adobe – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Thu, 16 Jun 2022 07:58:56 +0000

Linux Action News 245 https://original.jupiterbroadcasting.net/148922/linux-action-news-245/ Thu, 16 Jun 2022 02:10:00 +0000 https://original.jupiterbroadcasting.net/?p=148922 Show Notes: linuxactionnews.com/245

The post Linux Action News 245 first appeared on Jupiter Broadcasting.

Death of the Mac | LINUX Unplugged 359 https://original.jupiterbroadcasting.net/141992/death-of-the-mac-linux-unplugged-359/ Tue, 23 Jun 2020 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=141992 Show Notes: linuxunplugged.com/359

The post Death of the Mac | LINUX Unplugged 359 first appeared on Jupiter Broadcasting.

The Premiere Shell | LINUX Unplugged 283 https://original.jupiterbroadcasting.net/128756/the-premiere-shell-linux-unplugged-283/ Wed, 09 Jan 2019 07:17:13 +0000 https://original.jupiterbroadcasting.net/?p=128756 Show Notes/Links: linuxunplugged.com/283

The post The Premiere Shell | LINUX Unplugged 283 first appeared on Jupiter Broadcasting.

Linux Action News 12 https://original.jupiterbroadcasting.net/117046/linux-action-news-12/ Sun, 30 Jul 2017 16:26:44 +0000 https://original.jupiterbroadcasting.net/?p=117046 RSS Feeds: HD Video Feed | MP3 Feed | iTunes Feed Become a supporter on Patreon: Episode Links Ubuntu MATE 17.10 Alpha 2 — We’re not happy, proud, pleased or ambivalent to announce this alpha. No, not us. The is our most “Super” alpha ever and we’re ecstatic to present this fine release for your […]

The post Linux Action News 12 first appeared on Jupiter Broadcasting.

Episode Links
  • Ubuntu MATE 17.10 Alpha 2 — We’re not happy, proud, pleased or ambivalent to announce this alpha. No, not us. This is our most “Super” alpha ever and we’re ecstatic to present this fine release for your distro delectation. Ubuntu MATE 17.10 is brimming with new toys to play with.
  • Uptake of Fedora 26 is really strong — It’s already surpassed F24 and those of you still on F23.
  • Boltron preview — Fedora’s Modularity Working Group (and others) have been working for a while on a Fedora Objective.
  • openSUSE Leap 42.3 — “By avoiding major version updates in the base system as well as the desktops, the upgrade to Leap 42.3 is a rather unadventurous matter,” said Ludwig Nussel, openSUSE Leap release manager.
  • The death of Flash — Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.
  • Some people don’t want it to die — Open sourcing Flash spec would be a good solution to keep Flash projects alive safely for archive reasons.
  • Update on Debian Reproducible Builds Project — At the start of 2015 it was safe to say that Debian was fairly alone in the quest for reproducible builds, and a relevant number of developers were unconvinced by the effort’s goals. Thankfully, this is not true anymore.
  • More on Mozilla’s Project Common Voice — Today’s speech recognition technologies are largely tied up in a few companies that have invested heavily in them.

Wifi Stack Overfloweth | TechSNAP 313 https://original.jupiterbroadcasting.net/113571/wifi-stack-overfloweth-techsnap-313/ Wed, 05 Apr 2017 01:02:34 +0000 https://original.jupiterbroadcasting.net/?p=113571 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: iOS 10.3.1 update prevents: attacker within range may be able to execute arbitrary code on the Wi-Fi chip What is a stack buffer overflow? What […]

The post Wifi Stack Overfloweth | TechSNAP 313 first appeared on Jupiter Broadcasting.

Show Notes:

iOS 10.3.1 update prevents: attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear

  • NOT SO LONG ago, enterprising thieves who wanted to steal the entire contents of an ATM had to blow it up. Today, a more discreet sort of cash-machine burglar can walk away with an ATM’s stash and leave behind only a tell-tale three-inch hole in its front panel.

  • The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.

  • They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules

  • In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM’s own trusted computer.

Let’s Encrypt


Feedback


Round Up:

Dan mentioned these URLs during the podcast:


Finding Nakamoto | TechSNAP 244 https://original.jupiterbroadcasting.net/91366/finding-nakamoto-techsnap-244/ Thu, 10 Dec 2015 19:56:35 +0000 https://original.jupiterbroadcasting.net/?p=91366 Bitcoin’s creator has been found again, we’ll cover what the media thinks they’ve figured out & what we really know. Then, ‘In Patches We Trust: Why Security Updates have to get better’, a great batch of questions, a huge round up & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]

The post Finding Nakamoto | TechSNAP 244 first appeared on Jupiter Broadcasting.

— Show Notes: —

WIRED thinks they found Bitcoin’s Creator Satoshi Nakamoto

  • Since that pseudonymous figure first released bitcoin’s code on January 9th, 2009, Nakamoto’s ingenious digital currency has grown from a nerd novelty to a kind of economic miracle. As it’s been adopted for everything from international money transfers to online narcotrafficking, the total value of all bitcoins has grown to nearly $5 billion.
  • Nakamoto himself, whoever he is, appears to control a stash of bitcoins easily worth a nine-figure fortune (it rose to more than a billion at the cryptocurrency’s peak exchange rate in 2014).
  • In the last weeks, WIRED has obtained the strongest evidence yet of Satoshi Nakamoto’s true identity. The signs point to Craig Steven Wright.
  • Gizmodo thinks it was actually two people
  • A monthlong Gizmodo investigation has uncovered compelling and perplexing new evidence in the search for Satoshi Nakamoto, the pseudonymous creator of Bitcoin.
  • According to a cache of documents provided to Gizmodo which were corroborated in interviews, Craig Steven Wright, an Australian businessman based in Sydney, and Dave Kleiman, an American computer forensics expert who died in 2013, were involved in the development of the digital currency.

  • Wired’s “Evidence”

  • An August 2008 post on Wright’s blog, months before the November 2008 introduction of the bitcoin whitepaper on a cryptography mailing list. It mentions his intention to release a “cryptocurrency paper,” and references “triple entry accounting,” the title of a 2005 paper by financial cryptographer Ian Grigg that outlines several bitcoin-like ideas.

  • A post on the same blog from November, 2008 includes a request that readers who want to get in touch encrypt their messages to him using a PGP public key apparently linked to Satoshi Nakamoto. This key, when checked against the database of the MIT server where it was stored, is associated with the email address satoshin@vistomail.com, an email address very similar to the satoshi@vistomail.com address Nakamoto used to send the whitepaper introducing bitcoin to a cryptography mailing list.
  • An archived copy of a now-deleted blog post from Wright dated January 10, 2009, which reads: “The Beta of Bitcoin is live tomorrow. This is decentralized… We try until it works.” (The post was dated January 10, 2009, a day after Bitcoin’s official launch on January 9th of that year. But if Wright, living in Eastern Australia, posted it after midnight his time on the night of the 9th, that would have still been before bitcoin’s launch at 3pm EST on the 9th.) That post was later replaced with the rather cryptic text “Bitcoin — AKA bloody nosey you be…It does always surprise me how at times the best place to hide [is] right in the open.” Sometime after October of this year, it was deleted entirely.
  • In addition to those three blog posts, they received a cache of leaked emails, transcripts, and accounting forms that corroborate the link.
  • Another clue as to Wright’s bitcoin fortune wasn’t leaked to WIRED but instead remains hosted on the website of the corporate advisory firm McGrathNicol: a liquidation report on one of several companies Wright founded known as Hotwire, an attempt to create a bitcoin-based bank. It shows that the startup was backed in June 2013 by $23 million in bitcoins owned by Wright. That sum would be worth more than $60 million today.

  • Reported bitcoin ‘founder’ Craig Wright’s home raided by Australian police

  • On Wednesday afternoon, police gained entry to a home belonging to Craig Wright, who had hours earlier been identified in investigations by Gizmodo and Wired,

  • People who say they knew Wright have expressed strong doubts about his alleged role, with some saying privately they believe the publications have been the victims of an elaborate hoax.
  • More than 10 police personnel arrived at the house in the Sydney suburb of Gordon at about 1.30pm. Two police staff wearing white gloves could be seen from the street searching the cupboards and surfaces of the garage. At least three more were seen from the front door.
  • The Australian Federal police said in a statement that the raids were not related to the bitcoin claims. “The AFP can confirm it has conducted search warrants to assist the Australian Taxation Office at a residence in Gordon and a business premises in Ryde, Sydney. This matter is unrelated to recent media reporting regarding the digital currency bitcoin.”
  • The documents published by Gizmodo appear to show records of an interview with the Australian Tax Office surrounding his tax affairs in which his bitcoin holdings are discussed at length.
  • During the interview, the person the transcript names as Wright says: “I did my best to try and hide the fact that I’ve been running bitcoin since 2009 but I think it’s getting – most – most – by the end of this half the world is going to bloody know.”
  • Guardian Australia has been unable to independently verify the authenticity of the transcripts published by Gizmodo, or whether the transcript is an accurate reflection of the audio if the interview took place. It is also not clear whether the phrase “running” refers merely to the process of mining bitcoin using a computer.
  • The purported admission in the transcript does not state that Wright is a founder of the currency, but other emails that Gizmodo claim are from Wright suggest further involvement he may have had in the development of bitcoin.
  • The emails published by Gizmodo cannot be verified. Comment has been sought from Sinodinos on whether he was contacted by Wright – or his lawyer – in relation to bitcoin and its regulatory and taxation status in Australia.
  • A third email published by Gizmodo from 2008 attributes to Wright a comment where he said: “I have been working on a new form of electronic money. Bit cash, bit coin …”
  • WikiLeaks on Twitter: “We assess that Craig S Wright is unlikely to be the principal coder behind Bitcoin.” https://t.co/nRnftKPjm9
  • Additional Coverage: Freedom Hacker

In Patches We Trust: Why Security Updates have to get better

  • “How long do you put off restarting your computer, phone, or tablet for the sake of a security update or software patch? All too often, it’s far too long”
  • Why do we delay?
  • I am in the middle of something
  • The update might break something
  • I can’t waste a bunch of time dealing with fixing it if it doesn’t work
  • I hate it when they move buttons around on me
  • Installing the update makes the device unusable for 20+ minutes
  • “Patches are good for you. According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented by applying a security patch”
  • “The problem is that far too many have experienced a case when a patch has gone disastrously wrong. That’s not just a problem for the device owner short term, but it’s a lasting trust issue with software giants and device makers.”
  • We have all seen examples of bad patches
  • “Apple’s iOS 8.0.1 update was meant to fix initial problems with Apple’s new eighth generation mobile operating system, but killed cell service on affected phones — leaving millions stranded until a fix was issued a day later. Google had to patch the so-called Stagefright flaw, which affected every Android device, for a second time after the first fix failed to do the job. Meanwhile, Microsoft has seen more patch recalls in the past two years than in the past decade.”
  • “Microsoft, for example, issued 135 security bulletins this year alone with thousands of separate vulnerabilities patched. All it takes is one or two patches to fail or break something — which has happened — to account for a 1 percent failure rate.”
  • Users get “update fatigue” if, every time they go to use the computer, there is a new update for one or more of: Java, Flash, Chrome, Skype, Windows, etc.
  • Worse, many drivers and other programs now add their own utilities, “update managers” and so on. Lenovo and Dell have both recently had to patch their “update managers” because they actually make your system more vulnerable
  • Having a slew of different programs constantly nagging the user about updating just causes the user to stop updating everything, or to put the updates off for longer and longer
  • “At the heart of any software update is a trust relationship between the user and the company. When things go wrong, it can affect thousands or millions of users. Just ignoring the issue and pulling patches can undermine a user’s trust, which can damage the future patching process.”
  • “Customers don’t always expect vendors to be 100 percent perfect 100 percent of the time, or at least they shouldn’t,” said Childs. “However, if vendors are upfront and honest about the situation and provide actionable guidance, it goes a long way to reestablishing the trust that has been lost over the years.”

New APT group identified, known as Sofacy, or Fancy Bear

  • “Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.”
  • “Back in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.”
  • “In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox. The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.
    While the JHUHUGIT (and more recently, “JKEYSKW”) implant is used in most of the Sofacy attacks, high profile victims are being targeted with another first level implant, representing the latest evolution of their AZZY Trojan.”
  • This shows how APT attackers constantly evolve, and reserve their best exploits for use against high profile targets, using lesser quality exploits on lesser targets, to avoid the better exploits being discovered and mitigated
  • “The first versions of the new AZZY implant appeared in August of this year. During a high profile incident we investigated, our products successfully detected and blocked a “standard” Sofacy “AZZY” sample that was used to target a range of defense contractors.”
  • “Interestingly, the fact that the attack was blocked didn’t appear to stop the Sofacy team. Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor. This was no longer detectable with static signatures by our product. However, it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed.”
  • “This recurring, blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability — instead, they appeared to be downloaded and installed by another malware. This separate malware was installed by an unknown attack as “AppData\Local\Microsoft\Windows\msdeltemp.dll””
  • The attackers have multiple levels of malware, and can cycle through them until something works, then use that to drop a payload that matches the quality of the target they are attacking
  • “In addition to the new AZZY backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without Internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well. The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015.”
  • “This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants. More details on the new USB stealers are available in the section on technical analysis.”
  • “Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day. At the beginning of August, Sofacy began a new wave of attacks, focusing on defense-related targets. As of November 2015, this wave of attacks is ongoing. The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement.”
  • Lateral movement is a more generic term for Island Hopping, moving around inside the network once you get through the outer defenses
  • “Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience. In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.”
  • “As usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies.”

Feedback:


Round Up:


Raspberry Pi Does What? | LINUX Unplugged 121 https://original.jupiterbroadcasting.net/90956/raspberry-pi-does-what-lup-121/ Tue, 01 Dec 2015 19:49:43 +0000 https://original.jupiterbroadcasting.net/?p=90956 A new trick up Fedora’s sleeve might be worth trying on your own Linux install, the new mini-pc revolution is here & the Raspberry Pi Zero brings it for $5. Adobe announces the death of Flash… Kind of. But we’ll share how to finish the job & truly banish flash from your Linux rig. Plus […]

The post Raspberry Pi Does What? | LINUX Unplugged 121 first appeared on Jupiter Broadcasting.


A new trick up Fedora’s sleeve might be worth trying on your own Linux install, the new mini-pc revolution is here & the Raspberry Pi Zero brings it for $5. Adobe announces the death of Flash… Kind of. But we’ll share how to finish the job & truly banish flash from your Linux rig.

Plus open source gaming just got an upgrade, GIMP has some fancy & more!


Show Notes:

Pre-Show:

Follow Up / Catch Up

Warsow 2.0 Released With Better Graphics, CC-Licensed Game Assets

Warsow 2.0 adds a tutorial level to help new gamers, many graphical effects were revamped, weapon parameters were tweaked, new HUDs, and many other changes.

The Warsow 2.0 renderer is reported to be 30~50% faster for overall performance, reduced vRAM footprint for textures, KTX texture format support, support for the GLSL binary cache, multi-threading to speed-up map loading, and many other interesting changes.

GIMP 2.9.2 Released

With 2.9.2, you can already benefit from certain aspects of the new engine, such as:

  • 16/32bit per color channel processing
  • Basic OpenEXR support
  • On-canvas preview for many filters
  • Experimental hardware-accelerated rendering and processing via OpenCL
  • Higher-quality downscaling

Additionally, native support for PNG, TIFF, PSD, and FITS files in GIMP has been upgraded to read and write 16/32bit per color channel data.

F24 System Wide Change: Default Local DNS Resolver – devel-announce – Fedora List Archives

Plain DNS protocol is insecure and therefore vulnerable from various
attacks (e.g. cache poisoning). A client can never be sure that there
is no man-in-the-middle, if it does not do the DNSSEC validation
locally.

We want to have Unbound server installed and running on localhost by
default on Fedora systems.

The Mini PC Roundup

Raspberry Pi Zero: the $5 computer – Raspberry Pi

Today, I’m pleased to be able to announce the immediate availability of Raspberry Pi Zero, made in Wales and priced at just $5. Zero is a full-fledged member of the Raspberry Pi family, featuring:

  • A Broadcom BCM2835 application processor
    • 1GHz ARM11 core (40% faster than Raspberry Pi 1)
  • 512MB of LPDDR2 SDRAM
  • A micro-SD card slot
  • A mini-HDMI socket for 1080p60 video output
  • Micro-USB sockets for data and power
  • An unpopulated 40-pin GPIO header
    • Identical pinout to Model A+/B+/2B
  • An unpopulated composite video header
  • Our smallest ever form factor, at 65mm x 30mm x 5mm

Raspberry Pi Zero runs Raspbian and all your favourite applications, including Scratch, Minecraft and Sonic Pi. It is available today in the UK from our friends at The Pi Hut and Pimoroni, and in the US from Adafruit

Kodi on the $5 Raspberry Pi Zero

Omega – Onion

Omega is an invention platform for the Internet of Things. It comes WiFi-enabled and supports most of the popular languages such as Python and Node.JS. Omega makes hardware prototyping as easy as creating and installing software apps.

Dimensions: 28mm x 42mm
OS: OpenWRT Linux
Processor: 400MHz
RAM: 64MB DDR2
Flash: 16MB
Wireless: 802.11 b/g/n
Ports: 18 GPIO
Language: Python, Node.JS, PHP, Ruby, Lua and more…

Wireless Raspberry Pi speaker | Linux User & Developer – the Linux and FOSS mag for a GNU generation

AirPlay uses Apple technology that was reverse-engineered in 2011, which means that third-party devices can now participate in the fun. AirPlay allows any Apple device to broadcast whatever is coming out of its speakers to an AirPlay receiver (which will be our Pi in this case). There is a way to send audio from PulseAudio to AirPlay receivers

GeekBox | by geekbuying the Pioneering Versatile Open Source TV Box

The RK3368 is an Octa Core 64bit, ARM Cortex-A53 processor with PowerVR G6110 graphics chip, 28nm processing design, Support OPENGL ES 3.1. RK3368 with super video capabilities, 4K×2K, H.265 and HDMI 2.0@60Hz output support.

Adobe kills the ‘Flash’ name after twenty years

Adobe revealed that the Flash product will be called Adobe Animate CC from January’s update of the Creative Cloud suite. There’s no explicit mention of what the browser plug-in will be called, but presumably it will mirror the change of name.

Subscription Lock-in | CR 169 https://original.jupiterbroadcasting.net/87291/subscription-lock-in-cr-169/ Fri, 04 Sep 2015 09:56:45 +0000 https://original.jupiterbroadcasting.net/?p=87291 With Mike’s move to Florida in progress he joins us via phone for a run through of the major JetBrains subscription hoopla, transitioning from a tester to a developer & that big poaching scandal comes to an expensive close! Thanks to: Get Paid to Write for DigitalOcean Direct Download: MP3 Audio | OGG Audio | […]

The post Subscription Lock-in | CR 169 first appeared on Jupiter Broadcasting.


Show Notes:

Hoopla

How I went from a tester to a developer role

Yesterday’s big news, at least for many developers, is that JetBrains – maker of popular tools like IntelliJ and ReSharper – is moving to a software-as-a-service subscription model for their products.

Previously, buying a JetBrains product got you a perpetual license and a year of upgrades. Once the license expired, any software you had received under that license would continue to work, but you would need to buy another license to get further upgrades. It was a simple model that worked just fine for many people, and most customers upgraded every year.

Starting November 2, though, that all stops. After that date, JetBrains will no longer sell these perpetual licenses. Instead, you can rent access to their software on a month-by-month basis.

As of November 2, 2015, we will introduce JetBrains Toolbox—a collection of our popular desktop tools (IDEs, utilities and extensions) available on a monthly or yearly subscription basis. With JetBrains Toolbox, you can pick and choose one or more tools that best suit your current needs, or go for the ‘All products’ plan that comes with special savings. You decide what to put in your Toolbox and for how long.

My indie (personal) IntelliJ purchase was $100/year. Now it’s $120/year (except for the first-year upgrade hook of $10 off) and it now turns off after each year.

Don’t Build a Billion-Dollar Business. Really.

Apple, Google, and other tech giants will pay $415 million in poaching scandal settlement

Feedback

Oracle’s EULAgy #oraclefanfic | TechSNAP 227 https://original.jupiterbroadcasting.net/86507/oracles-eulagy-oraclefanfic-techsnap-227/ Thu, 13 Aug 2015 14:44:17 +0000 https://original.jupiterbroadcasting.net/?p=86507 Oracle really doesn’t want you to reverse engineer their products but they may have just released the Kraken, we’ll explain. A massive drop of 35 fixes in one day, great feedback and follow up, a rockin roundup & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile […]

The post Oracle's EULAgy #oraclefanfic | TechSNAP 227 first appeared on Jupiter Broadcasting.


— Show Notes: —

Oracle doesn’t think you should try to reverse engineer their products

  • “Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle’s code for vulnerabilities because “it’s our job to do that, we are pretty good at it””
  • The blog post has since been taken down
  • Archive.org copy of Oracle Blog post
  • Google Cache of Oracle Blog post
  • “Davidson, who has been at Oracle for more than 25 years, said in the post that reverse engineering violates Oracle’s license agreement and that the company regularly sends letters to customers and consultants who it believes have violated the EULA. She also said that even when researchers try to report a security vulnerability in an Oracle product, the company often takes issue with how the bug was found and won’t credit researchers.”
  • This is where I take the most extreme exception
  • First, I don’t imagine that it is most average Oracle customers who are reverse engineering Oracle software looking for bugs
  • Often, security research companies will look for bugs in major bits of software (be in Flash, Windows, Firefox, Chrome, Java, etc) with the goal of publishing their research once the bugs they find are fixes, in order to build a reputation, to get security consulting customers
  • This system depends on A) Vendors actually accepting and acting upon bug reports, and B) Vendors crediting the people who discover the flaws in the security advisory / patch notes
  • When a researcher is helping you better your software, for free, the least you can do is give them credit where it is due
  • If Oracle doesn’t want to have a bug bounty program, that is their decision, but they cannot expect the entire security community to just pretend Oracle doesn’t exist, and isn’t an attack surface
  • “‘I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time,’ Davidson said in the post.”
  • So at least they are going to fix it, eventually …
  • “However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”
  • But credit? Nope. Oh, and we might decide to try to engage in litigation against you
  • Of course, if you actually read the EULA, Oracle’s software is not warranted for any use what-so-ever. The EULA basically spells out that using any of the software in production is at your own risk, and you probably shouldn’t do that. Of course, that is what every EULA says.
  • “‘Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers,’ Davidson said in the post.”
  • Of course, Oracle’s Legal department backpedaled, hard:
  • A statement sent by Oracle PR said that the company removed the post because it didn’t fit with the company’s relationship with customers.
  • “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” said Edward Screven, Executive Vice President and Chief Corporate Architect, at Oracle.
  • Twitter reacted quickly
  • A new trend has emerged around the hashtag #OracleFanFic

Why not insider trade on EVERY company?

  • This Bloomberg View article starts with a typical description of how insider trading works, and how people get away with it
  • It then starts to dig into how a group of Ukrainian malactors did it against a huge number of companies, and illegally profited over $100 million.
  • The group broke into the systems of Marketwired, PR Newswire, and Business Wire, and lifted the press releases before they became public
  • Then, rather than acting on this information themselves, which might have been obvious, they sold the information to various different people, in exchange for a flat fee, or a stake in the action
  • They created an entire industry around the information, eventually growing a support infrastructure, and even taking ‘requests’ for releases from specific companies
  • “They ran this like a business. They provided customer support: The hackers allegedly set up servers for their customers to access their information, and “created a video tutorial on how to access and use one of the servers they used to share the Stolen Releases.””
  • “The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies,”
  • “The size and professionalization of the business, though, shouldn’t be confused with sophistication. There are some signs that these guys actually weren’t all that sophisticated. For one thing, the traders seem to have gotten caught in the usual way. “The investigation began when prosecutors in Brooklyn and the FBI received a referral from the SEC about a pattern of suspicious trading by some of the defendants,”
  • “The other place where the hackers may not have been that sophisticated was in the actual hacking. The hackers “gained unauthorized access to press releases on the networks of Marketwired using a series of SQL Injection Attacks.” They gained access to Business Wire after “the login credentials of approximately fifteen Business Wire employees had been ‘bruted.’”
  • The author of the article makes an interesting point: “But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn’t hold the nuclear launch codes. They held press releases — documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security. How important could it be to keep press releases secure? What were the odds that a crack team of criminals would be downloading tens of thousands of press releases before they became public, in order to sell them to further teams of criminals who would trade on them? It just sounds so crazy. You’d have to be paranoid to even think of it. But — allegedly! — it’s exactly what happened.”
  • Additional Coverage – Bloomberg
  • Additional Coverage – Threat Post
  • Justice Department Press Release
  • New Jersey Federal Criminal Complaint
  • Brooklyn Federal Criminal Complaint
  • SEC Press Release
  • SEC Civil Complaint

Adobe issues huge patch that fixes 35 vulnerabilities in Flash and AIR

  • “The vulnerabilities Adobe patched Tuesday include a number of type confusion flaws, use-after-free vulnerabilities, buffer overflows, and memory corruption vulnerabilities. Many of the vulnerabilities can be used to take complete control of vulnerable machines”
  • Make sure your Flash version is 18.0.0.232 or newer
  • The fixed flaws include:
    • 16 use-after-frees
    • 8 memory corruptions
    • 5 type confusions
    • 5 buffer overflow and heap buffer overflow bugs
    • 1 integer overflow flaw
  • “These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).”
  • In an interesting turn of events, “On Monday, researchers from Kaspersky Lab disclosed that attackers behind the Darkhotel APT campaign have been using one of the patched Flash bugs developed by Hacking Team in its attacks”
  • “Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” Kaspersky Lab principal security researcher Kurt Baumgartner said
  • “Note: Beginning August 11, 2015, Adobe will update the version of the ‘Extended Support Release’ from Flash Player 13 to Flash Player 18 for Macintosh and Windows. To stay current with all available security updates, users must install version 18 of the Flash Player Extended Support Release or update to the most recent available version. For full details, please see this blog post”
  • Official Adobe Advisory
  • The advisory issues thanks to a number of researchers and companies that found the vulnerabilities including:
    • Google Project Zero
    • FortiGuard Labs
    • Alibaba Security Research Team
    • Chromium Vulnerability Rewards Program
    • 360 Vulcan Team
  • Additional Coverage

The post Oracle's EULAgy #oraclefanfic | TechSNAP 227 first appeared on Jupiter Broadcasting.

A Bias to Insecurity | TechSNAP 223 https://original.jupiterbroadcasting.net/85347/a-bias-to-insecurity-techsnap-223/ Thu, 16 Jul 2015 15:56:01 +0000 https://original.jupiterbroadcasting.net/?p=85347 The Hacking Team fallout continues with more zero day patches you need to install, a new attack against RC4 might finally kill it & how to save yourself from a DDoS attack. Plus a great batch of your questions, our answers & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: […]


The Hacking Team fallout continues with more zero day patches you need to install, a new attack against RC4 might finally kill it & how to save yourself from a DDoS attack.

Plus a great batch of your questions, our answers & much, much more!


— Show Notes: —

Hacking Team fallout includes more Flash patches


New attack against RC4 cipher might finally kill it

  • RC4 is one of the oldest ciphers still used as part of HTTPS
  • It was often selected for its lower CPU overhead, but as processors got faster and SSL terminators offloaded the work, this became less of a reason to use RC4
  • It looked like RC4 would finally die, but then attacks against SSL/TLS that only affected block ciphers emerged: BEAST, Lucky 13, and POODLE
  • This propelled RC4 back up the priority list
  • RC4 is also the most compatible cipher; older systems that do not support stronger crypto all have RC4
  • RFC 7465, proposed by Microsoft and others, was approved by the IETF and requires that RC4 not be used
  • Researchers have presented a new paper at the USENIX Security conference that details a new attack against RC4
  • RC4 is still widely used for HTTPS and also for some types of WiFi
  • The flaw allows the attacker to steal cookies and other encrypted information in your HTTPS session
  • This might allow the attacker to impersonate you or log in as you on the site, for example posting to your Twitter account or initiating a transfer from your PayPal account.
  • “The research behind the attack will be presented at USENIX Security. Summarized, an attacker can decrypt a cookie within 75 hours. In contrast to previous attacks, this short execution time allows us to perform the attack in practice. When we tested the attack against real devices, it took merely 52 hours to successfully perform the attack”
  • “When the victim visits an unencrypted website, the attacker inserts malicious JavaScript code inside the website. This code will induce the victim to transmit encrypted requests which contain the victim’s web cookie. By monitoring numerous of these encrypted requests, a list of likely cookie values can be recovered. All cookies in this list are tested until the correct one is found.”
  • Attack Method:
    • Step 1: Attacker injects code into the victim’s HTTP stream, causing them to make known requests to a secure site with their cookie
    • Step 2: Attacker captures the encrypted requests going to the site secured with RC4
    • Step 3: Attacker computes likely cookies and tries each one until they successfully guess the correct cookie
    • Step 4: Profit, empty the bank account
  • “To successfully decrypt a 16-character cookie with a success probability of 94%, roughly 9⋅2^27 encryptions of the cookie need to be captured. Since we can make the client transmit 4450 requests per seconds, this amount can be collected in merely 75 hours. If the attacker has some luck, less encryptions need to be captured. In our demonstration 52 hours was enough to execute the attack, at which point 6.2⋅2^27 requests were captured. Generating these requests can even be spread out over time: they do not have to be captured all at once. During the final step of the attack, the captured requests are transformed into a list of 2^23 likely cookie values. All cookies in this list can be tested in less than 7 minutes.”
  • “In the paper we not only present attacks against TLS/HTTPS, but also against WPA-TKIP. Our attack against WPA-TKIP takes only an hour to execute, and allows an attacker to inject and decrypt arbitrary packets.”
  • How does this compare to previous attacks? “The first attack against RC4 as used in TLS was estimated to take more than 2000 hours”
  • Paper: All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS
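
Why capturing many encryptions of the same cookie leaks it: RC4's keystream is not uniform. The following is an added illustration, not code from the show notes or the paper. It measures the oldest and simplest such bias (Mantin and Shamir, 2001: the second keystream byte is 0 about twice as often as it should be), not the specific biases the paper's attack uses, over constructed sessions with random 128-bit keys and a made-up plaintext.

```python
"""Added illustration: a well-known RC4 keystream bias and the plaintext
byte it leaks when the same data is encrypted under many fresh keys."""
import random
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then `length` output bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (encryption == decryption)."""
    ks = rc4_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def second_byte_counts(plaintext: bytes, sessions: int, seed: int = 2015) -> Counter:
    """Encrypt the same plaintext under `sessions` random 128-bit keys and
    count the values seen in the second ciphertext byte."""
    rng = random.Random(seed)  # seeded so the experiment is repeatable
    counts = Counter()
    for _ in range(sessions):
        key = rng.getrandbits(128).to_bytes(16, "big")
        counts[rc4_encrypt(key, plaintext[:2])[1]] += 1
    return counts


def bias_ratio(counts: Counter, byte_value: int, sessions: int) -> float:
    """How often `byte_value` was seen, relative to a uniform 1/256 share."""
    return counts[byte_value] / (sessions / 256)


if __name__ == "__main__":
    SESSIONS = 30000
    secret = b"id=CONSTRUCTED-COOKIE"  # constructed sample plaintext
    counts = second_byte_counts(secret, SESSIONS)
    guess, hits = counts.most_common(1)[0]
    # Keystream byte 2 is 0 too often, so ciphertext byte 2 equals
    # plaintext byte 2 too often: the most frequent value is the plaintext.
    print(f"most frequent 2nd ciphertext byte: {chr(guess)!r} ({hits} hits)")
    print(f"actual 2nd plaintext byte:         {chr(secret[1])!r}")
    print(f"frequency vs uniform: {bias_ratio(counts, secret[1], SESSIONS):.2f}x")
```

No key is recovered here; the leak comes purely from keystream statistics, which is why the fix is removing RC4 from the offered cipher suites, as RFC 7465 requires, rather than rotating keys.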


The post A Bias to Insecurity | TechSNAP 223 first appeared on Jupiter Broadcasting.

Network Is Your Net Worth | WTR 23 https://original.jupiterbroadcasting.net/80907/network-is-your-net-worth-wtr-23/ Wed, 22 Apr 2015 15:35:00 +0000 https://original.jupiterbroadcasting.net/?p=80907 Juliet works as the Director of IT and Creative Services for Hearing Care Solutions. She made her way into the tech field because she likes money! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed Become a […]

The post Network Is Your Net Worth | WTR 23 first appeared on Jupiter Broadcasting.


Juliet works as the Director of IT and Creative Services for Hearing Care Solutions. She made her way into the tech field because she likes money!


Show Notes:

Full transcription of previous episodes can be found below or also at heywtr.tumblr.com

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network interviewing interesting women in technology. Exploring their roles and how they are successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: Angela, today we’re interviewing Juliet Meyers who is a friend of mine, and she works for Hearing Care Solutions as an IT and web manager. She wears a lot of hats, and we get to talk about a whole bunch of that in the show.
ANGELA: And I hear she likes money.
PAIGE: I have heard that.
ANGELA: So, before we get into the show, I want to tell you about how you can support this show. If you like this show, you can go to patreon.com/jupitersignal. That is how you support the whole network. Today represents Tech Talk Today. It is a show that we put on as a thank you for the people that subscribe to our network. By subscribing, you support the shows of the network, not just one in particular. And, as I mentioned, Tech Talk Today is the thank you show. You can also look forward to some interviews because we will be at Linux Fest Northwest this weekend, and it is going to be amazing. We hope to get some interviews and just some good content to talk about in a future show.
PAIGE: Women’s Tech Radio will be there along with most of the other hosts of the Jupiter Broadcasting Network, so come by and say hi if you’re there.
ANGELA: Yep, it’s in Bellingham, Washington.
PAIGE: And we started our interview today by asking Juliet to explain what she’s into in IT now.
JULIET: Hi there. My name is Juliet and I’m really excited to be on the show today. I’m the director of IT and creative services for a hearing aid company, and my role is to support all of our WordPress sites, of which there are multiple, desktop support as well as doing all the Photoshop, managing all the social media. I’m really a jack of all trades for my company, on top of trying to manage my VMware boxes. I really run the gamut between doing more local box stuff as well as some of the server stuff, and as well, of course, running around and chasing people down through the internet for various different tasks, things like that. And, it’s a really varied role and I’ve learned a ton in the last couple of years, so I’m really, really excited to get to talk a little bit about it today.
ANGELA: So, many hats. I think that is a common theme of a lot of our interviews. IT can’t be pegged down to just one particular task. It’s not a button pushing job, that’s for sure. Like, not one single task. Can you elaborate on the social media aspect of what you do?
JULIET: One of the things that I do, I do a lot of the SEO installs for our various different websites, and then I also deal with some of the social media aspect. Social media is something that I have worked with throughout my last four jobs. I was a super early Twitter adopter. I think my Twitter handle is from 2007, my original one. I got to watch social media evolve. I used to be a community manager actually, for a company that went from having one million users to 13 million users.
ANGELA: Wow.
JULIET: Yeah, that was an experience. I’ve got some war stories from that. I used to work for a group called MapMyFitness and so I had the pleasure of watching them grow from an angel invested company all the way through to three rounds of VC funding and they actually got bought out by Under Armour in the last year, after I departed the company, but I really got to see social media as it started to grow. Back when they were just starting the F5 conferences, things like that.
PAIGE: So, do you enjoy your social media role?
JULIET: I do. The demographic that I work for is actually 55 and over, so a lot of the social media that I do presently is more answering questions and kind of directing people to the website. So, you know, we don’t have — we have more of a passive social media presence at the moment than we do an active one, where you might see in a startup or a tech firm.
ANGELA: Now, does that mean that the hearing aid company, I mean obviously mainly is geared towards elderly, but do you offer children’s hearing aids and young adults?
JULIET: We can, mostly we do a lot of Medicare and Medi-Cal, Medicaid.
ANGELA: Oh, okay, sure. Right.
JULIET: So, the majority — we have done children’s aids, but they are the rare exception, not necessarily the rule. But we do have some individuals who come in through Facebook every now and again, but it’s important for SEO and SEM to have those social media links and to push your blog. We get a lot of blog traffic, actually, through a couple of our different sites. So, that’s been really interesting to see. Obviously that’s a big deal in terms of your SEO rating.
ANGELA: Right. You know, interestingly enough, even though elderly is your target demographic, it’s probably their kids helping them –
JULIET: Yep, exactly.
ANGELA: – getting the hearing aids. So, yeah, it’s definitely not all for naught.
PAIGE: That’s interesting, because I was actually going to ask. It’s fascinating to me that you’re even getting questions on social media about stuff.
JULIET: We do. You know, it’s funny, if you talk to — obviously you’ve got kind of the newer end of social media, but the kids now, like the tweens, your early 20s, look at Facebook as the old people network.
ANGELA: Oh my gosh, no way.
JULIET: I kid you not. I kid you not.
PAIGE: No, that’s true.
JULIET: It breaks my heart. I remember when — I mean, obviously you guys do too — when Facebook and Myspace started hitting the scene.
ANGELA: Yeah.
PAIGE: Well, when Facebook first came out you had to have a .edu to even get on.
JULIET: That’s correct.
PAIGE: You had to be in college.
JULIET: Exactly, which is why I didn’t join initially, because I thought that was elitist.
ANGELA: Yeah, exactly. Yeah, I’m like no, Myspace is fine.
JULIET: Right. I had two Myspace profiles, one for my radio persona and then one for me, because I used to work in radio. I used to be cool.
ANGELA: That’s news to me.
JULIET: But, it’s really fascinating to see — because both of my parents are well over 55 and they both have Facebook pages. They both use them to connect with family. So Facebook is not what it once was. I mean, what it is, one in six people on the planet has a Facebook.
ANGELA: Geez.
PAIGE: Yeah.
JULIET: I think I read that statistic somewhere on the internet, which means it has to be true.
PAIGE: Statistics don’t lie.
ANGELA: As long as it was @fact on Twitter I think you’re good.
JULIET: Right.
ANGELA: I believe everything that one says, no.
JULIET: Clearly you should. And I believe everything Reddit tells me, so we’re about even.
ANGELA: Right.
PAIGE: So, you’ve talked some about SEO, and for those in the know, what does SEO mean/stand for?
JULIET: SEO is Search Engine Optimization. You’ll also occasionally read SEM, which is Search Engine Marketing. What that is, is basically trying to kick Google in a way that Google likes to be kicked to put your webpage up at the top.
PAIGE: Okay, and is that a skillset like you went to college for to learn search engine marketing or whatever?
JULIET: No. Yeah, right, no. I’ve been out of college a while. So, my degree is actually in broadcast journalism. My background is in television and radio. I kind of organically — that’s a fun word — fell into this area of tech. My journey kind of started — I left Las Vegas and CBS in 2009 and actually got a job here in Denver working as a quality assurance tester. My background for QA is actually in video games. I worked for Petroglyph Studios for a number of years (inaudible) out of Las Vegas. And I think they have a new game out. They always have a new game out. I don’t recall what it is, but — Grey Goo, I think is the name of it. Anyway, I started doing quality assurance and testing for MapMyFitness in software and I ended up moving into their customer service division, which included all of — there was 12 employees when I started and I think it was around 100 when I departed. So, I ended up in customer service and became their CSR Manager, and that meant I was doing all of the software testing and then doing all of the releases on Facebook, all of that fun stuff on Twitter, and through all of their different marketing channels. So, I kind of learned about SEO and SEM in the field as it was becoming more prevalent around 2010. So, I just got very lucky in that I got to grow up with the position and kind of grow into SEO marketing. It was a huge part of what we did for MapMyFitness, because everything had to be very geotagged. Which is to say, I live in Austin, Texas, and I want to find all of the great runs or cycling routes. And so, everything that we did for that company was very, very built into — we actually had a great development team — everything was very, very stringently built into the code to encourage people to, when they Googled trail Austin, Texas, that’s what would come up. So it’s a marriage of marketing as well as an agile development team, and I mean that more in the actual term of agile, not just the developmental style.
PAIGE: Obviously, you didn’t start in tech, and you’ve kind of wound up in tech. What was that moment like or kind of the transition? Why the transition? What kind of spurred you to get out of radio to move over to do QA?
JULIET: I like money.
PAIGE: I can understand that story.
ANGELA: I like money.
JULIET: Yeah, that’s really the base part of it. I was living in Las Vegas and I worked for NPR for a number of years, and that was absolutely fantastic. It was a great experience, and I did a lot of different things for them, and then decided that I wanted to travel a little bit more. So, I wandered off to Guam for six months. Came back to the United States and just kind of wanted to get back into radio, but I wanted to get back into commercial radio. Commercial and non-profit radio are very, very different, and I wanted to live that lifestyle, but part of the joy and detriment of radio is that it is a lifestyle. You are literally eating, sleeping, and breathing radio. I mean that is — that’s all of it. So, I went back to school, got another set of certifications and got into it. Had a great time, met some really interesting people, did some interesting things, and then decided that I didn’t want to work three jobs to support my radio habit, because the only way you can truly support yourself in radio is if you have the morning show or you are the afternoon drive show and/or have a wealthy spouse. So, I worked four jobs, 70 hours a week to support the radio habit.
ANGELA: Oh my gosh. Wow.
JULIET: Yeah, I loved it though. I mean, it was great. I did it for a number of years, and it was fantastic, but then I kind of was starting to stare down the barrel of my 30s and a buddy of mine said hey we have an opportunity, why don’t you come out to Denver and I said I really would like to stop working like a crazy person.
ANGELA: Okay, so I have a question.
JULIET: Sure.
ANGELA: In my background, I worked for five years at a medical supply company, and I started in the shipping department and worked my way up. Then I moved to purchasing, and then I moved upstairs to customer service, and then I kind of just became the operations manager without the title.
JULIET: Oops.
ANGELA: Oh, it’s fine. It’s because there was an operations manager, but anyway, the point is, I had to learn all about the billing aspects and all the different — have you had to learn that and has that been an adjustment? Do you enjoy it? What is your level of participation?
JULIET: I love my job right now. Every day is different for me. It’s fantastic. I get to — you know, from the little things of why doesn’t my printer work to, oh God, oh God, it’s on fire, why are the servers not responding. Oh God, Oh God, please help. Crisis management is something I’m very accustomed to when you work in radio and there is flooding happening, or you have to suddenly change things, or someone says a naughty word on the air. There are a series of fire drills that go with that. And then I jumped directly from that particular pan right back into the fire, which is to say a startup. And anybody who has worked in a startup knows what that comes with. It is like a four letter word. I still had PTSD from something called the Tour de France. So, crisis management is something that I live for, I’m very comfortable in, and I’m very lucky that the company I work for now is actually run and managed by women. All of our executives — the majority of our executives, excuse me, are women who are exceptionally skilled in their field. They’re visionaries in their field and are absolutely fantastic. So, you know, I’ve been given the opportunity to really learn how to use a VMware machine. Obviously, my background was not necessarily in that. I have an extensive Photoshop background, so I’ve gotten to learn more about CSS. I’ve gotten to really get to know WordPress in a very intimate fashion, because we do a lot of — we are very agile in our website development here. So, we make a large number of changes, and so it’s my job just to never say no. So, I’m sure you guys understand where that goes.
PAIGE: That is the IT magic, right? Never say no.
JULIET: Right. So, my job is to say yes and get it done as (inaudible) and with pizazz and a smile on my face, and I absolutely love the company I work for. I cannot say enough good things about them. They take great care of their team members, and empower their executives and their management to make those decisions that are going to make the company better. We are doing something amazing. We are really helping people get hearing aids, because it’s a bloated market. People can pay up to 3,000 — Three, four, $5,000.00 per hearing aid and we offer them for significantly less, so I get to go home feeling good about what I do.
PAIGE: Yeah, that’s huge is when your job feels like it makes a difference. What is the hardest part for you? You like the crisis. It seems like you like the learning and the job. What are your pain points with IT?
JULIET: I have learned a lot, but there are still some things that I don’t necessarily understand. You know, when something doesn’t work, I use an Asterisk phone system and I don’t program in Asterisk, in fact, I don’t program much in anything, except maybe HTML. I’m a WordPress jockey, I’m not a dev. So, when I run into something where I’m going — my problem is maybe, you look at a problem and you know it’s above your skill level, and it’s that moment of I need to get everything back online and back okay, but I’m not exactly sure how to do that. Fortunately, we have a wonderful offsite IT team that I can call on and say hey guys, this is above my pay grade, so what’s broken. And they’re fantastic. They’ve actually been great tutors and have been very helpful. So, it’s been a really, really good experience. But definitely my challenges are when I come across something where I just have absolutely no idea. I had to teach myself Active Directory. I had to teach myself how to deal with a Microsoft Exchange server. I have several things that run on SQL. While I’ve done a ton of SQL queries, which I hate by the way, if I had to choose one thing to hate, I’m going to go with SQL queries.
PAIGE: That’s not a bad choice.
JULIET: Yeah, I don’t feel like it is. I think my biggest challenge — I don’t — I think if I worked in a different company that had a different management — I think if I had a different management team my experience would be very different. I remember in other companies there’s that jockeying for tech supremacy, or who knows the most things about X, Y, and Z. And I have an incredibly supportive management team. I think probably dealing with the Mac is probably my least favorite. Fortunately, my boss, the COO of the company is fantastic and speaks Mac more fluently than I do.
PAIGE: Yeah, that tech superiority, I’ve definitely run into that. I think one of the biggest problems I had when I was working in IT was the IT culture where what you know is what makes you valuable, so sharing what you know is not necessarily a good move on your part. And so kind of breaking down those walls of, hey let’s make this information open, it’s all online anyway now guys. Like, we have to be a team.
ANGELA: Yeah.
JULIET: Stack Overflow is your friend.
PAIGE: But especially with geek culture, what you know and how smart you are is how valuable you are. Kind of breaking those barriers down is very difficult in some of these older (inaudible) IT departments. So, that’s really cool that you found a space that that’s not the case. Very rare.
JULIET: I’m so protective of my company, because they have been so good to me, but it is rare. And you find that, I think, more in male dominated culture. In some of my previous companies, and I won’t name names, people were retained because of the knowledge that they have, or because they built something that was vital. Even though they had no business being in the company anymore. They were jaded. They were bitter. They were upset.
PAIGE: Yeah.
JULIET: But they were retained because they had a certain skillset or because they had coded something that only they knew how it worked. Because you run into those technical debt issues if you want to try and fix that particular code base.
ANGELA: That’s a great term for it, technical debt.
JULIET: I did not come up with that term. I stole that from someone else. It’s a buzzword.
PAIGE: It’s a perfect duplication of the word though. It is that, you know, you have to pay back this technical debt or you have to deal with some jerk. Your choice.
JULIET: Yep.
PAIGE: And most companies are going to choose the jerk, because it’s cheaper.
JULIET: Yep, it’s so expensive to bring on new people, especially at that level.
PAIGE: It is really fascinating once you dig into HR management at all, is like the most expensive part of people is onboarding. We are very, very expensive to onboard.
ANGELA: Oh yes.
JULIET: Yep.
PAIGE: Your productivity in most companies doesn’t hit its normal until at least six months in.
JULIET: Yep. And it’s a miserable place to be in. I mean, fortunately we’re not bringing any high-end tech people out there, but even my call center representatives or any of that kind of middle management section, it’s a long time before they’re onboard. And we find that here, even though we’re not an overwhelmingly technical company.
PAIGE: You’ve talked a lot about learning a lot of different things on the job. What are your favorite resources?
JULIET: My boss.
PAIGE: Nice.
JULIET: Honest to God, she’s my favorite resource.
PAIGE: So, that one on one kind of mentorship almost, is really super valuable for you?
JULIET: You know, being able to sit down and talk to somebody who — because her background is actually in — she did a ton of QA work. She’s done project management. She’s extremely valuable and she knows the business so, so well. The team here is absolutely the best resource that I have. My peers are fantastic. My bosses are fantastic. That’s really a great resource. But, in terms of tech, if I run into something that I have no idea on or my boss has no idea on, but it’s still my responsibility, and it’s not something I can hand off to our offsite folks, Skype and G Chat to be perfectly frank. I have a huge network of friends who are developers, who are DBAs who I’m still in contact with. And so when I run into something that I just can’t seem to crack, I will absolutely reach out to them. Either they’ll direct me to a blog or they’ll direct me to something that they’ve worked on, or they’ll simply write the SQL query for me.
ANGELA: Yay.
PAIGE: So, you’re living the, your network is your net worth?
JULIET: Yes. And that is true in my personal life as well. My skillset is my Verizon network. I’ve got friends who spent the last few years working in WordPress, and so when I run across something that’s rough like that, really it’s your ability to use Google. How good is your Google-Fu. If you don’t have a network to reach out to, how good is your Google-Fu?
PAIGE: Alright, so one more question on that. How do you get over that fear of asking questions, because I think a lot of people that we talk to kind of have that initial fear. And a lot of people that I talk to who are just getting into software are like, you know, I don’t want to sound dumb, or I don’t want to feel like a burden. What kind of let you have that transition to not feel that way?
JULIET: I spent a lot of time interviewing people. I’m an extrovert, unlike most of my comrades in tech. I know there is a lot of introverts in this field, and it makes sense because you truly geek out about this stuff. Like, I could I could sit here and talk about Google algorithms for hours, but I think it’s — getting over that hurdle for me is understanding that I didn’t start out in this field. I accept that here are, I know nothing John Snow. I — there is a lot of kind of — there’s a lot of sections of this that I know nothing about, and I’m okay with that. But the only way to learn is to ask. And more importantly, most tech folks, if you ask them, they’ll talk ad nauseum (sic) about this stuff. They absolutely love to goob about it. I have a lot of experts in various (inaudible). Like, I’ve got people who work for cloud storage companies who could talk endlessly. I’ve got a buddy who’s an evangelist for Solid Fire, one of the cloud companies out in Boulder, Colorado, because that’s where all the cool tech things are these days, apparently. So, it’s human nature. Folks like to talk about what they do for a living. They like to talk about tech. Really, just asking them, they’re happy to yammer about it.
PAIGE: Yeah, the one thing that I’ve found is that most geeks are introverts, which is always hard to deal with, but they have passions and that’s what makes us geeks. Being passionate about something is why we call it geeking out on something. So, if you can kind of find those people in your network or meet those people at meetups, and find their geeky thing. You’re like, oh that’s the thing I need to know about.
ANGELA: And then they turn extravert, just momentarily.
JULIET: Yeah.
PAIGE: You just pull the string on a little toy that talks and it just goes. Very cool. Actually, I think that’s actually an interesting thing that you brought up is the art of the interview. I think, you know, I got really super into radio and the PRN stuff, and I love the art of the question. I think kind of setting that, as a geek, because I geeked out on it, I feel like I was able to incorporate that skill too. I would also recommend if you’re feeling like you don’t even know how to start a conversation, check out interviewing.
JULIET: Listen to NPR for a few hours, Morning Edition or Fresh Air.
PAIGE: Yeah, totally.
I had one other question as we wrap up.
JULIET: Sure.
PAIGE: What software piece do you spend the most of your day in? What are your tools of the trade for your job?
JULIET: Photoshop I think is at the tippy, tippy top. What is Chrome for $500 Alex. I love Chrome. I love the extensions on that. I’ve got CSS viewer, I cannot live without. I cannot live without that plugin, oh my God.
PAIGE: You’ve got to try Firebug, Juliet, I’m telling you.
JULIET: Oh, if I’m in Firefox and I’m QA’ing, Firebug 100 percent.
PAIGE: Oh, they put Firebug in Chrome now too.
JULIET: Really?
PAIGE: Yeah.
JULIET: Oh, I need that. I need that a lot. I thought I could only use it in Firefox so I have both browsers. So, if I’m doing QA work or something is not working, Firebug is absolutely my go to.
PAIGE: Yeah, awesome dev tools.
JULIET: So good. So good. There’s a couple of other ones that I use. Really, the Adobe suite, because I do a lot of PDF conversions, so InDesign, I spend a lot of time in InDesign. Obviously, WordPress, WordPress, and more WordPress. I can’t live without Dropbox. Microsoft Office, they’ve done some cool stuff with PowerPoint recently. I know it’s really rare to actually give props to Microsoft for anything, but I really do love PowerPoint, as well as Excel. But yeah, I think Photoshop and Chrome are really where I spend the majority of my day. There are so many good resources just (inaudible) as it is. That’s really where I spend a lot of my time. And I can’t live without Spotify, just for the record.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember, you can contact us using our contact form at www.jupiterbroadcasting.com, which is also where you can go to the show’s dropdown and look at all the Women’s Tech Radio episodes that have been released. There you will also find the transcription of the episodes, which you can also find at www.heywtr.tumblr.com.
PAIGE: You can also check us out on iTunes or follow us on Twitter at heywtr. If you have a moment, take the time to leave a review on iTunes and let us know what you think of the show. Thanks for listening.

Transcribed by Carrie Cotter – transcription@cotterville.net.

The post Network Is Your Net Worth | WTR 23 first appeared on Jupiter Broadcasting.

RIP Nexus 5 | Tech Talk Today 144 https://original.jupiterbroadcasting.net/78747/rip-nexus-5-tech-talk-today-144/ Fri, 13 Mar 2015 11:05:28 +0000 https://original.jupiterbroadcasting.net/?p=78747 Some critical security news, then Microsoft expands Cortana, Apple is a little creepy, Google ends sales on the Nexus 5 & much more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed […]

The post RIP Nexus 5 | Tech Talk Today 144 first appeared on Jupiter Broadcasting.


Some critical security news, then Microsoft expands Cortana, Apple is a little creepy, Google ends sales on the Nexus 5 & much more!


Show Notes:

Adobe Flash Update Plugs 11 Security Holes — Krebs on Security

The newest, patched version is 17.0.0.134 for Windows and Mac users. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.134.

Exclusive: Microsoft’s digital assistant to head to Android, Apple devices | Reuters

“This kind of technology, which can read and understand email, will play a central role in the next roll out of Cortana, which we are working on now for the fall time frame,” said Eric Horvitz, managing director of Microsoft Research and a part of the Einstein project, in an interview at the company’s Redmond, Washington, headquarters. Horvitz and Microsoft declined comment on any plan to take Cortana beyond Windows.

Epic Google snafu leaks hidden whois data for 280,000 domains | Ars Technica

The 282,867 domains counted by Cisco Systems’ researchers account for 94 percent of the addresses Google Apps has registered through a partnership with registrar eNom.

Tim Cook offered Steve Jobs his liver, and other revelations from new biography | Cult of Mac

After discovering that he shared a rare blood type with his sick colleague, and undergoing a battery of tests at a hospital “far from the Bay Area, since he didn’t want to be recognized,” Cook offered his liver to Jobs — only for Steve to turn it down.

Google is done selling the Nexus 5 | The Verge

A Google spokesperson told The Verge today that “while some inventory of Nexus 5 still exists (with our retail and carrier partners), our focus is on the Nexus 6 at this time.”

Internet of Problems | TechSNAP 199 https://original.jupiterbroadcasting.net/76517/internet-of-problems-techsnap-199/ Thu, 29 Jan 2015 18:32:54 +0000 https://original.jupiterbroadcasting.net/?p=76517 The internet of dangerous things is arriving but what about taking care of the devices we already have? We’ll discuss! Plus details on critical updates from Adobe, the surprising number of Gas Stations vulnerable to exploitation via the internet, your questions, our answers & much, much more! Thanks to: Get Paid to Write for DigitalOcean […]

The post Internet of Problems | TechSNAP 199 first appeared on Jupiter Broadcasting.


The internet of dangerous things is arriving but what about taking care of the devices we already have? We’ll discuss!

Plus details on critical updates from Adobe, the surprising number of Gas Stations vulnerable to exploitation via the internet, your questions, our answers & much, much more!


— Show Notes: —

Flash Updates


Gas Stations vulnerable to exploitation via the internet

  • “An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” said HD Moore, the chief research officer at security firm Rapid7
  • “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”
  • While doing research, HD Moore found that more than 5000 gas gauge devices are connected to the internet with no authentication. The automated tank gauges generally only have a serial port.
  • “Approximately 5,800 ATGs (Automated Tank Gauge) were found to be exposed to the Internet without a password,” Moore said. “Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country.”
  • Some of the devices have TCP/IP interfaces, and those that do not can be connected to a serial server, a common device in the IT industry, then be connected to the internet. Most serial servers do offer the ability to require a password to access the port, however this feature is often not enabled, and is not very secure
  • “Operators should consider using a VPN [virtual private network] gateway or other dedicated hardware interface to connect their ATGs with their monitoring service,” the researcher said. “Less-secure alternatives include applying source IP address filters or setting a password on each serial port.”
  • Another example of taking devices that were not meant to be put on the internet, and then doing so, without taking into account the security implications. Even with a password and source IP filtering, these devices should not be directly connected to the Internet. That is what VPNs are for
  • Additional Coverage – ITWorld

The internet of dangerous things

  • Krebs talks about the trends in Distributed Denial of Service Attacks
  • Krebs cites data from Arbor Networks, and their subsidiary Prolexic, which Krebs uses to protect his site; the site was under constant attack from various sources throughout December
  • The point needs to be raised that a growing number of these attacks are sourced from ‘Internet of Things’ type devices, small consumer devices with an embedded operating system that receives no updates after it ships
  • The attacks against Sony and Microsoft over Christmas used exploited routers, but a growing number of other devices could be vulnerable, especially in light of things like the new Linux Ghost vulnerability
  • We have seen viruses attacking NAS and other types of storage devices, and I am sure it will not be long before the first attack against set-top boxes like the Boxee and Roku.
  • “As Arbor notes, some of the biggest attacks take advantage of Internet-based hardware — everything from gaming consoles to routers and modems — that ships with networking features that can easily be abused for attacks and that are turned on by default. Perhaps fittingly, the largest attacks that hit my site in the past four months are known as SSDP assaults because they take advantage of the Simple Service Discovery Protocol — a component of the Universal Plug and Play (UPnP) standard that lets networked devices (such as gaming consoles) seamlessly connect with each other.”
  • “Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks.”
  • It has been over a year since these amplification vulnerabilities were patched, but there are still many systems being exploited to perform these attacks
  • “According to the Open Resolver Project, a site that tracks devices which can be abused to help launch attacks online, there are currently more than 28 million Internet-connected devices that attackers can abuse for use in completely anonymous attacks.”
  • “According to Arbor, the top three motivations behind attacks remain nihilism vandalism, online gaming and ideological hacktivism— all of which the company said have been in the top three for the past few years.”
  • While analyzing the data from the dump of the Lizard Stresser database, Krebs found that one of the most popular targets for attack was small personal Minecraft servers
  • Krebs: “Tech pundits and Cassandras of the world like to wring their hands and opine about the coming threat from the so-called “Internet of Things” — the possible security issues introduced by the proliferation of network-aware devices — from fitness trackers to Internet-connected appliances. But from where I sit, the real threat is from The Internet of Things We Already Have That Need Fixing Today.”

Comcast Carries Grudge | Tech Talk Today 72 https://original.jupiterbroadcasting.net/68707/comcast-carries-grudge-tech-talk-today-72/ Wed, 08 Oct 2014 10:39:39 +0000 https://original.jupiterbroadcasting.net/?p=68707 Belkin users go offline all over the world due to a router design flaw, Facebook has a private chat app in the works, Adobe spies on you & Comcast gets a customer fired for complaining about their service. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS […]

The post Comcast Carries Grudge | Tech Talk Today 72 first appeared on Jupiter Broadcasting.


Belkin users go offline all over the world due to a router design flaw, Facebook has a private chat app in the works, Adobe spies on you & Comcast gets a customer fired for complaining about their service.


Show Notes:

Borked Belkin routers leave many unable to get online | Ars Technica

Owners of Belkin routers around the world are finding themselves unable to get online today. Outages appear to be affecting many different models of Belkin router, and they’re hitting customers on any ISP, with Time Warner Cable and Comcast among those affected. ISPs, inundated with support calls by unhappy users, are directing complaints to Belkin’s support line, which appears to have gone into meltdown in response.


The reason for the massive outages is currently unknown. Initial speculation was that Belkin pushed a buggy firmware update overnight, but on a reddit thread about the problem, even users who claim to have disabled automatic updates have found their Internet connectivity disrupted.

Update: Belkin has given us the following statement:

Starting approximately midnight on October 7, Belkin began experiencing an issue with a service configured in certain Belkin router models that causes a failure when it checks for general network connectivity by pinging a site hosted by Belkin.


If your service has not yet been restored, please unplug your router and plug it back in after waiting 1 minute. Wait 5 more minutes and the router should reconnect. If you have any further issues, please contact our support at (800) 223-5546.

Facebook Readies App Allowing Anonymity – NYTimes.com

The company is working on a stand-alone mobile application that allows users to interact inside of it without having to use their real names, according to two people briefed on Facebook’s plans, who spoke on the condition of anonymity because they were not authorized to discuss the project.


The point, according to these people, is to allow Facebook users to use multiple pseudonyms to openly discuss the different things they talk about on the Internet; topics of discussion which they may not be comfortable connecting to their real names.


There are many unknowns as to how the new app will interact, if at all, with Facebook’s main site. It is unclear if the app will allow anonymous photo sharing, or how friend interactions and existing friend connections will work.

Adobe spies on reading habits over unencrypted web because your ‘privacy is important’ • The Register

Adobe confirmed its Digital Editions software insecurely phones home your ebook reading history to Adobe — to thwart piracy.

And the company insisted the secret snooping is covered in its terms and conditions.

Version 4 of the application makes a note of every page read, and when, in the digital tomes it accesses, and then sends that data over the internet unencrypted to Adobe.

Adobe explained that the data it collects is for digital rights management (DRM) mechanisms that may be demanded by publishers to combat piracy, and gave a detailed list of what and why it needs such specific information:

  • User ID: The user ID is collected to authenticate the user.
  • Device ID: The device ID is collected for digital rights management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on.
  • Certified app ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
  • Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
  • Duration for which the book was read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributers charge for 30-days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
  • Percentage of the book read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.

Additionally, the following data is provided by the publisher as part of the actual license and DRM for the ebook:

  • Date of purchase or download
  • Distributor ID and Adobe content server operator URL
  • Metadata of the book provided by publisher (including title, author, publisher list price, ISBN number)

Complain About Comcast, Get Fired From Your Job – Slashdot

When you complain to your cable company, you certainly don’t expect that the cable company will then contact your employer and discuss your complaint. But that’s exactly what happened to one former Comcast customer who says he was fired after the cable company called a partner at his accounting firm. Be careful next time when you exercise your first amendment rights.

  • From the article:

At some point shortly after that call, someone from Comcast contacted a partner at the firm to discuss Conal. This led to an ethics investigation and Conal’s subsequent dismissal from his job; a job where he says he’d only received positive feedback and reviews for his work.

Comcast maintained that Conal used the name of his employer in an attempt to get leverage. Conal insists that he never mentioned his employer by name, but believes that someone in the Comcast Controller’s office looked him up online and figured out where he worked.
When he was fired, Conal’s employer explained that the reason for the dismissal was an e-mail from Comcast that summarized conversations between Conal and Comcast employees.

But Conal has never seen this e-mail in order to say whether it’s accurate and Comcast has thus far refused to release any tapes of the phone calls related to this matter.

ComputerCop Malware | Tech Talk Today 69 https://original.jupiterbroadcasting.net/68077/computercop-malware-tech-talk-today-69/ Thu, 02 Oct 2014 11:07:36 +0000 https://original.jupiterbroadcasting.net/?p=68077 A major Xen flaw forces the “cloud” to reboot, we share the details. ComputerCop malware pitched as saving the children turns out to be major spyware. Plus a big Adobe Linux support rant, the Mac botnet that reads reddit & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent […]

The post ComputerCop Malware | Tech Talk Today 69 first appeared on Jupiter Broadcasting.


A major Xen flaw forces the “cloud” to reboot, we share the details. ComputerCop malware pitched as saving the children turns out to be major spyware.

Plus a big Adobe Linux support rant, the Mac botnet that reads reddit & more!


Show Notes:

Rackspace Joined Amazon in Patching, Rebooting Cloud Servers

About a quarter of Rackspace’s 200,000-plus customers were impacted when the cloud provider had to patch a flaw in the Xen hypervisor.
Rackspace, like cloud competitor Amazon Web Services, was forced to reboot some of its servers after patching them to fix a security flaw in some versions of the XenServer hypervisor.


The cloud provider had to patch an untold number of servers in its global data centers over the weekend and then reboot them, which caused disruption to about a quarter of Rackspace’s more than 200,000 customers, according to President and CEO Taylor Rhodes. The issue was further complicated by a tight deadline—the vulnerability was first discovered early last week, and a patch wasn’t worked out with Xen engineers until late Sept. 26.


AWS started sending out letters to its customers Sept. 24 informing them that there was an issue, but assured them that the problem was not related to the Bash bug that arose last week as a threat to systems running Unix and Linux. Officials instead let them know that the problem was with the Xen hypervisor, and that a patch was being worked on.

The bug, introduced in versions of Xen after version 4.1, is in HVM code that emulates Intel’s x2APIC interrupt controller. While the emulator restricts the ability of a virtual machine to write to memory reserved specifically for its own emulated controller, a program running within a virtual machine could use the x2APIC interface to read information stored outside of that space. If someone were to provision an inadvertently buggy or intentionally malicious virtual machine on a server using HVM, Beulich found that VM could use the interface to look at the physical memory on the physical machine hosting the VM reserved for other virtual machines or for the virtualization server software itself. In other words, an “evil” virtual machine could essentially read over the shoulder of other virtual machines running on the same server, bypassing security.

EFF: Security software distributed by cops is actually spyware in disguise

Various schools, libraries and ordinary American families might have been using a “security” software called ComputerCOP for years. After all, they probably got their copy from cops, attorney’s offices or other branches of law enforcement, which tout it as a way to protect children online.


One of the main features of ComputerCop is a keylogger called KeyAlert. Keyloggers record all keystrokes made on a computer keyboard, including credit card information and username and password combinations. KeyAlert’s logs are stored unencrypted on Windows computers, and on Macs they can be decrypted with the software’s default password. The software can also be configured so that trigger words email an alert to the computer’s owner.


KeyAlert must be installed separately from the rest of the ComputerCop software, but not all versions of ComputerCop have been distributed with it. There’s no way to configure KeyAlert for a particular user, so it’s possible to use it against anybody using the computer — not just kids.


“When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the email,” the EFF report said.


According to the foundation, law enforcement agencies typically buy between 1,000 and 5,000 copies of ComputerCOP for a few dollars per piece — and yes, they use taxpayer dollars for the purchase. Within the past two years for instance, several Attorney’s Offices, including San Diego’s, bought 5,000 pieces for 25 grand.

Adobe Pulls Linux PDF Reader Downloads From Website – OMG! Ubuntu!

As flagged by a Reddit user who visited the Adobe site to grab the app, Linux builds are no longer listed alongside other ‘supported’ operating systems.

Adobe is no stranger to giving penguins the brush off. The company stopped releasing official builds of Flash for Linux in 2012 (leaving it to Google to tend to), and excluded Tux-loving users from its cross-platform application runtime “Air” the year before.

All is not lost. While the links are no longer offered through the website the Debian installer remains accessible from the Adobe FTP server.

China pre-orders 2 million iPhone 6 handsets in just 6 hours

The iPhone 6 and 6 Plus were delayed in China as the result of trouble for Apple securing the necessary regulatory approvals from the country’s Ministry of Industry and Information Technology. In its absence, rival company Samsung rushed to release their new flagship handset in the country.

Despite China’s absence, however, Apple’s eagerly-anticipated handsets sold 10 million+ units in their opening weekend alone.


According to new reports coming out of China, both retailers and carriers have taken in a massive 2 million reservations just six hours after putting the iPhone 6 and 6 Plus on earlier-than-expected pre-order.

New Mac botnet malware uses Reddit to find out what servers to connect to

Mac users should beware of some new malware spreading, that tries to connect infected machines with a botnet for future exploitation. As detected by Dr Web, the malicious worm (dubbed Mac.BackDoor.iWorm) first checks whether any interfering applications are installed on the Mac.

If it is clear, it calls out to Reddit posts to find the IP addresses of possible servers to call back to. Although these posts have been deleted, it’s not hard for the people behind the exploit to repost them at a later time. Once connected to the botnet, the infected Mac can be literally instructed to perform almost any task the hackers want, such as redirect browsing traffic to potentially steal account credentials for instance.

Dr.Web estimates over 15,000 distinct IP addresses have been connected to the botnet already. Although 15,000 IPs does not directly translate into 15,000 separate infected users, it is indicative of a rather large base for a Mac worm.

eBay Auctions Paypal | Tech Talk Today 67 https://original.jupiterbroadcasting.net/67872/ebay-auctions-paypal-tech-talk-today-67/ Tue, 30 Sep 2014 09:44:24 +0000 https://original.jupiterbroadcasting.net/?p=67872 eBay and PayPal split & we speculate what the big picture might look like going forward. Adobe brings Photoshop to Chromebooks, Phoneblocks gets closer to reality & we bring the Kickstarters of the week in front of the judge. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube […]

The post eBay Auctions Paypal | Tech Talk Today 67 first appeared on Jupiter Broadcasting.


eBay and PayPal split & we speculate what the big picture might look like going forward. Adobe brings Photoshop to Chromebooks, Phoneblocks gets closer to reality & we bring the Kickstarters of the week in front of the judge.


Show Notes:

eBay and PayPal are splitting up | The Verge

Citing a “rapidly changing global commerce and payments landscape,” eBay has just announced plans to separate its business into two distinct and independent companies: eBay and PayPal. Spinning off PayPal is seen as a way to refocus both companies on the “enormous opportunities” before them and to ensure that they move to grasp them as quickly as possible. Current eBay Marketplaces chief Devin Wenig will become the new eBay Inc. CEO when the restructuring is completed in the latter half of next year, while American Express executive Dan Schulman has been recruited to helm the new PayPal. He joins today as president and CEO-designee.

The separation of eBay, whose focus is facilitating online commerce, and PayPal, who wants to be seen as the leader in online payments, is something that activist investor Carl Icahn has been pushing for both publicly and behind the scenes.

Adobe brings Creative Cloud to Chromebooks starting w/ ‘Project Photoshop Streaming’ beta | 9to5Google

Google announced a new partnership with Adobe today that will see the companies bring Adobe’s suite of popular Creative Cloud apps to Chromebooks. Initially, Adobe will launch just the Photoshop app as a beta and make it available to only its education customers.

Project Photoshop Streaming is identical to the Photoshop you’d install locally with a few notable exceptions. This build can be accessed from any Chrome browser (Windows only) or Chromebook and does not require a full download and install. In other words, this is the same build of Photoshop you’d typically download and install from Creative Cloud, however, instead of being installed on your local machine, it is running in a virtualized environment so can be accessed from any Chrome browser or Chromebook. Because this version of Photoshop is running in a virtualized environment, you open, save, export and recover files from/to your Google Drive rather than your local file share. Also, this Beta version of the virtualized environment does not have support for GPU; consequently, GPU-dependent features are not yet available (coming soon). This build also does not yet support print.

PHONEBLOKS.COM • PROJECT ARA NEWS

The first fully functional prototype will be shown at the second Ara developer conference, in December.

Project Ara will use a modified version of Android L, developed in collaboration with Linaro. Thanks to this version, the modules, except the CPU and the display, will be hot swappable. This means you can change them without turning the phone off. The modules will be available on a new online store, like Play store.

Ello | wtf

Ello is a simple, beautiful, and ad-free social network created by a small group of artists and designers.

We originally built Ello as a private social network. Over time, so many people wanted to join Ello that we built a public version of Ello for everyone to use.

Kickstarter of the week: iScent – Smell Your Ringtone by Qblinks — Kickstarter

iScent is a Bluetooth 4.0 atomizer which works with your phone, allowing you to use a custom scented mist as your ringtone or music.

BONUS ROUND: HAVEN: The Stronger Smarter Home Lock by Haven Smart Lock — Kickstarter

Deadbolts have gone digital, but this hasn’t made them more secure. Inspired by a break-in, HAVEN is a stronger, smarter home lock.

The post eBay Auctions Paypal | Tech Talk Today 67 first appeared on Jupiter Broadcasting.

]]>
E3 Pre-Show | Tech Talk Today 5 https://original.jupiterbroadcasting.net/59502/e3-pre-show-tech-talk-today-5/ Mon, 09 Jun 2014 10:01:37 +0000 https://original.jupiterbroadcasting.net/?p=59502 Microsoft’s big announcement is moments away, and we round up the expectations and potential surprises from the event. Plus Popcorn time gives users a built in VPN, Crypto ransomware for Android and more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG […]

The post E3 Pre-Show | Tech Talk Today 5 first appeared on Jupiter Broadcasting.

]]>


Microsoft’s big announcement is moments away, and we round up the expectations and potential surprises from the event. Plus Popcorn time gives users a built in VPN, Crypto ransomware for Android and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:

Show Notes:

Headlines

How to Watch Microsoft’s E3 Show Live, and What to Expect

Microsoft’s E3 event is its biggest opportunity to distinguish the Xbox One from the PlayStation 4 and help close the gap on Sony’s sales lead. Still, with a newly-appointed CEO and Phil Spencer now heading the company’s Xbox division, there’s no telling what Microsoft has in store

‘Popcorn Time’ Gives Users Anonymity With a Free Built-In VPN

One of the Popcorn Time forks has included a free VPN option in its software, allowing users to hide their IP-addresses from the public. This feature is a response to copyright trolls, who regularly send settlement requests to users who pirate movies via BitTorrent.

“WARNING Your phone is locked!” Crypto ransomware makes its debut on Android

Security researchers have documented another first in the annals of Android malware: a trojan that encrypts photos, videos, and documents stored on a device and demands a ransom for them to be restored.

Google Chrome overtakes Microsoft’s Internet Explorer as most-used US web browser

A report released by Adobe Digital Index (ADI) analyzing the market share of web browsers has shown Google’s freeware is up 6 percent year-over-year, trouncing Internet Explorer – once a lone internet leader – which is sitting at 30.9 percent.

Support Tech Talk Today creating DAILY PODCASTS

Feedback:

Unfilter Shirt: Unfilter Episode 100 Shirt! | Teespring

Hosts:

Guest:

Chris:

The post E3 Pre-Show | Tech Talk Today 5 first appeared on Jupiter Broadcasting.

]]>
Attachments of Mass Destruction | TechSNAP 163 https://original.jupiterbroadcasting.net/58047/attachments-of-mass-destruction-techsnap-163/ Thu, 22 May 2014 17:40:32 +0000 https://original.jupiterbroadcasting.net/?p=58047 Microsoft and Adobe have a boatload of emergency fixes, the Replicant project finds a nasty backdoor in popular Android devices & the exploit that weaponizes your webcam that’s one attachment away. Plus a great big batch of your questions, and our answers. All that and much, much more! Thanks to: Direct Download: HD Video | […]

The post Attachments of Mass Destruction | TechSNAP 163 first appeared on Jupiter Broadcasting.

]]>

Microsoft and Adobe have a boatload of emergency fixes, the Replicant project finds a nasty backdoor in popular Android devices & the exploit that weaponizes your webcam that’s one attachment away.

Plus a great big batch of your questions, and our answers. All that and much, much more!

Thanks to:

DigitalOcean

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Microsoft and Adobe release flood of critical patches

  • “Microsoft: eight bulletins, two critical – addressing 13 issues in Internet Explorer and Sharepoint Server, along with Windows, Office and its .NET Framework”
  • The first critical issue, which involves IE (MS14-029), is one we’re learning about for the first time today. Researchers with Google’s Security Team have already spotted limited instances of one of the vulnerabilities (CVE-2014-1815) being targeted, which means this should probably be No. 1 on users’ patching agendas.
  • The batch of patches also includes a second critical security update for IE (MS14-021) that addresses a previously disclosed vulnerability in versions 6 through 11 of the browser.
  • “Missing from the updates are patches for vulnerabilities dug up at March’s Pwn2Own hacking competition, including three IE vulnerabilities that bypassed sandboxes and compromised the underlying system”
  • “In a blog entry yesterday the company pointed out that it has extended its requirement for consumer customers to update to 8.1 from today until June 10 but that after that date, like it promised, those who haven’t updated will not receive security updates.”
  • “Adobe: released two updates today, fixing critical issues in Reader and Acrobat XI (11.0.06). Strung together the wrong way, they could cause a crash and potentially let an attacker take control of an affected system.”
  • “Along with a surprise Flash issue. The Flash Player update involves version 13.0.0.206 of the software and earlier versions for Windows, Macintosh and Linux. The issues were not previously made clear in a security bulletin but address vulnerabilities discovered by Keen Team and other researchers that could result in arbitrary code execution and ultimately let an attacker take control of the affected system.”
  • Adobe also released a minor security hotfix for Adobe Illustrator CS6 today, fixing a stack overflow vulnerability – something also marked critical by the company – that could lead to remote code execution.

Open Source Android fork Replicant finds and closes backdoor

  • While working on Replicant, a fully free/libre version of Android, they discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system.
  • This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone’s storage. On several phone models, this program runs with sufficient rights to access and modify the user’s personal data.
  • Today’s phones come with two separate processors: one is a general-purpose applications processor that runs the main operating system, e.g. Android; the other, known as the modem, baseband, or radio, is in charge of communications with the mobile telephony network.
  • These systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device’s microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator’s network, making the backdoors nearly always accessible.
  • A technical description of the issue, as well as the list of known affected devices is available at the Replicant wiki.

Heartbleed certificate regeneration done wrong in large number of cases

  • Netcraft did a survey of SSL certificates to see how Heartbleed affected SSL certificates
  • There are 3 required steps to properly replace the SSL certificate
    • Generate a new private key
    • Get issued a new certificate with the new key
    • Revoke the old certificate so it can no longer be used
  • They found that 43% of certificates had been reissued
  • However they found that only 20% of certificates had been revoked (meaning 23% replaced their certificate but did not revoke the old one, so the old one can still be used by an attacker to perform a man-in-the-middle attack)
  • Worse, they found that 7% of certificates had been reissued with the SAME private key, meaning if the private key was stolen, the new certificate is compromised as well
  • So in total, only 14% of sites had taken all three steps required to replace their possibly compromised certificates

Feedback:


Round Up:


The post Attachments of Mass Destruction | TechSNAP 163 first appeared on Jupiter Broadcasting.

]]>
Not Neutrality | TechSNAP 161 https://original.jupiterbroadcasting.net/56982/not-neutrality-techsnap-161/ Thu, 08 May 2014 15:13:23 +0000 https://original.jupiterbroadcasting.net/?p=56982 Adobe’s latest flaw is being exploited by an advanced persistent threat, we’ve got the details, Heartbleed follow ups, and getting started with Virtualization. Plus our thoughts on the fate of net neutrality, your questions, our answers, and much much more! On this week’s episode of TechSNAP! Thanks to: Direct Download: HD Video | Mobile Video […]

The post Not Neutrality | TechSNAP 161 first appeared on Jupiter Broadcasting.

]]>

Adobe’s latest flaw is being exploited by an advanced persistent threat, we’ve got the details, Heartbleed follow ups, and getting started with Virtualization.

Plus our thoughts on the fate of net neutrality, your questions, our answers, and much much more!

On this week’s episode of TechSNAP!

Thanks to:

DigitalOcean

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Adobe releases patch for critical Flash flaw affecting all OSs

  • A new exploit has been discovered that works against all versions of Adobe Flash Player
  • This is a zero-day exploit, meaning that even a fully patched computer can be exploited
  • Adobe has since released the fix, and users are encouraged to apply the patch as soon as possible
  • The attack used two different exploits, one general exploit against Flash and the other exploiting a flaw in Internet Explorer
  • One of the malware files was detected by Kaspersky using a heuristic signature, but the other was new
  • The exploits slightly alter the attack methodology if Windows 8 or newer is detected, to work around mitigations provided by the OS
  • The first bit of malware (movie.swf) was generic, downloading more malware from a URL and running it
  • The second bit of malware (include.swf) was very specific, targeting “Cisco MeetingPlace Express Add-In version 5”
  • “This add-in is used by web-conference participants to view documents and images from presenter’s screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system”
  • This suggests that the malware was written with a very specific target in mind, rather than designed to target the general Internet
  • The malware was hosted on an official Syrian government website, although it appears that the site may have been compromised to store the files there
  • Kaspersky was not able to examine the payload of the second exploit because the files had already been taken down from the website, and there is evidence to suggest there was a 3rd payload (stream.swf)
  • “We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”
  • “It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.”
  • CVE-2015-0515
  • Adobe Security Bulletin
  • Additional Coverage – Ars Technica
  • Additional Coverage – Krebs on Security
  • Since IE uses a separate version of Flash from other browsers (Firefox, Chrome, Opera, etc), Windows users will need to apply the patch twice, once to their browser and once to IE, which is used as a component in many other applications including Skype and Steam

Exploit used in the wild against all versions of Internet Explorer 6 through 11

  • As part of the same attack from the previous story, an exploit for all versions of Internet Explorer was found
  • The exploit was used as part of a watering hole attack
  • CVE-2014-1776
  • This was to be the first of many 0day exploits that will not be fixed on Windows XP; however, Microsoft issued a statement and released the update for Windows XP, in spite of the fact that it is no longer supported

[Heartbleed Followups]


Feedback:


Round-Up:

The post Not Neutrality | TechSNAP 161 first appeared on Jupiter Broadcasting.

]]>
Password Decryption Games | TechSNAP 138 https://original.jupiterbroadcasting.net/47067/password-decryption-games-techsnap-138/ Thu, 28 Nov 2013 09:47:26 +0000 https://original.jupiterbroadcasting.net/?p=47067 You won't believe how cheap a botnet is these days, then we play a game from your leaked Adobe passwords.

The post Password Decryption Games | TechSNAP 138 first appeared on Jupiter Broadcasting.

]]>

You won’t believe how cheap a botnet is these days, then we play a game from your leaked Adobe passwords.

Plus an uber batch of your questions, our answers, and much, much more, on this week’s episode of TechSNAP!

Thanks to:

GoDaddy

Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Show Notes:

Cost of stolen identities at all time low due to excessive supply

  • There is so much supply of stolen identities that the going price for a US identity has fallen to a record low $25
  • Foreign identities are worth only $40
  • Credentials for a bank account with between $70,000 and $150,000 cost a mere $300
  • “Fullz,” or personal identities, went for $40 per U.S. stolen ID and $60 for a stolen overseas ID in 2011 when Dell SecureWorks last studied pricing in the underground marketplace.
  • Now those IDs are 33 to 37 percent cheaper.
  • Pricing trends are interesting, says Raj Samani, CTO of McAfee. But they also can be misleading, he says, because prices are all over the map.
  • “You can have varying prices depending on the sources you go to.”
  • McAfee in its June cybercrime study found a DDoS-for-hire service for $2 per hour, and another for $3 per hour, for instance, he says.
  • Dell SecureWorks found DDoS services anywhere from $3 to $5 per hour, $90 to $100 per day, and $400 to $600 a month.
  • The cost of getting a website hacked runs from $100 to $300, with more experienced black hat hackers charging more for their services. In an interesting twist, the researchers found that these attackers stipulated that they don’t hack government or military websites.
  • Doxing services—where a hacker steals as much information as they can about a victim or target via social media, social engineering, or Trojan infection—range from $25 to $100.
  • Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250.

Adobe top passwords crossword

  • For once, we can have a little fun with a major site being compromised
  • The website is a crossword puzzle, made up of some of the top passwords that have been brute-forced or guessed from the ‘encrypted’ Adobe database
  • The ‘clues’ are people’s password hints
  • Because Adobe did not use a ‘salt’, all users who had the same password had the same encrypted password, so combining the password hints of all of the users with the same password makes it much easier to guess common passwords
  • It seems many people use names of people they know; parents and grandparents using their children’s names seems excessively prevalent
  • Top 100 actual passwords

Feedback:

Submit your best of stories for the end of the year special


Round Up:


The post Password Decryption Games | TechSNAP 138 first appeared on Jupiter Broadcasting.

]]>