APFS – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Mon, 28 Mar 2022 03:46:13 +0000

The NixOS Challenge | LINUX Unplugged 451 https://original.jupiterbroadcasting.net/148042/the-nixos-challenge-linux-unplugged-451/ Sun, 27 Mar 2022 18:45:00 +0000

Show Notes: linuxunplugged.com/451

The Oppenheimer Problem | Coder Radio 438 https://original.jupiterbroadcasting.net/146627/the-oppenheimer-problem-coder-radio-438/ Wed, 03 Nov 2021 13:00:00 +0000

Show Notes: coder.show/438

Laying Internet Pipe | TechSNAP 339 https://original.jupiterbroadcasting.net/118836/laying-internet-pipe-techsnap-339/ Thu, 05 Oct 2017 14:43:57 +0000

Show Notes: Google Will Survive SESTA. Your Startup Might Not. Requires unrealistic levels of censorship by platforms; not even the big players will be able to comply 100%. Proponents consider startups to be outliers, which […]


Show Notes:

Google Will Survive SESTA. Your Startup Might Not.

Companies Look to an Old Technology to Protect Against New Threats

  • Tape is an old technology. It is also highly reliable and stable

  • Tape sales are increasing

  • Yep, backup to NAS is great, but do you have different versions of your data?

CBS’s Showtime caught mining crypto-coins in viewers’ web browsers

  • This isn’t about CBS. It’s about the potential for abuse by website owners

  • Code unlikely to be officially sanctioned / added by CBS; much more likely it was a malicious third party or insider.

  • The email address associated with the mining account is personal, not corporate

  • Ethical issues for content providers to figure out


Feedback


Round Up:

Bite of the AR Apple | CR 276 https://original.jupiterbroadcasting.net/118761/bite-of-the-ar-apple-cr-276/ Thu, 05 Oct 2017 07:22:12 +0000

— Show Notes: — APFS: Just what’s so great about APFS? | Prepare for APFS in macOS High Sierra | Apple is upgrading millions of iOS devices to a new modern file system today | iOS Dev […]


— Show Notes: —

APFS

iOS Dev X

Challenges of the iPhone X

Abstractions And Leaks

AR as the future of iOS Development

iPhone X and ARKit enable a revolutionary capability for robust face tracking in augmented reality apps. Using the TrueDepth camera, your app can detect the position, topology, and expression of the user’s face, all with high accuracy and in real time, making it easy to apply live selfie effects or use facial expressions to drive a 3D character.

  • Expect some Halloween fun from Mike

Wes is HomeKit Curious

  • Limitations of Alexa
  • Security Implications
  • iHome
  • HomeKit
  • Issues integrating with Open Source

Tales of FileSystems | TechSNAP 315 https://original.jupiterbroadcasting.net/113981/tales-of-filesystems-techsnap-315/ Tue, 18 Apr 2017 20:55:39 +0000

Show Notes: Apple’s New File System: Who Cares? | Apple’s Hierarchical File System | Apple File System | ZFS, jails, FreeBSD | FreeBSD Jails | Origins of FreeBSD Jail and why imperfect […]


Show Notes:

Apple’s New File System: Who Cares?

ZFS, jails, FreeBSD

  • FreeBSD Jails

  • Origins of FreeBSD Jail and why imperfect virtualization is good

  • Jails are like little virtual machines (jails) running on a bigger machine (the jail host)

  • From the jail host (often just referred to as the host), you can see into the jails, see everything that’s running, monitor, etc.

  • Stuff in the jail cannot see outside the jail and has no interaction with the host

  • You can configure the host so that the jail can access stuff on the host (e.g. a tape drive) but that requires explicit action by the sysadmin.

  • Simplified concept of a FreeBSD Jail: create a directory, install FreeBSD in there, chroot, done.


Feedback


Round Up:

Other links:


Dubstep Allan | LAS 463 https://original.jupiterbroadcasting.net/113386/dubstep-allan-las-463/ Sat, 01 Apr 2017 22:36:39 +0000


— Show Notes: —



Brought to you by: Linux Academy

The real reason LAS is ending

  • Noah reveals the real reason LAS is ending, discussing the details with Allan.
  • Allan has been helping Noah for months.
  • Noah is switching from Telegram to Threema
  • Plus another major switch!

— PICKS —

Runs Linux

Desktop App Pick


— NEWS —

OpenShot 2.3 Released

  • new transform tool (make pictures bounce/scale etc – real-time transformations in preview window )
  • razor tool (back from version 1.4.3) quickly cut clips or transitions
  • better zoom (in and out of timeline – centers on mouse position)
  • improved title editor (grid of thumbnails to make finding the correct title easier)
  • better animated titles (type, pick color, refresh)
  • new preview window (dedicated video player – multiple video preview windows at the same time, renders audio files as a waveform by default)
  • huge update (esp. real-time preview performance – fewer freezes, hangs, frame detection)
  • new user guide using Sphinx documentation
  • better audio
  • improved export dialog, new Windows build server (the development system died), GitHub bug management
  • his kids put together a cat video

Steinberg Brings VSTs to Linux

  • VST plug in
  • 3.6.7 version of their plug-in SDK for Linux (in addition to other OS)
  • nice for developers and end users
  • more native plug-ins for linux
  • cmake support
  • VST3 SDK on GitHub
  • GPL v3 license is now alongside the proprietary license (necessary for some open projects)

RedHat Profit Highest since 2015

  • shares climbed 6% on Tuesday – best day since March 2015

  • surpassed 30 day average trading volume of 1.83 million shares on Tuesday — with more than 1.89 million shares changing hands before noon

  • Revenue: $629 million vs $619 million expected (Fourth Quarter 2017)

  • The company’s subscription revenue, which accounted for 89 percent of total revenue for the quarter, was at $560 million, or up 17 percent from one year ago Red Hat said. It crossed $2 billion in annual subscription revenue for the first time this fiscal year.

  • first-ever deal of approximately $100 million in the fourth quarter

  • As of Monday’s close, shares of Red Hat were up more than 17 percent for the year and up more than 12 percent over the past 12 months.

  • Shares closed at $82.20 Monday and were trading above $86 per share after hours, on the heels of the company’s upbeat fourth-quarter earnings report.

Apple’s new File System

Feedback:

Mail Bag
  • Name: Jonathan G
  • Subject: LAS Feedback

  • Message:

I just started watching LAS starting in January, and last week I overheard co-workers talking about Linux and I had to jump in and tell them about LAS. Was behind on my podcast watching but just finished 462. Sad to see this chapter ending but happy to see what you both will bring to us next. One thing that I would love to see in Ask Noah or maybe in a monthly’ish podcast: do picks and dist reviews when the make scene. Do your top 5-10 app pick and what new dist came out. I really like those, but sometimes the picks and dist felt like you were forcing it too much. I have enjoyed LAS and really hope to see more from Jupiter Broadcasting.

  • Name: Efrain C
  • Subject: LAS – More than just Linux
  • Message:

Hey Chris, I’m writing this to you to say thank you so much for LAS. Around 2010 I got hurt on my job and was home with nothing to do, sad, having depression on top of that. It was a very hard time for me. But I thought I’d try something new and watch a watch called LAS on YouTube. And thanks to you and Angela’s (fauxshow), I was able to deal with it and survive. I know this is not a Linux question, but I thought you should hear this. Linux is not just an OS; it can be so much more. I’m not a big Linux user, I’m still a bit of a noob, but I do like it. I use it every day, and I do try to switch people to it. And ohh Noah, love you dude, you’re one hell of a smart ass, don’t stop doing what you do. Guys like me who are not big on Linux still care to know something about it, so I can’t wait to see Ask Noah and learn. Sorry if this was too long, I just wanted to say thank you and I love you guys.

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Twitter

Captivated by Containers | CR 250 https://original.jupiterbroadcasting.net/113276/captivated-by-containers-cr-250/ Mon, 27 Mar 2017 14:28:02 +0000


— Show Notes: —

Hoopla

How to Prevent Coding Heroes From Destroying the Team

Gitter is joining the GitLab Team

Gitter will continue to operate as a standalone network, continuing to make its project chat capabilities available to all. Over the coming months, the GitLab integration will be improved to include ‘Login with GitLab’ and the ability to easily create chat rooms and communities from GitLab groups and projects.

Docker Powered Testing with BitBucket Pipelines

  • What is this?
  • Who is this for?
  • What about Jenkins or my favorite testing tool?

APFS Going Live, the end of HFS+ is Near

iOS 10.3 introduces a new Apple File System (APFS), which is installed when an iOS device is updated. APFS is optimized for flash/SSD storage and includes improved support for encryption. Other features include snapshots for freezing the state of a file system (better for backups), space sharing, and better space efficiency, all of which should result in a more stable platform. Customers updating to iOS 10.3 should first make a backup given that the update installs a new file system.

Developers hoping to attend Apple’s 2017 Worldwide Developers Conference in San Jose, California can now apply for a chance to purchase a ticket, with Apple’s lottery having kicked off at 10:00 a.m. Pacific Time. Tickets are priced at $1,599.

Stack Overflow Developer Survey 2017

We learn something new every time we run our survey. This year is no exception:

  • A common misconception about developers is that they’ve all been programming since childhood. In fact, we see a wide range of experience levels. Among professional developers, 11.3% got their first coding jobs within a year of first learning how to program. A further 36.9% learned to program between one and four years before beginning their careers as developers.
  • Only 13.1% of developers are actively looking for a job. But 75.2% of developers are interested in hearing about new job opportunities.
  • When we asked respondents what they valued most when considering a new job, 53.3% said remote options were a top priority. A majority of developers, 63.9%, reported working remotely at least one day a month, and 11.1% say they’re full-time remote or almost all the time.
  • A majority of developers said they were underpaid. Developers who work in government and non-profits feel the most underpaid, while those who work in finance feel the most overpaid.

Tool

finds bugs in your shell scripts.

Game of File Systems | TechSNAP 272 https://original.jupiterbroadcasting.net/100661/game-of-file-systems-techsnap-272/ Thu, 23 Jun 2016 18:56:21 +0000

The post Game of File Systems | TechSNAP 272 first appeared on Jupiter Broadcasting.

]]>


What’s got Windows admins in a Panic? Total chaos my friends, we’ll tell you why. Extensive coverage of Apple’s new filesystem, Ransomware that might just impress you…

Your great questions, our answers, a packed round up & much, much more!


Show Notes:

Windows Admins in panic after Microsoft fix breaks Group Policies

  • Group Policies are a powerful set of Windows registry settings that are downloaded and applied when a computer and/or user logs in to a domain controller.
  • Group Policy Objects (GPOs) allow Administrators to control settings and access to Windows computers centrally. They allow things like disabling the run menu, hiding specific drives, controlling access to applications, and even application whitelisting
  • On June 14th, Microsoft released MS16-072: Security update for Group Policy, rated “Important” for all supported releases of Microsoft Windows
  • “An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine.
    To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.”
  • Later, Microsoft released a knowledge base article about this issue: KB 3163622
  • “MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.”
  • “Symptoms: All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.”
  • “Cause: This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.”
  • Resolution: To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
      • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
      • If you are using security filtering, add the Domain Computers group with read permission.
  • This issue struck a large number of Windows administrators, some of them extremely hard
  • GPOs are the main tool administrators have to enforce policies throughout the network
  • One admin reported: “desktop images were configured such that the A, B, C and D drives that were hidden from users, but they are now showing up”
  • This was likely done to keep users from accidentally saving files to the local computer, rather than the network where they can be accessed from other computers, and centrally backed up.
  • “Other users report having printers and drive maps become inaccessible and security group settings no longer applying”
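
The KB 3163622 check described above can be run across every GPO before the update is deployed. The following is an added example, not code from the show notes or from Microsoft; it assumes the GroupPolicy module (RSAT/GPMC) with `Get-GPO` and `Get-GPPermission` is installed for the live audit, and the function names `Test-GpoReadAccess` and `Get-GpoReadFinding` are hypothetical.

```powershell
# Added example: audit GPOs for the Read permissions KB 3163622 requires
# once MS16-072 makes user policy be fetched in the computer's context.

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID: Authenticated Users
$DomainComputersRid    = '-515'       # well-known RID suffix: Domain Computers

# Permission levels that include Read. GpoCustom is left out on purpose:
# a custom ACL has to be reviewed by hand.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadAccess {
    # $Entries: objects with .Sid (string) and .Permission (string).
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]]$Entries
    )

    $readers = @($Entries | Where-Object { $ReadLevels -contains $_.Permission })
    $authUsers = [bool]($readers |
        Where-Object { $_.Sid -eq $AuthenticatedUsersSid })
    $domainComputers = [bool]($readers |
        Where-Object { $_.Sid -like "S-1-5-21-*$DomainComputersRid" })

    [pscustomobject]@{
        AuthenticatedUsersRead = $authUsers
        DomainComputersRead    = $domainComputers
        # Either grant lets the computer account read the GPO.
        ComputerCanRead        = $authUsers -or $domainComputers
    }
}

function Get-GpoReadFinding {
    # Live audit: needs the GroupPolicy module and a domain-joined session.
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        $entries = @(Get-GPPermission -Guid $gpo.Id -All | ForEach-Object {
            [pscustomobject]@{
                Sid        = $_.Trustee.Sid.Value
                Permission = [string]$_.Permission
            }
        })
        $result = Test-GpoReadAccess -Entries $entries
        if (-not $result.ComputerCanRead) {
            [pscustomobject]@{
                Gpo     = $gpo.DisplayName
                Id      = $gpo.Id
                Finding = 'Neither Authenticated Users nor Domain Computers has Read'
            }
        }
    }
}

# Constructed sample ACLs (not real GPOs or real SIDs) covering the three cases.
$userGroup = 'S-1-5-21-1111111111-2222222222-3333333333-1107'
$computers = 'S-1-5-21-1111111111-2222222222-3333333333-515'
$samples = [ordered]@{
    'Default ACL' = @(
        [pscustomobject]@{ Sid = 'S-1-5-11'; Permission = 'GpoApply' }
    )
    'Security-filtered, breaks after MS16-072' = @(
        [pscustomobject]@{ Sid = $userGroup; Permission = 'GpoApply' }
    )
    'Security-filtered, Domain Computers added' = @(
        [pscustomobject]@{ Sid = $userGroup; Permission = 'GpoApply' },
        [pscustomobject]@{ Sid = $computers; Permission = 'GpoRead' }
    )
}

foreach ($name in $samples.Keys) {
    $result = Test-GpoReadAccess -Entries $samples[$name]
    '{0,-44} ComputerCanRead={1}' -f $name, $result.ComputerCanRead
}

# Run the live audit only where the GroupPolicy module is present.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Get-GpoReadFinding | Format-Table -AutoSize
}
```

Only the two groups named in the KB are checked, so a GPO that grants Read to the computer account through some other group is still reported and needs a manual look.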

More coverage of APFS, in detail this time

  • Building on the post from last week, Adam Leventhal breaks down his early analysis of APFS
  • “APFS, the Apple File System, was itself started in 2014 with Dominic as its lead engineer. It’s a stand-alone, from-scratch implementation. I asked him about looking for inspiration in other modern file systems such as BSD’s HAMMER, Linux’s btrfs, or OpenZFS, all of which have features similar to what APFS intends to deliver. Dominic explained that while, as a self-described file system guy (he built the file system in BeOS), he was aware of them, but didn’t delve too deeply for fear, he said, of tainting himself.”
  • “APFS first and foremost pays down the unsustainable technical debt that Apple has been carrying in HFS+. HFS was introduced in 1985 when the Mac 512K (of memory!) was Apple’s flagship. HFS+, a significant iteration, shipped in 1998 on the G3 PowerMacs with 4GB hard drives. Since then storage capacities have increased by factors of 1,000,000 and 1,000 respectively.”
  • Compression: “in typical Apple fashion—neither confirmed nor denied while strongly implying that it’s definitely a feature we can expect in APFS”
  • Encryption: “Encryption is clearly a core feature of APFS. This comes from diverse requirements from the various devices, for example multiple keys within file systems on the iPhone or per-user keys on laptops”
  • Filesystems (and possibly individual files) will support 3 different flavours:
      • Unencrypted
      • Single-key for metadata and user data
      • Multi-key with different choices for metadata, files, and even sections of a file (“extents”)
  • “Multi-key encryption is particularly relevant for portables where all data might be encrypted, but unlocking your phone provides access to an additional key and therefore additional data. Unfortunately this doesn’t seem to be working in the first beta of macOS Sierra (specifying fileEncryption when creating a new volume with diskutil results in a file system that reports “Is Encrypted” as “No”).”
  • “APFS (apparently) supports constant time cryptographic file system erase, called “effaceable” in the diskutil output. This presumably builds a secret key that cannot be extracted from APFS and encrypts the file system with it. A secure erase then need only delete the key rather than needing to scramble and re-scramble the full disk to ensure total eradication. Various iOS docs refer to this capability requiring some specialized hardware; it will be interesting to see what the option means on macOS. Either way, let’s not mention this to the FBI or NSA, agreed?”
  • Snapshots: APFS will support snapshots, but likely not the same type of serialization that “zfs send” provides. “ZFS sends all changed data while Time Machine can have exclusion lists and the like.”
  • “APFS right now is incompatible with Time Machine due to the lack of directory hard links, a fairly disgusting implementation that likely contributes to Time Machine’s questionable reliability. Hopefully APFS will create some efficient serialization for Time Machine backup.”
  • “While Eric Tamura, APFS dev manager, demonstrated snapshots at WWDC, the required utilities aren’t included in the macOS Sierra beta.”
  • Management: “APFS brings another new feature known as space sharing. A single APFS “container” that spans a device can have multiple “volumes” (file systems) within it. Apple contrasts this with the static allocation of disk space to support multiple HFS+ instances, which seems both specious and an uncommon use case. Both ZFS and btrfs have a similar concept of a shared pool of storage with nested file systems for administration and management.”
  • Clones: “Apple’s sort-of-unique contribution to space efficiency is constant time cloning of files and directories.” “With APFS, if you copy a file within the same file system, no data is actually duplicated. Instead a constant amount of metadata is updated and the on-disk data is shared. Changes to either copy cause new space to be allocated (so-called “copy on write” or COW).”
  • “As a quick aside, “files” in macOS are often really directories; it’s a convenient lie they tell to allow logically related collections of files to be treated as an indivisible unit. Right click an application and select “Show Package Contents” to see what I mean.”
  • “Side note: Finder copy creates space-efficient clones, but cp from the command line does not.”
  • Performance: “APFS claims to be optimized for flash” “SSDs mimic the block interface of conventional hard drives, but the underlying technology is completely different. In particular while magnetic media can read or write sectors arbitrarily, flash erases large chunks (blocks) and reads and writes smaller chunks (pages). The management is done by what’s called the flash translation layer (FTL), software that makes blocks and pages appear more like a hard drive. An FTL is very similar to a file system, creating a virtual mapping (a translation) between block addresses and locations within the media. Apple controls the full stack including the SSD, FTL, and file system; they could have built something differentiated, optimizing these components to work together. What APFS does, however, is simply write in patterns known to be more easily handled by NAND. It’s a file system with flash-aware characteristics rather than one written explicitly for the native flash interfaces, more or less what you’d expect in 2016.”
  • “APFS includes TRIM support. TRIM is a command in the ATA protocol that allows a file system to indicate to an SSD (specifically, its FTL) that some space has been freed.”
  • “APFS also focuses on latency; Apple’s number one goal is to avoid the beachball of doom. APFS addresses this with I/O QoS (quality of service) to prioritize accesses that are immediately visible to the user over background activity that doesn’t have the same time-constraints. This is inarguably a benefit to users and a sophisticated file system capability.”
  • Redundancy: “APFS makes no claims with regard to data redundancy. As Apple’s Eric Tamura noted at WWDC, most Apple devices have a single storage device (i.e. one logical SSD) making RAID, for example, moot. Instead redundancy comes from lower layers such as Apple RAID (apparently a thing), hardware RAID controllers, SANs, or even the “single” storage devices themselves.”
  • “Also, APFS removes the most common way of a user achieving local data redundancy: copying files. A copied file in APFS actually creates a lightweight clone with no duplicated data. Corruption of the underlying device would mean that both “copies” were damaged whereas with full copies localized data corruption would affect just one.”
  • Crash Consistency: In order to maintain consistency of the file system after a crash, you need to be able to revert any incomplete operations. The problem is that a typical file system overwrites data in place, making this impossible
  • “APFS claims to implement a “novel copy-on-write metadata scheme”; APFS lead developer Dominic Giampaolo emphasized the novelty of this approach without delving into the details. In conversation later, he made it clear that APFS does not employ the ZFS mechanism of copying all metadata above changed user data which allows for a single, atomic update of the file system structure.”
  • So APFS does COW for metadata, but not for data, meaning the filesystem will be consistent, but your data might not be
  • “It’s surprising to see that APFS includes fsck_apfs—even after asking Dominic I’m not sure why it would be necessary.”
  • Checksums: “Notably absent from the APFS intro talk was any mention of checksums. A checksum is a digest or summary of data used to detect (and correct) data errors. The story here is surprisingly nuanced. APFS checksums its own metadata but not user data. The justification for checksumming metadata is strong: there’s relatively not much of it (so the checksums don’t consume much storage) and losing metadata can cast a potentially huge shadow of data loss. If, for example, metadata for a top level directory is corrupted then potentially all data on the disk could be rendered inaccessible. ZFS duplicates metadata (and triple duplicates top-level metadata) for exactly this reason.”
  • So ZFS can recover from corrupt metadata even in a single device configuration, because metadata is always stored as 2 complete copies, or 3 for important pool-wide metadata
  • “Explicitly not checksumming user data is a little more interesting. The APFS engineers I talked to cited strong ECC protection within Apple storage devices. Both flash SSDs and magnetic media HDDs use redundant data to detect and correct errors. The engineers contend that Apple devices basically don’t return bogus data.”
  • So Apple relies on the hardware to do the right thing; this is likely to backfire eventually
  • “The Apple folks were quite interested in my experience with regard to bit rot (aging data silently losing integrity) and other device errors. I’ve seen many instances where devices raised no error but ZFS (correctly) detected corrupted data. Apple has some of the most stringent device qualification tests for its vendors; I trust that they really do procure the best components. Apple engineers I spoke with claimed that bit rot was not a problem for users of their devices, but if your software can’t detect errors then you have no idea how your devices really perform in the field. ZFS has found data corruption on multi-million dollar storage arrays; I would be surprised if it didn’t find errors coming from TLC (i.e. the cheapest) NAND chips in some of Apple’s devices. Recall the (fairly) recent brouhaha regarding storage problems in the high capacity iPhone 6. At least some of Apple’s devices have been imperfect.”
  • Scrub: “As data ages you might occasionally want to check for bit rot. Likely fsck_apfs can accomplish this; as noted though there’s no data redundancy and no checksums for user data, so scrub would only help to find problems and likely wouldn’t help to correct them. And if it makes it any easier for Apple to reverse course, let’s say it’s for the el cheap-o drive I bought from Fry’s not for the gold-plated device I got from Apple.”
  • Conclusions: “Any file system started in 2014 should of course consider huge devices, and SSDs–check and check. Copy-on-write (COW) snapshots are the norm; making the Duplicate command in the Finder faster wasn’t much of a detour. The use case is unclear, it’s a classic garbage can theory solution, a solution in search of a problem, but it doesn’t hurt and it makes for a fun demo. The beach ball of doom earned its nickname; APFS was naturally built to avoid it.”
  • “There are some seemingly absent or ancillary design goals: performance, openness, and data integrity. Squeezing the most IOPS or throughput out of a device probably isn’t critical on watchOS, and it’s relevant only to a small percentage of macOS users. It will be interesting to see how APFS performs once it ships (measuring any earlier would only misinform the public and insult the APFS team).”
  • “APFS development docs have a bullet on open source: “An open source implementation is not available at this time.” I don’t expect APFS to be open source at this time or any other, but prove me wrong, Apple. If APFS becomes world-class I’d love to see it in Linux and FreeBSD–maybe Microsoft would even jettison their ReFS experiment. My experience with OpenZFS has shown that open source accelerates that path to excellence. It’s a shame that APFS lacks checksums for user data and doesn’t provide for data redundancy. Data integrity should be job one for a file system, and I believe that that’s true for a watch or phone as much as it is for a server.”
  • “At stability, APFS will be an improvement, for Apple users of all kinds, on every device. There are some clear wins and some missed opportunities. Now that APFS has been shared with the world the development team is probably listening. While Apple is clearly years past the decision to build from scratch rather than adopting existing modern technology, there’s time to raise the priority of data integrity and openness. I’m impressed by Apple’s goal of using APFS by default within 18 months. Regardless of how it goes, it will be an exciting transition.”
  • I am not sure anyone has ever wanted an “Exciting” filesystem.

New Ransomware written entirely in JavaScript, RAA

  • A new crypto ransomware has made an appearance on the Internet, and it is slightly unusual.
  • The malware arrives as an attachment pretending to be a .doc file, but is actually .js
  • For whatever reason, the default file association for .js on Windows is the Windows Script Host, so when opened, the JavaScript actually executes
  • The JavaScript standard library does not include any encryption mechanisms; however, the designers of the malware bundled CryptoJS, a framework that provides standard crypto primitives like AES256 in pure JavaScript
  • The ransomware demands around $250 worth of bitcoin for the key to decrypt your files
  • The ransomware also comes bundled with an embedded password stealing malware
  • So even if you pay, the attackers have already stolen all of your saved passwords
  • Once the ransomware is run, it generates a random .doc file and opens it. The aim is to make the user think the file was corrupt, so that they do not become suspicious
  • “While the victim thinks the attachment is corrupted, in the background the RAA Ransomware will start to scan all the available drives and determine if the user has read and write access to them. If the drives can be written to, it will scan the drive for targeted file types and use code from the CryptoJS library to encrypt them using AES encryption”
  • It also seems to purposely disable the Windows Volume Shadow Copy service. It may also destroy actual shadow copies; the code is too obfuscated to tell right now.
  • “Finally, the ransomware will create a ransom note on the desktop called !!!README!!![id].rtf, with [ID] being the unique ID assigned to the victim. The text of this ransom note is in Russian”
  • “When a JavaScript file, such as RAA, executes outside of the browser it requires an interpreter that can read the file and execute the JavaScript commands within it. As most people do not need to execute Javascript outside of a web browser, it is suggested that everyone disables the Windows Script Host so that these types of files are not allowed to execute. If you wish to disable the windows script host, which is enabled by default in Windows, you can add the following DWORD Registry entry to your computer and set the value to 0.”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
  • You probably don’t need to execute javascript on your machine anyway. Push this out as a group policy… and hope it works 😉
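
The registry mitigation above, as an added PowerShell example (not part of the original show notes): it reports the current setting and the .js handler, writes the Enabled DWORD named in the notes, then confirms with a harmless probe script that cscript.exe no longer runs JavaScript. The function names and the probe file are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: disable Windows Script Host machine-wide and verify the result.

# Key and value name as given in the show notes.
$WshKey = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'

function Get-WshPolicy {
    # Returns the current 'Enabled' value, or $null when the value is absent
    # (absent means WSH is enabled, which is the Windows default).
    $prop = Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.Enabled
}

function Get-JsFileHandler {
    # Shows which program a double-click on a .js file launches.
    $assoc = cmd /c assoc .js 2>$null            # e.g. ".js=JSFile"
    if (-not $assoc) { return 'no association for .js' }
    $progId = ($assoc -split '=', 2)[1]
    return (cmd /c ftype $progId 2>$null)        # e.g. JSFile=...\WScript.exe "%1" %*
}

function Disable-Wsh {
    # Creates the key if needed and sets Enabled (DWORD) to 0.
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WshBlocked {
    # Functional check: hand a harmless script to cscript.exe and see whether it runs.
    # Returns $true when the probe did NOT execute.
    $probe = Join-Path $env:TEMP ("wsh-probe-{0}.js" -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'WScript.Echo("wsh-probe-ran");' -Encoding ASCII
    try {
        $out = & "$env:SystemRoot\System32\cscript.exe" //NoLogo $probe 2>&1 | Out-String
        return ($out -notmatch 'wsh-probe-ran')
    }
    finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}

$before = Get-WshPolicy
"Handler for .js : $(Get-JsFileHandler)"
"Enabled before  : $(if ($null -eq $before) { '(not set, WSH enabled by default)' } else { $before })"

Disable-Wsh

"Enabled after   : $(Get-WshPolicy)"
if (Test-WshBlocked) {
    'Result          : probe script was refused, WSH is disabled'
} else {
    'Result          : probe script still ran, check for a conflicting policy'
}
```

Run it from an elevated PowerShell session; logon scripts or management tooling written in VBScript or JScript stop working once the value is 0.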

The post Game of File Systems | TechSNAP 272 first appeared on Jupiter Broadcasting.

Apple Pretend Filesystem | TechSNAP 271 https://original.jupiterbroadcasting.net/100526/apple-pretend-filesystem-techsnap-271/ Thu, 16 Jun 2016 18:49:23 +0000 https://original.jupiterbroadcasting.net/?p=100526 Why didn’t Apple choose ZFS for its new filesystem? We journey through the long history of ZFS at Apple. Plus how the BadTunnel bug can hijack traffic from all versions of Windows & should we worry about Intel’s management tech? Plus great questions, a huge round up & much more! Thanks to: Get Paid to […]

The post Apple Pretend Filesystem | TechSNAP 271 first appeared on Jupiter Broadcasting.

Why didn’t Apple choose ZFS for its new filesystem? We journey through the long history of ZFS at Apple. Plus how the BadTunnel bug can hijack traffic from all versions of Windows & should we worry about Intel’s management tech?

Plus great questions, a huge round up & much more!

Show Notes:

BadTunnel bug can hijack traffic from all versions of Windows

  • “Microsoft has patched a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released”
  • “Among the more than three dozen vulnerabilities Microsoft patched on Tuesday was a fix for a bug that the researcher who found it said has “probably the widest impact in the history of Windows.””
  • “An attacker could leverage this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim’s network traffic through a point controlled by the attacker.”
  • “The flaw, which he’s called BadTunnel, exposes local area networks to cross-network NetBIOS Name Service spoofing. An attacker can remotely attack a firewall- or NAT-protected LAN and steal network traffic or spoof a network print or file server.”
  • “The flaw is particularly serious because it affects every version of Windows, including long-unsupported versions of the OS going back to Windows 95.”
  • “To successfully implement a BadTunnel attack, [you] just need the victim to open a URL (with Internet Explorer or Edge), or open a file (an Office document), or plug in a USB memory stick. [You] even may not need the victim to do anything when the victim is a web server.”
  • “For example, if a file URI or UNC path is embedded into a shortcut link file (Microsoft’s LNK), the BadTunnel attack can be triggered at the moment the user views the file in the Windows Explorer. It therefore can be exploited via webpage, email, flash drive and many other medias. It can even be effective against servers.”
  • “Exploitation points remain open for non-supported Windows operating systems such as XP, Windows Server 2003, and others, for which patches have not been released. For these operating systems, and for those that can’t be updated just yet, system administrators should disable NetBIOS.”
  • Additional Coverage: Threat Post
  • Official Microsoft Bulletin MS16-077 CVE-2016-3213
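
For machines that cannot take the MS16-077 update, the advice quoted above is to disable NetBIOS, read here as NetBIOS over TCP/IP. The following is an added PowerShell example (not from the show notes or from Microsoft's bulletin) that audits and disables it per adapter through the standard Win32_NetworkAdapterConfiguration WMI class; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and disable NetBIOS over TCP/IP on every IP-enabled adapter.
# TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.

$NetbiosLabel = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-NetbiosState {
    # One row per IP-enabled adapter with its current NetBIOS setting.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Index, Description,
            @{ Name = 'NetBIOS'; Expression = { $NetbiosLabel[[int]$_.TcpipNetbiosOptions] } }
}

function Disable-Netbios {
    # Calls SetTcpipNetbios(2) on each adapter that is not already disabled
    # and reports the WMI return code per adapter.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($adapter in $adapters) {
        if ($adapter.TcpipNetbiosOptions -eq 2) { continue }
        $result = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 = success, 1 = success but a reboot is required.
        [pscustomobject]@{
            Adapter     = $adapter.Description
            ReturnValue = $result.ReturnValue
            Ok          = $result.ReturnValue -in 0, 1
        }
    }
}

'--- Before ---'
Get-NetbiosState | Format-Table -AutoSize

'--- Changes ---'
Disable-Netbios | Format-Table -AutoSize

'--- After ---'
Get-NetbiosState | Format-Table -AutoSize

# UDP 137 is the NetBIOS Name Service port; list any endpoints still bound for review.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Adapters left on the DHCP default (0) can have NetBIOS turned back on by the DHCP server, so the example sets every adapter explicitly to 2.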

ZFS: Apple’s New Filesystem That Wasn’t

  • Adam Leventhal, a ZFS developer who designed features such as RAID-Z3, and also worked on DTrace, writes a post about Apple’s recent announcement of its new file system, APFS.
  • This story is mostly about how ZFS was almost the Apple file system, and what happened.
  • To learn more about Adam and what he has done, check out our BSDNow #122 Interview with him
  • “I attended my first WWDC in 2006 to participate in Apple’s launch of their DTrace port to the next version of Mac OS X (Leopard). Apple completed all but the fiddliest finishing touches without help from the DTrace team. Even when they did meet with us we had no idea that they were mere weeks away from the finished product being announced to the world. It was a testament both to Apple’s engineering acumen as well as their storied secrecy.”
  • “At that same WWDC Apple announced Time Machine, a product that would record file system versions through time for backup and recovery. How were they doing this? We were energized by the idea that there might be another piece of adopted Solaris technology. When we launched Solaris 10, DTrace shared the marquee with ZFS, a new filesystem that was to become the standard against which other filesystems are compared. Key among the many features of ZFS were snapshots that made it simple to capture the state of a filesystem, send the changes around, recover data, etc. Time Machine looked for all the world like a GUI on ZFS (indeed the GUI that we had imagined but knew to be well beyond the capabilities of Sun).”
  • “Of course Time Machine had nothing to do with ZFS. After the keynote we rushed to an Apple engineer we knew. With shame in his voice he admitted that it was really just a bunch of hard links to directories. For those who don’t know a symlink from a symtab this is the moral equivalent of using newspaper as insulation: it’s fine until the completely anticipated calamity destroys everything you hold dear. So there was no ZFS in Mac OS X, at least not yet.”
  • “A few weeks before WWDC 2007 nerds like me started to lose their minds: Apple really was going to port ZFS to Mac OS X. It was actually going to happen! Beyond the snapshots that would make backing up a cinch, ZFS would dramatically advance the state of data storage for Apple users. HFS was introduced in System 2.1. HFS improved upon the Macintosh File System by adding—wait for it—hierarchy! No longer would files accumulate in a single pile; you could organize them in folders. And that filesystem has limped along for more than 30 years, nudged forward, rewritten to avoid in-kernel Pascal code, but never reimagined or reinvented.”
  • “ZFS was to bring to Mac OS X data integrity, compression, checksums, redundancy, snapshots, etc, etc, etc. But while energizing Mac/ZFS fans, Sun CEO, Jonathan Schwartz, had clumsily disrupted the momentum that ZFS had been gathering in Apple’s walled garden. Apple had been working on a port of ZFS to Mac OS X. They were planning on mentioning it at the upcoming WWDC. Jonathan, brought into the loop either out of courtesy or legal necessity, violated the cardinal rule of the Steve Jobs-era Apple. Only one person at Steve Jobs’s company announces new products: Steve Jobs.”
  • “In fact, this week you’ll see that Apple is announcing at their Worldwide Developer Conference that ZFS has become the file system in Mac OS 10,” mused Jonathan at a press event, apparently to bolster Sun’s own credibility. Less than a week later, Apple spoke about ZFS only when it became clear that a port was indeed present in a developer version of Leopard albeit in a nascent form. Yes, ZFS would be there, sort of, but it would be read-only and no one should get their hopes up.
  • “By the next WWDC (2008) it seemed that Sun had been forgiven. ZFS was featured in the keynotes, it was on the developer disc handed out to attendees, and it was even mentioned on the Mac OS X Server website. Apple had been working on their port since 2006 and now it was functional enough to be put on full display. I took it for a spin myself; it was really real. The feature that everyone wanted (but most couldn’t say why) was coming!”
  • “By the time Snow Leopard shipped (2009) only a careful examination of the Apple web site would turn up the odd reference to ZFS left unscrubbed. Whatever momentum ZFS had enjoyed within the Mac OS X product team was gone. I’ve heard a couple of theories and anecdotes from people familiar with the situation”
  • The uncertainty created by Oracle acquiring Sun, and the fact that it took over a year to close the deal, may not have helped
  • “In the meantime Sun and NetApp had been locked in a lawsuit over ZFS and other storage technologies since mid-2007”, that certainly didn’t help
  • “Finally, and perhaps most significantly, personal egos and NIH (not invented here) syndrome certainly played a part. I’m told by folks in Apple at the time that certain leads and managers preferred to build their own rather than adopting external technology—even technology that was best of breed. They pitched their own project, an Apple project, that would bring modern filesystem technologies to Mac OS X”
  • “The design center for ZFS was servers, not laptops—and certainly not phones, tablets, and watches—his argument was likely that it would be better to start from scratch than adapt ZFS.”
  • “Licensing FUD was thrown into the mix; even today folks at Apple see the ZFS license as nefarious and toxic in some way whereas the DTrace license works just fine for them. Note that both use the same license with the same grants and same restrictions.”
  • By 2010, “Amazingly that wasn’t quite the end for ZFS at Apple. The architect for ZFS at Apple had left, the project had been shelved, but there were high-level conversations between Sun and Apple about reviving the port. Apple would get indemnification and support for their use of ZFS”
  • “The Apple-ZFS deal was brought for Larry Ellison’s approval, the first born child of the conquered land brought to be blessed by the new king. “I’ll tell you about doing business with my best friend Steve Jobs,” he apparently said, “I don’t do business with my best friend Steve Jobs.””
  • “Amusingly the version of the story told quietly at WWDC 2016 had the friends reversed with Steve saying that he wouldn’t do business with Larry. Still another version I’ve heard calls into question the veracity of their purported friendship, and has Steve instead suggesting that Larry go f*ck himself.”
  • “In the 7 years since ZFS development halted at Apple, they’ve worked on a variety of improvements in HFS and Core Storage, and hacked at at least two replacements for HFS that didn’t make it out the door. This week Apple announced their new filesystem, APFS, after 2 years in development. It’s not done; some features are still in development, and they’ve announced the ambitious goal of rolling it out to laptop, phone, watch, and tv within the next 18 months. At Sun we started ZFS in 2001. It shipped in 2005 and that was really the starting line, not the finish line. Since then I’ve shipped the ZFS Storage Appliance in 2008 and Delphix in 2010 and each has required investment in ZFS / OpenZFS to make them ready for prime time. A broadly featured, highly functional filesystem takes a long time.”
  • “APFS has merits (more in my next post), but it will always disappoint me that Apple didn’t adopt ZFS irrespective of how and why that decision was made. Dedicated members of the OpenZFS community have built and maintain a port. It’s not quite the same as having Apple as a member of that community, embracing and extending ZFS rather than building their own incipient alternative.”
  • Additional Coverage
  • Apple’s APFS guide

Intel ME/AMT: The other processor inside your computer

  • Recent Intel x86 processors implement a rarely discussed powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine.
  • Many (all?) vPro chipsets (MCHs) have:
    • An Independent CPU (not IA32!)
    • Access to dedicated DRAM memory
    • Special interface to the Network Card (NIC)
    • Execution environment called Management Engine (ME)
  • The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that’s physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.
  • On some chipsets, the firmware running on the ME implements a system called Intel’s Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.
  • The purpose of AMT is to provide a way to manage computers remotely.
  • This is similar to an older system called “Intelligent Platform Management Interface” or IPMI, but more powerful.
  • It can offer VNC access to the screen (optionally prompting the local user for permission), IDE redirection (Virtual Media, to boot from a remote device), Serial redirection, etc
  • To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface, and packets entering and leaving your machine that are addressed to the second MAC address bypass any firewall running on your system.
  • ME is classified by security researchers as “Ring -3”.
    • Rings of security can be defined as layers of security that affect particular parts of a system, with a smaller ring number corresponding to an area closer to the hardware.
    • For example, Ring 3 threats are defined as security threats that manifest in “userspace” mode. Ring 0 threats occur at the “kernel” level.
    • Ring -1 threats occur at the “hypervisor” level, one level lower than the kernel.
    • Ring -2 threats occur in a special CPU mode called “SMM” mode. SMM stands for System-Management-Mode, a special mode that Intel CPUs can be put into that runs a separately defined chunk of code. If attackers can modify the SMM code and trigger the mode, they can get arbitrary execution of code on a CPU.
  • Although the ME firmware is cryptographically protected with RSA 2048, researchers have been able to exploit weaknesses in the ME firmware and take partial control of the ME on early models. This makes ME a huge security loophole, and it has been called a very powerful rootkit mechanism.
  • On systems newer than the Core2 series, the ME cannot be disabled.
  • Intel systems that are designed to have ME but lack ME firmware (or whose ME firmware is corrupted) will refuse to boot, or will shut-down shortly after booting.
  • There is no way for the x86 firmware or operating system to disable ME permanently. Intel keeps most details about ME absolutely secret. There is absolutely no way for the main CPU to tell if the ME on a system has been compromised.
  • “We also discovered that the critical parts of the ME firmware are stored in a non-standard compressed format, which gets decompressed by a special hardware decompressor. My initial attempts to brute-force the decompression scheme failed miserably. Another group had better success and they have now completed a working decompression routine for all versions of ME up to but not including version 11.”
  • There are only a few methods to enable AMT, which is disabled by default.
  • Most require physical presence during the BIOS boot
  • ME hardware – ME
  • Intel ME huffman dictionaries – Unhuffme v2.4
  • Introducing Ring -3 Rootkits PDF

How to Write Service Status Updates

  • “The lowly incident status update happens to be one of the most essential pieces of communication a company gets to write”
  • Your company is having a bad time, your customers are hurting. Everyone is busy, scrambling to fix things, but it is still important to communicate clearly, and regularly, with your customers.
  • “When users navigate to a status page, they’re driven by a heightened sense of urgency (compared to, say, a website, a blog, or a newsletter). Not many words get as dissected, discussed and forwarded as the ones we place on our status page.”
  • Oftentimes, very little is written, possibly because very little is known. Everything is read with a slant, because you know the company wrote it to try to minimize how bad they look.
  • “Now let’s state the obvious. Customers couldn’t care less about a string of words posted on a status update. What they care about is, “am I in good hands?” Every time we publish (or fail to publish) a service status update we are ultimately answering that question.”
  • Goals:
    1. Write frequent status updates — This can mean posting updates hourly, or even more often. It depends how rapidly the situation is developing. There is nothing worse than an acknowledgement that there is a problem from hours ago, with no further updates. Ideally, indicate when to expect the next post at the end of each update.
    2. Well written status updates — Write authoritatively and honestly. Avoid “weasel phrases”.
    3. Productive Updates — “What we learned early on was that regular and well-written status updates reduce the amount of incoming support requests. Investing the time to get incident updates right was paying productivity dividends for the rest of the team”
  • “When faced with service interruptions, we drop everything in our hands and perform operational backflips 24×7 until the service is restored for all customers. During this time, over-communication is a good thing. As is transparency, i.e. acknowledging problems and throwing the public light of accountability on all remaining issues until they’re resolved.”
  • “While the crisis is unfolding we publish short status updates at regular intervals. We stick to the facts, including scope of impact and possible workarounds. We update the status page even if it’s just to say “we’re still looking into it.””
  • “Once service is resolved, it’s time to turn our focus on the less urgent, but equally important piece of writing: the post mortem. It demonstrates that someone is investing time on their product. That they care enough to sit down and think things through. Most crucially, it also creates the space for our team to learn and grow as a company”
  • They link to a second post: How to Write a Post Mortem
  • Or you can just not: Apple offers no explanation for 7 hour outage

Snaps are Go! | LINUX Unplugged 149 https://original.jupiterbroadcasting.net/100471/snaps-are-go-lup-149/ Tue, 14 Jun 2016 18:40:40 +0000 https://original.jupiterbroadcasting.net/?p=100471 Canonical drops a bombshell by making snap packages available for nearly all Linux distributions, Nextcloud has some serious momentum, Samsung is rumored to drop Android in favor of Tizen across all devices & Wes kicks the tires of elementary OS’ new Beta of Loki. Then we try out Snap packages & discuss needs to happen […]

The post Snaps are Go! | LINUX Unplugged 149 first appeared on Jupiter Broadcasting.

Canonical drops a bombshell by making snap packages available for nearly all Linux distributions, Nextcloud has some serious momentum, Samsung is rumored to drop Android in favor of Tizen across all devices & Wes kicks the tires of elementary OS’ new Beta of Loki.

Then we try out Snap packages & discuss what needs to happen next to really make them take off as the standard universal Linux installer.


Show Notes:

Pre-Show

Follow Up / Catch Up

Nextcloud 9 Available, Enterprise Functionality to be Open Source

Well ahead of the early July promise, today Nextcloud makes available Nextcloud 9. With this release we also announce to release all enterprise functionality as open source. Building on top of the open source ownCloud core and adding functionality and fixes, this release provides a solid base for users to migrate to. All enterprise functionality users and customers need will be made available over the coming weeks, fully developed in the open and under the AGPL license.

After a slow start, Dell turns up the dial on Steam Machines

Samsung Planning To Replace Android With Linux-based Tizen OS On All Smartphones

The largest Android smartphone manufacturer Samsung is considering a shift from Google’s Android mobile operating system. According to a report, the South Korean tech giant is planning to expand its homegrown Tizen OS to all of its devices in future.

The executive said that Samsung launched Samsung Z1 and Z3 in the Indian market to see Tizen’s performance. “Samsung’s Z-branded Tizen-powered phones are popular with Indian consumers. During the first quarter of this year, Samsung sold about 64 million phones there. This means that Tizen is proving its competitiveness,” said the executive.

Apart from smartphones and smartwatches, the Korean giant wants to use Tizen in the Internet of Things applications. The company is soon looking to expand Tizen’s reach to more household devices like cameras, televisions, smart refrigerators etc.

Digging into the dev documentation for APFS, Apple’s new file system

An open source implementation is not available at this time. Apple plans to document and publish the APFS volume format when Apple File System is released in 2017.

You can use MPV to make a picture-in-picture video like the one Apple showed off yesterday.

Loki Beta is Here

This release brings tons of fixes and new features for both users and developers. Over 20 blueprints were implemented and over 800 issues closed. Time to break it all down and reveal what the future holds for the next version of elementary OS!

Universal “snap” packages launch on multiple Linux distros

“We hope today’s announcement will be surprising because it’s not about Ubuntu,” Shuttleworth said in a press call held earlier today.

Ubuntu’s “snappy” new way of packaging applications is no longer exclusive to Ubuntu. Canonical today is announcing that snapd, the tool that allows snap packages to be installed on Ubuntu, has been ported to other Linux distributions including Debian, Arch, Fedora, and Gentoo among others.
