apache – Jupiter Broadcasting (https://www.jupiterbroadcasting.com), feed generated Mon, 20 Dec 2021 03:22:04 +0000

Linux Action News 220 https://original.jupiterbroadcasting.net/147027/linux-action-news-220/ Sun, 19 Dec 2021 19:00:00 +0000

Show Notes: linuxactionnews.com/220

The post Linux Action News 220 first appeared on Jupiter Broadcasting.

Linux Action News 219 https://original.jupiterbroadcasting.net/146967/linux-action-news-219/ Sun, 12 Dec 2021 19:00:00 +0000

Show Notes: linuxactionnews.com/219

Cabin Fever | LINUX Unplugged 371 https://original.jupiterbroadcasting.net/142802/cabin-fever-linux-unplugged-371/ Tue, 15 Sep 2020 11:00:00 +0000

Show Notes: linuxunplugged.com/371

Curious About Caddy | TechSNAP 429 https://original.jupiterbroadcasting.net/141557/curious-about-caddy-techsnap-429/ Thu, 14 May 2020 23:15:00 +0000

Show Notes: techsnap.systems/429

Prefork Pitfalls | TechSNAP 404 https://original.jupiterbroadcasting.net/131511/prefork-pitfalls-techsnap-404/ Sat, 25 May 2019 18:11:55 +0000

Show Notes: techsnap.systems/404

Stay and Compile a While | LINUX Unplugged 295 https://original.jupiterbroadcasting.net/130146/stay-and-compile-a-while-linux-unplugged-295/ Wed, 03 Apr 2019 06:38:33 +0000

Show Notes/Links: linuxunplugged.com/295

The ACME Era | TechSNAP 395 https://original.jupiterbroadcasting.net/128941/the-acme-era-techsnap-395/ Mon, 21 Jan 2019 07:54:32 +0000

Show Notes: techsnap.systems/395

Linux Action News 77 https://original.jupiterbroadcasting.net/127766/linux-action-news-77/ Sun, 28 Oct 2018 16:00:58 +0000

Episode Links: linuxactionnews.com/77

Here Comes Cloud DNS | TechSNAP 381 https://original.jupiterbroadcasting.net/126906/here-comes-cloud-dns-techsnap-381/ Thu, 30 Aug 2018 07:51:17 +0000

Show Notes: techsnap.systems/381

Linux Action News 34 https://original.jupiterbroadcasting.net/121032/linux-action-news-34/ Sun, 31 Dec 2017 11:43:44 +0000

Let’s Encrypt: A New Hope | LAS 396 https://original.jupiterbroadcasting.net/91736/lets-encrypt-a-new-hope-las-396/ Sun, 20 Dec 2015 05:11:29 +0000

Inspired by the Let’s Encrypt project, we break down the basics of SSL & how easy it is to set up on your Linux box now.

Plus hacking GRUB by hitting backspace 28 times, the Linux Foundation wants the Blockchain without the Bitcoin and their bedfellows are concerning, the steady steps towards cross distro application bundles & more!


— Show Notes: —

Brought to you by: Linux Academy

Linux Academy: Apache and SSL Self Signed Certificates

This course will detail how to install and configure Apache web services to answer HTTPS connections. In addition, we will show how to generate a key file to use for obtaining a third-party certificate, and then use that same key to generate a full self-signed certificate. Finally, we will configure our SSL vhost to use that certificate and verify its availability and content serving from an external location.
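A worked version of the steps the course description lists, added here as an example (it is not Linux Academy course material or anything from the show): a private key, a CSR you could send to a third-party CA, a self-signed certificate made from that same key, and an Apache mod_ssl vhost that serves it. It assumes openssl 1.1.1 or newer on PATH and uses www.example.com and /etc/ssl/example as placeholder values:

```shell
#!/bin/sh
# Added example, not from the Linux Academy course or the show notes: generate a
# private key, a CSR (what you would submit to a third-party CA), a self-signed
# certificate from the same key, and an Apache SSL vhost that uses them.
# Assumptions: openssl 1.1.1 or newer on PATH; hostname and paths are placeholders.
set -eu

# make_cert DIR HOST: writes DIR/HOST.key, DIR/HOST.csr and DIR/HOST.crt
make_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 2048-bit RSA private key; keep it unreadable to anyone but root
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/$host.key" 2>/dev/null
  chmod 600 "$dir/$host.key"
  # CSR: this (never the key) is what a public CA signs. Browsers match the
  # hostname against subjectAltName, so include it rather than relying on CN.
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" -out "$dir/$host.csr"
  # Self-signed certificate from the same key, for testing before a CA-issued
  # cert arrives. Clients will warn: nothing they trust has vouched for it.
  openssl req -x509 -key "$dir/$host.key" -days 365 -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" -out "$dir/$host.crt"
}

# write_vhost HOST DIR OUTFILE: Apache mod_ssl vhost (Debian: a2enmod ssl first)
write_vhost() {
  host="$1"; dir="$2"; out="$3"
  cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot /var/www/$host
    SSLEngine on
    SSLCertificateFile    $dir/$host.crt
    SSLCertificateKeyFile $dir/$host.key
    # refuse the broken protocol versions; only TLS 1.2 and newer remain
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
}

# cert_summary CRTFILE: subject and expiry, the fields to eyeball before deploying
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# trusted_by CRTFILE CAFILE: 0 if CRTFILE chains to CAFILE. A self-signed cert
# verifies only against itself, which is exactly why browsers reject it.
trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh apache-selfsigned.sh www.example.com /etc/ssl/example
# then:  apachectl configtest && systemctl reload apache2
# external check from another machine:
#   openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null
if [ $# -ge 2 ]; then
  make_cert "$2" "$1"
  write_vhost "$1" "$2" "/etc/apache2/sites-available/$1-ssl.conf"
  cert_summary "$2/$1.crt"
fi
```

The CSR step is the part that carries over to a real certificate: the CA signs the CSR and hands back a certificate for the key that never left the server, and the vhost only needs SSLCertificateFile swapped to the CA-issued file.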

Let’s Encrypt

What is encryption

Asymmetric vs Symmetric Encryption

Symmetric encryption uses the identical key to both encrypt and decrypt the data, so both parties must already possess that key and must keep it secret. Symmetric algorithms are much faster computationally than asymmetric ones, which is why they carry the bulk of the data in practice.

Asymmetric encryption uses two related keys (public and private) for data encryption and decryption, which removes the problem of sharing a secret key: the public key can be handed out openly, and the private key is never exposed. A message encrypted with the public key can only be decrypted by applying the same algorithm with the matching private key. What asymmetric encryption does not give you by itself is assurance that a public key really belongs to the party you think it does; that is the job of certificates and the CAs that sign them, covered below.

Secure Sockets Layer

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook). Its successor, TLS (Transport Layer Security), is what every current browser and server actually negotiates; "SSL" survives mostly in names such as mod_ssl and OpenSSL.

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Without it, data sent between browsers and web servers travels in plain text, leaving you vulnerable to eavesdropping: an attacker who can intercept the traffic between a browser and a web server can read and reuse that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; the SSL/TLS handshake negotiates which cipher suite protects the link, uses the server's certificate and asymmetric keys to authenticate the server and agree on a shared secret, and then encrypts the transmitted data with a faster symmetric cipher keyed from that secret.
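The two modes described under Asymmetric vs Symmetric Encryption, and the way the SSL protocol described just above combines them, run here with the openssl command line. This is an added example, not from the show or from Linux Academy; it assumes openssl 1.1.1 or newer (for -pbkdf2 and the pkeyutl OAEP option) and uses a made-up message. The hybrid function goes a step beyond the text: it is the pattern TLS uses, a fresh random symmetric key for the bulk data and the public key used only to wrap that small key:

```shell
#!/bin/sh
# Added example, not from the show notes: symmetric, asymmetric and hybrid
# encryption with the openssl CLI. Assumes openssl 1.1.1 or newer on PATH.
set -eu

# sym_encrypt PASSPHRASE INFILE OUTFILE / sym_decrypt PASSPHRASE INFILE OUTFILE
# One key works in both directions, so both parties must already share it.
# (pass: exposes the key in the process list; real scripts use -pass file: or env:)
sym_encrypt() { openssl enc -aes-256-cbc -pbkdf2 -pass "pass:$1" -in "$2" -out "$3"; }
sym_decrypt() { openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$1" -in "$2" -out "$3"; }

# asym_keypair DIR: the private key stays put, the public key can go to anyone
asym_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/priv.pem" 2>/dev/null
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}
# asym_encrypt PUBKEY INFILE OUTFILE: RSA-OAEP; input must stay under about 200 bytes,
# which is why asymmetric encryption is used for keys, not for the data itself
asym_encrypt() { openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"; }
# asym_decrypt PRIVKEY INFILE OUTFILE: only the matching private key can do this
asym_decrypt() { openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"; }

# sym_roundtrip ENC_PASS DEC_PASS MESSAGE: prints whatever decrypting with
# DEC_PASS yields; with the wrong passphrase that is nothing or garbage.
sym_roundtrip() {
  d=$(mktemp -d)
  printf '%s' "$3" > "$d/msg"
  sym_encrypt "$1" "$d/msg" "$d/msg.enc"
  # a wrong key usually trips the CBC padding check; do not rely on that as
  # an integrity check in real code, use an AEAD mode such as AES-GCM instead
  sym_decrypt "$2" "$d/msg.enc" "$d/msg.dec" 2>/dev/null || true
  cat "$d/msg.dec" 2>/dev/null || true
  rm -rf "$d"
}

# asym_roundtrip MESSAGE: encrypt with the public key, decrypt with the private key
asym_roundtrip() {
  d=$(mktemp -d)
  printf '%s' "$1" > "$d/msg"
  asym_keypair "$d"
  asym_encrypt "$d/pub.pem" "$d/msg" "$d/msg.enc"
  # pkeyutl -decrypt with pub.pem would fail: the public key cannot reverse this
  asym_decrypt "$d/priv.pem" "$d/msg.enc" "$d/msg.dec"
  cat "$d/msg.dec"
  rm -rf "$d"
}

# hybrid_roundtrip MESSAGE: TLS in miniature. The sender picks a random session
# key, encrypts the bulk data symmetrically, and wraps only the session key with
# the recipient's public key. Prints the message the recipient recovers.
hybrid_roundtrip() {
  d=$(mktemp -d)
  printf '%s' "$1" > "$d/msg"
  asym_keypair "$d"                                 # recipient's long-term key pair
  openssl rand -hex 32 > "$d/session.key"           # sender: fresh 256-bit session key
  sym_encrypt "$(cat "$d/session.key")" "$d/msg" "$d/msg.enc"
  asym_encrypt "$d/pub.pem" "$d/session.key" "$d/session.key.enc"
  # msg.enc and session.key.enc travel over the wire; only priv.pem can unwrap the key
  asym_decrypt "$d/priv.pem" "$d/session.key.enc" "$d/session.key.dec"
  sym_decrypt "$(cat "$d/session.key.dec")" "$d/msg.enc" "$d/msg.dec"
  cat "$d/msg.dec"
  rm -rf "$d"
}
```

In a real handshake the session key is agreed by a key exchange rather than wrapped with RSA, and the server's public key arrives inside a certificate; the division of labour is the same.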

Let’s Encrypt

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.
No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

This page describes how to carry out the most common certificate management functions using the Let’s Encrypt client. You’re welcome to use any compatible client, but we only provide instructions for using the client that we provide.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate
    at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

  • Welcome to the Let’s Encrypt client documentation! — Let’s Encrypt 0.2.0.dev0 documentation

  • Caddy 0.8 Released with Let’s Encrypt Integration

Today, I’m very excited to announce Caddy 0.8! It features automatic HTTPS, zero-downtime restarts, and the ability to embed Caddy in your own Go programs.

— PICKS —

Runs Linux

George’s Hacked Acura, Runs Linux

He’s been keeping the project to himself and is dying to show it off. We pace around the car going over the technology. Hotz fires up the vehicle’s computer, which runs a version of the Linux operating system, and strings of numbers fill the screen. When he turns the wheel or puts the blinker on, a few numbers change, demonstrating that he’s tapped into the Acura’s internal controls.

Desktop App Pick

Nuvola Player

Nuvola Player is a runtime for web-based music streaming services, providing a more native user experience and better integration with Linux desktop environments than usual web browsers can offer. It tries to look and feel as much like a native application as possible.

Sent in by Rikai

Weekly Spotlight

GDriveFS

GDriveFS is an innovative FUSE wrapper for Google Drive developed under
Python 2.7.

DOUBLE SPOTLIGHT

Block Spoilers for Star Wars

Force Block is safer than ever! Now, in addition to our standard pattern matching logic which requires a critical mass of related keywords to initiate a block, we’ve added a handful of instant-blocking keyphrases, sourced from people who have seen the film via early screenings. One of our engineers took one for the team punching those in! Ironic, he could save others from spoilers… but not himself.


— NEWS —

You Can Break Into a Linux System by Pressing Backspace 28 Times. Here’s How to Fix It

The researchers, Hector Marco and Ismael Ripoll from the Cybersecurity Group at Polytechnic University of Valencia, found that it’s possible to bypass all security of a locked-down Linux machine by exploiting a bug in the Grub2 bootloader. Essentially, hitting backspace 28 times when the machine asks for your username accesses the “Grub rescue shell,” and once there, you can access the computer’s data or install malware. Fortunately, Marco and Ripoll have made an emergency patch to fix the Grub2 vulnerability. Ubuntu, Red Hat, and Debian have all issued patches to fix it as well.

Linux is often thought of as a super secure operating system, but this is a good reminder to take physical security just as seriously as network security (if not more). Take extra care when your machine is around people you don’t know, especially if your system has sensitive data on it.

Description

A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.

Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices.

As shown in the picture, we successfully exploited this vulnerability in a Debian 7.5 under Qemu getting a Grub rescue shell.

Am I vulnerable?

To quickly check if your system is vulnerable, when Grub asks you for the username, press Backspace 28 times. If your machine reboots or you get a rescue shell then your Grub is affected.

Impact

An attacker who successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing:

  • Elevation of privilege: The attacker is authenticated without knowing a valid username or the password. The attacker has full access to the grub console (grub rescue).

  • Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB) and then, from a more comfortable environment, copy the full disk or install a rootkit.

  • Denial of service: The attacker is able to destroy any data including the grub itself. Even in the case that the disk is encrypted the attacker can overwrite it, causing a DoS.
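The advisory's own test is the 28 backspaces above. The script below is an added inventory check (not from the advisory or the show) for the two things an admin would want to know across a fleet: whether the installed GRUB reports a version in the 1.98 to 2.02 range the advisory names, and whether grub.cfg even has a superuser password set, since without one there is no authentication to bypass. It assumes the usual grub-install / grub2-install binaries and the /boot/grub/grub.cfg path. A version in range is only a prompt to read the package changelog: the Ubuntu, Red Hat and Debian fixes mentioned above are backports, so the upstream version string alone cannot show whether the fix is present.

```shell
#!/bin/sh
# Added example (not from the advisory or the show notes). Assumptions: the
# affected range is the 1.98..2.02 the advisory states; grub-install or
# grub2-install is on PATH; grub.cfg lives at /boot/grub/grub.cfg.
set -eu

# grub_version_in_range VERSION: 0 if the bare upstream version is 1.98 .. 2.02.
# Distro strings such as "2.02~beta2-36ubuntu3.23" or "2.02-0.34.el7" are
# reduced to "2.02" first; the suffix is where backported fixes hide, so a hit
# here means "read the package changelog", not "vulnerable".
grub_version_in_range() {
  ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  major=${ver%%.*}
  rest=${ver#*.}
  minor=$(printf '%s' "${rest%%.*}" | sed 's/^0*//')   # "02" -> "2", avoids octal
  minor=${minor:-0}
  case "$major" in
    1) [ "$minor" -ge 98 ] && return 0 ;;
    2) [ "$minor" -le 2 ] && return 0 ;;
  esac
  return 1
}

# grub_password_configured CFGFILE: 0 only if a superuser and a PBKDF2 password
# hash are set. Without them the menu and rescue shell are open to anyone at the
# keyboard already, which on a workstation is the more common finding.
grub_password_configured() {
  if grep -q '^set superusers=' "$1" && grep -q 'password_pbkdf2' "$1"; then
    return 0
  fi
  return 1
}

# grub_installed_version: prints the version token, e.g. "2.02~beta2-36ubuntu3.23"
grub_installed_version() {
  for tool in grub-install grub2-install; do
    if command -v "$tool" >/dev/null 2>&1; then
      "$tool" --version | sed 's/.*) //'     # "grub-install (GRUB) 2.06" -> "2.06"
      return 0
    fi
  done
  return 1
}

# report [CFGFILE]: one line per finding, for collection across machines
report() {
  cfg=${1:-/boot/grub/grub.cfg}
  if ver=$(grub_installed_version); then
    if grub_version_in_range "$ver"; then
      echo "grub $ver is in the 1.98-2.02 range: confirm the backspace fix is in the package changelog"
    else
      echo "grub $ver is outside the affected range"
    fi
  else
    echo "no grub-install found: check the bootloader version another way"
  fi
  if [ -r "$cfg" ] && grub_password_configured "$cfg"; then
    echo "superuser password is set in $cfg"
  else
    echo "no superuser password in $cfg: the boot menu is unauthenticated regardless of this bug"
  fi
}

# Usage: sh grub-check.sh --report [/boot/grub/grub.cfg]
if [ "${1:-}" = "--report" ]; then
  report "${2:-}"
fi
```

Whatever the version says, the physical-security point in the article stands: the denial-of-service item above is available to anyone with a bootable USB stick, password or not, unless firmware boot order is locked down as well.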

Linux Foundation assembles gang to build a better Blockchain

The Linux Foundation has decided the time is right to apply its special brand of collaboration to the Blockchain, the distributed ledger technology behind Bitcoin and other cryptocurrencies.

The Foundation is talking up the blockchain as a supply-chain enhancer and electronic-transaction-speeder-upper, thanks to its provision of a distributed ledger that has no central point of control and therefore allows secure peer-to-peer information exchange.

There’s a big group of backers in the financial, tech and business industries that have taken the next step to making blockchain move forward without ties to bitcoin.

But as Webster pointed out in her column, “if we kill bitcoin that means we will also kill and bury the blockchain since bitcoin is what keeps the blockchain alive.” Because bitcoin is the method of transport used by the blockchain to move data between the miners, there’s a case for why bitcoin’s blockchain has stuck around.

But big banks like JPMorgan, along with the support of IBM and Intel want to bury that vision and resurrect their own vision for what they envision to be a more productive use case for the concept of a distributed ledger. This is like a blockchain, but sans the bitcoin.

The goal of the Open Ledger Project is not to work in the cryptocurrency space, but rather to leverage the technology behind the distributed ledger in order to streamline business tools that enable transactions and documents to move between parties faster. Another goal of the project would be to create open ledgers that can decide who can access that ledger.

XDG-App Continues Maturing For GNOME App Sandboxing

XDG-App has made much progress and is found in a “tech preview” state for GNOME 3.18 but it’s not until GNOME 3.20 and later where things will get more interesting. Alexander Larsson has provided a “Christmas 2015” update concerning the project for GNOME sandboxing.

Google’s killing Chrome support for 32-bit Linux, Ubuntu 12.04, and Debian 7

In an update posted to the Chromium-dev mailing list, Google’s Dirk Pranke wrote:

“To provide the best experience for the most-used Linux versions, we will end support for Google Chrome on 32-bit Linux, Ubuntu Precise (12.04), and Debian 7 (wheezy) in early March, 2016. Chrome will continue to function on these platforms but will no longer receive updates and security fixes.

We intend to continue supporting the 32-bit build configurations on Linux to support building Chromium. If you are using Precise, we’d recommend that you upgrade to Trusty.”

Feedback:


Brought to you by: System76

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

Catch the show LIVE Friday:

Open Season on Swift | CR 182 https://original.jupiterbroadcasting.net/91246/open-season-on-swift-cr-182/ Mon, 07 Dec 2015 17:03:54 +0000

Ballmer calls out Microsoft’s bogus revenue numbers over Azure, & we expand on his point to discuss an overall trend towards “hero CEOs”.

But the majority of our discussion this week is around the open sourcing of Swift, what Apple got really right & what areas still really need improvement.

Plus the real possibility of replacing your laptop with a large tablet, starting your first app the “easy way” vs the “hard way” & more!


Show Notes:

Hoopla:

Ballmer: Microsoft’s cloud revenue numbers are “bullshit”

Rather than reporting these figures, Microsoft has reported its annualized revenue run rate, a hypothetical value that describes what the company’s revenue would be if the current level of sales were sustained over the full year.

Swift.org – Welcome to Swift.org


We are excited by this new chapter in the story of Swift. After Apple unveiled the Swift programming language, it quickly became one of the fastest growing languages in history. Swift makes it easy to write software that is incredibly fast and safe by design. Now that Swift is open source, you can help make the best general purpose programming language available everywhere.

Not only is Swift on GitHub, but the Swift team will be working completely in the open. Apple did a spectacular job with the release. Not only do we have the source code, but we have the entire commit history for each project, a very detailed view into the Swift team’s development process, and access to the Swift evolution process. Everything you need to know is on Swift.org.

initial checkin, nothing much to see here.

The Swift Package Manager is a tool for managing the distribution of Swift code. It’s integrated with the Swift build system to automate the process of downloading, compiling, and linking dependencies.

TL;DR: Apache 2.0 License + Full Standard and Core Libraries included + Compiler + copyright owned by the contributor (i.e. no assignment or CLA) + good community structure and documentation + code of conduct.

Saying goodbye to Carousel and Mailbox

We’re committed to making the transitions from these products as painless as possible. We’ve posted more information on the Carousel blog and the Mailbox blog, and we’ll be communicating details directly to users of both apps in the coming days. Mailbox will be shut down on February 26th, 2016, and Carousel will be shut down on March 31st, 2016.

The post-pivot startup cost the storage company “well over” $50 million, according to multiple sources. And we’ve heard that the price was around $100 million in cash and stock.

Gmail in the Black Tank | LAS 382 https://original.jupiterbroadcasting.net/87616/gmail-in-the-black-tank-las-382/ Sun, 13 Sep 2015 09:42:44 +0000

After the last straw Noah dumps Gmail, shares his battle and solution & Chris runs down five great open source Gmail alternatives.

Plus why Dell stopped shipping the XPS 13 in Europe, a big update to a Linux video editor, the news of the week & more!


— Show Notes: —


Brought to you by: System76

Open source webmail clients for browser-based email

Gmail has enjoyed phenomenal success, and regardless of which study you choose to look at for exact numbers, there’s no doubt that Gmail is towards the top of the pack when it comes to market share. For certain circles, Gmail has become synonymous with email, or at least with webmail. Many appreciate its clean interface and the simple ability to access their inbox from anywhere.

But Gmail is far from the only name in the game when it comes to web-based email clients. In fact, there are a number of open source alternatives available for those who want more freedom, and occasionally, a completely different approach to managing their email without relying on a desktop client.

Let’s take a look at just a few of the free, open source webmail clients out there available for you to choose from.

FastMail: Fast, reliable email

FastMail is the choice of over 100,000 individuals, families and businesses. We deliver the highest standards of security, privacy and reliability for your email, calendars and contacts, backed up by our exemplary 15-year track record.

KolabNow

With over 108 billion business emails sent daily, email is the backbone of professional communication. Kolab provides the email, contact and file sharing functionality that empowers enterprise communication.

Looking for a fully featured collaboration and communication platform? Seeking the convenience of the cloud, without having to worry about who else might have access? Want to ensure that your data is stored only in a single legislation, with highest barriers to data disclosure? Kolab Now is that service.

Safeguard your professional and personal data with Kolab Now. Enjoy the world’s best privacy legislation and terms of service that put you first. All of this with a feature set complete enough to run your entire business collaboration.

DarkMail

Silent Circle and Lavabit are developing a new way to do email with end-to-end encryption. We welcome like-minded organizations to join our alliance.

To bring the world our unique end-to-end encrypted protocol and architecture that is the ‘next-generation’ of private and secure email. As founding partners of The Dark Mail Technical Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the world’s first end-to-end encrypted ‘Email 3.0’ throughout the world’s email providers. Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind.

— PICKS —

Runs Linux

Shanghai Subway Runs Linux

Hi guys, for 5 years I’ve been living in Shanghai and I suddenly discovered that Ubuntu is running the streaming TV in Shanghai’s subway! Here are a few links to the pictures

https://i.imgur.com/DFynJVU.jpg


https://i.imgur.com/EBbfytP.jpg

a link to the incredible expansion of the shanghai’s subway
https://upload.wikimedia.org/wikipedia/commons/thumb/9/9f/SHM_evolution_mid.gif/400px-SHM_evolution_mid.gif

Sent in by Dasti

Desktop App Pick

Lighttable
  • Connects you to your creation with instant feedback and showing data values flow through your code.

  • Easily customizable from keybinds to extensions to be completely tailored to your specific project.

  • Try new ideas quickly and easily. Ask questions about your software, to give you a more profound understanding of your code.

  • Embed anything you want, from graphs to games to running visualizations.

  • Everything from eval and debugging to a fuzzy finder for files and commands to fit seamlessly into your workflow.

  • An elegant, lightweight, beautifully designed layout so your IDE is no longer cluttered.

LightTable in Action

Weekly Spotlight

Flowblade 1.2

Flowblade 1.2 is the ninth release of Flowblade.

  • Flowblade has now been ported to GTK3.

  • The process was not as straightforward as one might think but eventually everything worked out. There always seemed to be just one more little change in API that required all instances to be fixed by hand. Luckily there was a conversion script available that did most of the grunt work to get things going.

  • We did get something in return. A small but perceptible responsiveness improvement was gained, probably because GTK3 provides a Cairo widget for creating custom widgets that is now used instead of the project-specific Cairo widget that was used before. GTK3 also seems to render widgets a bit crispier.

  • I really hope that major API-breaking version jumps for widget toolkits are avoided as much as possible. Projects with a large interface and small manpower can really suffer here.

  • There were some other major developments during the cycle too:

  • All rendering was moved out of process as the in-process rendering was found to not work correctly in some cases.

  • Dark theme support was improved. It is now possible to use a dark theme just by setting a preference if the GTK3 theme used has a dark variant available.

  • Small screen support has been upgraded. The application now works better on 768px-height screens.

Spokane Roadtrip Meetup


— NEWS —

Dell XPS 13 Developer Edition No Longer Available for Sale in Europe

“Unfortunately Europe has already run through their forecasted inventory (they sold better than we expected). The US still has inventory on hand. Because there will be a next gen coming out we won’t be getting any more of this model. Thanks for the support!” wrote Dell’s Barton George on his website. He’s the same guy who announced that the XPS 13 was brought back to the shop a while back.

Mozilla: data stolen from hacked bug database was used to attack Firefox

Mozilla added that the attacker accessed 185 non-public Firefox bugs, of which 53 involved “severe vulnerabilities.” Ten of the vulnerabilities were unpatched at the time, while the remainder had been fixed in the most recent version of Firefox at the time.

Attack code exploiting Android’s critical Stagefright bugs is now public

The critical flaws, which reside in an Android media library known as libstagefright, give attackers a variety of ways to surreptitiously execute malicious code on unsuspecting owners’ devices. The vulnerabilities were privately reported in April and May and were publicly disclosed only in late July. Google has spent the past four months preparing fixes and distributing them to partners, but those efforts have faced a series of setbacks and limitations.

We Did It!! (Mycroft was successfully funded!) – YouTube

We have successfully funded our Kickstarter campaign! Let us thank you and learn about what’s in store for the Mycroft team! Remember to check out our Kickstarter at: https://mycroft.ai/kickstarter

Feedback:

Road Trip Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.


Any Cert Will Do | TechSNAP 208 https://original.jupiterbroadcasting.net/79867/any-cert-will-do-techsnap-208/ Thu, 02 Apr 2015 16:51:51 +0000

Why boring technology might be the better choice, Google revokes & China chokes, why you want to create an account at irs.gov before crooks do it for you.

Plus your great IT questions, a rocking round up & much, much more!


— Show Notes: —

Why you should choose boring technology

  • The basic premise is that in building technology, specifically web sites and web services, there is often a bias towards using the latest and greatest technology, rather than the same old boring stuff
  • This often turns out to bite you in the end. Look at people who based their site or product on FoundationDB, which was recently bought and shutdown by Apple
  • Look at one of the most popular sites on the internet, Facebook, originally written in PHP and MySQL, and still largely remains based on those same old technologies
  • “The nice thing about boringness (so constrained) is that the capabilities of these things are well understood. But more importantly, their failure modes are well understood.”
  • “Anyone who knows me well will understand that it’s only with an overwhelming sense of malaise that I now invoke the spectre of Don Rumsfeld, but I must.”
  • “When choosing technology, you have both known unknowns and unknown unknowns”
  • The Socratic paradox
  • A known unknown is something like: we don’t know what happens when this database hits 100% CPU.
  • An unknown unknown is something like: geez it didn’t even occur to us that writing stats would cause GC pauses.
  • “Both sets are typically non-empty, even for tech that’s existed for decades. But for shiny new technology the magnitude of unknown unknowns is significantly larger, and this is important.”
  • The advantage to using boring technology is that more people understand how it works, more people understand how it fails, more people have come before you, tried to do something similar to what you are doing
  • You won’t find the answer on Stack Overflow if you are the first person to try it
  • “One of the most worthwhile exercises I recommend here is to consider how you would solve your immediate problem without adding anything new. First, posing this question should detect the situation where the “problem” is that someone really wants to use the technology. If that is the case, you should immediately abort.”
  • People like new toys and new challenges
  • Businesses should try to avoid new costs and new risks
  • Adding a new technology is not a bad thing, but first consider if the goal can be accomplished with what you already have

Google revokes CNNIC root certificate trust

  • On March 20th Google security engineers noticed a number of unauthorized certificates being used for Gmail and other Google domains
  • The certificates were issued by a subordinate CA, MCS Holdings
  • “Established in 2005, MCS (Mideast Communication Systems) offers Value Added Distribution focusing on Networking and Automation businesses.”
  • MCS Holdings makes firewalls and other network appliances
  • MCS got its subordinate CA certificate from CNNIC (Chinese Internet Network Information Center)
  • “CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.”
  • Google added the MCS certificate to its revocation list so it would no longer be trusted
  • “CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system”
  • Google accepted the explanation as the truth, but is unsatisfied with the situation
  • “This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it.”
  • CNNIC has specific obligations it must fulfill in order to be a trusted CA
  • The CA/Browser Forum sets the policies agreed upon for signing new trusted certificates
  • Mozilla has an existing policy that enumerates the possible problems and their immediate and potential consequences
  • “Update – April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
  • CNNIC has released an official statement calling Google’s actions “unacceptable”
  • Mozilla is considering similar actions:
    • Reject certificates chaining to CNNIC with a notBefore date after a threshold date
    • Request that CNNIC provide a list of currently valid certificates and publish that list so that the community can recognize any back-dated certs
    • Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list)
    • If CNNIC’s re-application is unsuccessful, then their root certificates will be removed
  • The Mozilla community feels that CNNIC needs more than a slap on the wrist, so that other CAs (and governments) get the message that this type of behaviour is unacceptable
  • Google reiterates the need for the Certificate Transparency project
  • “Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.”
  • Additional Coverage – Ars Technica

Sign up for an account at irs.gov before crooks do it for you

  • “If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.”
  • “Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.”
  • “Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.”
  • The fraudster filed the new return using nearly identical data to the correct information that the victim had filed the previous year
  • The victim suspects that the fraudster was able to use the irs.gov portal to view his previous returns and extract information from them to file the fraudulent return
  • The fraudster files a corrected W-2 to adjust the withholding amount, to get a bigger refund
  • The story goes on into details about the case, including the college student that was used as a money mule
  • “The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.”
  • In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.
  • In Canada, to get access to your CRA Account, a passcode is mailed to you, at the current address the government already has on file for you
  • In order to gain access to your account, you also must answer more specific questions than just KBAs, usually including things like “the number from line 350 of your 2013 tax return”

Feedback:


Round Up:


The post Any Cert Will Do | TechSNAP 208 first appeared on Jupiter Broadcasting.

Two Factor Falsification | TechSNAP 206
https://original.jupiterbroadcasting.net/79162/two-factor-falsification-techsnap-206/
Thu, 19 Mar 2015 18:47:44 +0000


Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.

Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Microsoft took 4 years to recover privileged TLS certificate addresses

  • The way TLS certificates are issued currently is not always foolproof
  • In order to get a TLS certificate, you must prove you own the domain that you are attempting to request the certificate for
  • Usually this is done by sending an email to one of the administrative addresses at the domain, like postmaster@, hostmaster@, administrator@, or abuse@
  • The problem comes when webmail services, like Hotmail, allow these usernames to be registered by ordinary users
  • That is exactly what happened with Microsoft’s live.be and live.fi
  • A Finnish man reported to Microsoft that he had been able to get a valid HTTPS certificate for live.fi by registering the address hostmaster@live.fi
  • It took Microsoft four to six weeks to solve the problem
  • Additional Coverage – Ars Technica
  • When this news story came out, another man, from Belgium, came forward to say he reported the same problem with live.be over 4 years ago
  • “After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”

Bypass 2 factor authentication in popular ‘Authy’ app

  • Authy is a popular reusable 2 factor authentication API
  • It allows 3rd party sites to easily implement 2 factor authentication
  • Maybe a little too easily
  • When asked for the verification code that is sent to your phone after a request to Authy is received, simply entering ../sms gives you access to the application
  • The problem is that the 3rd party sites send the request, and just look for a ‘success’ response
  • However, because the input is interpreted in the URL, the number you enter is not fed to: https://api.authy.com/protected/json/verify/1234/authy_id as it is expected to be
  • But rather, the url ends up being: https://api.authy.com/protected/json/verify/../sms/authy_id
  • Which is actually interpreted by the Authy API as: https://api.authy.com/protected/json/sms/authy_id
  • This API call is the one used to actually send the code to the user
  • This call sends another token to the user and returns success
  • The 3rd party application sees the ‘success’ part, and allows the user access
  • It seems like a weak design. There should be some kind of token that is returned and verified, or the implementation instructions for the API should be explicit about checking for "token":"is valid" rather than just "success":true
  • Also, the middleware should probably not unescape and parse the user input
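As an added example (not the Authy API's code, its SDK, or anything from the show), the following Python models the path confusion described above with a constructed stand-in for the two endpoints, and places the vulnerable integration pattern beside a hardened one; the 4-to-8-digit token format and the response fields are assumptions.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

# Base URL quoted in the show notes; everything below that simulates Authy's
# behaviour is a constructed stand-in, not the real API or its SDK.
AUTHY_BASE = "https://api.authy.com/protected/json"

# Assumption: a valid one-time code is 4 to 8 digits (the notes use 1234 as a
# placeholder). Anything else never reaches the network.
TOKEN_RE = re.compile(r"[0-9]{4,8}")


def resolved_path(url):
    """Collapse dot-segments the way an HTTP server does before routing."""
    return posixpath.normpath(urlsplit(url).path)


def fake_authy_api(url, expected_token="1234"):
    """Constructed stand-in for the two endpoints named in the show notes.

    /verify/<token>/<authy_id> checks the code; /sms/<authy_id> only sends a
    fresh code and, as described above, still reports success.
    """
    segments = resolved_path(url).strip("/").split("/")
    # segments[0:2] are "protected", "json"; segments[2] selects the action.
    action = segments[2] if len(segments) > 2 else ""
    if action == "sms" and len(segments) == 4:
        return {"success": True, "message": "SMS token was sent"}
    if action == "verify" and len(segments) == 5:
        if segments[3] == expected_token:
            return {"success": True, "token": "is valid"}
        return {"success": False, "errors": {"message": "Token is invalid"}}
    return {"success": False, "errors": {"message": "not found"}}


def verify_naive(user_input, authy_id):
    """The pattern the notes describe: raw input in the path, only 'success' checked."""
    url = f"{AUTHY_BASE}/verify/{user_input}/{authy_id}"
    return fake_authy_api(url).get("success") is True


def verify_hardened(user_input, authy_id):
    """Three fixes from the notes: validate the input, never let it alter the
    path, and require the verify-specific field rather than a bare success."""
    if not TOKEN_RE.fullmatch(user_input):
        return False
    url = (f"{AUTHY_BASE}/verify/{quote(user_input, safe='')}"
           f"/{quote(str(authy_id), safe='')}")
    # Defence in depth: the request must still route to the verify endpoint.
    if not resolved_path(url).startswith("/protected/json/verify/"):
        return False
    resp = fake_authy_api(url)
    return resp.get("success") is True and resp.get("token") == "is valid"


if __name__ == "__main__":
    print("naive, real code   :", verify_naive("1234", 42))       # True
    print("naive, ../sms      :", verify_naive("../sms", 42))     # True, the bypass
    print("hardened, ../sms   :", verify_hardened("../sms", 42))  # False
    print("hardened, real code:", verify_hardened("1234", 42))    # True
```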

Hijacking a domain

  • An article where a reporter had a security researcher steal his GoDaddy account, and document how it was done
  • A combination of social engineering, publicly available information, and a photoshopped government ID allowed the security researcher to take over the GoDaddy account, and all of the domains inside of it
  • This could allow an attacker to:
    • inject malware into your site
    • redirect your email, capturing password reset emails from other services
    • redirect traffic from your website to their own
    • issue new SSL certificates for your sites, allowing them to perform man-in-the-middle attacks on your visitors with a valid SSL certificate
  • Some of the social engineering steps:
    • Create a fake social media profile in the name of the victim (with the fake picture of them)
    • Create a Gmail address in the name of the victim
    • Call and use myriad plausible excuses for why you do not have the required information:
    • "Please provide your PIN." I don’t remember setting up a PIN
    • My assistant registered the domain for me, so I don’t have access to the email address used
    • My assistant used the credit card ending in: 4 made-up numbers
    • Create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
    • GoDaddy requires additional verification if the domain is registered to a business; however, since many people make up a business name when they register a domain, it is very common for these businesses to not actually exist, and there are loopholes
    • Often, you can create a letter on a fake letterhead, and it will be acceptable
  • In the end, customer support reps are there to help the customer; it is usually rather difficult for them to get away with refusing to help a customer because they lack the required details or seem suspicious
  • GoDaddy’s automated system sends notifications when changes are made; however, in this case it is often too late, as the attacker has already compromised your account
  • GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
  • It appears that Hover.com (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
  • GoDaddy notes that forging government ID (in photoshop or otherwise) is illegal

Feedback:


Round Up:


It’s HAMMER Time | BSD Now 53
https://original.jupiterbroadcasting.net/65947/its-hammer-time-bsd-now-53/
Thu, 04 Sep 2014 10:26:17 +0000


It’s our one year anniversary episode, and we’ll be talking with Reyk Floeter about the new OpenBSD webserver – why it was created and where it’s going. After that, we’ll show you the ins and outs of DragonFly’s HAMMER FS. Answers to viewer-submitted questions and the latest headlines, on a very special BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

FreeBSD foundation’s new IPSEC project

  • The FreeBSD foundation, along with Netgate, is sponsoring some new work on the IPSEC code
  • With bandwidth in the 10-40 gigabit per second range, the IPSEC stack needs to be brought up to modern standards in terms of encryption and performance
  • This new work will add AES-CTR and AES-GCM modes to FreeBSD’s implementation, borrowing some code from OpenBSD
  • The updated stack will also support AES-NI for hardware-based encryption speed ups
  • It’s expected to be completed by the end of September, and will also be in pfSense 2.2

NetBSD at Shimane Open Source Conference 2014

  • The Japanese NetBSD users group held a NetBSD booth at the Open Source Conference 2014 in Shimane on August 23
  • One of the developers has gathered a bunch of pictures from the event and wrote a fairly lengthy summary
  • They had NetBSD running on all sorts of devices, from Raspberry Pis to Sun Java Stations
  • Some visitors said that NetBSD had the most chaotic booth at the conference

pfSense 2.1.5 released

  • A new version of the pfSense 2.1 branch is out
  • Mostly a security-focused release, including three web UI fixes and the most recent OpenSSL fix (which FreeBSD has still not patched in -RELEASE after nearly a month)
  • It also includes many other bug fixes, check the blog post for the full list

Systems, Science and FreeBSD

  • Our friend George Neville-Neil gave a presentation at Microsoft Research
  • It’s mainly about using FreeBSD as a platform for research, inside and outside of universities
  • The talk describes the OS and its features, ports, developer community, documentation, who uses BSD and much more

Interview – Reyk Floeter – reyk@openbsd.org / @reykfloeter

OpenBSD’s HTTP daemon


Tutorial

A crash course on HAMMER FS


News Roundup

OpenBSD’s rcctl tool usage

  • OpenBSD recently got a new tool for managing /etc/rc.conf.local in -current
  • Similar to FreeBSD’s “sysrc” tool, it eliminates the need to manually edit rc.conf.local to enable or disable services
  • This blog post – from a BSD Now viewer – shows the typical usage of the new tool to alter the startup services
  • It won’t make it to 5.6, but will be in 5.7 (next May)

pfSense mini-roundup

  • We found five interesting pfSense articles throughout the week and wanted to quickly mention them
  • The first item in our pfSense mini-roundup details how you can stream Netflix in non-US countries using a “smart” DNS service
  • The second post talks about setting up IPv6, in particular if Comcast is your ISP
  • The third one features pfSense on Softpedia, a more mainstream tech site
  • The fourth post describes how to filter HTTPS traffic with Squid and pfSense
  • The last article describes setting up a VPN using the “tinc” daemon and pfSense
  • It seems to be lesser known, compared to things like OpenVPN or SSH tunnels, so it’s interesting to read about
  • This pfSense HQ website seems to have lots of other cool pfSense items, check it out

OpenBSD’s new buffer cache

  • OpenBSD has traditionally used the tried-and-true LRU algorithm for buffer cache, but it has a few problems
  • Ted Unangst has just switched to a new algorithm in -current, partially based on 2Q, and details some of his work
  • Initial tests show positive results in terms of cache responsiveness
  • Check the post for all the fine details

BSDTalk episode 244

  • Another new BSDTalk is up and, this time around, Will Backman interviews Ken Moore, the developer of the new BSD desktop environment
  • They discuss the history of development, differences between it and other DEs, lots of topics
  • If you’re more of a visual person, fear not, because…
  • We’ll have Ken on next week, including a full “virtual walkthrough” of Lumina and its applications

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • We want to give a huge thank you to our viewer Toby for writing this week’s tutorial
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Linux Fear-Mongering | Tech Talk Today 52
https://original.jupiterbroadcasting.net/65907/linux-fear-mongering-tech-talk-today-52/
Thu, 04 Sep 2014 09:35:57 +0000


We cover the latest from the IFA consumer electronics shows where the next major mobile devices are being showcased, the big new virtual reality backer & the Sony bump.

Plus we’ll discuss the inaccurate Linux security story floating around the net & more!


Show Notes:

IFA (Internationale Funkausstellung) is an annual consumer electronics show held in Berlin, Germany, which often serves as a launching platform for smartphone and tablet manufacturers. Think of it as a mini-Mobile World Congress. Last year’s IFA hosted the launch of the Samsung Galaxy Note 3 and Galaxy Gear, among others. This year’s event officially runs from Sept. 5-10, but we’re expecting many of the larger announcements to be made in the couple of days before IFA officially begins.

The Galaxy Note Edge is a flagship phone with an entirely new kind of curved display | The Verge

Samsung has introduced the Note 4, a 5.7-inch phone with a 1440p SuperAMOLED display coming in October.


The Note Edge is, on paper at least, only the slightest variation on the new Note 4. It has the same metallic design. It has the same 16-megapixel camera, the same heart-rate monitor, the same processor, the same memory, the same software. It even has a Quad HD, 2560 x 1440 display like the Note 4, though this one is slightly smaller at 5.6 inches rather than 5.7.


It’s on the right side of the phone’s front face that a sharp difference appears between the two models. The screen starts to slope downward, falling off toward the edge and wrapping around the side. It’s as if two screens have been connected to each other at an acute angle, but there’s only one display here. The asymmetry of the phone feels a little odd, like I chipped part of the right side off by accident, but it doesn’t really hurt the aesthetic appeal of the phone. It’s still very comfortable, the metal body both solid and dense, and I like the way the screen curls under my right thumb. (If you’re a lefty, using the Note Edge in one hand is going to be terrible — but then again using a Note in one hand is already terrible.)

Sony announces its latest flagship smartphone, the Xperia Z3

You’ll find a 5.2-inch, 1080p display, a 20.7-megapixel camera and waterproofing. (Same as the Z2)

Sony has also added a new, wide-angle 25mm lens (to fit more into a shot) and extra-high ISO 12,800 light sensitivity.

A 2.5GHz Snapdragon 801 processor instead of the 2.3GHz chip you saw in the Z2.

Price and carriers will be announced in the fall.

Samsung and Oculus partner to create Gear VR, a virtual reality headset that uses the Note 4 (hands-on)

Samsung’s getting in on the virtual reality action, announcing Gear VR at IFA 2014 today in Berlin, Germany. Gear VR is a virtual reality headset with a removable front cover where Samsung’s newly announced Note 4 slips in, acting as the screen. Paired with adjustable lenses built into the headset

  • Built in Camera
  • No wires (that means no PC to drive it either)
  • Touch Pad
  • Good build

The only information on availability is “this year,” and there is no price just yet; it’ll be available for purchase online and through “select carriers.” Considering how low-tech Gear VR is, and the fact that Samsung’s pushing a product into a market that doesn’t really exist just yet, I expect the company will aim as low as possible in terms of pricing.

When you do get one, it comes with a 16GB microSD preloaded with a variety of “360-degree videos and 3D movie trailers from major studios” (that’ll go into the Note 4, naturally). Oh, and you’ll need a Note 4 (not a Note 4 Edge — just the Note 4), as Gear VR is built to work with only that device.

Linux systems infiltrated and controlled in a DDoS botnet

Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals.

The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities.

Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet.

A post-infection indication is a payload named .IptabLes or .IptabLex located in the /boot directory. These script files run the .IptabLes binary on reboot.

The malware also contains a self-updating feature that causes the infected system to contact a remote host to download a file. In the lab environment, an infected system attempted to contact two IP addresses located in Asia.

“We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems,” said Stuart Scholly, senior VP and GM, Security Business Unit, Akamai.

Android’s Leaky Sandbox | Tech Talk Today 35
https://original.jupiterbroadcasting.net/63377/androids-leaky-sandbox-tech-talk-today-35/
Wed, 30 Jul 2014 09:31:13 +0000


An Android flaw from 2010 allows any app to break out of the Android sandbox. But is it really a threat in practice? We’ll dig in.

The Podcast patent troll takes it on the nose, and some highlights from the Gnome development conference this week.


Show Notes:

Android crypto blunder exposes users to highly privileged malware | Ars Technica

This is the issue in a nutshell.

The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.

The app simply needs to claim that it is Adobe Flash, and it gets to break out of the sandbox.


The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.

Google’s Response to Ars

After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

The Reality of the Situation

First, a patch has been sent to OEMs and AOSP, but with Android’s abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed. This means two things.

First, that there are no applications in Google Play that exploit this issue. If you stick to Google Play, you’re safe from this issue, period. No ifs and buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.

A new Android design error discovered by Bluebox Security allows malicious apps to grab extensive control over a user’s device without asking for any special permissions at installation. The problem affects virtually all Android phones sold since 2010.

The vulnerability in the Android code that allows “Fake ID” was first noticed in the now dormant Adobe Flash integration, which had been present since 2010 and was only patched with the arrival of Android 4.4 KitKat earlier this year. The flaw is so deeply embedded in Android that it can affect all forks of the Android Open Source Project including Amazon’s Fire OS.

Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.

Podcasting patent troll: We tried to drop lawsuit against Adam Carolla | Ars Technica

In a statement released today, Personal Audio says that Carolla, who has raised more than $450,000 from fans to fight the case, is wasting their money on an unnecessary lawsuit. The company, which is a “patent troll” with no business other than lawsuits, has said Carolla just doesn’t care since his fans are paying his lawyers’ bills.

“Adam Carolla’s assertions that we would destroy podcasting were ludicrous on their face,” said Personal Audio CEO Brad Liddle. “But it generated sympathy from fans and ratings for his show.”


According to Personal Audio, they’ve lost interest in suing podcasters because the podcasters—even one of Adam Carolla’s size—just don’t make enough money for it to care.

“[Personal Audio] was under the impression that Carolla, the self-proclaimed largest podcaster in the world, as well as certain other podcasters, were making significant money from infringing Personal Audio’s patents,” stated the company. “After the parties completed discovery, however, it became clear this was not the case.”


Personal Audio also says it has a patent covering playlists.


Personal Audio has already dropped its lawsuits against two other podcasting defendants from the case (Togi Net and How Stuff Works) apparently without getting paid anything.

The patent company is charging ahead with its patent case against the big three television networks, CBS, NBC, and ABC. Personal Audio is trying to wring a royalty from those companies for releasing video “episodic content” over the Internet.

In response, Carolla sent Ars a statement saying he’ll continue to pursue counterclaims against Personal Audio, seeking to invalidate the patent “so that Personal Audio cannot sue other podcasters for infringement of US Patent 8,112,504.” Lotzi (Carolla’s company) has already “incurred hundreds of thousands of dollars in fees and expenses to defend itself” against the Personal Audio patents.

GUADEC 2014, Day Four: Hardware, New IDE for GNOME | Fedora Magazine

The fourth day of GUADEC was devoted to hardware and its interaction with the desktop. The first talk was “Hardware Integration, The GNOME Way” by Bastien Nocera, who has been a contributor to GNOME and Fedora for many years.

Performance Testing on Actual Hardware

Owen Taylor talked about continuous-integration performance testing on actual hardware. According to Owen, continuous performance testing is very important: it makes performance regressions easier to find because the delta between the code tested last time and the code tested now is much smaller, so there are far fewer commits to investigate.

He noted that desktop performance testing in VMs is not very useful, which is why he has several physical machines connected to a controller that downloads new builds of GNOME Continuous and installs them on the connected machines. The testing can be controlled by the GNOME Hardware Testing app Owen has created. And what is tested?


Here are the metrics currently used:

  • time from boot to desktop
  • time to redraw the entire empty desktop
  • time to show the overview
  • time to redraw the overview with 5 windows
  • time to show the application picker
  • time to draw a frame in a test application
  • time to start gedit

Tests are scripted right in the shell (JavaScript) and events are logged with timestamps. The results are uploaded to perf.gnome.org. In the future, he’d like to have results in the graph linked to particular commits (tests are triggered after every commit), have more metrics (also covering features in apps), and assemble more machines of various kinds (laptops, ARM devices, …).


Builder: a new IDE for GNOME

The last talk of the day was “Builder, a new IDE for GNOME” by Christian Hergert. Christian started the talk by clearly stating what Builder is not intended to be: a generic IDE (use Eclipse, Anjuta, MonoDevelop, … instead). It most likely won’t support plugins either. Builder should be an IDE specializing in GNOME development.

Here are some characteristics of Builder:

  • components are broken into services, and services are contained in sub-processes,
  • uses basic autotools management,
  • the source editor uses GtkSourceView,
  • has code highlighting and auto-completion,
  • cross-referencing and change tracking,
  • snippets,
  • auto-formatting,
  • distraction-free mode,
  • Vim/Emacs integration may be possible,
  • the UI designer will use Glade and integrate GTK+ Inspector,
  • Builder will also contain a resource manager, a simulator (something similar to Boxes, using OSTree), a debugger, a profiler, and source control.

After naming all of Builder’s characteristics, Christian demoed a prototype.

For Later Reading Pick:

Feedback:

Hey Guys at Jupiter Broadcasting. Just wanted to put a bit more info to you that I saw on Tech Talk Today about the Copyright Act that’s being brought into Australia. Someone mentioned that “Netflix could come in” and make some serious money. Netflix would be awesome if our Internet Infrastructure wasn’t at a maximum of 12Mbps speeds (If you are lucky).

On a good day (and I’ve got some of the best net here) I get around 8Mbps down. Netflix wouldn’t be viable because it wouldn’t be available to even 30% of the country. We have Foxtel (like SKY / Cable) which is Premium Paid TV and costs a FORTUNE. It’s still not viable.

In regards to the Copyrighting, the Government also has it all wrong. The number one reason that I am always told by people I know as to why they pirate TV shows, movies and Games, is that the pricing of this stuff over here is unbelievable. For instance, the box set of Star Trek: The Next Generation will cost you over US$250 if you convert the costs, depending if it’s on special / discount or not.

Either way, you guys were spot on. Keep up the great work, Love the show, and a big shoutout from Australia! CRIKEY! (we don’t actually say that, so don’t get fooled by the stereotype). And no I don’t have a pet Kangaroo (not anymore).

The post Android's Leaky Sandbox | Tech Talk Today 35 first appeared on Jupiter Broadcasting.

Always Be Coding | CR 98 https://original.jupiterbroadcasting.net/55527/always-be-coding-cr-98/ Mon, 21 Apr 2014 09:45:14 +0000 https://original.jupiterbroadcasting.net/?p=55527 Chris and Mike face the limitations of remote workers, and the challenges they’ve experienced. We take your live calls, and discuss the awesome projects you’re working on. Why you should write code every day, the hard numbers about mobile games, and more!

The post Always Be Coding | CR 98 first appeared on Jupiter Broadcasting.


— Show Notes: —

Feedback

Dev Hoopla

Most Mobile Game Players Quit After One Day

John Resig – Write Code Every Day

I consider this change in habit to be a massive success and hope to continue it for as long as I can. In the meantime I’ll do all that I can to recommend this tactic to others who wish to get substantial side project work done.
John Resig is the Dean of Computer Science at Khan Academy and the creator of the jQuery JavaScript library. He’s also the author of the books Pro JavaScript Techniques and Secrets of the JavaScript Ninja.

Open Source, Closed Wallets | CR 97 https://original.jupiterbroadcasting.net/55147/open-source-closed-wallets-cr-97/ Mon, 14 Apr 2014 12:16:04 +0000 https://original.jupiterbroadcasting.net/?p=55147 The Heartbleed bug has ignited a new round of open source doubters, but are the renewed concerns about the open source development model unfounded?

The post Open Source, Closed Wallets | CR 97 first appeared on Jupiter Broadcasting.


The Heartbleed bug has ignited a new round of open source doubters, but are the renewed concerns about the open source development model unfounded? And what can be done to avoid catastrophes like this in the future? We discuss.

Plus an honest discussion about that moment of no return, your feedback, and more!

Note: Apologies for the transitional audio setup while we move between studios. Improvements next week!


— Show Notes: —

Feedback

Dev Hoopla

Heartbleed security bug: a software developer perspective?

Open Source software is the worst kind except for all of the others

A few people have suggested that the problem is that OpenSSL is open source, and code this important should be left to trained professionals. They’re wrong.

So all in all, it’s a miracle that OpenSSL works at all, and a tribute to the skill and diligence of the handful of people who’ve been working on it all these years. Experience with heartbleed shows that while open source doesn’t prevent bugs, it makes it very fast to fix them. It’s been little more than a week since we learned about heartbleed, and surveys show that the majority of vulnerable systems are already fixed. (I fixed mine last Tuesday.)

Pick of the week

  • pyvideo.org – PyCon US 2014
    > PyCon is the largest annual gathering for the community using and developing the open-source Python programming language. It is produced and underwritten by the Python Software Foundation
