ads – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Thu, 27 Jan 2022 17:14:31 +0000

Linux Action News 225 https://original.jupiterbroadcasting.net/147482/linux-action-news-225/ Thu, 27 Jan 2022 08:45:00 +0000

Show Notes: linuxactionnews.com/225

The post Linux Action News 225 first appeared on Jupiter Broadcasting.

Make Ads GIF Again | TechSNAP 273 https://original.jupiterbroadcasting.net/100861/make-ads-gif-again-techsnap-273/ Thu, 30 Jun 2016 17:47:59 +0000

The post Make Ads GIF Again | TechSNAP 273 first appeared on Jupiter Broadcasting.


Project Zero lays into Symantec’s enterprise products, the botnet you’ll never find & the poor security of HTML5 video ads.

Plus your questions, our answers & much more!

Show Notes:

Google’s Project Zero lays into Symantec’s Enterprise Endpoint Security products

  • “Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand.”
  • “Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.”
  • “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
  • “As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:”
  • Norton Security, Norton 360, and other legacy Norton products (All Platforms)
  • Symantec Endpoint Protection (All Versions, All Platforms)
  • Symantec Email Security (All Platforms)
  • Symantec Protection Engine (All Platforms)
  • Symantec Protection for SharePoint Servers
  • And so on.
  • “Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.”
  • “Many developers will be familiar with executable packers like UPX, they’re tools intended to reduce the size of executables by compressing them. This causes a problem for antivirus products because it changes how executables look.”
  • Packers can be designed to obfuscate the executable, and make it harder for virus scanners to match against their signature database, or heuristically detect bad code
  • “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”
  • “The problem with both of these solutions is that they’re hugely complicated and prone to vulnerabilities; it’s extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities, we’ve written about examples in Comodo, ESET, Kaspersky, Fireeye and many more.”
  • “Let’s look at an example from Symantec and Norton Antivirus. This vulnerability has an unusual characteristic: Symantec runs their unpackers in the Kernel!”
  • “Reviewing Symantec’s unpacker, we noticed a trivial buffer overflow when a section’s SizeOfRawData field is greater than SizeOfImage. When this happens, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer.”
  • “This was enough for me to make a testcase in NASM that reliably triggered Symantec’s ASPack unpacker. Once I verified this work with a debugger, building a PE header that mismatched SizeOfImage and SizeOfRawData would reliably trigger the vulnerability.”
  • “Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
  • “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
  • There is also a buffer overflow in the PowerPoint decomposer (used to check for macros, etc.)
  • There is another vulnerability in “Advanced Heuristic Protection” or “Bloodhound Heuristics” mode
  • “As with all software developers, antivirus vendors have to do vulnerability management. This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates.”
  • “Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here.”
  • “A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.”
  • “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”
  • There is “behind” and then there is 7 years, which is pretty much “definitely didn’t bother to look at all”
  • “As well as the vulnerabilities we described in detail here, we also found a collection of other stack buffer overflows, memory corruption and more.”
  • Additional Coverage: Fortune.com
  • Additional Coverage: Ars Technica

Botnet made up of CCTV Cameras and DVRs conducts DDoS attacks

  • As we reported in TechSNAP #259, a security researcher found that 70 different CCTV-DVR vendors are just reselling devices from the same Chinese manufacturer, with the same firmware
  • This firmware has a number of critical security flaws that the vendor was notified about, but refused to fix
  • Original coverage from March
  • Now criminals have exploited one or more of these known vulnerabilities to turn these devices into a large botnet
  • Unlike a typical botnet made up of personal computers that are turned on and off at random, and where a user might notice sluggish performance, infected embedded devices tend to be always on, and performance issues are rarely noticed
  • A botnet of over 25,000 of these CCTV systems is being used to conduct layer7 DDoS attacks against various businesses
  • One of the victims, a jewelry store, moved their site behind a WAF (Web Application Firewall) to protect it from the attack
  • Unlike most attackers, instead of admitting defeat and moving on, the attacker stepped up the attack, and prolonged it for multiple days
  • Most botnets lose strength the longer the attack is sustained, because infected machines are shut down, isolated, reported, or disconnected.
  • The fact that this botnet is made up of embedded CCTV devices gives it more staying power, and it is not likely to be considered the source of the problem if abuse reports do come in.

