Install and Configure Oh My Zsh and use it in VSCode in Linux

If you use the simple Bash Terminal in your OS, you may want to give Zsh a try to use a faster and safer terminal with many more features. The simple Bash that exist in the common dist of Linuxes are not changed over years and just received some security fixes, but the community behind Zsh are improving it everyday and bring new useful plugins.

I use ‘Oh my Zsh’, Oh My Zsh is an open source, community-driven framework for managing your zsh configuration.

OhMyZSH in Yakuake

Installing it is easy, here we go:

First we install zsh itself:


sudo apt-get install zsh
Code language: JavaScript (javascript)

And then ‘Oh my Zsh’ framework

Via Curl:

sudo sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
Code language: JavaScript (javascript)

Or via Wget:

sh -c "$(wget -O- https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
Code language: JavaScript (javascript)

During installation it will ask you if you want to make it your default terminal and you may answer yes.

Install the requirments:

sudo apt-get install fonts-powerline ttf-ancient-fonts
Code language: JavaScript (javascript)

Configure Oh My Zsh

You can configure Oh My Zsh to change how it update (Automate or asking), Enable/Disable Plugins, Setting Default user etc. Here is part of changes I’ve made, I’ve enabled some plugins and uncommented/changed some settings:

sudo nano ~/.zshrc
export PATH=$HOME/bin:/usr/local/bin:$PATH DEFAULT_USER=`whoami` DISABLE_UPDATE_PROMPT="true" export UPDATE_ZSH_DAYS=1 plugins=( bower composer git bundler dotenv osx vscode rake rbenv ruby ) if [[ -n $SSH_CONNECTION ]]; then export EDITOR='nano' else export EDITOR='atom' fi
Code language: JavaScript (javascript)

Installing Theme

There are many plugins installed by default, but I’ve found this nice theme that comes with some nice features and looks pretty useful:

sudo wget -P $ZSH_CUSTOM/themes/ http://raw.github.com/zakaziko99/agnosterzak-ohmyzsh-theme/master/agnosterzak.zsh-theme
Code language: PHP (php)

And then configure the theme in your ~/.zshrc file:
ZSH_THEME=”agnosterzak”

Change the default terminal in VSCode

OhMyZSH in Visual Studio Code Terminal

Ok so by now we have installed and configured Zsh and set it as default but still VSCode use the default Bash as the integrated terminal. So we want to change it to Zsh, but there are a problem, VSCode only support monospace fotns and cannot use the power-fonts we have installed. so we have to install some compatible fonts first.

My suggestion is Meslo from nerd-fonts package. You can download it from their repository: nerd-fonts/patched-fonts/Meslo/M/Regular/complete
Just download the mono version and install it via font manager in your OS.

Or if you wish to install it via command line:

git clone git@github.com:ryanoasis/nerd-fonts.git --depth 1 cd nerd-fonts sudo ./install.sh
Code language: PHP (php)

Now we can configure VSCode to use Zsh, Add the following lines to settings.json of VSCode or find them one by one in settings and apply them:

"terminal.integrated.shell.linux": "/bin/zsh", "terminal.integrated.shell.osx": "/bin/zsh", "terminal.integrated.fontFamily": "MesloLGM Nerd Font"
Code language: JavaScript (javascript)

Set permanent custom resolution for Ubuntu and KDE Using Xrandr and Xsetup

KDE Logo

After switching from Gnome and Unity to KDE, I had a problem with SDDM and it was that it could not detect correct resolution for my UltraWide monitor and set it to Full HD instead of 2560×1080. I had a similar problem in Ubuntu with another old monitor. Anyway that solution is same in both cases.

The solution for this problem is using Xrandr and Xsetup to set the correct resolution and make it permanent.

