audit – Jupiter Broadcasting (https://www.jupiterbroadcasting.com), Open Source Entertainment, on Demand. Feed generated Wed, 19 Oct 2016 04:16:23 +0000.

Livepatch Bait & Switch | LINUX Unplugged 167
https://original.jupiterbroadcasting.net/104011/livepatch-bait-switch-lup-167/
Tue, 18 Oct 2016 20:16:23 +0000

The post Livepatch Bait & Switch | LINUX Unplugged 167 first appeared on Jupiter Broadcasting.


Show Notes:

Follow Up / Catch Up

Ubuntu 17.04 to Be Dubbed “Zesty Zapus,” Will Launch on April 2017

That’s right, we’re talking about Ubuntu 17.04, whose codename will be “Zesty Zapus.” While some of you are enjoying their brand new Ubuntu 16.10 (Yakkety Yak) installations, the Ubuntu development team has started working on Ubuntu 17.04, which will be yet another normal release of the Linux-based operating system that will receive 9 months of support.

Has Ubuntu fallen behind, or is it setting a new bar of refinement? We load up our hardware with Ubuntu 16.10 and walk away with some big surprises and two totally different experiences.

The VeraCrypt Audit Results – OSTIF.org

VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more.

QuarksLab found:

  • 8 Critical Vulnerabilities
  • 3 Medium Vulnerabilities
  • 15 Low or Informational Vulnerabilities / Concerns

The public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19, which fixes the vast majority of these high-priority concerns. Some of the issues have not been fixed because the proposed fixes are highly complex, but workarounds have been documented in the VeraCrypt documentation.


Plasma’s road ahead

Our general direction points towards professional use-cases. We want Plasma to be a solid tool, a reliable work-horse that gets out of the way, allowing users to get the job done quickly and elegantly. We want it to be faster and of better quality than the competition.

Hotfix Your Ubuntu Kernels with the Canonical Livepatch Service!

Today, Canonical has publicly launched the Canonical Livepatch Service — an authenticated, encrypted, signed stream of Linux livepatches that apply to the 64-bit Intel/AMD architecture of the Ubuntu 16.04 LTS (Xenial) Linux 4.4 kernel, addressing the highest and most critical security vulnerabilities, without requiring a reboot in order to take effect.

This is particularly amazing for container hosts — Docker, LXD, etc. — as all of the containers share the same kernel, and thus all instances benefit.

New Tool Lets You Easily Install the Ubuntu Touch OS on Your Mobile Devices


BUG_ON oh Come on!

Devs have ‘NO F*CKING EXCUSE to knowingly kill the kernel’, says Linux lord

This BUG_ON() is triggered when CONFIG_DEBUG_VM is enabled. Some distributions such as the standard Fedora Kernel config enable it by default. Linus Torvalds has discovered that once this BUG_ON() triggers, the machine will have problems handling kernel paging requests and report that a reboot is required to fix a recursive fault from which the machine will never recover!

Fixing this bug is number one priority for Linus and he asked Johannes Weiner to work on it. Measures are being taken to avoid having it end up in a stable release, but please check your kernel config to make sure CONFIG_DEBUG_VM is disabled until the bug is fixed.

Linus re-emphasized his warning not to use BUG_ON() for debugging, but rather WARN_ON(), which is a safer alternative to BUG_ON().

Return of the Cantrill | BSD Now 163


The role of Free Software in a world that doesn’t care

The Free Software movement is about personal and social liberties: giving the owner and user of a computer control over it. But most people don’t see the problem with a small number of multinational mega-corporations having control over everyone’s computers. They think: “Apple and Microsoft know what they’re doing, and they do a good job, so why would I need Free Software?”

Accepting that most people reject the Free Software message, what can the Free Software movement contribute to the world?

Certifiable Authority | TechSNAP 238
https://original.jupiterbroadcasting.net/89901/certifiable-authority-techsnap-238/
Thu, 29 Oct 2015 14:44:39 +0000

The post Certifiable Authority | TechSNAP 238 first appeared on Jupiter Broadcasting.


TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!


— Show Notes: —

TalkTalk compromise and ransom

  • “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish the TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
  • “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
  • That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
  • Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
  • “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
  • So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
  • “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
  • “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
  • With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
  • Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
  • “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
  • “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
  • Additional Coverage — The Independent
  • Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
  • Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
  • Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
  • Additional Coverage — ArsTechnica: 15-year-old boy arrested in connection with TalkTalk breach
  • Video from TalkTalk CEO
  • If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will waive the termination fee if you decide you no longer want to be a TalkTalk customer
  • New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
  • “Significant and sustained cyber attack” “sophisticated”… arrest 15 yr old kid as the hacker

Hackers make cars safer

  • “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
  • “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
  • Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
  • “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
  • “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
  • “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
  • US Regulators grant DMCA exemption to legalize vehicle software tinkering
  • Additional Coverage: NPR
  • The ruling uses the terms “good faith security research” and “lawful modification.”
  • “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
  • “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
  • Under the ruling, neither exemption takes effect for at least a year

Google plays hardball with Symantec over TLS certificates

  • “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
  • Google’s Blog Post
  • Symantec Report
  • “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
  • It seems like Symantec was trying to downplay the incident, and gloss over its failings
  • “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
  • “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
  • This brings up serious questions about the management and oversight of the Symantec certificate authority
  • “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
  • “More immediately, we are requesting of Symantec that they further update their public incident report with:”
    • A post-mortem analysis that details why they did not detect the additional certificates that we found.
    • Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
  • “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
  • “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
  • It is good to see Google using its muscle to make the CA industry smarten up and fly right

Feedback:


Round up:


Leaky RSA Keys | TechSNAP 231
https://original.jupiterbroadcasting.net/87466/leaky-rsa-keys-techsnap-231/
Thu, 10 Sep 2015 05:03:52 +0000

The post Leaky RSA Keys | TechSNAP 231 first appeared on Jupiter Broadcasting.


Red Hat highlights how leaky many open source RSA implementations are, Netflix releases Sleepy Puppy & the Mac is definitely under attack.

Plus some quick feedback, a rockin’ roundup & much, much more!


— Show Notes: —

NetFlix releases new open source security tool, Sleepy Puppy

  • Sleepy Puppy is a delayed XSS (Cross-Site Scripting) vulnerability scanner
  • In a typical XSS scan, an attacker (or the scanner program) attempts to send a script as part of some user input (a comment on a blog, or a URL variable, for example). This content is then shown to that user and, oftentimes, to other users. If I can make a bit of my JavaScript run on your computer when you visit someone else’s site, I have achieved XSS
  • There are a number of scanners out there, and they “fuzz test” all of the inputs and variables they can find, and attempt to get some code they submit to be returned to them
  • This new tool from NetFlix addresses second level vulnerabilities, and beyond
  • What if an attacker injects the code on the website, and the website mitigates this, but some other application, internal or public facing, also uses the data from the database, and it then ends up being vulnerable to the XSS
  • Sleepy Puppy is an “XSS payload management framework”: it generates unique code snippets for each injection, so that when a successful XSS happens it can be tracked back to its source, even if that is outside of the application where the injection took place
  • “Delayed XSS testing is a variant of stored XSS testing that can be used to extend the scope of coverage beyond the immediate application being tested. With delayed XSS testing, security engineers inject an XSS payload on one application that may get reflected back in a separate application with a different origin.”
  • “Here we see a security engineer inject an XSS payload into the assessment target (App #1 Server) that does not result in an XSS vulnerability. However, that payload was stored in a database (DB) and reflected back in a second application not accessible to the tester. Even though the tester can’t access the vulnerable application, the vulnerability could still be used to take advantage of the user. In fact, these types of vulnerabilities can be even more dangerous than standard XSS since the potential victims are likely to be privileged types of users (employees, administrators, etc.)”
  • Sleepy Puppy ships with a default set of assessments included, so it is ready to use out of the box

Researchers announce new iOS vulnerability: brokenchain

  • The vulnerability allows a piece of malware to access the keychain in iOS, and copy your saved passwords and other secret keys
  • These keys can then be exfiltrated via SMS or HTTP etc
  • When the malware attempts to access the keychain, iOS presents a dialog asking the user to allow or deny the action, but the malware can simulate a tap on the screen and accept the dialog
  • Further, some malware seems to be able to cause the popup to appear off screen, so the user never even sees it
  • “Special-crafted commands can be triggered by malware — or even an image or video — which causes OS X to display a prompt to click an Allow button. But rather than relying on users clicking on a button that appears unexpectedly, the button is displayed very briefly off the edge of the screen or behind the dock, and is automatically pressed using a further command. It is then possible to intercept a user’s password and send it to the attacker via SMS or any other means.”
  • “Apple has been told about the vulnerability. The company has not only failed to issue a fix yet, but has not even responded to Jebara and Rahbani.”
  • Ars Technica found that parts of the vulnerability have existed since 2011, and have been used actively
  • “DevilRobber, the then new threat caught the attention of security researchers because it commandeered a Mac’s graphics card and CPU to perform the mathematical calculations necessary to mine Bitcoins, something that was novel at the time. Less obvious was the DevilRobber’s use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.”
  • “The same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that’s protected inside the Mac Keychain.”
  • The same day, another group of researchers independently found the same vulnerability
  • Windows UAC has a bunch of defenses against users accidentally accepting, or malware auto-clicking, the authorization popups. Maybe we need the same in mobile OSes
  • “Mac users should remember that the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don’t require social engineering and end-user interaction. Still, the weakness is unsettling, because it allows the same app requesting access to the keychain to unilaterally approve it and to do so quickly enough for many users to have no idea what has happened. And by default, OS X will grant the access without requiring the user to enter a password. The Mac keychain is the protected place storing account passwords and cryptographic keys.”
  • Maybe the solution is to require the unlock code or password in order to authorize access to sensitive areas like the keychain
  • “I think that Apple needs to isolate that particular window,” Reed told Ars on Wednesday. “They need to pull that particular window out of the window list … in a way that an app can’t tell it’s on the screen and get its location.”

Factoring RSA keys with TLS Forward Secrecy

  • “Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures.”
  • “This changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.”
  • “We evaluated the source code of several free software TLS implementations to see if they implement hardening against this particular side-channel attack, and discovered that it is missing in some of these implementations. In addition, we used a TLS crawler to perform TLS handshakes with servers on the Internet, and collected evidence that this kind of hardening is still needed, and missing in some of the server implementations: We saw several RSA-CRT key leaks, where we should not have observed any at all.”
  • “An observer of the private key leak can use this information to cryptographically impersonate the server, after redirecting network traffic, conducting a man-in-the-middle attack. Either the client making the TLS handshake can see this leak, or a passive observer capturing network traffic. The key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack. However, forward secrecy must be enabled in the server for this kind of key leak to happen in the first place, and with such a server configuration, most clients will use forward secrecy, so an active attack will be required for configurations which can theoretically lead to RSA-CRT key leaks.”
  • “Does this break RSA? No. Lenstra’s attack is a so-called side-channel attack, which means that it does not attack RSA directly. Rather, it exploits unexpected implementation behavior. RSA, and the RSA-CRT optimization with appropriate hardening, is still considered secure.”
  • While it appears that OpenSSL and NSS properly implement the hardening, some other products do not
  • It seems Red Hat discovered this issue some time ago, and reported it to a number of vendors
  • Oracle patched OpenJDK back in April
  • “None of the key leaks we observed in the wild could be attributed to these open-source projects, and no key leaks showed up in our lab testing, which is why this additional hardening, while certainly desirable to have, does not seem critical at this time.”
  • “Once the necessary data is collected, the actual computation is marginally more complicated than a regular RSA signature verification. In short, it is quite cheap in terms of computing cost, particularly in comparison to other cryptographic attacks.”
  • Then the most important question came up
  • “Does this vulnerability have a name? We think that “RSA-CRT hardening” (for the countermeasure) and “RSA-CRT key leaks” (for a successful side-channel attack) is sufficiently short and descriptive, and no branding is appropriate. We expect that several CVE IDs will be assigned for the underlying vulnerabilities leading to RSA-CRT key leaks. Some vendors may also assign CVE IDs for RSA-CRT hardening, although no key leaks have been seen in practice so far.”
  • Crypto Rundown, Hardened:
    • GnuPG
    • NSS
    • OpenSSL 1.0.1l
    • OpenJDK8 (after the April patch)
    • cryptlib (hardening disabled by default)
  • Unhardened:
    • GnuTLS (via libgcrypt and Nettle)
    • Go 1.4.1
    • libgcrypt (1.6.2)
    • Nettle (3.0.0)
    • ocaml-nocrypto (0.5.1)
    • OpenSwan (2.6.44)
    • PolarSSL (1.3.9)
  • Technical Record [PDF]
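The RSA-CRT key leak and the hardening that prevents it, as an added example (constructed here, not code from the page or from Red Hat's study): a demo key is generated from a fixed seed, the mod-q half of a CRT signature is corrupted to simulate a fault, gcd(sig^e - m, n) recovers the factor p from the faulty signature alone, and the hardened signer verifies its own output with the public key and withholds the faulty value. The function names, the unpadded test message and the 512-bit key size are assumptions made for the demo.

```python
import hashlib
import random
from math import gcd

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; good enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    """Random prime of exactly `bits` bits drawn from a seeded RNG."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits=512, seed=1234):
    """Small, deterministic demo key (fixed seed keeps the example reproducible)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))  # pow(..., -1, m) needs Python 3.8+
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def sign_crt(key, m, fault_in_q=False):
    """Unhardened RSA-CRT: two half-size exponentiations, then Garner recombination.
    fault_in_q simulates a glitch that corrupts only the mod-q half."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault_in_q:
        sq = (sq + 1) % key["q"]
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return sq + h * key["q"]

def sign_crt_hardened(key, m, fault_in_q=False):
    """Hardened RSA-CRT: verify with the public key before releasing the signature,
    so a faulty result is withheld and never reaches an observer."""
    s = sign_crt(key, m, fault_in_q)
    if pow(s, key["e"], key["n"]) != m % key["n"]:
        raise RuntimeError("RSA-CRT fault detected; signature withheld")
    return s

def recover_factor(n, e, m, sig):
    """Lenstra's observation: a faulty CRT signature is correct modulo exactly one
    prime, so gcd(sig^e - m, n) reveals it. Returns None for a correct signature."""
    g = gcd((pow(sig, e, n) - m) % n, n)
    return g if 1 < g < n else None

def demo():
    key = keygen()
    # Constructed message: hash of the signed data (in TLS the ServerKeyExchange
    # parameters are public, so an observer knows m). Padding omitted for brevity.
    m = int.from_bytes(hashlib.sha256(b"constructed ServerKeyExchange").digest(), "big")
    good = sign_crt(key, m)
    bad = sign_crt(key, m, fault_in_q=True)
    try:
        sign_crt_hardened(key, m, fault_in_q=True)
        blocked = False
    except RuntimeError:
        blocked = True
    return {"good_verifies": pow(good, key["e"], key["n"]) == m,
            "leak_from_good": recover_factor(key["n"], key["e"], m, good),
            "leak_from_bad": recover_factor(key["n"], key["e"], m, bad),
            "p": key["p"], "hardened_blocked": blocked}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The public-key check in sign_crt_hardened is the countermeasure the page calls RSA-CRT hardening; it costs one extra public-key operation per signature, which is why the hardened implementations can afford to do it unconditionally.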

Feedback


Round Up:


Magical 2Gbit Internet | Tech Talk Today 152
https://original.jupiterbroadcasting.net/79807/magical-2gbit-internet-tech-talk-today-152/
Thu, 02 Apr 2015 09:50:39 +0000

The post Magical 2Gbit Internet | Tech Talk Today 152 first appeared on Jupiter Broadcasting.


Like a magic pony with one more trick, Comcast announces it will magically turn on 2Gbps Internet service in some areas that recently had Google Fiber installed. Does Comcast’s sudden ability to deliver this service perfectly demonstrate how real competition is all that’s needed to save the net?

Plus TrueCrypt’s audit wraps up, Ford is chasing a dream & more!


Show Notes:

Comcast leapfrogs Google Fiber with new 2Gbps internet service | The Verge

One way to answer critics and competitors alike is to simply do better, and for once Comcast is doing exactly that. The US cable giant is today announcing a new 2Gbps broadband service, which it will start rolling out in Atlanta from next month. There’s no price yet, but Comcast says it will be symmetrical — meaning you’ll upload just as quickly as you can download — and it won’t be limited “just to certain neighborhoods.”

Ford Is Chasing Tesla And Uber Into The Future – BuzzFeed News

Ford CEO Mark Fields says the legacy car manufacturer is trying to think like a startup.

U.S. Smartphone Use in 2015 | Pew Research Center’s Internet & American Life Project

10% of Americans own a smartphone but do not have broadband at home, and 15% own a smartphone but say that they have a limited number of options for going online other than their cell phone. Those with relatively low income and educational attainment levels, younger adults, and non-whites are especially likely to be “smartphone-dependent.”

A Few Thoughts on Cryptographic Engineering: Truecrypt report

The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.

Microsoft will adopt open document standards following government battle | ITProPortal.com

Microsoft has confirmed it will start supporting the Open Documents Format (ODF) in the next update to Office 365, following a lengthy battle against the UK government.

Jupiter Broadcasting Meetup

Jupiter Broadcasting is interested in semi-frequent listener meetups, events in your area, and more. We’ll use this group to organize events.

The post Magical 2Gbit Internet | Tech Talk Today 152 first appeared on Jupiter Broadcasting.

]]>
Dude Where’s My Card? | TechSNAP 198 https://original.jupiterbroadcasting.net/76052/dude-wheres-my-card-techsnap-198/ Thu, 22 Jan 2015 21:16:58 +0000 https://original.jupiterbroadcasting.net/?p=76052 Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how. Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]

The post Dude Where's My Card? | TechSNAP 198 first appeared on Jupiter Broadcasting.

]]>


Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how.

Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

New flash zero day found being exploited in the wild, no patch yet

  • The new exploit is being used in some versions of the Angler exploit kit (the new top dog, replacing former champ blackhole)
  • The exploit kit currently uses three different flash exploits:
  • CVE-2014-8440 – which was added to the exploit kit only 9 days after being patched
  • CVE-2015-0310 – which was patched today
  • and a 3rd new exploit, which is still being investigated
  • Most of these exploit kits rely on reverse engineering an exploit based on the patch or proof of concept, so the exploit kits only gain the ability to inflict damage on users after the patch is available
  • However, with a 0-day where the exploit kit authors are the first to receive the details, even at this point researchers and Adobe are not yet sure what flaw is being exploited
  • Due to a bug in the Angler exploit kit, Firefox users were not affected, but as of this morning, the bug was fixed and the Angler kit is now exploiting Firefox users as well
  • Additional Coverage – Krebs On Security
  • Additional Coverage – PCWorld
  • Additional Coverage – Malware Bytes
  • Additional Coverage – ZDNet

How was your credit card stolen

  • Krebs posts a write-up to answer the question he is asked most often: “My credit card was stolen, can you help me find out how?”
  • Different ways to get your card stolen, and your chance of proving it:
  • Hacked main street merchant, restaurant (low, depends on card use)
  • Processor breach (nil)
  • Hacked point-of-sale service company/vendor (low)
  • Hacked E-commerce Merchant (nil to low)
  • ATM or Gas Pump Skimmer (high)
  • Crooked employee (nil to low)
  • Lost/Stolen card (high)
  • Malware on Consumer PC (very low)
  • Physical record theft (nil to low)
  • “I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”
  • Luckily, since most consumers enjoy zero liability, they do not have to worry about trying to track down the source of the fraud
  • With the coming change to Chip-and-Pin in the US, the liability for some types of fraud will shift from the banks to the retailers, which might see some changes to the way things are done
  • Banks have a vested interest in keeping the results of their investigations secret, whereas a retailer who is the victim of fraudulent cards may have some standing to go after the other vendor that was the source of the leak
  • Machine Learning for Fraud Detection

15% of business cloud accounts are hacked

  • Research by Netskope, a cloud analysis company, finds that only one in ten cloud apps are secure enough for enterprise use
  • In their survey, done using network probes, gateways, and other analysis techniques (rather than asking humans), they found that the average large enterprise uses over 600 cloud applications
  • Many of these applications were not designed for enterprise use, and lack features like two-factor authentication, hierarchical access control, “group” features, etc.
  • The report also found that 8% of files uploaded to cloud storage providers like Google Drive, Dropbox, Box.com etc. were in violation of the enterprises’ own Data Loss Prevention (DLP) policies.
  • The numbers on sharing were worse: 25% of all company files held at cloud providers were shared with one or more people from outside the company, and 12% of outsiders had access to more than 100 files.
  • Part of the problem is that many “cloud apps” used in the enterprise are not approved, but are just individual employees using personal accounts to share files or data
  • When cloud apps are used that lack the enterprise features allowing the IT and security teams to oversee the accounts, or when IT doesn’t even know that an unapproved app is in use, there is no hope of properly managing and securing the data
  • Management of the account life cycle: password changes, password resets, employees who leave or are terminated, revoking access to contractors when their project is finished, etc, is key
  • If an employee just makes a Dropbox share, adds a few other employees, then adds an outside contractor who is working on a project, but accidentally shares all files instead of only the specific project files, then fails to remove that person later on, data can leak.
  • When password resets are managed by the cloud provider, rather than the internal IT/Security team, it makes it possible for an attacker to more easily use social engineering to take over an account
  • Infographic
  • Report

Feedback:


Round Up:



]]>
What’s Next for Fedora | LAS 326 https://original.jupiterbroadcasting.net/64637/whats-next-for-fedora-las-326/ Sun, 17 Aug 2014 18:47:47 +0000 https://original.jupiterbroadcasting.net/?p=64637 The Fedora Project Lead joins us to explain Fedora.next, their ambitions for the cloud, desktop, and what success means for Fedora.next. Tyler from Arch Assault joins us to update us on the latest from Blackhat, the new developments with their distro, and what the future holds. Plus news of the week, our picks, your […]

The post What’s Next for Fedora | LAS 326 first appeared on Jupiter Broadcasting.

]]>


The Fedora Project Lead joins us to explain Fedora.next, their ambitions for the cloud, desktop, and what success means for Fedora.next. Tyler from Arch Assault joins us to update us on the latest from Blackhat, the new developments with their distro, and what the future holds.

Plus news of the week, our picks, your feedback, and more!

Thanks to:


DigitalOcean


Ting

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Matthew Miller – FedoraProject


System76

Brought to you by: System76

I’ve been involved in Fedora since… a long time. I helped organize the first FUDCons at Boston University, worked on the original Fedora Legacy project, hacked on Anaconda for Boston University’s remix, and some other stuff (including maintaining a few packages). Now I work for Red Hat and am basically paid to care about Fedora full time, as Fedora Project Leader. I’m involved in the Cloud SIG and hacking on the Fedora Cloud Image. I’m also on FESCo (the Fedora technical steering committee) and generally interested in anything and everything related to Fedora’s success (so, correspondingly, please feel free to complain to me about anything).


— PICKS —

Runs Linux

The European Space Agency, Runs Linux

Operational Simulators: Testing solutions on earth before going to space

Spacecraft require constant oversight from ground experts at every moment of their missions.

Desktop App Pick

Lynis – Security auditing tool for Unix/Linux systems

Weekly Spotlight

DEFT 8.2 ready for download | DEFT Linux – Computer Forensics live CD

DEFT (Digital Evidence & Forensic Toolkit) is a customised distribution of the Ubuntu live Linux CD. It is an easy-to-use system that includes excellent hardware detection and some of the best open-source applications dedicated to incident response and computer forensics.


— NEWS —

The future of SolydXK | SolydXK

Our main goal is to create a stable and secure distribution for businesses and organizations. We will need to focus on those things that will help us attain our goals. So, we have decided to make some changes:

  • When Debian’s current testing release (Jessie) becomes stable, our Home Editions and Business Editions will merge and become our new main editions. They will be based on Debian stable. We will provide businesses and organizations a subset of up-to-date software. Additionally, home users will be offered to use a complete set of up-to-date software through our complete backport repository which is not fully tested on SolydXK.

  • At that time, we will stop providing the Home Editions as semi rolling editions with Update Packs. We will however provide truly rolling editions following Debian testing directly. They will include snapshot ISOs, to be released at regular intervals, maybe twice or three times a year. Other than that, these rolling editions will not be officially supported! They will have to be carried by the community.

Freya Beta 1 Available for Developers & Testers | elementary OS

As tempting as it might be, we strongly recommend against using this beta in a production environment. A few more stages remain in the development process wherein we’ll be addressing serious bugs before the final release. That said, this post is going to be more technical and focus on things that are important to developers. We’ll save announcing all the cool new user-facing features for our final release.

Red Hat Releases Project Atomic

ProjectAtomic

In April, Red Hat released Project Atomic, a prototype system for running Docker containers. This is Red Hat’s response to the interest in CoreOS, a system for hosting Docker containers based on ChromeOS.


Project Atomic is not intended to be another operating system


The core of Project Atomic is the package installation system, rpm-ostree, which takes the packages from Fedora (or potentially another distro in future) and acts as a “Git for operating system binaries”, allowing different collections of packages, or operating system installs, to coexist and switching atomically between them. Switching still requires a reboot, but you can revert to any old version if there is a problem.

Like CoreOS, systemd is the core running the processes. In order to run distributed applications, Project Atomic uses Geard, a project from Red Hat’s OpenShift PaaS framework. Geard will be the basis of the next generation of OpenShift, and is integrated with systemd.


Also included is a browser based graphical management tool, called Cockpit, to manage both the Project Atomic host and the running containers, and manage resource usage. Again this is beta code, and the Project Atomic install is the recommended way of using it.

OpenGL 4.5 released—with one of Direct3D’s best features


The newest version of the industry standard 3D programming API. The new version contains a mix of features designed to make developers’ lives easier and to improve performance and reliability of OpenGL applications.

The big feature in OpenGL 4.5 is Direct State Access (DSA).

ArchAssault

The ArchAssault Project is an Arch Linux derivative for penetration testers, security professionals and all-around Linux enthusiasts. This means we import the vast majority of the official upstream Arch Linux packages; these packages are unmodified from their upstream source. While our Arch Linux base is primarily untouched, there are times where we have to fork a package to be able to better support our vast selection of tools. All of our packages strive to maintain the Arch Linux standards, methods and philosophies.

— FEEDBACK —

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —

Find us on Google+

Find us on Twitter

Follow the network on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:


]]>
Captain’s Log | CR 39 https://original.jupiterbroadcasting.net/32961/captains-log-cr-39/ Mon, 04 Mar 2013 13:35:46 +0000 https://original.jupiterbroadcasting.net/?p=32961 At a minimum errors need to be logged with enough information to point to the line of code, but where do you go from there?

The post Captain’s Log | CR 39 first appeared on Jupiter Broadcasting.

]]>


You know you need to do it, and today Mike tries to convince you. At a minimum, errors need to be logged with enough information to point to the line of code, but where do you go from there? Slogging through bug reports, pulling important metrics, and a few bumps and bruises.

Plus: The inventory problem developers face, some forgotten glory, defending Yahoo, a batch of your feedback and more!

Thanks to:

Use our code coder295 to get a .COM for $2.95.

Visit coderradio.ting.com to save $25 off your device or service credits.

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes —

Feedback

  • Louie points out my super high pitched voice on the word “business” in the last show

  • Mike asks:

    “With every platform having its own app store you would think that it would be a boom for indie devs. But I don’t believe that is the case because app discovery seems to suck on all platforms. Am I crazy or correct? Is there anyone trying to fix this? Like a place that promotes indie apps?”

  • Dominic’s Question: The Stupid Client Problem

  • Mike shares the forgotten glory of Ballmer doing TV ads in the 80s
  • A lot of divided opinion regarding Yahoo’s ban on working from home

Logging

  • The essence of ¿Que?
  • The feel of ¿Por Que?

Two key types of logging

  • Diagnostic logging

Do you care enough to throw an exception up through the app, or do you manage it another way? This is an “it depends”, but logging info-level messages probably should be skipped.

  • Audit logging

Audit logging captures significant events in the system and is what management and the legal eagles are interested in. This is things like who signed off on something, who made which edits, etc. As a sysadmin or developer troubleshooting the system, you’re probably only mildly interested in these. However, in many cases this kind of logging is absolutely part of the transaction and should fail the whole transaction if it can’t be completed.
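
An added example (not from the show) of that last point: the audit record and the business change are written inside one database transaction, so if the audit write fails the change is rolled back with it. It uses Python’s sqlite3 with a constructed in-memory schema (`invoices`, `audit_log`) that exists only for this illustration.

```python
import sqlite3

# Constructed schema for the example: a business table plus an audit table
# that records who signed off on what.
SCHEMA = """
CREATE TABLE invoices (id INTEGER PRIMARY KEY, status TEXT NOT NULL);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    actor TEXT NOT NULL,          -- who did it; NULL is rejected
    action TEXT NOT NULL,
    invoice_id INTEGER NOT NULL REFERENCES invoices(id)
);
INSERT INTO invoices (id, status) VALUES (1, 'pending');
"""


def open_db():
    """Fresh in-memory database seeded with one pending invoice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def approve_invoice(conn, invoice_id, actor):
    """Approve an invoice and write its audit record in ONE transaction.

    The UPDATE and the audit INSERT share the transaction, so if the audit
    write fails (here: a missing actor violates NOT NULL) the approval is
    rolled back as well. No approval can exist without its audit entry.
    Returns True when committed, False when rolled back.
    """
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute(
                "UPDATE invoices SET status = 'approved' WHERE id = ?",
                (invoice_id,),
            )
            conn.execute(
                "INSERT INTO audit_log (actor, action, invoice_id) "
                "VALUES (?, 'approve', ?)",
                (actor, invoice_id),
            )
        return True
    except sqlite3.IntegrityError:
        # Diagnostic logging would go here (best effort, never fails the
        # request); the audit failure itself has already failed the change.
        return False


def invoice_status(conn, invoice_id):
    row = conn.execute(
        "SELECT status FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return row[0] if row else None


def audit_count(conn):
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(approve_invoice(db, 1, "alice"), invoice_status(db, 1))  # True approved
    db = open_db()
    print(approve_invoice(db, 1, None), invoice_status(db, 1))  # False pending
```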

Follow the show


]]>
BackTrack Review by Example | LAS | s23e04 https://original.jupiterbroadcasting.net/23686/backtrack-review-by-example-las-s23e04/ Sun, 26 Aug 2012 13:01:28 +0000 https://original.jupiterbroadcasting.net/?p=23686 We use BackTrack 5 R3 to hack a remote box, and get root access. We cover the high and low points of the security toolbox distribution.

The post BackTrack Review by Example | LAS | s23e04 first appeared on Jupiter Broadcasting.

]]>


We use BackTrack 5 R3 to hack a remote box, and get root access. We cover the high and low points of the security toolbox distribution.

Plus – The outreach from the Linux community helping one of our own receive life saving medical treatments.

Then it’s your feedback…

And so much more!

All this week on, The Linux Action Show!

Thanks to:

GoDaddy.com

Limited time offer:
SPECIAL OFFER! For all customers, Save 20% off your order! – code: go20off6
Expires: August 31st 2012

Missed the good deal? Use our code LINUX and save 10%! anytime!

Direct Download:

HD Video | Mobile Video | Ogg Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Show Notes:

Runs Linux:

Android Pick:

Desktop App Pick:

Distro Of The Day

Linux Action Show Subreddit

Search our past picks:

News:

Helping A Fellow Linux Geek:

BackTrack Review:

This famous distro is a powerhouse of troublemaking, but in the right hands it can keep you on top of exploits, and ahead of the attackers. We review BackTrack 5 R3 Gnome Edition.


System76

Brought to you by: System76

Feedback:

Chris’ Stash:

What’s Matt Doin?

Find us on Google+
Find us on Twitter:

Follow the network on Facebook:

Jupiter Broadcasting Forum:

Catch the show LIVE Sunday 10am Pacific / 5pm UTC:


]]> Fun with Port Scanning | In Depth Look https://original.jupiterbroadcasting.net/15726/fun-with-port-scanning-in-depth-look/ Fri, 13 Jan 2012 18:34:45 +0000 https://original.jupiterbroadcasting.net/?p=15726 How to check your own computer, other systems on your LAN, and audit your firewall from an outside host. It's just good computer hygiene!

The post Fun with Port Scanning | In Depth Look first appeared on Jupiter Broadcasting.

]]>


It’s just good computer hygiene to check what ports you have open from time to time, and it’s also a good security practice. In this week’s episode, we’re going to have FUN with port scanning… Yes, really!

How to check your own computer, other systems on your LAN, and audit your firewall from an outside host.

Direct Download:

HD Download | Mobile Download | MP3 Download | Ogg Download | YouTube

RSS Feeds:

HD Feed | Mobile Feed | MP3 Feed | Ogg Feed | iTunes HD Feed

Support Jupiter Broadcasting with your Purchase:


Self Audit:

nmap localhost

Find all active IPs on your network:

nmap -sP 10.1.10.*

Get info about remote host ports and OS detection

nmap -sS -P0 -sV -O

Check your router/firewall from the outside:

All web servers on my local network:

nmap -sT -p 80 -oG - 10.1.10.* | grep open
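
An added example, not part of the original episode notes, that takes the grepable (-oG) output the commands above produce one step further: it parses the "Host:" lines, applies the same "open" filter as the grep, and compares what is exposed against an allow-list of the ports each host is supposed to have open, which is the check you want when auditing your own firewall. The scan output and the allow-list are constructed samples, not real scan results.

```python
# Constructed sample of nmap "grepable" output (-oG -), the format that the
# "nmap -sT -p 80 -oG - 10.1.10.* | grep open" one-liner above filters.
SAMPLE_OUTPUT = """\
# Nmap 7.80 scan initiated (constructed sample, not a real scan)
Host: 10.1.10.1 (gateway.lan)\tStatus: Up
Host: 10.1.10.1 (gateway.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.1.10.7 ()\tStatus: Up
Host: 10.1.10.7 ()\tPorts: 80/open/tcp//http///, 23/open/tcp//telnet///, 445/filtered/tcp//microsoft-ds///
Host: 10.1.10.9 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# Constructed allow-list for the firewall audit: what each host is supposed
# to expose. A host absent from it is expected to expose nothing.
ALLOWED = {"10.1.10.1": {22, 80, 443}, "10.1.10.7": {80}}


def _parse_port_entry(entry):
    # Each entry is port/state/protocol/owner/service/rpc_info/version/
    fields = entry.strip().split("/")
    if len(fields) < 5 or not fields[0].isdigit():
        return None
    return int(fields[0]), fields[1], fields[2], fields[4]


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output.

    Fields on a Host line are tab-separated; only the "Ports:" field carries
    port data, so "Status:" lines and "#" comments are skipped and a host
    that is down never appears in the result.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.1.10.1 (name)" -> 10.1.10.1
        for field in fields[1:]:
            if field.startswith("Ports:"):
                entries = field[len("Ports:"):].split(",")
                parsed = [p for p in map(_parse_port_entry, entries) if p]
                hosts.setdefault(host, []).extend(parsed)
    return hosts


def open_tcp_ports(hosts):
    """{host: sorted open TCP ports}; the same filter as `grep open`."""
    return {
        host: sorted(port for port, state, proto, _ in ports
                     if state == "open" and proto == "tcp")
        for host, ports in hosts.items()
    }


def unexpected_open(hosts, allowed):
    """Firewall audit: open ports that the allow-list does not permit."""
    findings = {}
    for host, ports in open_tcp_ports(hosts).items():
        extra = [p for p in ports if p not in allowed.get(host, set())]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    print(unexpected_open(parse_grepable(SAMPLE_OUTPUT), ALLOWED))  # {'10.1.10.7': [23]}
```

Feed it real output with `nmap ... -oG - | python3 audit.py` style piping (reading stdin instead of SAMPLE_OUTPUT) and anything listed in the findings is a port your firewall lets through that your own allow-list says it should not.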

Extra Fun:


]]>