on my Samsung S4 I have flashed and have been trialling RR Remix Lollipop 5.0.2 ROM

so far all good ....  

I have read that sending and receiving MMS is an issue in many instances, as posted before about "Stagefright" I now use TEXTRA messaging app 
so I do not see these issues by others
IMO I expect that it must be related to their default messaging app

RR Rom has some reported issues with battery life but on mine all is as good as stock (ohh and is a new battery)
my only and big BUG is that Xposed famework was not supported on sdk21 even with xposed v73 I could only get Xprivacy up and nothing else 
until I found xposed v74 on XDA which is now xposed-v79

a word from the wise... BACKUP BACKUP BACKUP!!

I perform all of my backups and flash new zips with TWRP 
I store backups on both external SD and FREE LIFETIME 50GB Mega Cloud Storage

January Android Security Patch For Android 6.0.1 Marshmallow Now Live, Factory Images Also Available




which is great if you  have a new Android from Santa but what about the average Joe??? hmmm
 
ok so my quick fix cost me about $3 (was free but when Stagefright made an entrance the once free .apk
dev said that the new cost was to aid in software further development which had been free for many years or was it
to simply cash-in.... anyways) I moved to Textra which is available from Playstore and is highly customisable for my go to SMS/MMS default Android messaging App

... WHY?? because it ALREADY has 'StageFright' protection built in from versions 3.1 on up to current release..

Apex Text to Speech

Quote:

Apex Text to Speech converter software can converting text contents from MS-Word, MS-Excel, PDF, eBook, HTML, Web Pages, Text file, etc into natural human voice in audio format. Just select any text phrase or paragraph from any source to listen audio by using start clipboard monitoring option. You can hear audio file anytime anywhere with MP3 player, audio player, iPod or any media player. You can listen and save any text content like news, article, blogs, RSS feed, stories, songs in Wav audio format without straining your eyes.

10 License

https://davescomputertips.com/dct-giveaw...lution-12/

Vibosoft Android SMS+Contacts Recovery 2.1.4.58

Quote:

Vibosoft Android SMS+Contacts Recovery lets you recover SMS and contact information from your Android device, featuring the ability to scan SIM cards and internal memory. With Vibosoft Android SMS+Contacts Recovery, you’ll be able to easily restore this critical information without damaging them.

- Directly detect and scan SIM card and phone's internal memory.
- Effectively retrieve lost text messages and contacts for all sorts of reasons.
- Preview SMS & contacts and restore them selectively.
- Apply to all Android phone brands, such as Samsung, HTC, LG, Motorola, etc.

Privacy Eraser Pro 4.7.2

Quote:

Privacy Eraser is an all-in-one privacy suite that protects your privacy by cleaning up all your Internet history and past computer activities. It supports popular web browsers, such as Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera.

With simply one click, Privacy Eraser can quickly erase Internet cache, cookies, browsing history, address bar history, typed URLs, autocomplete form history, saved passwords and index.dat files of your browser, Windows' run history, search history, open/save history, recent documents, temporary files, recycle bin, clipboard, taskbar jump lists, DNS cache, log files, memory dumps, error reportings and much more.

Quote:How to participate in the Giveaway?

Enter the giveaway from KeyCDN by Like, Tweet, Comment and spread the word. The more entries you get, the higher your chances are to win! Win 1 of 3, 1TB KeyCDN accounts to speed up your WordPress website.

Giveaway page:

http://www.comss.info/page.php?al=Advanc...Care_Pro_9

Quote:To receive a free license Advanced SystemCare Pro 9, follow these steps:

1. Download SystemCare 9.0.3 Advanced (37.8 MB Download now) and install it on your computer.
Supported OS: Windows 10 / 8.1 / 8/7 / Vista / XP (32/64-bit)
CAUTION: When installing the software offers additional components of Adware-not related to the core functionality - Remove extra tick or set Unchecky automatic locking promotional offers.