For example, in my case for 2560×1080 resolution and 50hz refresh rate, I used the following commands:

xrandr --newmode "2560x1080_50.00" 188.75 2560 2712 2976 3392 1080 1083 1093 1114 -hsync +vsync
xrandr --addmode HDMI-2 2560x1080_50.00
xrandr -s 2560x1080 -r 50

Note: you can get the right numbers for the first line of command using this:

cvt 2560 1080 50

Ok, we have the correct commands and resolution for our system, but problem is that we should run all these commands after every reboot and also these commands won’t apply to our login screen, so we should use Xsetup file to run the commands before loading the desktop manager, so we put above commands into Xsetup file.

The path for Xsetup file in KDE 5 (Kubuntu 18.04):

/usr/share/sddm/scripts/Xsetup

And for older versions of KDE:

/etc/kde4/kdm/Xsetup
/etc/kde3/kdm/Xsetup
/etc/kde/kdm/Xsetup

Done, now reboot your system and enjoy the correct resolution.

Google Chrome in Ubuntu keeps detecting network change

Recently I had problem with my Ubuntu, Whenever I tried to open a website my Chromium told me that a Network Change has been detected and after 1-2 reload that sites would load and sometimes failed to load fully.

After looking up for that problem, I found out many other people had same problem and it has something to do with “avahi-daemon”.

Solution

According to the links I found in Ubuntu forums, this problem comes from IPv6 in Ubuntu and disabling that service will fix it, I tried it and it worked:

# create the long-life config file
echo "net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee /etc/sysctl.d/99-my-disable-ipv6.conf

# ask the system to use it
sudo service procps reload

# check the result
cat /proc/sys/net/ipv6/conf/all/disable_ipv6

All the world’s a Stagefright

Stagefright

Here’s how security vulnerabilities are supposed to be handled. One, a researcher discovers an issue. Two, the people who make the software find a solution. And three, the solution is then made available, ideally by automatic update. That’s what Windows does, and what Apple does. It isn’t always as fast as it should be, but at least once the fix exists it’s available almost instantly.

Here’s how it works with Android.

  1. A researcher discovers a vulnerability.
  2. Google says “la la la can’t hear you” for a year or so.
  3. After lots of media coverage Google says it’ll fix the hole.
  4. Google creates a fix and promises to bring it to the Nexus range in two or three months.
  5. Google gives the fix to manufacturers who say they’ll roll it out at some point, maybe, when they get round to it.
  6. The manufacturers get round to it and submit their version to the phone networks, who say they’ll totally bring it out at some point, oh yes siree!
  7. The vulnerability that the fix will eventually fix evolves so that the fix doesn’t fix it any more.
  8. Google says “la la la can’t hear you”.

Read the whole story at: The Times of India

Facebook farewells flaky SHA-1

FacebookFacebook has set the date: on September 30, the ancient and creaking SHA-1 hashing algorithm will make its tumbril trip and get the chop.

SHA-1, designed by the NSA in 1995, is a one-way algorithm: a block of data is turned into a message digest. The digest can’t be turned back into the original message, but serves as a digital signature confirming the authenticity of (for example) the software you’ve downloaded.

And it’s long been on the end-of-life list, because it’s vulnerable to collision attacks – different blocks of data can present the same SHA-1 hash, allowing malware to verify as if it were authentic.

From October 1, The Social NetworkTM says, third-party apps signed with SHA-1 will no longer be able to connect to Facebook.

As Facebook’s Adam Gross blogs, the move is in line with the Certificate Authority and Browser Forum’s intention to sunset SHA-1 by January 2016.

“We’ll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we’ll require apps and sites that connect to Facebook to support the more secure SHA-2 connections”, Gross wrote.

Facebook recommends that “applications, SDKs, or devices that connect to Facebook” be checked for SHA-2 support, to avoid user irritation.

The migration hasn’t been without its detractors. Earlier this year, infosec bods told The Register the shift poses challenges. If users see disruption – for example, too many “insecure site” warnings – they fear that trust in the Internet will be undermined.

Cross-posted from TheRegister

What you need to know about BERserk and Mozilla

The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organizations.

