Gli hacker stanno sfruttando attivamente la vulnerabilità CVE-2024-52875 scoperta in GFI KerioControl, un firewall per le piccole e medie imprese. Questa vulnerabilità critica CRLF Injection consente l‘esecuzione di codice remoto con un solo clic.

GFI KerioControl è una soluzione di sicurezza di rete tutto in uno che combina funzionalità firewall, VPN, gestione del traffico, antivirus e prevenzione delle intrusioni. La vulnerabilità, che colpisce le versioni 9.2.5-9.4.5, è dovuta alla gestione errata dei caratteri di avanzamento riga (LF) nel parametro “dest”, che apre la possibilità di manipolazione delle intestazioni e delle risposte HTTP.

Il 16 dicembre 2024, il ricercatore di sicurezza Egidio Romano (EgiX) ha pubblicato una descrizione dettagliata di del CVE-2024-52875. Ha mostrato come un problema inizialmente valutato come di basso livello potesse portare all’esecuzione di codice tramite risposte HTTP vulnerabili. Il JavaScript dannoso inserito nelle risposte può rubare cookie e token CSRF.

Utilizzando token di amministrazione rubati, gli aggressori possono scaricare file IMG dannosi contenenti script con diritti di root. Ciò consente di attivare la shell inversa tramite la funzionalità di aggiornamento di Kerio.

L’8 gennaio, la piattaforma di monitoraggio delle minacce Greynoise ha rilevato tentativi di sfruttamento di CVE-2024-52875 da quattro diversi indirizzi IP. Queste azioni sono considerate dannose e sono associate ad attacchi piuttosto che ad attività di ricerca.

Secondo Censys, online esistono 23.862 istanze ad accesso aperto di KerioControl, ma non si sa quante di esse siano vulnerabili.

GFI Software ha rilasciato la versione 9.4.5 Patch 1 per risolvere il problema. Si consiglia agli utenti di installare immediatamente la patch. Come misura temporanea, si consiglia di limitare l’accesso all’interfaccia web di gestione del firewall solo agli indirizzi IP attendibili, bloccare le pagine “/admin” e “/noauth” e ridurre i tempi di sessione per migliorare la sicurezza.

L'articolo Vulnerabilità critica in KerioControl: Con un solo Click gli hacker possono ottenere accesso completo! proviene da il blog della sicurezza informatica.

Much has been written about the demise of physical media. Long considered the measure of technological progress in audiovisual and computing fields, the 2000s saw this metric seemingly rendered obsolete by the rise of online audiovisual and software distribution services. This has brought us to a period in time where the very idea of buying a new music album, a movie or a piece of software in a physical, or even online, retail store has become largely impossible amidst the rise of digital-only media.

Even so, not all is well in this digital-only paradise, as the problems with having no physical copy of the item which you purportedly purchased are becoming increasingly more evident. From increases in monthly service costs, to items being removed or altered without your consent, as well as concerns over privacy and an inability to resell or lend an album or game to a buddy, there are many reasons why having the performance or software on a piece of off-line, physical media is once again increasing in appeal.

Even if the demise of physical data storage was mostly a trick to extract monthly payments from one’s customer base, what are the chances of this process truly reverting, and to what kind of physical media formats exactly?

The End Of Ownership

The concept of having audiovisual performances on physical media which you can play at will within the confines of your own abode is relatively new, first brought to the masses by inventions such as the phonograph, starting with wax cylinders, followed by shellac and vinyl records. This brought everything from concerts to stage performances to the home, where the proud owner of this piece of physical media could play it back on its corresponding playback device. This set the trend that would persist until the dominance of CDs.

Similarly, movies would at first be just something that you’d watch in the cinema, then you could catch it on broadcast TV along with an increasing number of series. Owning a copy of your favorite series or movie became possible with VHS, Laserdisc and so on. When home computer systems became prevalent, the software for them was found in magazines, on tapes, diskettes, CDs, etc., with in-store displays using their box art to entice potential buyers.

