Trying out Open Live Writer

This is Open Live Writer, an open source fork of the MSFT blog editor Live Writer. Open Live Writer is like Word for your blog. Open Live Writer is a powerful, lightweight blog editor that allows you to create blog posts, add photos and videos then publish to your website. You can also compose blogs […]

Original URL:  

Original article

Intel unveils 8 new Broadwell and Skylake processors

Intel Logo

US chip maker Intel has recently announced eight new processors, as it expands its Broadwell and Skylake families. The chips will be available for both desktop and mobile CPUs, the company added.

The new processors announced today include the Celeron 3855U, Celeron 3955U, Core i3-6098P, Core i5-6402P, Core i5-5200DU, Core i5-6198DU, Core i5-5500DU, and the Core i7-6498DU. Out of these, the two new desktop CPUs are the Core i3-6098P and the Core i5-6402P. Like previous processors with a “P” prefix, it is likely that these processors do not come with an integrated GPU. They have been priced at $117 (£79) and $182 (£122), respectively.

The four new mobile CPUs — Core i5-5200DU, Core i5-6198DU, Core i7-5500DU, and the Core i7-6498DU are dual-core SKUs with four threads. The D in the name is still a mystery.

According to CPU World, the Celeron 3855U and 3955U are both ULV dual-core processors and come with an integrated Intel HD 510 graphics and 2MB of L3 cache.

The company announced new processors the same day it announced the completion of the acquisition of Altera. According to the company’s press release, the acquisition will enable new classes of products in the IoT and datacenter businesses.

“Altera is now part of Intel, and together we will make the next generation of semiconductors not only better but able to do more”, said Brian Krzanich, Intel CEO. “We will apply Moore’s Law to grow today’s FPGA business, and we’ll invent new products that make amazing experiences of the future possible — experiences like autonomous driving and machine learning”.

Published under license from, a Net Communities Ltd Publication. All rights reserved.

Photo Credit: Rose Carson/Shutterstock

Original URL:  

Original article

Lazy Authentication Still the Norm


My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

Junaid Hussain's Twitter profile photo.

Junaid Hussain’s Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Nevermind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records? He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.

For better or worse, this isn’t the first time I’ve had to deal with weaknesses in PayPal’s anti-fraud systems. Last year, my account was the recipient of a large number of fraudulent donations made through hacked PayPal accounts that all were funded by credit cards instead of bank balances. The problem with fraudulent credit card donations via PayPal is that PayPal assesses the inevitable $20 Visa or MasterCard chargeback fee against the unwitting recipient of the fraudulent donation, effectively taking $20 out of the recipient’s account for each phony donation!

I called my contact at PayPal who’d helped work out a stopgap solution to the phony credit card payments, and that person said PayPal would lock my account so that no further account changes would be allowed. I’m grateful that they were able to do this (so far) but it probably goes without saying that most PayPal users will not have that line of contact or influence at the company.

PayPal's security token isn't much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal’s security token isn’t much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

Although this is effectively the same solution that PayPal offered after it froze my account and available funds, having to visit an office and present my ID to close or make changes to my account is significantly less onerous and aggravating than trying to work that out after the fact while having no electricity, water or Internet.

Longer term, PayPal should review which of its users have already provided mobile phone information, and then seek to validate those contact numbers. Once that process is done, PayPal can start upgrading its authentication systems — and hopefully become less reliant on static (read: already-compromised) identifiers to validate customers. This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts.

Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats (bear in mind that a crook who gains access to your PayPal account can see all of your transactions and financial data from associated bank accounts).

Many KrebsOnSecurity readers have been quite generous in supporting my efforts this year, and to those folks (and to anyone else who’s read this far) I offer a hearty and heartfelt THANK YOU!

Tags: ISIS, TeaMp0isoN, PayPal authentication failures, Junaid Hussain

This entry was posted on Monday, December 28th, 2015 at 1:17 pm and is filed under A Little Sunshine, Ne’er-Do-Well News.
You can follow any comments to this entry through the RSS 2.0 feed.

You can skip to the end and leave a comment. Pinging is currently not allowed.

Original URL:  

Original article

Faker.js – generate massive amounts of fake data in the browser and node


Build Status

npm version


Hosted API Microservice

  • Supports all Faker API Methods
  • Full-Featured Microservice
  • Hosted by

Help Support!

The mantainer of this project is currently running a Kickstarter campaign to help fund the very awesome open-source project.

If you like Faker.js, please support!



  var randomName =; // Caitlyn Kerluke
  var randomEmail =; //
  var randomCard = faker.helpers.createCard(); // random contact card containing many properties


var faker = require('faker');

var randomName =; // Rowan Nikolaus
var randomEmail =; //
var randomCard = faker.helpers.createCard(); // random contact card containing many properties



As of version v3.0.0 faker.js contains a super useful generator method Faker.fake for combining faker API methods using a mustache string format.


console.log(faker.fake('{{name.lastName}}, {{name.firstName}} {{name.suffix}}'));
// outputs: "Marks, Dean Sr."