Security of HTML5 Video Ads

  • For a long time many have railed against Flash, and accused it of being the root of all evil when it comes to Malvertising
  • “For the last several years, Adobe Flash has been an enemy of the online community. In general, the position is well deserved: there were more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year.”
  • This study provides a comparison between Flash and HTML5 based advertisements
  • Flash ads tend to be smaller. HTML5 ads are also on average 100kb larger, using more bandwidth, which on mobile can be a big deal
  • Flash ads may be more work to create, since they are not responsive, and a different file must be created for each different ad size
  • HTML5 ads do not require a plugin to run, but older browsers do not support them. This is becoming less of an issue as the number of aged devices dwindles
  • Flash ads tend to provide better picture quality, due to sub-pixel support
  • HTML5 provides better mobile support, where Flash on mobile is rare
  • There is currently a larger community of Flash developers, but this is changing
  • HTML5 is not controlled by a single entity like Adobe
  • Flash provides better optimization
  • HTML5 provides better usability and semantic support
  • This study finds that killing off Adobe Flash will not solve the security problems, HTML5 has plenty of its own security issues
  • “Even if Flash is prohibited, malvertising can still be inserted in the first two stages of video ad delivery.”
  • “The proponents pushing for Flash to be prohibited from use in an ad creative are saying that HTML5 is the remedy that can handle security threats in the advertising industry. It stands to reason that if the ad unit itself is clean, then the user won’t have any problems. Unfortunately, this is an inaccurate statement. Malvertising attacks using video ads were already occurring in late 2015 and early 2016.”
  • In a typical Flash malvertising campaign, the ad calls the Flash externalCall interface and runs some malicious JavaScript, creating a popup that, if the user accepts it, may infect their computer
  • In an HTML5 based attack, the malvertising campaign payload is not in the actual advertisement, but in the VAST/VPAID metadata, as the tracking URL. This silently navigates the user to an Angler exploit kit, where they are infected with no required user interaction
  • “the second scenario shows how the ad unit itself is not the only piece of the malvertising pie”
  • “The main root of the video ad malvertising problem is, unfortunately, fundamental. VAST/VPAID standards, developed in 2012, provide extensive abilities so that ad industry players can create a rich ad experience.”
  • “Since these standards allow advertisers to receive data about the user, they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code.”
  • “Now that we have debunked the idea that malvertising would be eliminated if the industry prohibited the use of Flash in their ads, let’s discuss solutions.”
  • Even if malicious ads could be eliminated by better screening, malactors can compromise the ad network, and inject the malicious ads there
  • In the end, maybe we need to stop allowing advertisements to have the ability to execute code
  • Does anyone remember when advertisements were just animated .gif files?

Clickity Clack Content Crap | TTT 216 https://original.jupiterbroadcasting.net/88806/clickity-clack-content-crap-ttt-216/ Thu, 08 Oct 2015 09:45:11 +0000

The post Clickity Clack Content Crap | TTT 216 first appeared on Jupiter Broadcasting.


The state of the tech press is downright embarrassing, today we call out some examples of “click bait journalism” that plagues the tech news.

Amazon has a snailmail solution to your “big” data, LoopPay gets hacked, Lyft and Uber have a public spat & more!

Happy Little Accidents | TTT 205 https://original.jupiterbroadcasting.net/86732/happy-little-accidents-ttt-205/ Thu, 20 Aug 2015 09:34:46 +0000

The post Happy Little Accidents | TTT 205 first appeared on Jupiter Broadcasting.


Freshly back from LinuxCon we update you on the stories of the day, the big players pushing Flash out the door & how forgetful scientists accidentally quadruple lithium-ion battery lifespan.

Bodhi: Enlightened Linux | LAS 366 https://original.jupiterbroadcasting.net/82642/bodhi-enlightened-linux-las-366/ Sun, 24 May 2015 17:28:38 +0000

The post Bodhi: Enlightened Linux | LAS 366 first appeared on Jupiter Broadcasting.


Lead developer of Bodhi Linux, Jeff Hoogland, joins us to discuss this exciting distribution that showcases the Enlightenment desktop.

