2020 Newsletter: 6/34 — PreviousNext — (Attach.)

Sydney Harbour
WEEKLY NEWSLETTER 3 - 8 FEBRUARY 2020

Hello and Welcome,

Meetings This Week:

No Meetings

Meetings Next Week:

Programming - Tuesday Feb 11th - 5:30 pm (6:00 pm meeting start) - 8:00 pm
Friday Forum - Friday Feb 14th - 9:30 am (10:00 am meeting start) - 12 noon
Communications - Friday Feb 14th - 1:00 pm - 3:00 pm
Web Design - Saturday Feb 15th - 1:30 pm (2:00 pm meeting start) - 4:00 pm

Current & Upcoming Meetings:

 7 2020/02/01 - 14:00-17:00 - 01 Feb, Saturday - Penrith Group
 8 2020/02/11 - 17:30-20:30 - 11 Feb, Tuesday - Programming SIG - L1 Woolley Room
 9 2020/02/14 - 09:30-12:30 - 14 Feb, Friday - Friday Forum - L1 Woolley Room
10 2020/02/14 - 12:30-15:30 - 14 Feb, Friday - Communications - L1 Woolley Room
11 2020/02/15 - 13:30-16:30 - 15 Feb, Saturday - Web Design - L1 Woolley Room
12 2020/02/18 - 09:30-12:30 - 18 Feb, Tuesday - Tuesday Forum - L1 Woolley Room
13 2020/02/25 - 17:30-20:30 - 25 Feb, Tuesday - Main Meeting - L1 Carmichael Room
14 2020/02/28 - 09:30-12:30 - 28 Feb, Friday - Digital Photography - L1 Woolley Room

ASCCA News:

“February 2020 Newsletter”:

From Nan Bosler:

Greetings all, the December and January break has been a difficult time for many of our members and we extend to you all our best wishes for a safe and happy New Year.

Many clubs have made time in January to plan for the coming year and do the inevitable maintenance of all club equipment and now the new term is about to begin.

No. 01 of Volume 22 of the ASCCA newsletter may be downloaded from the ASCCA website. Please share the newsletter and this covering message with all of your members.

  • As promised we share with you the winning photographs from the 2019 Digital Photography Competition. Thank you so much Joan Craymer for doing the two page layout. Isn't it hard to retire from ASCCA? Yes it will be held again in 2020!
  • Read about the Today at Apple Workshops which were held in both Victoria and New South Wales. 12-23 February are the dates for the NSW 2020 Seniors Festival; there are details of ASCCA sample courses, Newcastle's Digital Showcase of how life can be enhanced with technology and Stop, Look and Listen A Safety First Online program which will be powerful and informative with a touch of humour. It will be held in Dee Why on the Northern Beaches on 19 February.
  • Read carefully and consider if you are the perfect person to join the ASCCA Board as either treasurer or secretary.
  • Did you attend the Planning Ahead session at the 2019 Conference? Have you received the notes you requested? If not, then here is your answer.
  • Charlie Brown told us that he would have something special to share with us in the New Year. Well, he kept his promise. Safer Internet Day on 11 February is the perfect day to introduce an Aussie First, a World First, Charlie Brown will introduce his G-mee at Dee Why. See the booking link for this free event on page 5.
  • Welcome to new ASCCA Director, Rene Beeldman.
  • More shades of SWADE. SWADE began as the Seniors West Australian Digital Expansion project, an ASCCA initiated concept that has spread across more than half of the continent of Australia!

Fond regards, Nan.

Nan Bosler, AM
President

Australian Seniors Computer Clubs Association
Level LG, 280 Pitt St SYDNEY 2000
www.ascca.org.au
office@ascca.org.au
(02) 9286 3871


Tech News:

“New SHA-1 Attack”:

See the Blog Schneier on Security by Bruce Schneier. Posted on January 8, 2020 at 9:38 AM.

There's a new, practical, collision attack against SHA-1:

In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 261.2 rather than 264.7, and chosen-prefix collisions with a complexity of 263.4 rather than 267.1. When renting cheap GPUs, this translates to a cost of 11k US$ for a collision,and 45k US$ for a chosen-prefix collision, within the means of academic researchers. Our actual attack required two months of computations using 900 Nvidia GTX 1060 GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time preparing the attack).