The Mozilla NSS library, commonly utilized in the Firefox web browser, can also be found in Thunderbird, Seamonkey, and other Mozilla products.  Dubbed “BERserk”, this vulnerability allows for attackers to forge RSA signatures, thereby allowing for the bypass of authentication to websites utilizing SSL/TLS.  Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites.

nss-1024x686

What users can do immediately

Individual Firefox browser users can take immediate action by updating their browsers with the latest patches from Mozilla.

Google has also released updates for Google Chrome and ChromeOS, as these products also utilize the vulnerable library.

Ensuring that privacy and integrity be maintained is core to what we do at Intel Security.  As this issue unfolds we will continue to provide updates on effective countermeasures and proper mitigation strategies.

Read the whole story at McAfee Blog

Symantec to Overhaul Its Norton Security Line

Symantec_logo_horizontal_2010-1Symantec is overhauling its Norton security software, going from nine products to just one as the company turns its attention to smartphones and connected devices.

 

The new product, called Norton Security, doubles down on the company’s renewed focus on subscription models. In its most recent quarter, when Symantec reported a $236 million profit on a 2% gain in revenue to $1.74 billion, the company said it planned to optimize the Norton business while streamlining product support.

Norton Security, which goes on sale Sept. 23 and costs $80 a year, will combine all of the antivirus, spyware, spam-monitoring and other features scattered across various versions of Norton AntiVirus, Norton Internet Security and Norton 360. It most closely resembles the Norton 360 Multi-Device offering that previously had cost $100 a year but is now $70.

The new product can be used across a family’s Windows and Mac computers, as well as their smartphones running iOS and Android. It includes other services, such as a password keeper, and offers cloud-backup storage starting at an additional $10 a year for 25 gigabytes.

norton-2015

 

The one-size-fits-all approach to PCs makes sense for Symantec at a time when security concerns are broadening beyond the traditional battlegrounds to smartphones, tablets and other connected devices, Fran Rosch, Symantec’s executive vice president in charge of the Norton business, said in a briefing with The Wall Street Journal.

People who want a premium version of Norton Security and Antivirus on an Android phone today have a choice: pay $30 for an in-app purchase, or buy the larger subscription and log in as a premium user. (People using iOS can’t buy the premium version through the app.)

The free version of the Android app scans downloads for malware, while the full version includes antitheft controls, backup, call blocking and an app monitor that looks for suspicious or “unnecessary” activity, such as personal data getting uploaded to the cloud.

While Symantec is putting all of its Norton products under one PC roof, it will continue to have separate smartphone apps that perform specific tasks.

Norton apps are available for iOS, but Mr. Rosch said Symantec isn’t focusing on iPhones and iPads. The way Apple controls its mobile OS and app distribution makes the platform less of a security challenge, he said. There is more opportunity on Android, which is considered a more “open” OS.

Perhaps the best news for consumers: As part of the transition, Symantec is easing back on preinstalled promotional software that many PC buyers have come to label “junkware.” Mr. Rosch says the placement isn’t worth the cost. To make the same profit as it does on one direct-subscription sale, he said, Symantec needs to convert about five of the trial software users. The company declined to say how much it pays to place trial versions of its software on PCs.

That doesn’t mean Symantec is walking away from its core PC audience. It is working on a touch-friendly Windows 8 app, which could give Norton more visibility in Microsoft’s Windows App Store. Thirty percent of Norton’s users are running the software on Windows 8—but only in the classic desktop version, not the touch-friendly version, the company said.

The other area Symantec is turning its attention to is the “Internet of Things,” Mr. Rosch said. Symantec is working with manufacturers to lock down the connected devices they build. Tiny gadgets built for specific purposes usually don’t have the horsepower or battery juice to scan for viruses, Mr. Rosch said, but Symantec has software that can help “white list” appropriate programs to safeguard them from malware.

Symantec isn’t completely ruling out an Internet of Things product of its own in the future, Mr. Rosch said. It already prototyped a “home security system” device—complete with a camera—but isn’t ready to release it at this time.

symant_hq

New Facebook scams in 2014

So many Facebook scams in 2014 have been a little worrying even though at first they all seem innocent enough, but these are social scams to lure users in to gain money or access to computers.

One particular Facebook scam this year was the “Robin Williams goodbye video”, which was apparently made before his death. This fake BBC News video is a scam and no such video exists.

The “Robin Williams goodbye video” started to circulate on Facebook and asks users to share the video before they can watch it, DO NOT click on it. There is no video so no point on sharing it, Symantec explains in detail that when Facebook users click on the video it asks them to either fill out a survey or install an application. When the survey is complete the scammers gain money for each one completed.

Robin Williams goodbye video

 

Do not open any app offering to change your Facebook’s color because it is a scam. The Facebook color blue may be getting a little boring for some and may like a change; this is where a new web app could come in handy.

If you come across the “Facebook color changer” or “Facebook Colour Changer” DO NOT open this at all, it will hijack peoples Facebook accounts. It has already been reported it has accessed over 10,000 FB accounts so far; this is malicious software done in two steps. The first step process is when users click to allow the app access to the users Facebook profile, the second step is where the first step has been declined and asks the user to download anti-virus software.

 

Facebook profile color changer scam

If anyone has followed the tutorial video on how to use the “Facebook colour changer” it is advised to change passwords immediately, you should also remove the app from your profile from the Facebook app settings.

Another Facebook scam will trick users and then access accounts, in a nutshell you basically hack yourself. It cleverly lures Facebook victims into believing they can access anyone’s account using three simple steps. The scam starts of by asking users to open Facebook in a web browser then visit the person they wish to hack, with a few simple steps such as right-clicking anywhere on the page after doing the above and then via the pop-up menu select “Inspect Element”. Once this has been done it will open an HTML editor, it is within this editor users are instructed to copy-paste a string of code provided – The code does not work, never has and never will.

Whilst on the subject of Facebook scams we recommend you keeping an eye on these ones, anything to do with these please do not click on them. 1) A Facebook app that allows you to see total profile views and visitors, 2) There is another scam titled ‘Rihanna sex tape with her boyfriend’, 3) Free-T-shirts when you Check my status update (Just another scam), 4) You can check if a friend has deleted you.

The above are only a few Facebook scams, there are thousands but these are more recent. Do NOT click on anything you are not sure about, especially when it says share this video to view it (Unless it is a trusted website).

What Facebook scam have you come across lately?

How NBC’s Russian Hack Actually Happened, According to the Security Expert Who Set It Up

http://www.youtube.com/watch?v=waEeJJVZ5P8

A couple days ago, NBC News ran a report pegged to the Sochi Olympics about Russian hacking. In it, correspondent Richard Engel uses a “brand new” smartphone to test out the Russian internet while hanging out in a Moscow cafe. “Almost immediately,” he says in the segment, “we were hacked.” Naturally, as the security consultant NBC hired for the segment explained today, it’s not true.

The consultant, Kyle Wilhoit, a senior threat researcher at Trend Micro, set the record straight today in a blog post on the Trend Micro site and an accompanying white paper. He explained that Engel’s report, while not completely inaccurate, was edited in a misleading way and the implications were overblown.

It was the perfect amalgamation of Russian stereotypes and fears: The subtext is that low-grade security infrastructure, built probably by the same bribe-laden goons that put two toilets together in Sochi, has been completely overrun by evil Russian hackers all to prey on the poor visitors to the backwards country.

“Malicious software hijacked our phone before we even finished our coffee, stealing my information and giving hackers the ability to record my phone calls,” says Engel in the segment, incredulous. The implied follow-up to the report is obvious: Not only is Russia so inept that it hosted the Winter Olympics at a beach, you can’t even walk into the country without getting spied on!