Plus Canonical could be going public, but what will that mean for the desktop? We debate. Firefox OS sees a major course change ahead & more!


— Show Notes: —

Jeff Hoogland of Bodhi Linux

  • Project Manager and Lead Developer



DistroWatch.com: Bodhi Linux

Bodhi Linux is an Ubuntu-based distribution for the desktop featuring the elegant and lightweight Enlightenment window manager. The project, which integrates and pre-configures the very latest builds of Enlightenment directly from the project’s development repository, offers modularity, high level of customisation, and choice of themes. The default Bodhi system is light — the only pre-installed applications are Midori, Terminology, EFM (Enlightenment File Manager), ePhoto and ePad — but more software is available via AppCenter, a web-based software installation tool.

In this video I am going to show the installation process of Bodhi Linux 3.0.0; after that I am going to do an overview of the operating system and show some of the applications pre-installed.


— PICKS —

Runs Linux

There is an article in the Guardian explaining what the experiment is about: https://www.theguardian.com/science/across-the-universe/2015/feb/12/the-hunt-for-gravitational-waves-could-be-nearing-success

In the video LIGO Generations we see the lab where they analyze results, and we see that the whole lab runs Ubuntu.

Here’s a date for your diary: 1 January 2017. It’s the day that physicists are predicting for a great scientific breakthrough: the first direct detection of gravitational waves.

It will be the equivalent of astronomers discovering a new sense. With telescopes, they can already see the universe. By detecting gravitational waves, they will be able to ‘listen’ to it as well. We would be able to ‘hear’ stars colliding with one another, the destruction of matter falling into black holes and the catastrophic detonation of distant massive stars.

Desktop App Pick

Submitted By Rikai

LanguageTool is an Open Source proofreading program for English, French, German, Polish, and more than 20 other languages. It finds many errors that a simple spell checker cannot detect and several grammar problems.

Weekly Spotlight

Submitted by Robert S.

Run it on a server connected to some speakers in your home or office. Guests can control the music player by connecting with a laptop, tablet, or smart phone. Further, you can stream your music library remotely. Groove Basin works with your personal music library; not an external music service. Groove Basin will never support DRM content.

Features
  • Fast, responsive UI. It feels like a desktop app, not a web app.

  • Dynamic playlist mode which automatically queues random songs, favoring songs that have not been queued recently.

  • Drag and drop upload. Drag and drop playlist editing. Rich keyboard shortcuts.

Jupiter Broadcasting Meetup

Our Past Picks

These are the weekly picks provided by the Jupiter Broadcasting podcast, the Linux Action Show.

This site includes a separate picks lists for the “Runs Linux”, Desktop Apps, Spotlight Picks, Android Picks, and Distro Picks.


— NEWS —

Mark Shuttleworth considering Canonical IPO

The decision won’t be entirely his. “I need to talk it over with my Canonical team.” He also said that the idea has been being seriously kicked around internally for the last several months.

Chromium Finally Gets HiDPI Support for Linux After Being Ignored for Three Years – Softpedia

“I’m happy to notice that High DPI is now fully supported in Chromium for Linux starting in Dev Channel. If you don’t have a HighDPI screen, you can still run chromium with the --force-device-scale-factor=2 switch to see how scaling works there,” wrote François Beaufort.

  • Full HiDPI support in Chrome is now available in the main branch google-chrome as of version 43.0.2357.2-1 and works out of the box as tested with Gnome and Cinnamon.

Ads Based On Browsing History Are Coming To All Firefox Users

Mozilla has announced plans to launch a feature called “Suggested Tiles,” which will provide sponsored recommendations to visit certain websites when other websites show up in the user’s new tab page. The tiles will begin to show up for beta channel users next week, and the company is asking for feedback. For testing purposes, users will only see Suggested Tiles “promoting Firefox for Android, Firefox Marketplace, and other Mozilla causes.” It’s not yet known what websites will show up on the tiles when the feature launches later this summer. The company says, “With Suggested Tiles, we want to show the world that it is possible to do relevant advertising and content recommendations while still respecting users’ privacy and giving them control over their data.”