2. Activate the Pro-version in the menu "Enter a code", using the following license code:
05DBF-ACC7F-A2439-B1B84

Terms of action
- It is 1 user license for home use.
- The license is valid until 28 June 2016.
- You get free upgrades during the license period.
- No free technical support.
- The program can be set and reset the re-registration.

http://www.comss.info/page.php?al=AVGInt...y20131year

Quote:Free license AVG Internet Security 2016 1 year
The offer is valid if you install the anti-virus for the first time.
To receive a free license AVG Internet Security 2016 1 year, follow these steps:
1. download AVG Internet Security 2016 - 211 MB / 231 MB (x64).
Supported OS: Windows 10 / 8.1 / 8/7 / Vista / XP 32 | 64-bit
2. Run the setup and paste the license code in the "Enter License Number":
IBY9X-ESYXT-W4BZQ-QI4WX-A9LI7-INRS3

Giveaway page: http://www.comss.info/page.php?al=IObit_...older_free

expire 10-01-2016

To receive a free license IObit Protected Folder, follow these steps:

1.   download IObit protected folder  (3.0 MB ) and install it on your computer.

Runs on windows 10, windows 8.1, Windows 8, Windows 7, Vista and XP (32-bit and 64-bit)

To enable the Russian language, go to Options> User Interface. For Current Language list, select the "Russian".

2. Activate using the license code:

F3625-4F693-68196-66BB9

Quote:What's Best?

Which antivirus should you choose? You have a wealth of options. Kaspersky Anti-Virus (2016) and Bitdefender Antivirus Plus 2016 invariably rate at the top in independent lab tests. A single subscription for McAfee AntiVirus Plus (2016) lets you install protection on all of your Windows, Android, Mac OS, and iOS devices. And its unusual behavior-based detection technology means Webroot SecureAnywhere Antivirus (2015) is the tiniest antivirus around. (Yes, 2015. We'll test the next version as soon as it's ready.) We've named these four Editors' Choice for commercial antivirus, but they're not the only products worth consideration. Read the reviews of our top-rated products, and then make your own decision.

Annual Payment Plan

Use this coupon code during purchase: 
Coupon code: ED6-G6P-A6Y

Can be used on up to 5 devices (PC, Laptop, Smartphone etc.) ,all servers and countries included.

Price originally: 109.99$
Now: 69.99$

Now for only 19.99$

https://www.software-of-the-month.com/?p...iate=27037

Coupon code: 7LJ-538-TSP
Can be used on 1 device (PC, Laptop, Smartphone etc.) ,all servers and countries included.
69.99$  NOW: 34.99$   FOR 1 YEAR

Use the coupon code to get the discount

http://technopro360.com/advanced-systemc...isans.html

Researchers showed authentication and impersonation attacks against protocols that still support MD5 in some of their components

The old and insecure MD5 hashing function hasn't been used to sign SSL/TLS server certificates in many years, but continues to be used in other parts of encrypted communications protocols, including TLS, therefore weakening their security.

Researchers from the INRIA institute in France have devised several attacks which prove that the continued support for MD5 in cryptographic protocols is much more dangerous than previously believed.
They showed that man-in-the-middle attackers can impersonate clients to servers that use TLS client authentication and still support MD5 hashing for handshake transcripts. Intercepting and forwarding credentials through protocols that use a TLS channel binding mechanism is also possible.
The same will apply in the future to the SHA-1 hashing function which is currently being phased out from digital certificate signing.
Their attacks are dubbed SLOTH, which stands for Security Losses from Obsolete and Truncated Transcript Hashes, but is also a comment on the overly slow pace of phasing out legacy and insecure algorithms like MD5 from protocols.

MD5 dates back to 1992 and is used for hashing -- the process of taking an input and generating a unique cryptographic representation of it that can serve as an identifying signature. Unlike encryption, which is reversible, hashing is supposed to only work one way. It's built on the premise that no two inputs should result in the same hash, or signature.
If the algorithm allows two inputs to match the same hash, then it is vulnerable to a so-called collision attack. This means that an attacker can take a legitimate file, like a certificate, modify it, and still present it as valid because it has the same hash as the original.
MD5 signatures have been known to be insecure and vulnerable to practical collisions since at least 2005 and their use for signing SSL/TLS server certificates has been phased out. However, support for the algorithm was kept in other parts of the protocol where its use was still considered safe due to other factors.