The irresistible mix of the “Russia is sketchy” storyline with Sochi and the specter of Cold War-era spycraft (how about those hotel shower cameras?) sent the report bounding around the internet. “Report: Nearly all visitors to Sochi Winter Olympics will be hacked,” reads a perfectly representative headline, while NBC’s own post about it says Sochi is “‘open hunting season for hackers.”

Nevermind the fact that Engel was actually in Moscow, which is about a 1,000 mile drive from the shores of Sochi. And ignore the fact that malware was only downloaded to Engel’s devices after deliberately clicking on the same kind of malware-laden crap everyone in the world knows to avoid. It was too good a story to pass up.

But a story it was. Things started to unravel last night when a post on the Errata Security blog claimed that the story was “100% fraudulent.” Instead, argues the writer Robert Graham, the story was simply a reminder not to click on clearly hostile websites, like the fake Olympic sites Engel visited. “Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network,” he writes. “100% of the story was about visiting websites remotely.”

sochi-hack-2014
One of the malicious websites visited in the NBC report. Image: Kyle Wilhoit/Trend Micro

 

Today, Wilhoit explained that every attack involved a user interaction, could have happened anywhere, and happened on brand new devices without OS updates. Rather than a story about visitors being immediately hacked upon visiting Sochi, the story was about using internet best practices and not opening suspicious emails—which is hardly groundbreaking.

How did it happen? Wilhoit lays it out clearly (emphasis mine): “While all three devices looked like they had been compromised with no user interactions that was just not the case. Incorrect impressions may have been formed due to the editing process; no zero-days were used and all infections required plenty of risky behavior to succeed.”

Wilhoit’s white paper has in-depth explanations of the hacks observed on the test equipment—a Galaxy S4, Lenovo ThinkPad, and MacBook Air—but again, the caveat is clear. “As in most malware attacks, user activity of one form or another is required for an infection to affect devices,” he wrote. “The case studies presented in this paper do not differ in that the user has to do something because no compromise automatically occurs.”

So while Engel’s report wasn’t 100 percent false—the tested equipment was indeed compromised—the malware attacks were absolutely not immediate, and were absolutely not endemic to Sochi. Such infections could have happened to anyone in the world, and could have come from anywhere in the world, because they involved fooling around on compromised sites on the open web.

How does a tale about internet best practices—a legitimately good thing to remind people of—turn into a Sochi hacking story based in Moscow? After Graham’s report dropped, NBC told Business Insider that nothing was fraudulent about the report, and that it was clear that it happened in Moscow and that it was designed to model what an average user would do. It’s as yet not clear how NBC will respond to Wilhoit’s report; I’m waiting on a response to an email inquiry, and will update when possible.

However, it does seem pretty apparent that NBC dressed up a hacking story—which I can say from experience are not easy to tell in video form, especially to a broad audience—by pegging it to Sochi. Teaching travelers about internet security is a smart, valuable service. But by focusing so heavily on the Sochi angle, and suggesting that hacks are immediate—an assertion that, beyond the control of NBC, was also amplified and distorted in the media echo chamber—the report ended up missing the mark.

via: vice.com

Gates spends entire first day back in office trying to install Windows 8.1

gates

REDMOND, WASHINGTON (The Borowitz Report)—Bill Gates’s first day at work in the newly created role of technology adviser got off to a rocky start yesterday as the Microsoft founder struggled for hours to install the Windows 8.1 upgrade.

The installation hit a snag early on, sources said, when Mr. Gates repeatedly received an error message informing him that his PC ran into a problem that it could not handle and needed to restart.

After failing to install the upgrade by lunchtime, Mr. Gates summoned the new Microsoft C.E.O. Satya Nadella, who attempted to help him with the installation, but with no success.

While the two men worked behind closed doors, one source described the situation as “tense.”

“Bill is usually a pretty calm guy, so it was weird to hear some of that language coming out of his mouth,” the source said.

A Microsoft spokesman said only that Mr. Gates’s first day in his new job had been “a learning experience” and that, for the immediate future, he would go back to running Windows 7.