Mozilla gives up on its dream of a $25 Firefox smartphone | The Verge

CNET reports that in an email to employees sent out on Thursday, CEO Chris Beard made it clear that the company will soon be changing its mobile strategy. “We have not seen sufficient traction for a $25 phone,” Beard wrote. He went on to say, “We will focus on efforts that provide a better user experience, rather than focusing on cost alone.”

Intel takes on CoreOS with its own container-based Linux

In a detailed article at LWN.net, Intel engineer Arjan van de Ven described Intel’s aim to build a container system “where one can use the isolation of virtual-machine technology along with the deployment benefits of containers.”

The resulting system, Clear Containers, uses Linux’s kernel-native KVM hypervisor, but runs it in such a way that it avoids most of the startup time overhead typically associated with spinning up a KVM instance. Intel also claims it can leverage systemd and a few kernel-level memory-organization tricks to slim down and speed up the process even further.

Second stretchgoal reached and new builds!

We’ve got our second stretchgoal through both Kickstarter and the Paypal donations! We hope we can get many more so that you, our users, get to choose more ways for us to improve Krita. And we have got half a third stretch goal actually implemented: modifier keys for selections!


— FEEDBACK —

https://slexy.org/view/s2jsXnVEBh
https://slexy.org/view/s20aybvY3U
https://slexy.org/view/s21ziEEQ7p

Allan Jude has written the book on ZFS: FreeBSD Mastery: ZFS

ZFS Armistice | BSD Now 90

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Amazon Uncontrollably Twitching | Tech Talk Today 49 https://original.jupiterbroadcasting.net/65417/amazon-uncontrollably-twitching-tech-talk-today-49/ Tue, 26 Aug 2014 10:04:42 +0000

The post Amazon Uncontrollably Twitching | Tech Talk Today 49 first appeared on Jupiter Broadcasting.


Is Amazon’s purchase of Twitch the first big move in the new Amazon vs Google war? We discuss the big acquisition from all the angles.

Huawei says Tizen is dead, the guy in charge of Cyber Security for Obama doesn’t know how to use a computer & more!


Show Notes:

Amazon Buys Twitch, and Why it makes sense for Amazon to buy Twitch | The Verge

The company has since confirmed the news, and a press release states Amazon will pay $970 million in cash.

Amazon is clearly very keen to get into gaming. It created its in-house gaming studio back in 2012 and has made a few lightweight Facebook and mobile games since then. It signaled it was getting more serious with the acquisition of Killer Instinct developer Double Helix Games and hiring of Kim Swift, the designer behind the classic Portal game. The company’s new Fire TV offered a selection of games created by Amazon’s in-house team and even has a Amazon joystick you can buy separately, hinting at aspirations to compete with consoles like the Xbox and PlayStation.


For Twitch, being acquired was always about finding a partner that could help it keep up with its massive growth. As The Verge reported back in May, Twitch was being offered hundreds of millions in new funding from its previous investors, but felt that it simply couldn’t scale with capital alone. It needed a company with global infrastructure already in place that it could piggyback on. YouTube certainly fit the bill. But Amazon, with its Amazon Web Services (AWS), also has the kind of international presence to ensure Twitch can stream live video to millions across every continent. Twitch in turn could be the live-streaming platform that powers everything from gaming to concerts to sporting events that play on Amazon’s family of Fire devices.


Why would Twitch choose Amazon over Google? It wasn’t the money, with Amazon’s purchase price being equal or less than Google’s reported offer. Shear wouldn’t answer that question directly, but did provide detail on why Amazon was the best fit. “One of the things that really stood out about Amazon was their approach to acquisitions. We will be a wholly owned subsidiary and I will remain CEO,” said Shear. “They have a long term vision about how to create big opportunities in the future by investing today.”

Reading between the lines a little, it sounds like Twitch felt at Google, it would have always been YouTube’s little brother. At Amazon, it has the chance to build something from scratch, as Amazon has no user-generated or live video offerings yet. A source familiar with the deal suggested Twitch felt Amazon would give it more autonomy and bigger role in growing the gaming business.

Amazon Pounces On Twitch After Google Balks Due To Antitrust Concerns

Google was unable to close the deal, said sources familiar with the talks, because it was concerned about potential antitrust issues that could have come with the acquisition. The Mountain View, Calif. company already owns YouTube, the world’s most-visited content streaming site, which competes with Twitch to broadcast and stream live or on-demand video game sessions. One source noted that because of the concerns, Google and Twitch could not come to an agreement on the size of a potential breakup fee in case the deal did not go through.

White House cybersecurity czar brags about his lack of technical expertise

Michael Daniel is the White House’s cybersecurity coordinator, the man who “leads the interagency development of national cybersecurity strategy and policy” for the president. And in a recent interview with GovInfoSecurity, he argued that his lack of technical expertise gave him an advantage in doing that job.

“You don’t have to be a coder in order to really do well in this position,” Daniel said, when asked if his job required knowledge of the technology behind information security. “In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction.”

“You can get taken up and enamored with the very detailed aspects of some of the technical solutions,” he explained, arguing that “the real issue is looking at the broad strategic picture.”


As Princeton computer scientist Ed Felten points out, it’s hard to imagine senior policymakers with responsibility for other technical subjects making this kind of claim. Imagine a White House economic advisor arguing that experience in the weeds of economic research would be a distraction, an attorney general making that claim about time in a courtroom, or a surgeon general bragging about never having set foot in an operating room.

Huawei’s Head of Business Group Sees no Future in Tizen

In a recent interview with The Wall Street Journal at the company’s headquarters in Shenzhen, Richard Yu, the head of Huawei’s consumer business group, talked about the future of the global smartphone industry and how Huawei will compete against Samsung and Apple.

Mr. Yu: We have no plans to use Tizen. Some telecom carriers are pushing us to design Tizen phones but I say “no” to them. In the past we had a team to do research on Tizen but I canceled it. We feel Tizen has no chance to be successful. Even for Windows Phone it’s difficult to be successful.

We have no plans to build our own OS. It’s easy to design a new OS, but the problem is building the ecosystem around it.

No Show Tomorrow

In App Mayhem | FauxShow 167 https://original.jupiterbroadcasting.net/53027/in-app-mayhem-fauxshow-167/ Sat, 08 Mar 2014 11:46:11 +0000

The post In App Mayhem | FauxShow 167 first appeared on Jupiter Broadcasting.


Angela and Chris talk about the different ways ads and in app purchases make it onto our mobile devices, what can be done about it, and how the community feels about it.


— Show Notes: —

The Apple Seed:

How to turn off in app purchases:

The Good, The Bad, The Ugly:

The Flaw:

All Things Considered…

Mike shares his results from taking his paid app free in the app store. The discussion goes into the extreme price pressure developers face in app stores compared to even 5-7 years ago.

JB NEWS:

LAS 300 hits and exceeds its goal of 754 shirts sold! Also see the coin!
https://teespring.com/las300
https://instagram.com/p/k2uEcEEaiL/
https://instagram.com/p/lIxWIoEaqo/ ← size comparison pic

Mailsack!

Sean writes:

Chase, it had no business being that hot, and the lid was defective.

Simon writes:

Hello JB Crew,

My wife and I are planning to switch from Verizon to Ting (Yeah!) My wife is excited to get the Note 2 and I’m thinking about the Nexus 5 (good hardware and price).

Chris, I know you have the Nexus 5 and I wanted to get your take on it. I’m particularly interested in its “creepy” factor in light of all the data collection. I know this is an issue near and dear to your heart and I respect your opinion.

Thanks for the great shows, I listen to them all, and look forward to a great and bright future in 2014.

Owlsa

Check out the Shirt Pictures: https://instagram.com/jupiterbroadcasting

Find FauxShow!

Facebook: https://www.facebook.com/thefauxshow
Twitter: https://www.twitter.com/angerz
G+: https://www.gplus.to/fauxshow
Subscribe to Jupiter Signal: https://www.bit.ly/jupitersignal
Jupiter Radio: https://jblive.info
Affiliates Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/jupiterbroadcasting/
Affiliates Chrome Extension: https://chrome.google.com/webstore/detail/bjekemhblnilimncanbehhjijdpjgimj
Donations: https://original.jupiterbroadcasting.net/donate
Shows & Shownotes: https://original.jupiterbroadcasting.net/show/fauxshow/

The post In App Mayhem | FauxShow 167 first appeared on Jupiter Broadcasting.