This will interpolate the format string with the value of methods name.lastName(), name.firstName(), and name.suffix()

API Methods

  • address
    • zipCode
    • city
    • cityPrefix
    • citySuffix
    • streetName
    • streetAddress
    • streetSuffix
    • streetPrefix
    • secondaryAddress
    • county
    • country
    • countryCode
    • state
    • stateAbbr
    • latitude
    • longitude
  • commerce
    • color
    • department
    • productName
    • price
    • productAdjective
    • productMaterial
    • product
  • company
    • suffixes
    • companyName
    • companySuffix
    • catchPhrase
    • bs
    • catchPhraseAdjective
    • catchPhraseDescriptor
    • catchPhraseNoun
    • bsAdjective
    • bsBuzz
    • bsNoun
  • date
    • past
    • future
    • between
    • recent
    • month
    • weekday
  • fake
  • finance
    • account
    • accountName
    • mask
    • amount
    • transactionType
    • currencyCode
    • currencyName
    • currencySymbol
  • hacker
    • abbreviation
    • adjective
    • noun
    • verb
    • ingverb
    • phrase
  • helpers
    • randomize
    • slugify
    • replaceSymbolWithNumber
    • replaceSymbols
    • shuffle
    • mustache
    • createCard
    • contextualCard
    • userCard
    • createTransaction
  • image
    • image
    • avatar
    • imageUrl
    • abstract
    • animals
    • business
    • cats
    • city
    • food
    • nightlife
    • fashion
    • people
    • nature
    • sports
    • technics
    • transport
  • internet
    • avatar
    • email
    • userName
    • protocol
    • url
    • domainName
    • domainSuffix
    • domainWord
    • ip
    • userAgent
    • color
    • mac
    • password
  • lorem
    • words
    • sentence
    • sentences
    • paragraph
    • paragraphs
  • name
    • firstName
    • lastName
    • findName
    • jobTitle
    • prefix
    • suffix
    • title
    • jobDescriptor
    • jobArea
    • jobType
  • phone
    • phoneNumber
    • phoneNumberFormat
    • phoneFormats
  • random
    • number
    • arrayElement
    • objectElement
    • uuid
    • boolean


As of version v2.0.0 faker.js supports over 27 different language definition packs.

The default language is set to English.

Setting a new locale is simple:

// sets locale to de
faker.locale = "de";
  • de
  • de_AT
  • de_CH
  • el_GR
  • en
  • en_AU
  • en_BORK
  • en_CA
  • en_GB
  • en_IE
  • en_IND
  • en_US
  • en_au_ocker
  • es
  • es_MX
  • fa
  • fr
  • fr_CA
  • ge
  • it
  • ja
  • ko
  • nb_NO
  • nep
  • nl
  • pl
  • pt_BR
  • ru
  • sk
  • sv
  • tr
  • uk
  • vi
  • zh_CN
  • zh_TW

Individual Localization Packages

As of vesion v3.0.0 faker.js supports incremental loading of locales.

By default, requiring faker will include all locale data.

In a production environment, you may only want to include the locale data for a specific set of locales.

// loads only de locale
var faker = require('faker/locale/de');


npm install .
make test

You can view a code coverage report generated in coverage/lcov-report/index.html.

Projects Built with faker.js

Fake JSON Schema

Use faker generators to populate JSON Schema samples.


Run faker generators from Command Line.

Want to see your project added here? Let us know!


Meteor installation

  meteor add practicalmeteor:faker

meteor usage, both client and server

  var randomName =; // Rowan Nikolaus
  var randomEmail =; //
  var randomCard = faker.helpers.createCard(); // random contact card containing many properties

Version Release Schedule

faker.js is a popular project used by many organizations and individuals in production settings. Major and Minor version releases are generally on a monthly schedule. Bugs fixes are addressed by severity and fixed as soon as possible.

If you require the absolute latest version of faker.js the master branch @ should always be up to date and working.


Matthew Bergman & Marak Squires

faker.js – Copyright (c) 2014-2015
Matthew Bergman & Marak Squires

faker.js was inspired by and has used data definitions from:

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
“Software”), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.


Original URL:  

Original article

Linode is suffering on-going DDoS attacks


The maintenance on Xen Linodes due to the embargoed XSAs was completed as scheduled.

Dec 19, 15:14 UTC

In progress

Scheduled maintenance is currently in progress. We will provide updates as necessary.

Dec 13, 02:00 UTC


Linode has received several Xen Security Advisories (XSAs) that require us to perform updates to our host servers. In order to apply the updates, hosts and the Linodes running on them must be rebooted. The XSAs will be publicly released by the Xen project team on December 17th, therefore we must complete the updates before that date.

