Don’t Copy That Floppy | TechSNAP 79
Posted on: October 11, 2012

How a Russian spy ring used floppies to pass sensitive information, how Backblaze made it through the great hard drive shortage, and why the US Congress is saying no to Chinese telco manufacturers.
Plus a big batch of your questions, and our answers.
All that and much more, on this week’s TechSNAP!
Show Notes:
- During the hard drive shortage that began a year ago (after the 2011 Thailand floods), Backblaze found itself in a tight spot: to keep offering unlimited storage for $5/month, it needed a steady supply of new drives
- The price of a 3TB internal drive shot up from $129 to $349 overnight
- External drives, however, were priced around $169, at least $100 cheaper than their internal counterparts (mostly because HP, Dell and Apple had bought up most of the supply of internal drives)
- Backblaze fills about 50TB worth of drives per day, so it needs a continuous supply of new drives
- Between November 2011 and February 2012, Backblaze farmed 5.5 petabytes worth of hard drives from retailers, mostly external drives that had to be removed from their enclosures
- The external drives incurred other costs: shucking the drives out of the enclosures, and recycling the leftover shells afterwards
- Many stores had a ‘limit 2 per customer’ rule (I remember this well with my own drive buying), and Backblaze employees used many devious tactics to squeeze more out of each store, including pretending to be a grandmother buying drives for each of her grandchildren for Christmas
- Backblaze employees were banned from a number of Costco and Best Buy stores, or asked to leave empty-handed
- On Christmas Eve, the CEO of Backblaze stopped at a friend’s house to pick up 80 3TB drives the friend had acquired from an online store that forgot to limit the quantity per order. It had taken the FedEx driver more than 30 minutes to unload all of the drives into the apartment. While loading them into his car, the Backblaze CEO reflected that the drives were worth more than the car
- Backblaze still buys external drives when the price is right, i.e. about $30 cheaper than internal drives, to cover the additional cost of preparing them
- ‘Shucked’ drives usually cannot be returned for warranty replacement
- Additional Coverage
- The backblaze storage pod 2.0
- Sub-Lt. Jeffrey Delisle pleaded guilty today to breach of trust and two counts of communicating safeguarded information to a foreign entity
- The maximum sentence for ‘communicating safeguarded information to a foreign entity’ is life in prison
- Delisle was an analyst at HMCS Trinity, an intelligence facility at the naval base in Halifax, Nova Scotia, that tracks vessels entering and leaving Canadian waters via satellites, drones and underwater sensors
- He would search for and copy sensitive material on a secure computer at the base
- He pasted the data into Notepad and saved it to a floppy disk
- The floppy was then carried to an ordinary non-secure computer, where the data was copied onto a USB drive
- At home, he logged into a webmail account and saved the material as a draft email that was never sent
- His Russian handlers had the username and password for the account, logged in themselves and retrieved the stolen intelligence from the drafts folder
- Because the emails were never sent, they never crossed the network as mail traffic, lessening the chance of interception (the classic webmail ‘dead drop’; note that the data left the secure system on removable media, not over the network)
- Delisle walked into the Russian Embassy in Ottawa in 2007 and asked to speak to someone from the GRU (Russian military intelligence), offering to sell the secrets he had access to
- He was paid $3000/month in prepaid credit cards
- The RCMP (Royal Canadian Mounted Police, Canada’s equivalent of the FBI) started investigating him after CBSA (Canada Border Services Agency) officers alerted the military when Delisle returned from a short trip to Brazil with a large amount of cash
- Additional CBC Coverage
- In the spring of 2005, network traffic at the Florida offices of GunnAllen Financial had slowed to a crawl
- The company had outsourced its entire IT department to The Revere Group
- GunnAllen’s acting CIO, a partner at Revere Group, asked the manager of the IT team to investigate
- A senior network engineer had disabled the WatchGuard firewalls and routed all of the broker-dealer’s IP traffic, including trades and VoIP calls, through his home cable modem
- As a result, none of the company’s trades, emails or phone calls were being archived, in violation of Securities and Exchange Commission regulations
- However, this did not appear in the SEC’s final report on its settlement with GunnAllen Financial, which was actually about other breaches of security and policy
- The data routed through the engineer’s home connection included bank routing information, account balances, account numbers, social security numbers, customers’ home addresses and driver’s license numbers
- “He’d purposefully break things, then come in in the morning and be the hero. I ended up key-logging all the servers, and I logged him logging in from home at 2:30 in the morning, logging on to BlackBerry servers and breaking them.”
- Although required by the SEC to keep copies of all emails for 7 years: “There was a point in time for probably two months where no one’s email was logged. I brought it up in a meeting once and was told to shut up [by the acting CIO]”
- In 2008 FINRA (the Financial Industry Regulatory Authority) fined GunnAllen $750,000 for a “trade allocation scheme” conducted by its former head trader, in which profitable stock trades were allocated to his wife’s personal account instead of to the accounts of firm customers
- Employees at The Revere Group were afraid to report issues because other employees had been fired
- A feature of the Facebook mobile app lets you compare your phone’s contact list against Facebook and find people in your phone whom you are not yet connected with on Facebook
- A researcher abused this feature by adding random phone numbers to his phone’s contact list, and was able to learn the mobile numbers of many users despite their privacy settings
- Facebook initially denied that this was an issue when he reported it, claiming that rate limiting and privacy settings prevented the attack
- The researcher posted proof, in the form of hundreds of phone numbers (with digits blanked out to protect the innocent) alongside the corresponding users’ names
- Facebook has since tightened up the rate limiting (which only slows this kind of enumeration; the lookup still answers for numbers the user meant to keep private)
- TheNextWeb has an article on how to protect your phone number on Facebook
- IE8 and IE9 in compatibility mode will sometimes mistakenly render plain text (text/plain) content as HTML
- This means the ‘raw’ view of a pastebin containing JavaScript source, served as text/plain, could be executed by the browser rather than displayed
- A proof of concept is provided for you to test your browser
- The server-side defence is the X-Content-Type-Options: nosniff response header, which IE8 introduced to tell the browser to honour the declared Content-Type instead of guessing
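As an added example (mine, not code from the show or from the linked proof of concept), the following Python shows what a ‘raw’ paste endpoint should send, plus an audit check that flags text responses a sniffing browser could promote to HTML. The header names are real; the sample paste body, the marker list and the 256-byte window (the amount IE’s MIME detection examined) are constructed for the example.

```python
"""Serve a 'raw' paste so a MIME-sniffing browser cannot promote it to HTML.

Two pieces: the response a raw-view endpoint should emit, and an audit check
that flags text responses a sniffing browser could render as markup.
"""
import re

# Markup a sniffer keys on near the start of a text/plain body (constructed list).
_HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|img|a\b|div|table|title|style)",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256  # bytes examined by IE's MIME type detection


def raw_paste_response(paste):
    """Build (status, headers, body) for a raw paste view.

    text/plain is the declared type; nosniff tells IE8+ (and later every
    major browser) to honour that declaration instead of guessing.
    """
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(paste))),
    ]
    return 200, headers, paste


def _header(headers, name):
    """Case-insensitive header lookup; accepts a dict or a list of (name, value)."""
    items = headers.items() if isinstance(headers, dict) else headers
    value = None
    for k, v in items:
        if k.lower() == name.lower():
            value = v  # last occurrence wins, as browsers behave
    return value


def sniffable_as_html(headers, body):
    """True if a sniffing browser could treat this text response as HTML.

    Mirrors the failure in the notes: declared type is text/plain (or absent),
    the nosniff opt-out is missing, and the start of the body looks like markup.
    """
    ctype = (_header(headers, "Content-Type") or "").split(";", 1)[0].strip().lower()
    if ctype not in ("", "text/plain"):
        return False
    if (_header(headers, "X-Content-Type-Options") or "").strip().lower() == "nosniff":
        return False
    return _HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None


if __name__ == "__main__":
    sample = b"<script>alert(document.cookie)</script>\n"  # constructed paste
    print("unprotected raw view sniffable:",
          sniffable_as_html([("Content-Type", "text/plain")], sample))
    _, hdrs, body = raw_paste_response(sample)
    print("hardened raw view sniffable:", sniffable_as_html(hdrs, body))
```

Run the audit over responses captured from your own raw endpoints; anything it flags needs the nosniff header (or a real Content-Type), not a body filter.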
- A draft report by the House Intelligence Committee said Huawei and another Chinese telecom equipment maker, ZTE, “cannot be trusted” to be free of influence from Beijing and could be used to undermine US security
- The report recommends that the Chinese hardware manufacturers be barred from US contracts and acquisitions, due to the security implications of Chinese-controlled devices in sensitive US installations
- The US is set to reject UN ITU proposals for changes to global telecom regulations, citing the danger of increased foreign espionage
- The US fears nations like China and Russia would gain too much control, impose tracking and monitoring, and assert control over content and user information
- The US says that ITU regulations are “not an appropriate or useful venue to address cybersecurity”
- More Info on digi-pass
- Could you provide some insight into GPG keys?
- Packages are signed with the GPG key of the person or group who built them
- Your package manager maintains a keyring of the GPG keys it trusts (by default this is usually just the keys your distro uses to sign its official packages)
- If you install a third-party package signed with a key that is not in that keyring, the package manager warns you
- You must decide whether you trust that third party not to ship an exploit in the package: the signature only proves who signed it, not that the contents are safe
- If you do trust them, add their public key to the keyring and the warning goes away for packages they sign
- It is unsafe to ignore the warning if you do not trust the source of the package, and a warning on what is supposed to be an official distro package is a red flag: either the package was tampered with or it was not built by your distro
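To make the keyring-and-warning model concrete, here is an added example (mine, not from the show) that drives GnuPG from Python. It assumes `gpg` (or `gpg2`) and `gpgconf` from GnuPG 2.1 or later are on PATH, builds throwaway keyrings for a distro, a third-party vendor and the package manager, signs one package with each signing key, and classifies every verification the way a package manager would. The user IDs, package bytes and result labels are constructed for the example.

```python
"""Package-signing trust check driven through GnuPG (assumes gpg/gpgconf 2.1+).

Three throwaway keyrings stand in for the parties in the notes:
  distro - the distribution's official package-signing key
  vendor - a third party shipping its own packages
  pm     - the package manager's trusted keyring, seeded with the distro key only
"""
import os
import shutil
import subprocess
import tempfile

GPG = shutil.which("gpg2") or "gpg"      # prefer a 2.x binary where both exist
ROLES = ("distro", "vendor", "pm")
UIDS = {  # constructed identities for the example
    "distro": "Distro Security <security@distro.example>",
    "vendor": "Third Party <builds@vendor.example>",
}


def gpg(home, *args, data=None):
    """Run gpg against an isolated GNUPGHOME and return the CompletedProcess."""
    cmd = [GPG, "--batch", "--no-tty", "--homedir", home,
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    env = dict(os.environ, LC_ALL="C")  # English diagnostics for verify()
    return subprocess.run(cmd, input=data, capture_output=True, env=env, timeout=120)


def verify(pm_home, sig_path, pkg_path):
    """Classify a detached-signature check the way a package manager would."""
    p = gpg(pm_home, "--verify", sig_path, pkg_path)
    err = p.stderr.decode(errors="replace")
    if p.returncode == 0 and "Good signature" in err:
        return "trusted"        # signed by a key in the trusted keyring
    if "No public key" in err:
        return "unknown-key"    # signer not in the keyring: this is the warning
    if "BAD signature" in err:
        return "tampered"       # contents changed after signing: refuse outright
    return "error"


def run_demo():
    """Sign one package with the distro and vendor keys; verify under the PM keyring."""
    if shutil.which(GPG) is None:
        raise RuntimeError("gpg not found on PATH")
    root = tempfile.mkdtemp(prefix="pkgsig-")
    homes = {role: os.path.join(root, role) for role in ROLES}
    results = {}
    try:
        for home in homes.values():
            os.mkdir(home, 0o700)
        for role, uid in UIDS.items():
            r = gpg(homes[role], "--quick-gen-key", uid, "ed25519", "sign", "never")
            if r.returncode != 0:
                raise RuntimeError(r.stderr.decode(errors="replace"))
        # Default trust: only the distro key is in the package manager's keyring.
        gpg(homes["pm"], "--import",
            data=gpg(homes["distro"], "--export", "--armor", UIDS["distro"]).stdout)

        pkg = os.path.join(root, "tool_1.0.pkg")
        with open(pkg, "wb") as f:
            f.write(b"constructed package payload\n")
        sigs = {}
        for role in ("distro", "vendor"):
            sigs[role] = pkg + "." + role + ".sig"
            gpg(homes[role], "--detach-sign", "--armor", "--output", sigs[role], pkg)

        results["official"] = verify(homes["pm"], sigs["distro"], pkg)
        results["third_party_before_trust"] = verify(homes["pm"], sigs["vendor"], pkg)

        # The admin decides to trust the vendor and adds its key to the keyring.
        gpg(homes["pm"], "--import",
            data=gpg(homes["vendor"], "--export", "--armor", UIDS["vendor"]).stdout)
        results["third_party_after_trust"] = verify(homes["pm"], sigs["vendor"], pkg)

        # A package modified after signing fails even though the signer is trusted.
        with open(pkg, "ab") as f:
            f.write(b"# injected after signing\n")
        results["official_tampered"] = verify(homes["pm"], sigs["distro"], pkg)
    finally:
        for home in homes.values():  # stop the agents gpg started for the signing keys
            try:
                subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                               capture_output=True, timeout=30)
            except OSError:
                pass
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The two outcomes worth internalising are ‘unknown-key’ (the warning from the notes, cleared only by importing the signer’s key) and ‘tampered’ (a trusted signer is no help once the bytes have changed, which is the whole point of checking the signature before installing).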
- Switching to publicly signed SSL?
- Wildcard SSL certificates cover *.domain.com (something.domain.com, otherthing.domain.com)
- This does not include *.something.domain.com (a wildcard matches exactly one label), nor the bare domain.com unless it is listed on the certificate separately
- They cover future subdomains you might create at that level
- There are also ‘UCC’ (Unified Communications) certificates, which list many names in the certificate’s Subject Alternative Name field so that a single certificate covers all of them. Adding or removing a name requires the certificate to be reissued
- UCC certificates are expensive, but are popular for Exchange servers that must cover multiple names
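The wildcard rule above is easy to get wrong when planning a certificate purchase, so here is an added example (mine, not from the show) that implements it: a host name matcher for certificate names, including a UCC-style list of several names, plus a helper that reports which of the hosts you intend to serve a given certificate would leave uncovered. The certificate names and host lists in it are constructed; public-suffix handling (rejecting things like *.co.uk) is noted but not implemented.

```python
"""Which host names does a certificate cover?

Implements the matching rule from the notes: a wildcard stands for exactly one
label, so *.domain.com covers something.domain.com but neither
a.something.domain.com nor the bare domain.com.  A UCC/SAN certificate is
simply a longer list of names, each matched the same way.
"""


def _normalize(name):
    """Lower-case and strip a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def name_matches(cert_name, host):
    """Match one certificate DNS name (CN or SAN entry) against a host name."""
    cert_name, host = _normalize(cert_name), _normalize(host)
    if "*" not in cert_name:
        return cert_name == host
    cert_labels, host_labels = cert_name.split("."), host.split(".")
    # Only the whole leftmost label may be a wildcard, and at least two fixed
    # labels must follow it (rejects "*" and "*.com"; a real client also
    # consults a public-suffix list, which is out of scope here).
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    # The wildcard substitutes exactly one label, never zero or several.
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def cert_covers(cert_names, host):
    """True if any name on the certificate covers host."""
    return any(name_matches(n, host) for n in cert_names)


def uncovered(cert_names, hosts):
    """Hosts you intend to serve that the certificate would NOT cover.

    Useful when planning a wildcard or UCC purchase: anything listed here needs
    its own entry (and, for a UCC, a reissue every time the list changes).
    """
    return [h for h in hosts if not cert_covers(cert_names, h)]


if __name__ == "__main__":
    names = ["domain.com", "*.domain.com"]  # constructed certificate name list
    for h in ("domain.com", "something.domain.com", "a.something.domain.com"):
        print(f"{h:28} covered={cert_covers(names, h)}")
```

Feed `uncovered()` the full list of names your Exchange or web front end answers to (including autodiscover and any second-level subdomains) before ordering; every name it returns is one the wildcard will not save you from listing explicitly.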
- Securing Cookies
- Darwin writes in with a note that, in addition to limiting the length of your password, ‘Microsoft Account’ also prevents you from using some special characters, including ‘space’
- iOS 6 Maps accidentally reveal a secret Taiwanese military base
- ICANN wants the WHOIS database to contain accurate customer data, possibly even including the credit card used to purchase the domain, for 2 years after a domain expires. FTC says yes, EU says no
- RSA executive chairman Art Coviello has drawn strong reactions from privacy advocates for his criticism of privacy advocates
- Cybercriminals offering ‘insurance’ from prosecution, claiming they specialize in bribing or intimidating Russian/Eastern European police
- Spreadsheet Blamed For UK Rail Bid Fiasco
- PGP Creators new project provides industrial-strength encryption for Android and iOS
- Google launches Civic Information API