Neckbeard Entitlement Factor | LINUX Unplugged 28 https://original.jupiterbroadcasting.net/51842/neckbeard-entitlement-factor-lup-28/ Tue, 18 Feb 2014 18:01:13 +0000 https://original.jupiterbroadcasting.net/?p=51842 Michael Hall from Canonical joins us to discuss how the consumers of open source software can be the biggest hurdle to projects becoming sustainable.

The post Neckbeard Entitlement Factor | LINUX Unplugged 28 first appeared on Jupiter Broadcasting.


Michael Hall from Canonical joins us to discuss his personal views on what he’s coined the new 80/20 rule for open source. Are the consumers of open source the biggest hurdle to projects becoming sustainable?

Plus Valve might be looking at your DNS history, getting young users to try Linux, and your feedback!

Thanks to:

Ting

DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Show Notes:

FU

There are a number of kernel-level paid cheats that relate to this Reddit thread[1]. Cheat developers have a problem in getting cheaters to actually pay them for all the obvious reasons, so they start creating DRM and anti-cheat code for their cheats. These cheats phone home to a DRM server that confirms that a cheater has actually paid to use the cheat.

VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban. Less than a tenth of one percent of clients triggered the second check. 570 cheaters are being banned as a result.

Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers’ client machines.

Michael Hall: A new 80/20 rule for open source Upstream Liaison

Put simply, this rule says that people will tend to appreciate it more when you give them 20% of something, and resent you if you give them 80%. It seems completely counter-intuitive, I know, but that’s what I was seeing in all of those conversations. People by and large were saying that the reason Canonical and Mozilla were being judged so harshly was because they already did most of what those people wanted, which made them resent that they didn’t do everything.

Mailsack:

Tarnished Chrome | TechSNAP 146 https://original.jupiterbroadcasting.net/50227/tarnished-chrome-techsnap-146/ Thu, 23 Jan 2014 17:34:34 +0000 https://original.jupiterbroadcasting.net/?p=50227 Why Facebook just paid out a $33k bug bounty, and Chrome's bad security week.

The post Tarnished Chrome | TechSNAP 146 first appeared on Jupiter Broadcasting.


Facebook just paid out their biggest bug bounty yet; we’ll tell you about the flaw that was so major it warranted a $33k bounty. Plus it’s been a bad week for Chrome security…

Then it’s a big batch of your questions, our answers, and much much more!

Thanks to:


GoDaddy


Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Facebook pays out biggest bug bounty ever, $33,500 after researcher gets ‘keys to the kingdom’

  • Reginaldo Silva, a Brazilian security researcher, found a remote execution flaw in Facebook and was able to perform various functions, including copying the /etc/passwd file, which gave him a list of the users that exist on the system. He could also have changed the URL for the Google OpenID provider in order to execute MitM attacks on users logging in to Facebook using their Gmail accounts
  • The original flaw was found in September 2012, when the researcher discovered an XXE (XML External Entity) bug in a Drupal blog’s OpenID provider
  • After finding the flaw in OpenID, he tried the attack successfully against StackExchange
  • Later he also tried it against Google; while it worked, he was not able to read any files or make any network connections. For this he received his first bug bounty, $500 from Google
  • During the original investigation, he could not find a valid Facebook OpenID endpoint
  • Some time later, while investigating the Facebook password reset system, he discovered they still used OpenID for Gmail users to reset their passwords
  • Using the newly discovered endpoint, he still was not able to launch his attack, because Facebook only communicated with Google, and for the attack to work he needed to communicate with his malicious OpenID provider
  • After more reading of the OpenID spec, he found what he was looking for and was able to cause Facebook to contact his server, parse his malicious XML and cause Facebook’s servers to run code of his choosing
  • From this he was able to get a copy of the /etc/passwd from the server
  • Researcher’s Blog Post
  • Facebook Security Team Blog Post
  • Facebook Extends Bug Bounty Program

Security companies remove information about Target breach from the Internet

  • One we had previously covered:
  • “On Dec. 18, a malicious software sample was submitted to ThreatExpert.com, a Symantec-owned service. But the public report the service generated vanished.”
  • However, as is often the case with the internet, someone (Krebs ftw) had a copy of the report and posted it
  • “iSight Partners, a Dallas-based cybersecurity company that is working with the U.S. Secret Service, published a series of questions and answers on its website related to the attacks on point-of-sale devices at U.S. retailers. That too vanished on Thursday.”
  • “Intel-owned McAfee redacted on Tuesday a blog post from last week that contained technical detail similar to the ThreatExpert.com report”
  • When queried, a Symantec spokeswoman said “we took the initiative to remove it because we didn’t want the information to compromise the ongoing investigation.”
  • Alex Holden, founder of Hold Security, who worked with Brian Krebs on the Adobe breach, said it was the right move for Symantec to pull the report, as attackers might have been able to use the information to compromise other point-of-sale devices at other retailers
  • “I was surprised that this information was posted on the Internet in the first place,” Holden said. “Besides having a Target machine’s name and its IP address, system structure and drive mapping, it discloses a very vital set of credentials setup specifically for exploitation of the device.”
  • As many as six other U.S. companies are believed to be victims of point-of-sale related attacks, where malware intercepts unencrypted card details. So far, only Target and high-end retailer Neiman Marcus have acknowledged the attacks.

Adware vendors buy Chrome Extensions to send ad- and malware-filled updates

  • While Chrome itself is updated automatically by Google, that update process also includes Chrome’s extensions, which are updated by the extension owners.
  • This means that it’s up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.
  • Ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens.
  • Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions.
  • Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.
  • A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the “Add to Feedly” extension.
  • One morning, the extension author got an e-mail offering “4 figures” for the sale of his Chrome extension. The extension was only about an hour’s worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account.
  • A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links.
  • This isn’t a one-time event, either. About a month ago, I had a very simple Chrome extension called “Tweet This Page” suddenly transform into an ad-injecting machine and start hijacking Google searches.
  • Google has stated that Chrome’s extension policy is due to change in June 2014. The new policy will require extensions to serve a single purpose.
  • Chromium Blog: Keeping Chrome Extensions Simple

Feedback:


Round Up:


Cyprus Gone Wild | Unfilter 43 https://original.jupiterbroadcasting.net/34286/cyprus-gone-wild-unfilter-43/ Wed, 27 Mar 2013 22:18:03 +0000 https://original.jupiterbroadcasting.net/?p=34286 In just the last week the situation in Cyprus has gone from outrageous to disastrous. We’ll break it down, and discuss the impacts on the global economy.

The post Cyprus Gone Wild | Unfilter 43 first appeared on Jupiter Broadcasting.


In just the last week the situation in Cyprus has gone from outrageous to disastrous. We’ll break it down, and discuss the impacts the world changing event could have on the global economy.

And did you know the Internet is currently undergoing the “largest attack in history”? That’s according to the BBC. We also look at why the FBI has disclosed Real-Time Gmail Spying Powers as a “Top Priority” for 2013.

Plus Mayor Bloomberg begins personally financing a $12 Million Dollar Ad Campaign for Gun Checks, our follow up, your feedback, and much much more.

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

HD Feed | Mobile Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

— Show Notes —


Global internet slows after “biggest attack in history”

The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.

Spam-fighting organization Spamhaus said Wednesday that it had been buffeted by a massive distributed denial-of-service (DDoS) attack since mid-March, apparently from groups angry at being blacklisted by the Geneva-based group.

“It is a small miracle that we’re still online,” Spamhaus researcher Vincent Hanna said in an interview.

FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for 2013

That’s because a 1994 surveillance law called the Communications Assistance for Law Enforcement Act only allows the government to force Internet providers and phone companies to install surveillance equipment within their networks. But it doesn’t cover email, cloud services, or online chat providers like Skype. Weissmann said that the FBI wants the power to mandate real-time surveillance of everything from Dropbox and online games (“the chat feature in Scrabble”) to Gmail and Google Voice. “Those communications are being used for criminal conversations,” he said.


Mayor Bloomberg Unveils $12 Million Ad Campaign for Gun Checks

New York Mayor Michael R. Bloomberg, a fierce proponent of restrictions on firearms, said he will bankroll a $12-million TV advertising blitz in 13 states to pressure individual senators from both parties during the two-week congressional recess.