Most of the encrypted Web is based on server authentication, where the client verifies the server's certificate to make sure that it's talking to the right website and not a rogue one served by an attacker who can intercept and modify network traffic. But there are also implementations of TLS client authentication, where the server verifies the client's certificate, such as with certain banking applications or virtual private networks.

During client authentication, the client signs a hash of the connection handshake transcript with its own certificate. In the case of TLS up to version 1.1 the transcript hash was generated using a combination of MD5 and SHA1, but starting in TLS 1.2 the client and server can negotiate the hashing algorithm based on what they support.

TLS 1.2 allows stronger hash functions like SHA-256 and SHA-512, but also supports MD5. So, if a man-in-the-middle attacker can trick the client to authenticate with a server under his control, he can then impersonate that client to the real server by negotiating MD5 hashing and using what the INRIA researchers call a transcript collision attack.

"We find that the TLS libraries in Java (SunJSSE) and on Akamai Servers support RSA-MD5 signatures for both client and server authentication," the INRIA researchers said in a blog post that explains their findings. "Even implementations that do not advertise support for RSA-MD5, such as NSS (before version 3.21), BouncyCastle (Java before version 1.54, C# before version 1.8,1), PolarSSL/mbedTLS (before 2.2.1), GnuTLS (before version 3.3.15), and OpenSSL (before version 1.0.1f) surprisingly accept RSA-MD5 signatures."

The researchers determined that to find a collision for a client impersonation attack on TLS, the attacker would need to compute 2^39 hashes, which is quite practical and would take several hours on Amazon EC2 instances. In fact, during their proof-of-concept attack, they found the collision is just one hour using a workstation with 48 CPU cores.

Another attack that the researchers demonstrated is credential forwarding. This defeats a mechanism known as tls-unique which binds credentials to the TLS channel used to transmit them. This means that a man-in-the-middle attacker shouldn't be able to capture credentials from a TLS connection and relay them to a legitimate server in order to authenticate, because that would open a different TLS channel.
 
Channel binding with tls-unique is used in SCRAM, the default authentication protocol for XMPP (Extensible Messaging and Presence Protocol); Token Binding, which is designed to protect HTTP cookies and OAuth tokens; and the FIDO universal authentication framework.

A generic collision that could defeat channel binding would require 2^48 keyed-hash message authentication code (HMAC) computations, the researchers found. In their proof-of-concept attack, they found the collision in 20 days on a workstation with 4 Nvidia Tesla GPUs, but they believe the time can be significantly reduced with parallelization across many more GPUs.

Attacking TLS server authentication, which is what's used in most HTTPS (HTTP Secure) implementations, is also theoretically possible, but fortunately it's much harder than attacking client authentication. That's because the server signature does not cover the whole handshake transcript, at least in TLS 1.2.
That's good news, because according to Internet scans, 30 percent of HTTPS servers are currently willing to send RSA-MD5 server signatures and are theoretically vulnerable. If the attack would have been more practical, it would have been devastating to Web security.
Due to these findings, the editors of TLS version 1.3, which is currently only a draft, have removed all use of MD5 signatures from the protocol. OpenSSL, Mozilla NSS, GnuTLS, BouncyCastle, PolarSSL/mbedTLS already have patched versions available that disable the use of such signatures. Oracle Java clients will be fixed in the next critical patch update.
The researchers have warned that SHA-1, which is also known to be theoretically vulnerable to collisions, could lead to similar problems in the future if it's not removed from TLS 1.2 implementations in a timely manner.
"If practical collision attacks on SHA1 appear, then many constructions in TLS, IKE, and SSH will be breakable," they said. "So, if you can afford to do so, get rid of MD5 and SHA1 in all your protocol configurations."


SOURCE

A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.
The HTTPS Bicycle attack can result in the length of personal and secret data, such as passwords and GPS co-ordinates, being exposed from a packet capture of a user's HTTPS traffic.
The attack – discovered by security researcher Guido Vranken (and summarised below) – refocuses attention on topics such as encryption, authentication, privacy and most specifically password security.
It is usually assumed that HTTP traffic encapsulated in TLS doesn’t reveal the exact sizes of its parts, such as the length of a cookie header, or the payload of a HTTP POST request that may contain variable-length credentials such as passwords. In this paper I show that the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application).
The redundancy of HTTP in practice allows for an iterative resolution of the length of ‘unknowns’ in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied. The attack furthermore exploits the property of stream-oriented cipher suites such as those based on Galois/Counter Mode that the exact size of the plaintext can be known to a man-in-the-middle.
Carl Leonard, principal security analyst at security tools firm Raytheon|Websense, commented: “End users may expect their passwords to remain secret when they interact with a website that uses encryption, but HTTPS Bicycle shows this may not be the case. Knowledge is power to an attacker, and even small pieces of information can lead to a later, more refined attack.”
Determining even the length of a password can narrow down the range of possibilities and therefore make subsequent brute force assaults more effective, continued Leonard: "The undetectable nature of this attack means it's vital that webmasters consider using strong passwords and two-factor authentication to eliminate the single point of failure. End users must ensure their passwords are sufficiently strong, while website operators and web platform developers must ensure they are fully up to date to guarantee all steps are taken to prevent this attack from occurring in the future

SOURCE

Updated It was inevitable. Trend Micro says it has spotted crooks abusing the free Let's Encrypt certificate system to smuggle malware onto computers.
The security biz's fraud bod Joseph Chen noticed the caper on December 21. Folks in Japan visited a website that served up malware over encrypted HTTPS using a Let's Encrypt-issued cert. The site used the Angler Exploit Kit to infect their machines with the software nasty, which is designed to raid their online bank accounts.
The use of encryption shields the malware from network security scanners while in transit, and the certificate helps legitimize the malicious site.
Before installing a Let's Encrypt certificate, the attackers compromised an unnamed web server, created their own subdomain for the server's website, and obtained a free HTTPS certificate for that subdomain.



The crims installed the cert on the compromised server, and then hosted a booby-trapped advert from that subdomain, Chen explained today. The ad also contained anti-antivirus code.
Chen is critical of Let's Encrypt's policy that it's "not a content filter," saying certificate authorities have a role to play in stopping attacks like this – and that it needs to do more than just check certificates against Google's safe-browsing API. He feels there should be mechanisms in place to prevent unauthorized cert registrations for domains and their subdomains.
Let's Encrypt's Josh Aas, executive director of the Internet Security Research Group, told The Register his organization's policy – articulated in this blog post from October 2015 – still stands.
"We think the certificate ecosystem is not the appropriate mechanism to police phishing and malware on the web. Other mechanisms like Safe Browsing, SmartScreen, or in this case the advertising network's internal controls, are both more effective and more appropriate," he told The Register in an email.
"We do check the Google Safe Browsing API for phishing status before issuing certs, but we do not take action after that. It would be impractical and ineffective. We will not be revoking the certificates in question, but it looks like the sites in question have been taken down."
Essentially: secure your own servers, rather than rely on Let's Encrypt to mind the shop for you

source

Allows you to keep your computer up-to-date by downloading the latest patches and security updates.You can use WSUS Offline Update to easily download patches and updates for your Windows and Office without going through the whole procedure on Microsoft's Windows Update website.

Using WSUS Offline Update, you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection.
Using WSUS Offline Update, you can update any computer running Microsoft Windows safely, quickly and without an Internet connection.

What is New:
- Fix: DoUpdate.cmd script contained invalid installation file name for .NET Framework 4.6.1

Homepage:
http://download.wsusoffline.net/

Download:
http://download.wsusoffline.net/wsusoffline1031.zip

 
What is Rufus?
Rufus is a utility that helps format and create bootable USB flash drives, such as USB keys/pendrives, memory sticks, etc.
 
When to be used?
It can be especially useful for cases where:

• you need to create USB installation media from bootable ISOs (Windows, Linux, UEFI, etc.)
  
  
• you need to work on a system that doesn't have an OS installed
  
  
• you need to flash a BIOS or other firmware from DOS
  
  
• you want to run a low-level utility