Yet at all of this has effectively come to an end. LG recently announced that they’ll stop making new Blu-ray players, following the recent decision by Best Buy and other stores to quit selling Blu-rays and DVDs. Optical drives are now firmly considered a legacy feature on laptops and desktop systems, with only a subset of game consoles still featuring this feature and thus doubling as a Blu-ray player with compromises.

Unlike our parents and their grandparents, it looks like today’s generations will not leave behind a legacy of (physical) media that their children and grandchildren can peruse, often not even for books, as these are equally becoming tied into online subscription services. In this Digital Media Age, it seems that the best we can hope for is to temporarily lease an ethereal digital copy by the grace of media corporate overlords.

Digital Media Is Terrible

There are many reasons to mourn the death of physical media, with some pertinent ones laid out for DVDs and Blu-rays in this AV Club article by Cindy White:

• Permanence: you purchase the copy and as long as you take good care of it, it’s yours to do with as you please.
• Better quality: owing to the video compression of digital streaming services, you’ll get a worse audiovisual experience.
• Portability: you can take the physical media with you, lend it to a friend, or even sell it.
• Better for artists: the system of residuals with DVD/BD sales was much more fair to artists.
• Extras: DVD and BD releases would come with extra content, like soundtracks, behind the scenes, interviews, and much more.

Some are beginning to feel uneasy in the face of this dawning realization that before long all our movies, series, books, games and software will be locked behind what are essentially leasing services on our (ad-sponsored) smart TVs, smart phones, smart books and smart computers/consoles in increasingly barren rooms.

Take for example this article by Amelia over at IGN on physical vs digital media and ownership and the lack thereof. An aspect raised in it is preservation in general, as a streaming platform could decide to put the proverbial torch to (part of) its library and that would be the end of that content, barring any Digital Restrictions Management (DRM)-busting copies. Even so, Amelia finds it hard to ignore the convenience of watching something on these streaming services.

The lack of visual quality is a view that Henry T. Casey over at CNN Underscored shares, with over at The National Faisal Salah and William Mullally advocating for starting that physical media collection. The permanence argument is prevalent here, while the latter article pointing out the hopeful signs of a revival of physical media by smaller (boutique) distributors, but this leaves much of mainstream content firmly digital-only, including recent games like Alan Wake 2 which only got a physical version after fans insisted.

Shallow Libraries

The convenience of flicking on the smart appliance and tuning out on-demand without having to go to a store is a tempting feature that physical media cannot really compete with, yet there’s an argument to be made that physical media sales complement streaming, not unlike how those same sales complemented broadcast TV and cinemas in the past. In fact, as a corollary one could state that digital streaming services have replaced broadcast TV, rather than physical media. This would make the latter collateral damage, whether intentional or not.

A strong advantage of physical media is also that it’s not limited to being sold by a single store, while digital (streaming) services have very shallow libraries that can make finding a specific piece of content or game a complete nightmare. So the conclusion that people seem to be increasingly coming to is that while digital media isn’t bad by itself, there is a lot of value in physical media that we’re now at risk of losing forever.

Yet if CDs and Blu-rays are dying a slow death today, and the next Microsoft and Sony game consoles may not have an optical drive option any more, is there any hope for a physical media revival?

It’s The Business Model

As alluded to already, digital media-as-a-service will not go away, as it has too many advantages. Especially in terms of low distribution costs, as the logistics of physical media can get rather convoluted. Where the real business case for physical media may be is in the added value. This is something which is observed with a platform like Bandcamp, which is an online music distribution platform via which artists can sell their music and merchandise, including CDs or vinyl records.

All of which points to that the physical formats of the future will likely remain CDs, Blu-rays and even vinyl records and cassette tapes as the most popular formats. Meanwhile for video games on PCs at least there are stores like Good Old Games, who recently launched their Preservation Program that seeks to keep older titles playable on modern systems. This in addition to allowing customers to download the installer for any game they purchase and put it on any kind of physical media which they desire, courtesy of their lack of DRM.

Yet the ticking timebomb under this revival of physical media may be that good players are becoming scarce. Cassette tapes and records increasingly are being played on the same cheap mechanisms, like the Tanashin clones, that are still being churned out by factories in China as Sony and others have abandoned the market. Now it seems that optical drives are facing the same race to the bottom, until one day the only physical media players and readers can be found used for exorbitant prices.

After all, what use is physical media if you have no way to play it?

Featured image: Front panel of a GPO Brooklyn with cassette player (Credit: VSchagow, Wikimedia)

hackaday.com/2025/01/09/physic…

Nobody likes reading the fine print, least of all when you’re just downloading some 3D model. While printing a copy for personal use this is rarely an issue, things can get a lot more complicated when you make and distribute a derived version of a particular model.

Case in the point the ever popular 3DBenchy model, which was intended to serve as a diagnostic aid by designer [Creative Tools]. Although folks have been spinning up their own versions of this benchmark print for years, such derivative works were technically forbidden by the original model’s license — a fact that the company is now starting to take seriously, with derivative models reportedly getting pulled from Printables.

The license for the 3DBenchy model is (and always has been) the Creative Commons BY-ND 4.0, which requires attribution and forbids distributing of derivative works. This means that legally any derived version of this popular model being distributed on Thingiverse, Printables, etc. is illegal, as already noted seven years ago by an observant user on Reddit. According to the message received by a Printables user, all derived 3DBenchy models will be removed from the site while the license is now (belatedly) being enforced.

Although it’s going to be a bit of an adjustment with this license enforcement, ultimately the idea of Creative Commons licenses was that they set clear rules for usage, which become meaningless if not observed.

Thanks to [JohnU] for the tip.

hackaday.com/2025/01/09/3dbenc…

Da oggi, il Flusso IoC del CERT-AGID supporta anche il formato per ClamAV, l’antivirus open source ampiamente utilizzato in contesti accademici, istituzionali e aziendali. Questa nuova funzionalità è stata realizzata per soddisfare una valida proposta espressa dalla comunità dei sistemisti degli Atenei del GARR, che aveva evidenziato l’opportunità di aggiungere al flusso già disponibile un ulteriore formato personalizzabile e di facile utilizzo per aumentare il livello di protezione dei propri sistemi.

Il nuovo formato consente di utilizzare direttamente gli indicatori di compromissione (IoC) diramati dal CERT-AGID per individuare file sospetti nei sistemi protetti da ClamAV. La gestione delle firme è trasparente e altamente flessibile, come dettagliato nella documentazione ufficiale.

Le pubbliche amministrazioni già accreditate al Flusso IoC possono utilizzare subito il nuovo formato per ClamAV, semplicemente aggiungendo il parametro type=clamav all’URL ricevuto:

&type=clamav

Il servizio restituirà una lista testuale conforme al formato .hsb per ClamAV, omettendo la dimensione del file. Per questo motivo, viene utilizzato il carattere jolly *. Inoltre, per garantire la compatibilità con le versioni precedenti di ClamAV, è stato fissato un livello funzionale minimo pari a 73.
Esempio di Flusso IoC formato ClamAV
L'articolo CERT-AGID: Flusso IoC ora compatibile con ClamAV, la protezione open source si evolve! proviene da il blog della sicurezza informatica.

Under the guise of protecting free speech, an alarming alignment between government power and Big Tech’s corporate power is unfolding. Elon Musk and Mark Zuckerberg, while publicly claiming that they wish to protect free speech, are in fact aligning their corporate power with the political interests of the second Trump administration. Unsurprisingly, their claims have provoked alarm.

The politico-corporate bubble

What does it mean for global social media giants to be promoting “free speech” under Donald Trump? Are Meta and X now claiming that misinformation and disinformation are not a significant challenge; or that we should protect the speech of liars and frauds? The challenges of dealing with misconceptions and lies, especially when sponsored by state actors, are not at all trivial, and solutions are not easy to implement at scale.

At Meta, the appointment of Joel Kaplan, a Trump ally as their head of global affairs marks a significant shift in the company’s direction. Following this appointment, Zuckerberg announced changes at Meta in a video in which he addressed issues with the company’s approach to fact-checking and algorithmic moderation systems. Both of these issues warrant closer examination.