Thanks for Supporting Unfilter:

Make Good: Sorry if we gave the wrong impression about ‘MERICA raw-dogging it in Iraq.

Chris Hedges, author, columnist and former Pulitzer-Prize winning journalist for The New York Times spoke with RT about how FCC deregulation during the Clinton administration allowed a handful of corporations to dominate US media.

Thanks to

  • Damon L
  • Trevor J
  • Benjamin M
  • Richard G – Who nailed the last $7.99 for now!
  • Rusty switched to bitcoins, tip of the hat to our first bitcoin supporter!
  • Thanks to our 59 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.


Cyprus’ Gone Wild

With banks due to reopen on Thursday after nearly two weeks, Finance Minister Michael Sarris said capital controls will be “within the realms of reason” and a business leader said he had been told they would affect only international transactions.

“They’ve just gotten rid of all our dreams, everything we’ve worked for, everything we’ve achieved up until now, what our parents have achieved,”

CEO Yiannis Kypri said he was summoned to the Central Bank early on Wednesday and asked to submit his resignation.

“The reason I was given was that, based on the resolution decree recently passed by parliament and upon demands of the troika, an administrator had been appointed at the Bank,” Kypri said in a written statement.

No one knows exactly how much money has left Cyprus’ banks, or where it has gone. The two banks at the centre of the crisis – Cyprus Popular Bank, also known as Laiki, and Bank of Cyprus – have units in London which remained open throughout the week and placed no limits on withdrawals. Bank of Cyprus also owns 80 percent of Russia’s Uniastrum Bank, which put no restrictions on withdrawals in Russia. Russians were among Cypriot banks’ largest depositors.

“I think the Russians were understandably disappointed with this turn of events. They have had a long, successful and happy history and association and this has come partly as a shock despite the fact that many of these things had been rumored,” Cyprus’ finance minister, Michael Sarris, said early on Monday in Brussels.

On Thursday the European Central Bank told Cyprus yesterday to find funding to secure a €10 billion ($12.9 billion) European Union (EU) bailout by Monday, or face a cut-off of ECB credit and the bankruptcy of Cyprus’ banks and government.

The Cypriot government should instead have learned from Iceland: taken over the banks, isolated the bad loans, protected deposits, imposed losses on the wealthy, and used a publicly owned banking sector to rebuild the domestic economy. That would have offered its citizens a better future, almost certainly outside the eurozone. But it would have also encroached on private capital’s privileges and clearly couldn’t be tolerated.

Protests have followed the agreement which called for Popular Bank, the country’s second biggest bank, to be closed down and the imposition of austerity measures.

US’ System Setup to Protect the Bankers?

U.S. attorney nominated by President Barack Obama to lead the SEC. Her financial disclosures say that upon leaving New York-based Debevoise & Plimpton LLP, the law firm will give her $42,500 a month in retirement pay for life, or more than $500,000 a year.

Mary Jo White, Obama’s nominee who will likely be confirmed as head of the SEC, the government agency in charge of regulating the banks, may not have the people’s best interests at heart. She’ll be paid a “retirement for life” from her former white-collar defense law firm that defends bankers.


China’s navy holds landing exercises near disputed islands

“The operational goal in the East China Sea is to wear out the Japanese Maritime Self Defence Force and the Japan Coast Guard,” said James Holmes, a maritime strategy expert at the Newport, Rhode Island U.S. Naval War College.

China’s increasingly powerful navy paid a symbolic visit to the country’s southernmost territorial claim deep in the South China Sea this week as part of military drills in the disputed Spratly Islands involving amphibious landings and aircraft.

Military tension is rising elsewhere in Asia. A Chinese naval taskforce has reached the southernmost part of the South China Sea, which it claims as its own – to the annoyance of neighbouring nations.


Fed pushes big bro drones despite public outcry in US

It appears the sky is the limit for U.S. law enforcement, with aerial surveillance drones set to be used domestically. But Capitol Hill has met some firm resistance to the plans. RT’s Gayane Chichyakyan reports on the attempts to fight back against the federal project.


Feedback:

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow Us:
