely open this document in a PDF viewer, without risking getting hacked.
Inspired by Qubes TrustedPDF
I got the idea for dangerzone from Qubes, an operating system that runs everything in virtual machines. In Qubes, you can right-click on a PDF and choose “Convert to TrustedPDF”. I gave a talk called Qubes OS: The Operating System That Can Protect You Even If You Get Hacked in 2018 at the Circle of HOPE hacker conference in New York. I talk about how TrustedPDF works for about 2 minutes starting at 9:20:
Dangerzone was inspired by TrustedPDF but it works in non-Qubes operating systems, which is important, because most of the journalists I know use Macs and probably won’t be jumping to Qubes for some time.
It uses Linux containers to sandbox dangerous documents instead of virtual machines. And it also adds some features that TrustedPDF doesn’t have: it works with any office documents, not just PDFs; it uses optical character recognition (OCR) to make the safe PDF have a searchable text layer; and it compresses the final safe PDF.
How does dangerzone work?
Dangerzone uses Linux containers (two of them), which are sort of like quick, lightweight virtual machines that share the Linux kernel with their host. The easiest way to get containers running on Mac and Windows is by using Docker Desktop. So when you first install dangerzone, if you don’t already have Docker Desktop installed, it helps you download and install it.
When dangerzone starts containers, it disables networking, and the only file it mounts is the suspicious document itself. So if a malicious document hacks the container, it doesn’t have access to your data and it can’t use the internet, so there’s not much it could do.
Here’s how it works. The first container:
Mounts a volume with the original document
Uses LibreOffice or GraphicsMagick to convert original document to a PDF
Uses poppler to split PDF into individual pages, and to convert those to PNGs
Uses GraphicsMagick to convert PNG pages to RGB pixel data
Stores RGB pixel data in separate volume
Then that container quits. A second container starts and:
Mounts a volume with the RGB pixel data
If OCR is enabled, uses GraphicsMagick to convert RGB pixel data into PNGs, and Tesseract to convert PNGs into searchable PDFs
Otherwise uses GraphicsMagick to convert RGB pixel data into flat PDFs
Uses poppler to merge PDF pages into a single multipage PDF
Uses ghostscript to compress final save PDF
Stores safe PDF in separate volume
Then that container quits, and the user can open the newly created safe PDF.
Here are types of documents that dangerzone can convert into safe PDFs:
PDF (.pdf)
Microsoft Word (.docx, .doc)
Microsoft Excel (.xlsx, .xls)
Microsoft PowerPoint (.pptx, .ppt)
ODF Text (.odt)
ODF Spreadsheet (.ods)
ODF Presentation (.odp)
ODF Graphics (.odg)
Jpeg (.jpg, .jpeg)
GIF (.gif)
PNG (.png)
TIFF (.tif, .tiff)
It’s still possible to get hacked with dangerzone
Like all software, it’s possible that dangerzone (and more importantly, the software that it relies on like LibreOffice and Docker) has security bugs. Malicious documents are designed to target a specific piece of software – for example, Adobe Reader on Mac. It’s possible that someone could craft a malicious document that specifically targets dangerzone itself. An attacker would need to chain these exploits together to succeed at hacking dangerzone:
An exploit for either LibreOffice or GraphicsMagic
A container escape exploit in the Linux kernel
In Mac and Windows, a VM escape exploit for Docker Desktop
If you opened such a malicious document with dangerzone, it would start the first container and begin the conversion process. While it was converting the original document (say, a docx file) into a PDF using LibreOffice, it would exploit a vulnerability in LibreOffice to hack the container. Then, it would exploit a vulnerability in the Linux kernel to escape the container, and from there attempt to take over the computer.
If you keep Docker Desktop updated and regularly update the container that dangerzone uses, such attacks will be much more expensive for attackers.
Dangerzone is open source
This tool is still in early development, so there may be bugs. If you find any, please check the issues on GitHub and open one if your issue doesn’t exist. Please start discussions and make pull requests if you’d like to get involved.
Internet speeds should be back to normal for South Africans, one day earlier than expected and just in time for your weekend streaming binge.
The Ile D’Aix vessel has completed its repair work on the undersea cable break of the West African Cable System (Wacs), says the South African National Research and Education Network.
Likewise, the SAt-3 system is back online as well.
South African’s internet should be back to normal thanks to speedy repair work done by the Ile D’Aix vessel at the cable break of the West African Cable System (Wacs) – just in time for a lockdown weekend binge.
The South African National Research and Education Network (NREN) confirmed that the cable had been repaired on Saturday morning.
WACS Outage Update: We have had final confirmation that the WACS repairs are complete and everything is according to specification. This matter is now resolved from an SA NREN perspective.798:54 AM – Apr 4, 2020Twitter Ads info and privacy40 people are talking about this
A second, different break of the South Atlantic Telecommunications (SAT-3) undersea cable was fixed by the Leon Thevenin vessel on Thursday.
This brings to an end another set of unusual circumstances where two undersea cables broke at the same time, resulting in slow internet across the country. Earlier this year, South Africans also suffered slow internet after an unusual double cable break.
The latest outage inconvenienced South Africans who are trying to work from home, after the country went into lockdown to stem the spread of coronavirus, more than a week ago.
The Sat-3 fault was located in a similar area to the previous break in January, which was apparently caused by a short circuit. This was due to intense pressure from being trapped under heavy sediment carried by the flow of turbulent waters from the Congo River into the submarine canyon where the cable runs.
Wacs and SAT-3 are segments of a 25 000km undersea cable which connects Africa to Europe.