It has practical applications:

We chose the PGP/GnuPG Web of Trust as demonstration of our chosen-prefix collision attack against SHA-1. The Web of Trust is a trust model used for PGP that relies on users signing each other's identity certificate, instead of using a central PKI. For compatibility reasons the legacy branch of GnuPG (version 1.4) still uses SHA-1 by default for identity certification.

Using our SHA-1 chosen-prefix collision, we have created two PGP keys with different UserIDs and colliding certificates: key B is a legitimate key for Bob (to be signed by the Web of Trust), but the signature can be transferred to key A which is a forged key with Alice's ID. The signature will still be valid because of the collision, but Bob controls key A with the name of Alice, and signed by a third party. Therefore, he can impersonate Alice and sign any document in her name.

From a news article:

The new attack is significant. While SHA-1 has been slowly phased out over the past five years, it remains far from being fully deprecated. It's still the default hash function for certifying PGP keys in the legacy 1.4 version branch of GnuPG, the open-source successor to PGP application for encrypting email and files. Those SHA-1-generated signatures were accepted by the modern GnuPG branch until recently, and were only rejected after the researchers behind the new collision privately reported their results.

Git, the world's most widely used system for managing software development among multiple people, still relies on SHA-1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA-1 certificates. SHA-1 is also still allowed for in-protocol signatures in the Transport Layer Security and Secure Shell protocols.

Read more »

“Microsoft is giving some Edge features back to Chrome”:

Referred by Jeff Garland: See the Android Police article by Ryne Hager | Jan 27, 2020.

In late 2018, Microsoft finally gave up on its in-house browser engine for desktops, moving its Edge browser over to the now nearly ubiquitous Chromium: The basis of Chrome. The first releases landed a bit under a year ago, and now some of Microsoft's changes to Chromium are percolating upstream — that's a developer way of saying Microsoft is offering some of its tweaks back to Google, and it's integrating them back into Chromium where anyone running Chrome (and any other Chromium-based browsers) will also benefit from them.

The news comes courtesy of an eagle-eyed Redditor perusing Chromium bug reports, who spotted a communication regarding a small change in a tab context menu on Chrome. Turns out, a larger related change allowing you to move multiple tabs between windows is also planned, and Microsoft is behind it.

A very courteous exchange between a pair of developers at the two companies simply summarizes the new relationship we're seeing between Microsoft and Google when it comes to Chromium:

Comment 1: lgrey@chromium.org (Google)

"If you're still interested in upstreaming this from Edge, we'd be happy to take it :)"

Comment 2: jugal...@microsoft.com (Microsoft)

"lgrey@, sounds great! I'll take ownership of this issue then."

The subsequent patch, already merged upstream by Google, is the icing on the apparent bromance cake. It isn't the first patch submitted by a Microsoft employee to Chromium, nor is it the first patch accepted, but it is one of the first "big" features outside a bug fix or a workaround that we've seen, and The Verge notes that Microsoft has made over 1,000 smaller commits to Chromium over the last year, including a not-so-small tweak allowing Windows Hello login for 2FA.

One could argue that Microsoft and Google are becoming increasingly intertwined in recent years. Microsoft memorably announced its first Android-powered phone, the Surface Duo, late last year, which it claims is the beneficiary of a partnership with big G to "bring out the absolute best of Android." Hopefully, Microsoft's upstream changes to Chromium continue. Collaboration when it comes to code can only ever help both companies, and that's not to mention the benefits to consumers across platforms.

Read more »

“(New York) State Could Ban Gov't Ransomware Payments”:

See the Infopackets article by John Lister on January, 28 2020 at 01:01PM EST.

New York state senators want a legal ban on local governments paying ransomware demands. The bipartisanship move is based on the idea that paying up simply incentivises the attacks.

Ransomware is malicious software that encrypts files on a hard drive so that they become unusable. Cyber criminals then demand a hefty ransom to unlock the files.

Two state senators, one Democrat and one Republican, have each proposed broadly similar bills. They are currently in the committee stage and its likely that one will go ahead to a full vote of the New York State Senate.

Both bills are based on similar principles: that paying attackers to regain access costs taxpayer money and also encourages further attacks, raising the public costs in the long run.

In both cases, the proposed law would outright ban municipal corporations and other government entities in the state from paying a ransom after a cyber-attack.

Cities Could Get Funding Boost

The main difference is the timing and the associated measures. One bill would simply ban ransom payments, effective immediately.

The other bill would bring in the rule from the start of 2022. In the meantime, the state would allocate $5 million to a special fund to help local governments from cities down to villages to boost their cyber defenses.

Officials Split Over Tactics

If either bill passed it would be the first such law in the US. TechRader notes that the US Conference of Mayors, which represents leaders of cities with populations of at least 30,000, passed a resolution last year agreeing not to pay ransom demands. However, that's not legally enforceable. (Source: techradar.com)

Several major cities including Baltimore, Atlanta and New Orleans have been attacked by ransomware in recent years, though they didn't pay up. At least two small cities in Florida have paid ransoms, largely by claiming on specialist insurance policies. In other cases, rumors suggest officials have paid the scammers but kept the payment a secret to avoid encouraging similar attacks. (Source: cnet.com)

Read more »

“Update: Avast kills Jumpshot data-collection business after privacy concerns mount”:

See the PCWorld article by Mark Hachman Senior Editor, PCWorld | JAN 30, 2020 12:26 PM PST.

Avast said that information collection is opt-in, and an opt-out option will be added soon. As it turns out, though, that wasn't good enough.

Avast said Thursday that it will wind down its data-collection service, Jumpshot, in response to concerns that it was collecting personal information about users from its free antivirus programs without the full knowledge and consent.

Avast and its subsidiary AVG, caught selling customer data to corporate clients last year, were supplying the information to Jumpshot, which in turn resold the data to corporate clients. Ondrej Vlcek, chief executive of Avast, said Friday that violated Avast's corporate mission.

"Avast's core mission is to keep its users safe online and to give users control over their privacy," Vlcek said in a statement. "The bottom line is that any practices that jeopardize user trust are unacceptable to Avast. We are vigilant about our users' privacy, and we took quick action to begin winding down Jumpshot's operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles that define us as a company."

It's not clear, however, if this means that Avast will stop collecting personal information. Avast's statement also says that "all Avast products' core functionality will continue to perform as usual and users will see no change."

The joint report by Vice's Motherboard and PCMag had built upon reports by Adblock Plus creator Wladimir Palant, who reported in October, 2019 that the Avast Online Security Extension as well as the AVG Secure Browser spy on users, harvesting their information.

Palant alleged that the information — which included a unique user ID, the page you visited, whether you'd visited that page before, and other information — could be provided to third parties, and suggested that Jumpshot could be a possible destination. (Avast acquired Jumpshot in 2013, and a statement on the company's website says that it "provides insights into consumers' online journeys by measuring every search, click and buy across 1,600 categories from more than 150 sites, including Amazon, Google, Netflix, and Walmart.") At the time, the news caused browser makers like Google to remove both from its web store, though the extensions have since returned.

...

When installing the free Avast antivirus software, users are given the option to uncheck virtually all of the optional modules that the software installs: password storage, disk cleanup, and more. By default, the Avast security browser extension and SafePrice browser extension have a check mark next to them, showing that they will be installed. Those can be unchecked and not installed.

Out of curiosity, PCWorld unchecked every option. The Avast software reported that the installation process completed, and Windows Security reported that the Avast software was installed. However, we weren't able to open the Avast software itself, including its dashboard.

There's an old adage: When you're not paying for the product, you're the product. For now, this seems to be the case with Avast's antivirus software.

This story was updated at 12:25 PM on Jan. 30 with details about how Avast was winding down Jumpstart.

Read more »

“What Is Smishing, and How Do You Protect Yourself?”:

See the How-To Geek article by CHRIS HOFFMAN | @chrisbhoffman | JANUARY 24, 2020, 6:40AM EDT.

You're probably familiar with email-based phishing, where a scammer emails you and tries to extract sensitive information like your credit card details or social security number. "Smishing" is SMS-based phishing — scam text messages designed to trick you.

What Is Smishing?

By now, almost everyone has encountered phishing scams that arrive via spam emails. For example, someone might claim to be from your bank and request you provide account information, social security numbers, or credit card details.

Smishing is just the SMS version of phishing scams. Instead of a scammy email, you get a scammy text message on your smartphone. "SMS" stands for "short message service" and is the technical term for the text messages you receive on your phone.

The new text message package delivery scam is a perfect example of smishing. People are receiving text messages claiming to be from FedEx with a tracking code and a link to "set delivery preferences."

If you tap that link on your phone (and you shouldn't), you'll end up on a fake Amazon site (a phishing site) with a fraudulent "free reward." The site will request your credit card information for "shipping fees." If you provide payment details, you'll be billed $98.95 every month.

...

How to Protect Yourself From Smishing Scams

You should be on guard for scammy text messages, just as you should watch out for malicious emails. All the standard tips for dealing with phishing emails apply to smishing, too:

  • Look at the source of the text message. For example, if Amazon always texts you a delivery alert from a specific number and a new message arrives in that conversation, that suggests it's real. However, scammers can fake (spoof) the number a text message is from, just as they can fake caller ID on a phone.
  • Be alert for anything suspicious. If you receive a delivery alert from a new number — especially if you weren't expecting a delivery — that alert is potentially suspect. We recommend you avoid opening the links in any potentially dangerous text messages.
  • Avoid entering information after tapping a link in a text message. For example, if you get a "fraud alert" that says it's from your bank, don't tap the link in the message and sign in. Instead, go to your bank's website directly or call your bank on the phone and ask if the alert message was legitimate.
  • Don't send sensitive information in response to strange texts. Whether someone texting you claims to be a legitimate business or sends a message like "Hey, this is your wife, I just got a new phone — what's your social security number again?", it's a good idea to contact that business or person directly to ensure you aren't talking to an impersonator trying to trick you.
  • Watch out for things that are "too good to be true," like "free" rewards that need your credit card number for some reason.
  • Don't download and install any software sent to you via a text message or email.

Read more »


Fun Facts:

“Primes in Arithmetic Progression”:

The primes 2, 3, 5, 7, 11, 13, 17, etc. have long fascinated mathematicians.

Any simple formula is very appealing.

Like "3, 5, 7, 9 (not prime)" was an AP starting at 3 with common difference 2.

That sequence didn't last very long.

It's easy to find others that last a little longer, like "7, 13, 19, 25 (whoops)".

Try "11, 17, 23, 29, 35 (whoops, again)".

Looks like we'll have to go higher and longer for a decent progression.

The best place to look for these sequences is in the Online Encyclopedia of Integer Sequences. [ Yes, there is an Online Encyclopedia for these things. ]

The following sequence shows the longest arithmetic progression of primes with difference 210 and minimal initial term:

{199, 409, 619, 829, 1039, 1249, 1459, 1669, 1879, 2089}

For a more impressive sequence, this shows Benoît Perichon's 26 primes in arithmetic progression:

{43142746595714191, 48425980631694091, 53709214667673991,
58992448703653891, 64275682739633791, 69558916775613691,
74842150811593591, 80125384847573491, 85408618883553391,
90691852919533291, 95975086955513191, 101258320991493091,
106541555027472991, 111824789063452891, 117108023099432791,
122391257135412691, 127674491171392591, 132957725207372491,
138240959243352391, 143524193279332291, 148807427315312191,
154090661351292091, 159373895387271991, 164657129423251891,
169940363459231791, 175223597495211691}

COMMENTS

Longest known arithmetic progression of primes as of Jan 14, 2012.

Discovered on Apr 12 2010 by Benoît Perichon using software by Jaroslaw Wroblewski and Geoff Reynolds in a distributed PrimeGrid project.

PrimeGrid's primary goal is to advance mathematics by enabling everyday computer users to contribute their system's processing power towards prime finding.

In 1837, the German mathematician Dirichlet proved that any arithmetic progression where the first term and the (non-zero) common difference are co-prime contained infinitely many primes.

The Green-Tao arithmetic progressions theorem

In number theory, the Green-Tao theorem, proved by Ben Green and Australia's Terence Tao in 2004, states that “the sequence of prime numbers contains arbitrarily long arithmetic progressions”. In other words, for every natural number k, there exist arithmetic progressions of primes with k terms.

Oh well, Perichon's result above shows that we've made it to 26. Still some way to go.

Ed.


Bob Backstrom
~ Newsletter Editor ~

Information for Members and Visitors:

Link to — Sydney PC & Technology User Group
All Meetings, unless specifically stated above, are held on the
1st Floor, Sydney Mechanics' School of Arts, 280 Pitt Street, Sydney.
Sydney PC & Technology User Group's FREE newsletter — SubscribeUnsubscribe
Go to Sydney PC & Technology User Group's — Events Calendar
Changing your e-mail address? Please e-mail your new address to — newsletter.sydneypc@gmail.com
DISCLAIMER: This Newsletter is provided "As Is" without warranty of any kind.
Each user or reader of this Newsletter assumes complete risk as to the accuracy and subsequent use of its contents.