Algorithmic moderation

Firstly, the flaws of algorithmic moderation systems are well-documented. Open Rights Group campaigned against mandating these automated censorship tools during the debates on the Online Safety Act. We warned that governments could pressure social media companies to deploy algorithms in ways that align with political agendas, effectively enabling prior restraint censorship of content. However, simply removing one kind of unaccountable algorithmic moderation and replacing it with another, looser kind of moderation still leaves users disempowered and likely more vulnerable.

Furthermore, what content is promoted and why is just as important as what is removed, when we consider its impacts. All of the approaches suggested by Meta are top down and centralised;, as of today, we are forced to accept their rules if we want to engage with Meta’s products.

Subject to T&Cs

Secondly, Meta’s loosening of moderation rules are not a one way street to greater freedom of expression. Meta’s products serve a vast diversity of communities, and changes to limitations can be both positive and negative. There is a need to ensure civility between users, which is a legitimate and necessary aim for any online community, but is also incredibly hard to achieve when moderating at scale.

Meta’s content acceptability rules are designed to enable easy and swift decisions, but present arbtitrary hard lines (this not that) and are problematic as a result. For example, their restrictions on nudity and adult material have frequently caused problems, as have bans on “violent” material. However, changes designed to allow people to be more insulting or offensive could easly result in legitimising toxic behaviour. Many of the exclusions which have been removed look very likely to result in more hate speech, rather than more useful free speech.

This matters: for example, speech on Facebook denying the existence of the Rohingya as an ethnic group in Myanmar was a precursor to genocidal violence, and after being added to Meta’s exclusions, is now again permissable. Problems enforcing content rules at these extremes, especially in non-English language contexts are very serious, so presenting the problems of moderation as solely about over-enforcement while removing references to real world harms is not a good way to signal Meta’s direction of travel.

Decisions for change in moderation rules at scale need to be based on human rights principles alongside evidence of their likely impact, and should preferably interate slowly. Meta’s team needs to explain what evidence and human rights analysis lies behind their decision, and how they believe they will continue to ensure users’ safety. Making politically motivated announcements to present moderation changes has understandably undermined public confidence in their decision making.

Fact-checking to Community Notes

Thirdly, fact-checking panels—composed of experts appointed by centralized authorities—have their own limitations. These systems depend on trust in the appointing authority, raising the question: what happens if that authority abuses its power? And who oversees the fact-checkers – Quis custodiet ipsos custodes?

Community-driven solutions, such as the Community Notes feature offer a different approach but raise philosophical and ethical problem of the “tyranny of the majority”. In any case, while useful mitigations against misinformation, neither fact checkers nor community notes directly address the underlying reasons causing untrue and unreliable content to be created and spred. Some are about the platforms’ business models, and their desire to drive advertising engagement, through mechanisms such as recommendation algorithms, which tend to promote extreme content over more nuanced opinions.

Other reasons are about the society we live in today, and may be very hard to address – such as the desire to seek simple explanations, social alienation, to the failure of politics to produce a sense of fairness. High spending domestic or foreign actors deliberately attempt to manipulate these concerns. The problems generated by bad actors with deep pockets need more fundamental actions, which are the responsibility of governments to co-ordinate.

Big Tech / Big Media

The immediate concern generated by the realignment of social media’s corporate and political interests by figures like Musk and Zuckerberg has familiar parallels. Historically, media companies were criticised for similar behaviour. It was once said that winning a general election in the UK required the backing of the Murdoch news empire. Today, Musk, the world’s richest man, has acquired Twitter (now X) and uses it as a platform to amplify his worldview including directly attacking the UK government. Big Tech’s platform power has become a political weapon, enabling figures like Musk to attack politicians, while on occasions still suppressing journalistic free expression.

Zuckerberg, meanwhile, speaks of previous political pressures to censor content and a new political direction under the Trump administration. Yet his past compliance with such pressures and current alignment with the new presidency reveal a troubling pattern. Whereas Musk uses his platforms to impose his perspective, Zuckerberg appears to have aligned Meta (who own four of the most popular social media platforms Facebook, Instagram, Messenger and WhatsApp) with the prevailing political climate in order to ensure that Meta is better able to maintain their dominance and model of surveillance capitalism.

Ending monopolies

The solution to these abuses of power lies in dismantling Big Tech’s monopolistic grip on the Internet. As we have argued repeatedly, this requires shifting power to social media’s users, through greater use of competition powers and enforcing data protection rights. The aim has to social media plurality – just as we aim for media plurality in traditional media.

Over the past year, users have increasingly abandoned platforms like X in favor of alternatives such as Mastodon, the Fediverse, and BlueSky. However, many users remain trapped in Big Tech’s “walled gardens” because their content, connections, and networks are deeply embedded within them. How often do we stay on Facebook or X simply because a specific relative, organisation, or journalist we follow remains active there? Writ large, these “network effects” make Big Tech heavily entrenched, for users, organisations and advertisers.

Competition

Political leaders concerned about misinformation and Big Tech’s abuses of power (and our privacy and personal data) should take concrete steps to promote fair competition online. Encouraging decentralised social media models, such as the Fediverse, where communities host their own content independent of any single corporate entity, could be a crucial step forward. Interoperability standards that allow seamless communication across platforms could further reduce Big Tech’s stranglehold. Other measures can be taken to allow alternative prioritisation and moderation engines, even within centralised systems, as envisaged by BlueSky.

Legislation

Likewise, greater enforcement of data protection law could begin to dismantle the unfair abuse of personal data, to engage in profitable but unlawful profiling of users, and to harvest their data to build Artificial Intelligence products that are further designed to cement Big Tech monopolies.

The alternative looks dire. Measures that concentrate on the symptoms of the social media mess – like the Online Safety Act – at best can only deal with the most problematic content. At worst, they result in safe online spaces closing down because they face inappropriate levels of compliance risks. With a resurgent Trump administration, even measures like the UK’s OSA and the European Digital Services Act will be under pressure through trade related threats made to the UK and EU about their approach to US corporations. The underlying agenda will be to promote a changed information environment, that favours Trump’s allies, whether in the US or Europe; this is only possible because social media’s power is concentrated and monopolistic.

Breaking these monopolies and fostering diverse, user-driven platforms is essential to ensuring a free and fair society.

Free expression online

Defend Online Speech

Find Out More

Become a member
Join the movement

openrightsgroup.org/blog/musk-…

Ahoy Pirates,

We are pleased to invite you to the Pirate Parties International General Assembly, January 2025.

The meeting will take place on Saturday, January 11th, starting at 12:00 UTC. If needed we will also meet on Sunday, January 12th.

Several groups will meet in physical locations, including at the Berlin Pirate office at Pflugstraße 9, but the conference will be entirely online on JITSI: jitsi.pirati.cz/PPI-Board with a backup of BBB bbb.piratensommer.de/b/gre-cnw… and a final backup of Mumble.

There is no deadline for motions, so feel free to put forward any ideas and/or your candidates at any time. All proposals should be submitted on our Discourse Forum: ga.pp-international.net/c/2025…

There is no deadline for registering delegates and each PPI member may have up to 6. Please register your delegates by email: board@pp-international.net.

Because this is the start of the year assembly, there will also be elections of PPI Officers. The following positions in PPI will be up for election in January:

-1 Chairperson
-5 Board members (4 for two years and 1 for 1 year, clarification may follow on the exact number and length of positions pending an onsite review of the statutes)
-(No limit) Alternate board member
-3 Lay auditors
-6 Court of Arbitration members

Please submit your nominations for PPI officers on the Discourse forum.

Do not hesitate to reach out to the PPI board if you have any questions, suggestions or concerns. We look forward to meeting with you again!

We hope to see you there.

The following is the provisional agenda:

Jan. 11 2025

Time is in UTC

12:00: Delegates accreditation

13:00: Opening of the General Assembly

13:30: Formalities–Meeting chair, secretary, acceptance of agenda

14:00: Reports–Board, Treasurer, CoA, Lay Auditors, Keynote Speech

15:00: Lunch

16:00: New Member Applications (if any)

17:00: Budget proposal

17:30: Election of Board positions

18:00: Other Motions

19:00: Break

19:30: Other Motions, continued

20:00: Any Other Business

20:30: End of GA

Day 2 will be scheduled if necessary

pp-international.net/2025/01/p…