These security advisories only affect Xen Linodes. KVM Linodes are not vulnerable and do not require a reboot. Any customer that upgrades to KVM prior to the maintenance can avoid it entirely.

These updates are required to protect the security and safe operations of not only our infrastructure, but yours as well. We understand that a disruption with such limited notice is inconvenient, and we hope you understand that these measures are warranted due to the severity of the XSAs.

Each host server will be assigned a maintenance window in which the reboot will occur. The maintenance schedule is still being worked out on our end, however we can tell you that all maintenance windows will start Sunday December 13th at 9 p.m. EST and will be completed before December 17th.

We will have the maintenance schedule defined within the next few days. Each Linode’s maintenance window will be communicated to you via email and will also be visible within the Linode Manager. Unfortunately, due the logistical demands of this effort, your assigned windows are not changeable and the host reboots are mandatory.

During the maintenance window Linode instances will be cleanly shut down while we perform the updates. Your Linode will be inaccessible during this time. A two-hour window is allocated, however the actual downtime can be much less. After the maintenance, each Linode will then be booted. See our Reboot Survival Guide for tips and hints on configuring and testing that your Linode services boot properly.

Stay tuned for more information.

Dec 10, 17:35 UTC

Original URL:  

Original article

Show HN: Build a React Native real-time chat app in 5 minutes (without Xcode)

Build a real-time chat app with Siphon

We’re going to build a simple real-time chat application using React Native.
Follow the quickstart tutorial first if
you haven’t yet set up your machine to use Siphon.

Install the command-line tool

Create a new Siphon app

Navigate to a suitable directory (anywhere is fine) and type the following
command to create a new app:

$ siphon create chat-app

You can call it anything you like, but for the rest of this tutorial we will refer to the app as chat-app.

A new directory containing the basic app template will be created on your local machine and the files will be pushed to our servers.

Open up the Siphon Sandbox app on your iOS device and tap the new app icon to run it.

Add a simple user interface

We’re going to alter the template app that we just created. Open up the file called
chat-app/index.ios.js in your favourite editor.

Lets add a minimal user interface ready for sending and receiving chat messages.
Remove the contents of that file and paste in the following code:

'use strict';

var React = require('react-native');
var {
} = React;

var App = React.createClass({
  getInitialState: function() {
    return {
      messages: []
  handleSubmit: function(event) {
    // Does nothing yet.
  render: function() {
    return (
   => {
              return {m}

AppRegistry.registerComponent('App', () => App);

Later we’ll use a websocket to connect to the server
and append incoming messages to the messages state, but
for now the UI is going to look quite empty.

Save the file and push your changes to Siphon:

$ siphon push

The app will reload itself and you should see something like this:

Receiving chat messages with a websocket

We’re going to use the WebSocket class
provided by React Native to send and receive chat messages.

First we will only log incoming messages to the console. Add these two methods to your
App class definition:

componentDidMount: function() {
  console.log('Connecting...'); = new WebSocket('wss://'); = function(event) {
    if ( != 'ping') {
      console.log('Received: ' +;
  }.bind(this); = function() {
    console.log('WebSocket error: ', arguments);
componentWillUnmount: function() {;

After the App component gets rendered, its going to
open up a socket and start printing incoming messages to the console.

Open up a separate terminal window and leave it streaming the logs from your app:

$ cd chat-app
$ siphon logs

Now save the file and switch back to the other terminal window to push the changes:

$ siphon push

You should see some log output in the new terminal window. If there are other Siphon users
currently chatting, you may see some incoming messages in the logs.

We set up a shared Node.js chat server at
When you’ve finished the app, you get to chat to everyone else taking this tutorial too!

Mutating state with incoming chat messages

Let’s make a small change so that incoming chat messages are displayed in the UI.
Replace the definition of componentDidMount with this one:

componentDidMount: function() { = new WebSocket('ws://'); = function(event) {
    if ( != 'ping') {
        messages: [].concat(this.state.messages)
  }.bind(this); = function() {
    console.log('WebSocket error: ', arguments);

Push your changes and run the app in the sandbox:

$ siphon push

Any incoming chat messages will now be displayed visually.

Sending chat messages

Lets hook up the component so that it
broadcasts its contents to the chat server when we hit send.

Replace the empty definition of handleSubmit with this one:

handleSubmit: function(event) {
  console.log('Sending: ' + event.nativeEvent.text);;
  this.refs.textInput.setNativeProps({text: ''});

Now when you hit send, it sends the message across the websocket that we created earlier and then
clears the contents of the .

Push your changes and open the app. It should look like this:

Complete source code for this app is
available on GitHub.

That’s the end of the tutorial, thanks for following along.

Next up

Read the FAQ

Original URL:  

Original article

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: