Admin – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand. Feed last updated Mon, 02 May 2022 03:07:14 +0000.

Our Linux Regrets | LINUX Unplugged 456
https://original.jupiterbroadcasting.net/148442/our-linux-regrets-linux-unplugged-456/
Sun, 01 May 2022 18:30:00 +0000

Show Notes: linuxunplugged.com/456
An Uber Mess | TechSNAP 205
https://original.jupiterbroadcasting.net/78707/an-uber-mess-techsnap-205/
Thu, 12 Mar 2015 08:59:29 +0000
Using encryption is a good thing, but it’s just the start, and we’ll explain why. Plus how one developer totally owned the Uber app.

Then it’s a great batch of your questions & our answers!

— Show Notes: —

OPSEC (Operational Security) for Activists and Journalists

  • Using encryption is a good thing, but if you need to hide from advanced adversaries, such as the foreign governments you are protecting against or reporting on, you need more than encryption alone to make sure you don’t get “disappeared”.
  • The FBI has identified people even when they were using Tor.
  • “The only protection against communication systems is to avoid their use.” —Cryptome, Communications Privacy Folly, June 13, 2012
  • Anti-forensics is all about reducing both the quantity and quality of information that adversaries acquire. In other words, if spies succeed in breaching your computer, give them as little useful information as possible. One way to achieve this is through compartmentalization, a technique honed to a fine edge by intelligence outfits like the KGB.
  • Especially important secret government messages are still passed by courier; even the government doesn’t trust crypto 100%.
  • “Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.”
  • “Carrying additional mobile devices (e.g. Surface tablet, second cell phone) creates the risk that the peripheral hardware may undermine anonymity through correlation. Finally, pay for items using cash when operational. Credit card transactions are like a big red flag.”
  • “If spies somehow capture a secure cell phone and are able to siphon data off of it, one potential countermeasure is to flood the device with false information. Skillful application of this technique can lead spies on a goose chase. When Edward Snowden was fleeing Hong Kong he intentionally bought a plane ticket to India with his own credit card in an effort to throw pursuers off his track.”
  • “In summary, expect security tools to fail, compartmentalize to contain damage and apply the Grugq’s core tenets of anti-forensics. Don’t put blind faith in technology. Focus your resources on maintaining rigorous procedures. When things get dicey it’ll be your training and preparation that keep you secure.”

How I accessed employee settings on the Uber app

  • While debugging an upcoming app, Nathan Mock, an iOS engineer, “accidentally” got a closer glimpse into Uber’s iOS app internals.
  • He used Charles, a proxy that lets you monitor and analyze traffic between a client and the internet. By trusting the proxy’s self-signed certificate on the device, you can view HTTPS requests in plain text. With the requests flowing in, he noticed a request made every 5 seconds.
  • One request of particular interest is used by Uber to receive and communicate rider location, driver availability, application configuration settings and more to devices.
  • Upon inspecting the response, he discovered the key isAdmin, which was set to false for his account. Charles allows you to define rewrite rules, so he rewrote the response, changing the value of isAdmin to true, curious to see the effect it would have on the app. He perused the app with the new value applied and, lo and behold, stumbled upon the Employee Settings screen from the About screen.
  • Uber’s app is extremely dynamic. Its client architecture lets them customize the app’s UI for certain geographical areas, riders, and even individual devices, allowing them to do things such as deliver kittens, deliver food, offer rides on helicopters, and of course change prices, all without re-submitting the binary to the app store for approval. This is common practice for many client-server applications: a neat way to target certain features to a limited subset of users without the burden and time constraints of submitting an app for review.
  • If a malicious developer wanted to get a forbidden feature past the review team, they could hide it behind a “switch”, turning it off during the review process and enabling it only after approval, all server side. If Apple’s purpose is to control the feature set of apps that get into the store, that control can be bypassed through this type of client-server configuration architecture. Apple certainly has the power to take an app down once it discovers this, but until then the feature is out in the wild.
  • As you can see, your traffic is not 100% safe: anyone who controls the device can inspect your requests and responses (even with HTTPS), so it’s a good idea to always practise defensive programming and enforce authorization on the server rather than trusting a flag sent to the client. A malicious third party could use this flaw to exploit the app in unforeseen ways. Even though Uber used HTTPS, HTTPS alone cannot stop the device’s owner from reading and rewriting responses, which is how screens meant only for employees became reachable.
  • Uber recently suffered a data breach that leaked information about 50,000 drivers.
  • The breach apparently occurred on May 13, 2014, was not discovered until September 17, 2014, and was not announced until February 27, 2015.
  • “Uber says it will offer a free one-year membership of Experian’s ProtectMyID Alert.”
  • It turns out Uber may have accidentally stored sensitive database keys on a public GitHub page, and is suing GitHub to get the IP addresses of those who accessed the information.

Feedback:


Round Up:


Ops vs Dev | CR 84
https://original.jupiterbroadcasting.net/49437/ops-vs-dev-cr-84/
Mon, 13 Jan 2014 11:54:29 +0000
The classic battle flares up this week, and the guys discuss how an over-controlling sysadmin can slow down an important project, and why that problem seems to be so much worse in business.

Plus the market is still hot for Java, but don’t discount Python or C#; making a big career change; and the standard for replacing your own in-house tools.

— Show Notes: —

Feedback

Handy Tool:
