BASH – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Wed, 03 Mar 2021 01:56:56 +0000 en-US hourly 1 https://wordpress.org/?v=5.5.3 https://original.jupiterbroadcasting.net/wp-content/uploads/2019/04/cropped-favicon-32x32.png BASH – Jupiter Broadcasting https://www.jupiterbroadcasting.com 32 32 The Waybig Machine | LINUX Unplugged 395 https://original.jupiterbroadcasting.net/144382/the-waybig-machine-linux-unplugged-395/ Tue, 02 Mar 2021 18:00:00 +0000 https://original.jupiterbroadcasting.net/?p=144382 Show Notes: linuxunplugged.com/395

The post The Waybig Machine | LINUX Unplugged 395 first appeared on Jupiter Broadcasting.

Brunch with Brent: Stuart Langridge | Jupiter Extras 65 https://original.jupiterbroadcasting.net/140427/brunch-with-brent-stuart-langridge-jupiter-extras-65/ Fri, 20 Mar 2020 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=140427 Show Notes: extras.show/65

The post Brunch with Brent: Stuart Langridge | Jupiter Extras 65 first appeared on Jupiter Broadcasting.

Regolith, Rosa, and Antsy Alien Attack | Choose Linux 12 https://original.jupiterbroadcasting.net/132421/regolith-rosa-and-antsy-alien-attack-choose-linux-12/ Wed, 26 Jun 2019 11:15:26 +0000 https://original.jupiterbroadcasting.net/?p=132421 Show Notes: chooselinux.show/12

The post Regolith, Rosa, and Antsy Alien Attack | Choose Linux 12 first appeared on Jupiter Broadcasting.

ZEEEE Shell! | Coder Radio 361 https://original.jupiterbroadcasting.net/131956/zeeee-shell-coder-radio-361/ Mon, 10 Jun 2019 17:50:25 +0000 https://original.jupiterbroadcasting.net/?p=131956 Show Notes: coder.show/361

The post ZEEEE Shell! | Coder Radio 361 first appeared on Jupiter Broadcasting.

The Premiere Shell | LINUX Unplugged 283 https://original.jupiterbroadcasting.net/128756/the-premiere-shell-linux-unplugged-283/ Wed, 09 Jan 2019 07:17:13 +0000 https://original.jupiterbroadcasting.net/?p=128756 Show Notes/Links: linuxunplugged.com/283

The post The Premiere Shell | LINUX Unplugged 283 first appeared on Jupiter Broadcasting.

Extended Usefulness | TechSNAP 335 https://original.jupiterbroadcasting.net/118036/extended-usefulness-techsnap-335/ Tue, 05 Sep 2017 21:01:28 +0000 https://original.jupiterbroadcasting.net/?p=118036 RSS Feeds: HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Extended File Attributes – What? Extended File Attributes Rock! – article from 2011 Extended file attributes are file system features that enable users to associate computer files with metadata not interpreted by the […]

The post Extended Usefulness | TechSNAP 335 first appeared on Jupiter Broadcasting.

Show Notes:

Extended File Attributes – What?

  • Extended File Attributes Rock! – article from 2011

  • Extended file attributes are file system features that enable users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or records of creation and modification times). from Wikipedia

  • Different namespaces (or attribute spaces if you will), often system and user. You can use the user namespace as non-root.

  • Use them for your own purposes, e.g. backup tags, reminders

  • If you rely upon them, make sure your archive & restore tools support them. – test test test

  • Most Linux and BSD modern file systems have had this capability for years. So does Mac OS X. Apart from minor interface differences, the feature works identically on all three systems.

  • We mention this mostly to prompt ideas; perhaps you’ve been trying to solve a problem and this information will suddenly show you the solution you’ve been waiting for.

On internet privacy, be very afraid

  • In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.

  • In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data. By contrast, the European Union hit Google this summer with a $2.7 billion antitrust fine.

  • Right now, the answer is basically anything goes. It wasn’t always this way. In the 1970s, Congress passed a law to make a particular form of subliminal advertising illegal because it was believed to be morally wrong. That advertising technique is child’s play compared to the kind of personalized manipulation that companies do today.

  • …. The result is that there are more controls over government surveillance in the U.S. than in Europe. On the other hand, Europe constrains its corporations to a much greater degree than the U.S. does.

Inside the Massive 711 Million Record Onliner Spambot Dump

  • The mechanics of this spambot

  • The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe. This blog post explains everything I know about it.

  • I’ll take a stab at it and say that there’s not many legitimate drivers using the New South Wales toll road system with Russian email addresses!

  • A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach.

  • Yet another file contains over 3k records with email, password, SMTP server and port (both 25 and 587 are common SMTP ports):

  • This immediately illustrates the value of the data: thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from. There are many files like this too; another one contained 142k email addresses, passwords, SMTP servers and ports.


Feedback


Round Up:

Zsh Configuration From the Ground Up


That New User Smell | LINUX Unplugged 197 https://original.jupiterbroadcasting.net/114701/that-new-user-smell-lup-197/ Tue, 16 May 2017 20:49:17 +0000 https://original.jupiterbroadcasting.net/?p=114701 RSS Feeds: MP3 Feed | iTunes Feed | Video Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Follow Up / Catch Up Linux Action News Episode 1 Canonical IPO is a go, Microsoft brings more Linux to Windows, OpenWRT, LEDE agree on Linux-for-routers peace plan & Google launches project Treble. Linux On […]

The post That New User Smell | LINUX Unplugged 197 first appeared on Jupiter Broadcasting.

Show Notes:

Follow Up / Catch Up

Linux Action News Episode 1

Canonical IPO is a go, Microsoft brings more Linux to Windows, OpenWRT, LEDE agree on Linux-for-routers peace plan & Google launches project Treble.

Linux On Windows Server: Linux Admin Scripts Will Now Run On Windows

Last week, at its developer conference Build 2017, Microsoft announced that it’s bringing Windows Subsystem for Linux to Windows Server. Apart from this, Windows Server will also be joining Windows Insider program. The other new features of Windows Server will be aligned with the next release of Windows 10.

I am pleased to share that we are also bringing the Windows Subsystem for Linux (WSL), commonly known as Bash on Windows, to Windows Server. This unique combination allows developer and application administrators to use the same scripts, tools, procedures and container images they have been using for Linux containers on their Windows Server container host. These containers use our Hyper-V isolation technology combined with your choice of Linux kernel to host the workload while the management scripts and tools on the host use WSL.

explainshell.com – match command-line arguments to their help text

write down a command-line to see the help text that matches each argument

finds bugs in your shell scripts.


Linux Academy

SELF 2017 Registration, Schedule, Hotel Rooms, Parties, Carpools, and Room Shares

LINUX Unplugged Subreddit

CasterSoundboard: A soundboard for hot-keying and playing back sounds. (For podcasting)

audio-visualizer-python: a little GUI tool to render visualization videos of audio files

Netflix confirms it is blocking rooted/unlocked devices, app itself is still working (for now)

Earlier today, Netflix started showing up as ‘incompatible’ on the Play Store for rooted and unlocked Android devices.

TING

magic-device-tool: A simple and feature full batch tool to handle installing/replacing Operating Systems (Ubuntu Phone / Ubuntu Touch, Android, LineageOS, Maru OS, Sailfish OS and Phoenix OS) on your mobile devices.

A simple and featureful tool to handle installing/replacing Operating Systems (Ubuntu Phone / Ubuntu Touch, Android, LineageOS, Maru OS, Sailfish OS, and Phoenix OS) on your mobile devices.

DigitalOcean

Galago Pro – Review

Galago Pro is a 13.3” machine that weighs 2.87 lbs

Galago Pro comes with one USB-C with Thunderbolt, Ethernet, HDMI, SD Card slot and DisplayPort.

It also has a slot for a nano SIM card to get cellular connectivity while on the move. But I have been told the corresponding motherboard hardware bits are not installed.

  • CPU Intel Core i7-7500 @ 2.70 GHz
  • GPU Intel HD Graphics 620
  • RAM 8 GB
  • Disk 256 GB NVMe
  • Battery 36.2 Wh

Just Some Tools | CR 249 https://original.jupiterbroadcasting.net/107626/just-some-tools-cr-249/ Mon, 20 Mar 2017 15:10:26 +0000 https://original.jupiterbroadcasting.net/?p=107626 RSS Feeds: MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video Become a supporter on Patreon: — Show Notes: — Feedback: caryhartline comments on Some WebAssembly Required | CR 248 Windows dev environment Hoopla Trying out a new @daskeyboard #Programming pic.twitter.com/o7Oguhlpwl — Michael Dominick (@dominucco) March 17, […]

The post Just Some Tools | CR 249 first appeared on Jupiter Broadcasting.

— Show Notes: —

Feedback:

Hoopla

Best of 2016 | TechSNAP 298 https://original.jupiterbroadcasting.net/105646/best-of-2016-techsnap-298/ Thu, 22 Dec 2016 10:37:02 +0000 https://original.jupiterbroadcasting.net/?p=105646 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Links Virtual Private Surveillance | TechSNAP 248 Internet of Threats | TechSNAP 249 Pay to Boot | TechSNAP 260 Insecure Socket Layer | TechSNAP 265 […]

The post Best of 2016 | TechSNAP 298 first appeared on Jupiter Broadcasting.

Show Notes:

Links

To .NET or to .NOT? | LINUX Unplugged 152 https://original.jupiterbroadcasting.net/100936/to-net-or-to-not-lup-152/ Tue, 05 Jul 2016 19:40:03 +0000 https://original.jupiterbroadcasting.net/?p=100936 Noah joins Wes for the second time this week to talk with the mumble room. Package management for Bash takes it one step too far, Nvidia starts putting GPUs in your containers, we learn some surprising things about open source at Comcast & discuss just what “Microsoft ♥ Linux” really means. Get Paid to Write […]

The post To .NET or to .NOT? | LINUX Unplugged 152 first appeared on Jupiter Broadcasting.

Noah joins Wes for the second time this week to talk with the mumble room. Package management for Bash takes it one step too far, Nvidia starts putting GPUs in your containers, we learn some surprising things about open source at Comcast & discuss just what “Microsoft ♥ Linux” really means.


Ting


DigitalOcean


Linux Academy

Show Notes:

Pre-Show

LuaRadio

LuaRadio can be used to rapidly prototype software radios, modulation/demodulation utilities, and signal processing experiments. It can also be embedded into existing radio applications to serve as a user scriptable engine for processing samples

Follow Up / Catch Up

Nvidia plugin makes GPU acceleration possible in Docker containers

Nvidia’s new approach — an open source Docker plugin named nvidia-docker — provides a set of driver-agnostic CUDA images for a container’s contents, along with a command-line wrapper that mounts the user-mode components of CUDA when the container is launched.
+ nvidia-docker plugin

Surf

surf is a simple web browser based on WebKit/GTK+

Mycroft AI Integration Now Available on KDE Plasma 5 Desktops

It took him about a month since the release of the Mycroft AI application for the GNOME Shell interface of the GNOME desktop environment, but developer Aditya Mehra managed to get it running on the KDE Plasma 5 desktop as well.

Snappy in Arch moved to community repo

That’s right, snapd and snap-confine have now moved to the official community repository. This means that the barrier to entry is now significantly lower and that installation is even faster than before. You still want to read the snapd wiki page to know the details about various post-install activities.

TING

bpkg is a bash package manager

JavaScript has npm, Ruby has Gems, Python has pip and now Shell has bpkg!

With bpkg you can easily install and manage Bash packages. It takes care of installing/uninstalling, execution permissions and everything.

Besides installing shell scripts globally you can use them on a per-project basis.

DigitalOcean

How Linux and Open Source Are Powering Comcast’s Massive Infrastructure

Comcast is a heavy user of Linux, and it touches everything: from back-end servers to customer-facing devices like X1 products, Muehl said. “Comcast, like so many others, is a very Linux-heavy operating system company.”

Comcast has been involved with OpenStack since 2012. “We did a lot of early work around networking because we needed to get IPv6 working. We needed to do some traffic shaping and marking capabilities within the OpenStack infrastructure. All of those have now been upstreamed,” said Muehl.

Linux Academy

Howto: Setup .NET Core on Ubuntu

.NET Core 1.0 is here and it’s a great, great opportunity to start playing with it not only on Windows platform but also on Linux.

Running i3 Window Manager on Bash For Windows

Imagine my surprise when I installed Bash for Windows on this build and pretty much everything worked. I cloned my dotfiles and ran the post-install scripts that install i3 window manager, neovim, zsh, Go, and all the requisite development tools that I’m used to. Nothing failed.

…Returning to bash, I typed i3 again. Gloriously, the familiar i3 session appeared. I’m able to install and run Linux GUI applications like Firefox. I have terminator running as my terminal emulator. I’m running zsh as my shell. Neovim just works, as does Go. All of them think they’re running on a Linux computer, because for all intents and purposes they are. It just happens to have a Windows NT kernel at its core.

Strange, strange times we live in. 20 years ago Microsoft called Linux a cancer and did everything they could to make it die. Today they’re embracing Linux – and by extension me – and I have to say I’m really impressed with the outcome.

Support Jupiter Broadcasting on Patreon

Windows Gets Bash-ed | LAS 411 https://original.jupiterbroadcasting.net/98481/windows-gets-bash-ed-las-411/ Sun, 03 Apr 2016 18:25:21 +0000 https://original.jupiterbroadcasting.net/?p=98481 Microsoft & Ubuntu working together to bring you Bash & the Ubuntu userland on Windows 10. Is this the ultimate Win for Linux? Or is this Embrace, Extend, Extinguish at its finest? We share our thoughts on this historic announcement. Plus Red Hat wants to save you some money, TP-Link bans OSS firmwares, Edubuntu calls […]

The post Windows Gets Bash-ed | LAS 411 first appeared on Jupiter Broadcasting.

Microsoft & Ubuntu working together to bring you Bash & the Ubuntu userland on Windows 10. Is this the ultimate Win for Linux? Or is this Embrace, Extend, Extinguish at its finest? We share our thoughts on this historic announcement.

Plus Red Hat wants to save you some money, TP-Link bans OSS firmwares, Edubuntu calls it quits, our new favorite note taking app for Linux & more!

Thanks to:


DigitalOcean


Ting


Linux Academy

— Show Notes: —


System76

Brought to you by: Linux Academy

Ubuntu Userland on Windows 10

Ubuntu on Windows — The Ubuntu Userspace for Windows Developers

Here, let’s break it down slowly…

  1. Windows 10 users
  2. Can open the Windows Start menu
  3. And type “bash” [enter]
  4. Which opens a cmd.exe console
  5. Running Ubuntu’s /bin/bash
  6. With full access to all of Ubuntu user space
  7. Yes, that means apt, ssh, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, gcc, tar, vim, emacs, diff, patch
  8. And most of the tens of thousands binary packages available in the Ubuntu archives!

“So maybe something like a Linux emulator?”

Now you’re getting warmer! A team of sharp developers at Microsoft has been hard at work adapting some Microsoft research technology to basically perform real time translation of Linux syscalls into Windows OS syscalls. Linux geeks can think of it sort of the inverse of “wine” — Ubuntu binaries running natively in Windows. Microsoft calls it their “Windows Subsystem for Linux”. (No, it’s not open source at this time.)

So as part of the engineering work, I needed to wrap the stock Ubuntu root filesystem into a Windows application package (.appx) file for suitable upload to the Windows Store. That required me to use Microsoft Visual Studio to clone a sample application, edit a few dozen XML files, create a bunch of icon .png’s of various sizes, and so on.

Mono Relicensed MIT

At Microsoft Build today, we announced that we are re-releasing Mono under the MIT license and have contributed it to the .NET Foundation. These are major news for Mono developers and contributors, and I am incredibly excited about the opportunities that this will create for the Mono project, and for other projects that will be able to benefit from this.

Red Hat Hyping .NET Support

Get a behind the scenes sneak peek of .NET on Red Hat Enterprise Linux.

There is a lot of Microsoft on Linux and LAS sub-reddit these days

— PICKS —

Runs Linux

ICarus – CAR PC RUNS LINUX

iCarus is provided as a fully assembled device (from December 2015). Just connect it to your car’s radio connector directly (in the case your car uses a standard ISO-10487 connector)

BONUS RUNS LINUX:
Hotel Sign Runs linux

Desktop App Pick

Simplenote

Light, clean, and free. Simplenote is now available for iOS, Android, Mac, Windows, Linux, and the web.

A Simplenote React client packaged in Electron. Learn more about Simplenote at Simplenote.com.

Weekly Spotlight

ZenyPass

Passwords are the keys to our online life, but they are painful to manage securely. We’ve all been told each account should be secured with a strong unique password, but we often fallback for the easy solution: a handful of simple memorizable passwords.

We want to make it even easier to do it right. We want to bring an end to password pain with a simple solution affordable to all: ZenyPass. Help us bridge the last mile by supporting our Kickstarter campaign. Offers start as low as 15€ per unlimited license: no recurring fees, no limitations, on all your devices.

Sent in By Arnaud V.

https://slexy.org/view/s2X7ixQlZi


— NEWS —

No-Cost RHEL Developer Subscription now available

Today, Red Hat announced the availability of a no-cost Red Hat Enterprise Linux developer subscription, available as part of the Red Hat Developer Program. Offered as a self-supported, development-only subscription, the Red Hat Enterprise Linux Developer Suite provides you with a more stable development platform for building enterprise applications — across cloud, physical, virtual, and container-centric infrastructures. Red Hat SVP Craig Muzilla added some good points in his blog, too.

So, why did we do this? As DevOps processes and agile software methods become the primary means for creating software, it is critical that software developers have access to the same environments and tools during their development phases as they will use when they push out their software into production. Especially as they build applications for cloud environments. And we expect Linux to be key to future success.

To download Red Hat Enterprise Linux Developer Suite, which includes Red Hat Enterprise Linux 7 server, a collection of development tools, and much more, you must have an account and need to accept the terms and conditions of the Red Hat Developer Program which provides $0 subscriptions for development use only. Read more about the Red Hat Developers Program.

Router Company Lazily Blocks Open Source Router Firmware, Still Pretends To Value ‘Creativity’

“The FCC requires all manufacturers to prevent user from having any direct ability to change RF parameters (frequency limits, output power, country codes, etc.) In order to keep our products compliant with these implemented regulations, TP-LINK is distributing devices that feature country-specific firmware. Devices sold in the United States will have firmware and wireless settings that ensure compliance with local laws and regulations related to transmission power.”

Edubuntu calling it quits

I’m announcing today that Edubuntu will NOT be releasing a 16.04 LTS version. Instead, Jonathan and I will focus on ongoing support of Edubuntu 14.04 LTS until it goes EOL in April 2019.

Deployments | Edubuntu

DebianEdu/Skolelinux is an operating system intended for educational use and a Debian Pure Blend. As skole [skuːlə] is the Norwegian word for school, Skolelinux’s literal translation is “school linux”. It has been created as an overall free software computer solution designed to fit on school’s resources and needs and is currently being internationally developed by a large international and growing community.
It is an advanced network solution that provides a terminal server environment suitable to most educational scenarios and it comes with most of its services pre-configured out-of-the-box. It allows both a technical and non-technical installation process depending on the user needs and expertise and highly simplifies middle to large system deployments and configurations.

The ubermix is an all-free, specially built, Linux-based operating system designed from the ground up with the needs of education in mind. Built by educators with an eye towards student and teacher empowerment, ubermix takes all the complexity out of student devices by making them as reliable and easy-to-use as a cell phone, without sacrificing the power and capabilities of a full operating system. With a turn-key, 5 minute installation, 20 second quick recovery mechanism, and more than 60 free applications pre-installed, ubermix turns whatever hardware you have into a powerful device for learning. Learn more…

Feedback:


System76

Brought to you by: System76

Social media is PR + marketing + storytelling + branding + customer service. I love helping CEOs, founders and solopreneurs leverage it for success.

Mail Bag

  • https://slexy.org/view/s25NIWKptD
  • https://slexy.org/view/s209nFNd59
  • https://slexy.org/view/s28mFbqDRq

Noah v. Emma: Switching People to Linux

Noah vs Emma from Albert

Noah vs Emma

  • Noah vs Emma Card
  • Can not already be running Linux.
  • Must agree to install Linux, or have Linux installed
  • Will take place Sat during Linux Fest NW (Location TBD)
  • Come find Noah, let him switch you to Linux, and get a free SSD installed.

Call Box

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Pay to Boot | TechSNAP 260 https://original.jupiterbroadcasting.net/98336/pay-to-boot-techsnap-260/ Thu, 31 Mar 2016 15:02:17 +0000 https://original.jupiterbroadcasting.net/?p=98336 New Ransomware locks your bootloader & makes you pay to boot. Malware with built in DRM? We’ll share the story of this clever hack. Plus some great questions, our answers, a packed round up & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | […]

The post Pay to Boot | TechSNAP 260 first appeared on Jupiter Broadcasting.

New Ransomware locks your bootloader & makes you pay to boot. Malware with built in DRM? We’ll share the story of this clever hack.

Plus some great questions, our answers, a packed round up & more!

Thanks to:


DigitalOcean


Ting


iXsystems

Show Notes:

New Petya malware encrypts the Master Boot Record then BSoDs your machine

  • “Malware experts from German security firm G DATA have found a new type of lock-ransomware that uses a DOS-level lock screen to prevent users from accessing their files”
  • Unlike some other malware, the researchers did not come up with the name; the malware has its own website and logo, where you pay the ransom
  • I am not sure “DOS-level” makes sense as a term, but ok
  • “Lock-ransomware, also known as lockers, is the first type of ransomware that existed before the rise of crypto-ransomware. This type of ransomware doesn’t encrypt files, but merely blocks the user’s access to his data”
  • “The latest lock-ransomware discovered by security researchers is the Petya ransomware, which was seen spread via spear-phishing campaigns aimed at human resource departments. HR employees are sent an email with a link to a file stored on Dropbox, where an applicant’s CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death.”
  • “As soon as the user restarts the PC after the blue screen, the computer will enter a fake check disk (CHKDSK) process that, after it finishes, will load Petya’s lock screen. Restarting the computer over and over will always enter this screen”
  • “This screen provides a link to the ransomware’s payment site, hosted on Tor. After the user purchases a decryption key, he can enter it at the bottom of the DOS lock screen. Petya claims to encrypt the user’s files, but G DATA says they can’t verify its claims, and that this is presumably a lie.”
  • “UPDATE: Trend Micro’s researchers also took a look at Petya and they confirm that the ransomware does encrypt files, while also revealing it alters the MBR, preventing users from entering in Safe Mode, and it asks for a 0.99 Bitcoin (~$400) ransom”
  • The encryption of the boot sector is very simple: the data is just XOR’d with the value 0x37 (the ASCII code for the number 7).
  • Additional Coverage: Threat Post

New USB Thief trojan found in the wild

  • Researchers at ESET have identified a new trojan being spread on USB sticks, called “USB Thief”
  • What makes this malware so unique is how it protects itself from analysis by researchers
  • “Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system. Moreover, it uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect.”
  • “It depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives. The malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background.”
  • “The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements. The AES encryption key is computed from the unique USB device ID, and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.”
  • So when researchers copied the malware to a VM to try to dissect it, it stopped working, as it could no longer decrypt its payload
  • “It was quite challenging to analyze this malware because we had no access to any malicious USB device. Moreover, we had no dropper, so we could not create a suitably afflicted USB drive under controlled conditions for further analysis.”
  • “Only the submitted files can be analyzed, so the unique device ID had to be brute-forced and combined with common USB disk properties. Moreover, after successful decryption of the malware files, we had to find out the right order of the executables and configuration files, because the file copying process to get the samples to us had changed the file creation timestamp on the samples.”
  • “Finally, the payload implements the actual data-stealing functionality. The executable is injected into a newly created “%windir%\system32\svchost.exe -k netsvcs” process. Configuration data includes information on what data should be gathered, how they should be encrypted, and where they should be stored. The output destination must always be on the same removable device. In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called “WinAudit”. It encrypts the stolen data using elliptic curve cryptography.”
  • “In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer. After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload.”

Six people charged in hacked lottery terminal scam

  • “Connecticut prosecutors say the group conspired to manipulate automated ticket dispensers to run off “5 Card Cash” tickets that granted on-the-spot payouts in the US state.”
  • “According to the Hartford Courant, a group of shop owners and employees setup the machines to process a flood of tickets at once, which caused a temporary display freeze. This allowed operators to see which of the tickets about to be dispensed would be winning ones, cancel the duff ones, and print the good ones.”
  • “While those reports were being processed, the operator could enter sales for 5 Card Cash tickets,” the newspaper reports. “Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners.”
  • “The Courant says that the lottery commission wised up to the scheme back in November when it heard that people were winning the 5 Card Cash game at a higher-than-expected rate. The game was temporarily halted. The paper notes that more arrests are expected in the case.”
  • In Ontario, there are special provisions for when an employee of the store wants to buy a lottery ticket, specifically to deal with crimes of this nature
  • The other common lottery crime was replacing a customer's large-payout winning ticket with a smaller one. The employee would buy a number of tickets, keep the small winners ($10), and swap them for the larger winning tickets of unsuspecting customers when they came in to cash them
  • It is now commonplace for there to be an automated lottery checking machine that is used directly by the customer.
  • The ticket machines in Ontario also play an audible tune when a winning ticket is scanned, much to the annoyance of people who have to work there all day, but it ensures that customers are not ripped off

The post Pay to Boot | TechSNAP 260 first appeared on Jupiter Broadcasting.

Better than Linux | LINUX Unplugged 138 https://original.jupiterbroadcasting.net/98211/better-than-linux-lup-138/ Tue, 29 Mar 2016 18:24:59 +0000 https://original.jupiterbroadcasting.net/?p=98211 Has Linux met its match? That’s the claim several outlets are making this week. We look at the new & innovative operating systems stepping into the public light. The first official Ubuntu tablet goes on sale & we share our thoughts, a little BASH on Windows & a lot more! Get Paid to Write for […]

The post Better than Linux | LINUX Unplugged 138 first appeared on Jupiter Broadcasting.


Has Linux met its match? That’s the claim several outlets are making this week. We look at the new & innovative operating systems stepping into the public light.

The first official Ubuntu tablet goes on sale & we share our thoughts, a little BASH on Windows & a lot more!



Show Notes:

Follow Up / Catch Up

Microsoft to show Bash on Linux running on Windows 10

However, given the latest session leak, it seems that Bash on Ubuntu will figure in somehow. Bash is a Linux shell. It’s a set of add-ons and plug-ins that are a superset of the Bourne shell, and provide users with the ability to employ text commands to evoke specific actions (and/or to use scripts to do so).

Here come some games!

Red Hook Studios, the developers of Darkest Dungeon, a gothic roguelike turn-based RPG (role-playing game), have announced today, March 28, 2016, the availability of a public Beta build for the Linux platform.

Fedora 24 Alpha released! – No Mainstream Wayland Distro in 2016?

We have decided not to make Wayland, the next generation graphic stack, the default in Fedora 24 Workstation. However, Wayland remains available as an option, and the Workstation team would greatly appreciate your help in testing. Our goal is one full release where the non-default Wayland option works seamlessly, or reasonably close thereto. At that point we will make Wayland the default with X11 as the fallback option.

Arch Linux – News: Required update to pacman-5.0.1 before 2016-04-23

In order for the use of hooks to be started, we require all users to have updated to at least pacman-5.0.1 before 2016-04-23. Pacman-5.0.1 was released on 2016-02-23, so this will have given everyone two months to update their system.

TING

You Can Pre-Order The Ubuntu M10 Tablet Right Now

DigitalOcean

Stali distribution smashes assumptions about Linux

Stali’s project head, Anselm R. Garbe (a developer currently working at BMW, and creator of the DWM window manager), believes static linking works out better for most common use cases. The most obvious benefit is that static binaries have a smaller memory and on-disk footprint. Static binaries also claim to be faster, although there are no benchmarks as yet to show how Stali performs against other distributions.

Linux Academy

LinuxFest Northwest 2016

With 80 general sessions, 10 postgres sessions, and 6 tutorials, LinuxFest Northwest will be quite the full weekend of learning and fun. View the accepted sessions.

Here’s the thing… | Teespring

Support our venture to convert people to linux at LinuxFest Northwest!

Linux Hardware Build Project. HUGE for JB

Support Jupiter Broadcasting on Patreon

Terminal Tackle Box | LINUX Unplugged 131 https://original.jupiterbroadcasting.net/93611/terminal-tackle-box-lup-131/ Tue, 09 Feb 2016 19:41:43 +0000 https://original.jupiterbroadcasting.net/?p=93611 Upgrade your terminal with Fish & the new Fishery plugin market. We chat about one of the really neat bash replacements on Linux. Then we take a look at Maru, a Debian based image for Nexus 5 devices that sounds a lot like Ubuntu Touch. Plus a quick look at a new app that combines […]

The post Terminal Tackle Box | LINUX Unplugged 131 first appeared on Jupiter Broadcasting.


Upgrade your terminal with Fish & the new Fishery plugin market. We chat about one of the really neat bash replacements on Linux. Then we take a look at Maru, a Debian based image for Nexus 5 devices that sounds a lot like Ubuntu Touch.

Plus a quick look at a new app that combines Plex with Popcorn Time & the awesome new features we just all got as Linux users!


Show Notes:

Pre-Show

Follow Up / Catch Up

Lumberyard + Amazon GameLift + Twitch for Games on AWS | AWS Official Blog

Today I would like to tell you about a pair of new AWS products that are designed for use by professional game developers building cloud-connected, cross-platform games.

WOW, Wayland Over Wire! – Samsung Open Source Group Blog

A common complaint about Wayland is that it isn’t network transparent.

Fish: A Better Alternative to Bash That Many Are Not Aware of – Make Tech Easier

Replacing Bash with Fish is as simple as a single command.

A blazing fast, modern plugin manager for Fish

DigitalOcean

maru

Maru is a new kind of computing experience. It gives you a single, context-aware device that makes personal computing really simple. And guess what? That device is your smartphone.

Korora 23 Screencast and Screenshots

The Korora Project has released version 23 (codename “Coral”) which is now available for download.

Existing 23 beta users do not need to re-install, just keep installing regular updates.

For the last three months we have been waiting for the RPMFusion repositories to be declared stable before releasing Korora 23. These community packages provide support for things that Fedora doesn’t normally ship, like multi-media codecs and proprietary kernel drivers. Normally, the stable RPMFusion repositories are available a few weeks after a Fedora release, however the community has moved to new infrastructure and this has caused some delays.

The First Ubuntu Tablet: The Aquaris M10 Ubuntu Edition Tablet

The Aquaris M10 Ubuntu Tablet will have the following specs:

  • 10.1 inch touchscreen with 1080p video
  • MediaTek quad-core MT8163A 1.5GHz processor
  • 2GB RAM
  • 16GB internal storage, of which approximately 11GB is available for use
  • MicroSD slot (up to 64GB)
  • 802.11n Wi-Fi, Bluetooth 4.0, GPS, FM Radio
  • 8-megapixel camera with autofocus and dual flash
  • Front mounted speakers
  • Micro HDMI port
  • 7,280mAh Li-Po battery

TING

Virgil 3D GPU project by virgil3d

The project entails creating a virtual 3D capable graphics card for virtual machines running inside qemu. The design of this card is based around the concepts of Gallium3D to make writing Mesa and (eventually) Direct3D drivers for it easy.

virtio-gpu is a driver for virtualization guests that allows efficient use of the host graphics card. In this release, it allows the virtualization guest to use the capabilities of the host GPU to accelerate 3D rendering. In practice, this means that a virtualized Linux guest can run an OpenGL game while using the GPU acceleration capabilities of the host, as shown in this or this video. This also requires running QEMU 2.5.

Linux Academy

Stremio – Watch instantly

Stremio is an app that helps you organize and instantly watch your favorite videos, movies, TV series and TV channels.

Support Jupiter Broadcasting on Patreon

TurboHax | TechSNAP 203 https://original.jupiterbroadcasting.net/77962/turbohax-techsnap-203/ Thu, 26 Feb 2015 21:05:39 +0000 https://original.jupiterbroadcasting.net/?p=77962 Lenovo & Google are victims of DNS hijacking, we’ll share the details, Everyone wants you to secure your data, just not from them & how Turbotax profits from Cyber tax fraud! Plus a great batch of your questions, a fantastic round up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct […]

The post TurboHax | TechSNAP 203 first appeared on Jupiter Broadcasting.


Lenovo & Google are victims of DNS hijacking, we’ll share the details, Everyone wants you to secure your data, just not from them & how Turbotax profits from Cyber tax fraud!

Plus a great batch of your questions, a fantastic round up & much, much more!


— Show Notes: —

Attackers Hijack Lenovo Domain, Spoof Website and Intercept Company Emails

  • The lenovo.com website was replaced with a slideshow of some random person
  • The attack was apparently carried out by members of LizardCircle (or LizardSquad)
  • The identity of the person in the slideshow is unclear, but reports suggest they are two members of another hacking group (Hack The Planet) that have been trying to undermine LizardSquad for months
  • The pictures on the Lenovo site suggest that the webcam of the target may have been compromised
  • It seems the Lizard Squad was able to compromise webnic.cc, a large domain name registrar, via a remote command injection vulnerability
  • They then reportedly installed a rootkit and took over the registrar's infrastructure
  • Using this access, they were able to change the authoritative nameservers for the Lenovo.com domain to their own, and post the defacement page
  • This also allowed them to intercept all incoming email sent to @lenovo.com addresses
  • They apparently used CloudFlare to host the site, and CloudFlare engineers eventually returned control of the site to Lenovo, while the DNS changes propagated
  • The attackers apparently also got access to the ‘auth codes’ required to transfer ownership of the domain to another registrar
  • Same attack also compromised google.com.vn domain in Vietnam
  • Additional Coverage: Krebs On Security
  • Additional Coverage: Ars Technica

Everyone wants you to secure your data, just not from them

  • Bruce Schneier writes a blog post about security and privacy
  • Google and Facebook want your data to be secure, on their servers, so they can analyze it
  • Your government wants you to have secure communications, as long as they have the magic keys to decrypt them, but other governments do not
  • “Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.”
  • Schneier also quotes Whitfield Diffie (pioneering cryptographer, co-developed the Diffie-Hellman key exchange used in SSH and TLS): “You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.”
  • Corporations want access to your data for profit; governments want it for security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.
  • Bruce wrote in his recent book: Data and Goliath: “Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.”
  • “Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions -- yes, billions -- of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.”
  • “We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.”
  • I think at some level, part of the onus needs to be on the user as well, you are responsible for managing your passwords and security.
  • Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors | Just Security

The rise of tax refund fraud

  • Fraudsters made billions of dollars last year by filing fake federal tax refund requests in the names of millions of unsuspecting Americans
  • The IRS added a number of security measures and better automated screening, which drove the fraudsters to focus on state-level tax fraud
  • “Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings”
  • “Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike”
  • To learn more about what was going on, Krebs interviewed Indu Kodukula, chief information security officer at Intuit
  • “The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”
  • In the 2014 tax season, the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft
  • “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having a file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”
  • “States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.”
  • “Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.”
  • “It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”
  • The traditional way that income tax fraud has been perpetrated was to steal the identity of an individual, then create an online tax account on their behalf and file the fraudulent return
  • However, there has been a spike in compromised tax accounts, most appear to be because of password reuse
  • We have seen many sites being compromised in the last few years, like LinkedIn, and Adobe. When huge piles of passwords like that are dropped on the Internet, the attackers try those same username/email and password combinations on other sites, like tax preparation sites
  • “Over the past one-and-a-half years, we started to see much more of this type of account takeover attack, where a customer’s TurboTax credentials were compromised at another site,” Kodukula said, describing wave after wave of attempts by fraudsters to log in at TurboTax using huge lists of credentials leaked in the wake of breaches at other companies.
  • Currently, about 60 percent of the returns flagged as likely fraudulent by Intuit appear to come from SIRF, while the other 40 percent are the result of account takeovers, Kodukula said. But the account takeover attacks are definitely growing in frequency and intensity, he said.
  • “From the list validation attacks we’ve seen, we know the credentials came from somewhere else,” he added. “When you look at credentials that have never been used in our system [trying to log in] it’s a pretty good indicator that those are credentials not from our space.”
  • Security experts (including Krebs) have long called on TurboTax to implement two-step authentication for customers to help address the account takeover problem caused by password re-use by consumers. Earlier this month, Intuit announced it would be implementing this very feature, although the company’s choice of approaches may fall short of what many security experts think of when they talk about real two-step or two-factor authentication.
  • Krebs’ article also has some links and guidance for those who fall victim to this type of attack
  • A week after the above interview, Krebs interviewed Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014
  • Krebs’ 2nd Interview
  • Lee said that he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.
  • But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns
  • “If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
  • “The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.”
  • Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.
  • But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.
  • “The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”
  • Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.
  • “We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”
  • “Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”
  • KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.
  • “As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”
  • That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.
  • “Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”
  • Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.
  • “Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”
  • Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.
  • “We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”
  • It will be interesting to see how this story develops

wget a Shell | TechSNAP 186 https://original.jupiterbroadcasting.net/70357/wget-a-shell-techsnap-186/ Thu, 30 Oct 2014 18:15:39 +0000 https://original.jupiterbroadcasting.net/?p=70357 A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable. Plus a great batch of your feedback, a rocking round up & much much more! Thanks to: Get Paid to Write for DigitalOcean […]

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.


A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.

Plus a great batch of your feedback, a rocking round up & much much more!


— Show Notes: —

wget vulnerability exposes more flaws in commonly used tools

  • wget is a command-line download client from the GNU project, often found on Linux and Unix servers, and even available for Windows
  • It was originally designed for mirroring websites: its ‘recursive’ mode downloads an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
  • It is this mode that is the subject of the vulnerability
  • Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
  • A malicious FTP site can change its ‘LIST’ response (the directory listing command in the FTP protocol) to indicate the same file twice, first as a symbolic link, then the second time as a directory. This is not possible on a real FTP server, since the file system can not have 2 objects with the same name
  • This vulnerability allows the operator of the malicious FTP site you are downloading from, to cause wget to create arbitrary files, directories and symlinks on your system
  • The creation of new symlinks allows files to be overwritten
  • An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
  • So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
  • “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
  • Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most times it is merely used as an HTTP client to download a file from a URL
  • Redhat Bug Tracker
  • Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”, thankfully, we were spared such theatrics
  • HD Moore Tweets
  • HD Moore Blog Post
  • Metasploit Module
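
A defender-side check for the listing anomaly described above, as an added example that is not part of the show notes or of wget itself: it parses Unix-style FTP LIST lines and flags any name that is listed as both a symlink and a directory. It goes one step beyond the notes by also flagging symlink targets that point outside the mirror root; the function names and the sample listing are constructed for illustration.

```python
"""Audit a Unix-style FTP LIST response for the CVE-2014-4877 pattern."""
import posixpath
import re
from collections import defaultdict

# Unix-style LIST line: type+mode, link count, owner, group, size, date, name
LIST_RE = re.compile(
    r"^(?P<type>[-dlbcps])[rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+(?P<rest>.+)$"
)


def parse_list_line(line):
    """Return {'type', 'name', 'target'} for one LIST line, or None if unparsable."""
    m = LIST_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    kind, name, target = m.group("type"), m.group("rest"), None
    if kind == "l" and " -> " in name:
        # Symlinks are rendered as "name -> target"
        name, target = name.split(" -> ", 1)
    return {"type": kind, "name": name, "target": target}


def symlink_escapes(rel_dir, target):
    """True if a symlink target resolves outside the mirror root.

    rel_dir is the listed directory's path relative to the mirror root.
    """
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(rel_dir, target))
    return resolved == ".." or resolved.startswith("../")


def audit_listing(lines, rel_dir=""):
    """Return a list of (finding, name, detail) tuples for one directory listing."""
    types_by_name = defaultdict(list)
    findings = []
    for raw in lines:
        entry = parse_list_line(raw)
        if entry is None:
            continue  # e.g. a "total N" header line
        types_by_name[entry["name"]].append(entry["type"])
        if entry["type"] == "l" and entry["target"] is not None:
            if symlink_escapes(rel_dir, entry["target"]):
                findings.append(
                    ("symlink-escapes-root", entry["name"], entry["target"])
                )
    # A real file system cannot hold two objects with the same name, so any
    # repeated name means the server fabricated the listing.
    for name, types in types_by_name.items():
        if len(types) > 1:
            if {"l", "d"} <= set(types):
                findings.append(("symlink-and-directory", name, "".join(types)))
            else:
                findings.append(("duplicate-name", name, "".join(types)))
    return findings


# Constructed sample: "cache" appears first as a symlink, then as a directory.
SAMPLE_LISTING = [
    "drwxr-xr-x   2 ftp ftp     4096 Oct 28 12:00 docs",
    "-rw-r--r--   1 ftp ftp     1024 Oct 28 12:00 README",
    "lrwxrwxrwx   1 ftp ftp        9 Oct 28 12:00 cache -> /tmp/demo",
    "drwxr-xr-x   2 ftp ftp     4096 Oct 28 12:00 cache",
    "lrwxrwxrwx   1 ftp ftp        4 Oct 28 12:00 latest -> docs",
]

if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(finding)
```
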

Drupal flaw from 2 weeks ago, if you have not patched, assume your site is compromised

  • Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
  • It turns out to be vulnerable, a specially crafted request results in the execution of arbitrary SQL commands
  • “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
  • All users running Drupal core 7.x versions prior to 7.32 need to upgrade
  • Drupal Security Advisory
  • One line patch — It seems the code assumed $data would always be a simple array, and if it was an associative array (had named keys instead of integers) it would have unintended effects
  • Additional Coverage: Threat Post
  • It was announced today that a widespread automated attack has been detected against unpatched Drupal instances
  • Because of the nature of the vulnerability, a valid user account is not required to exploit the vulnerability, and no traces are left behind when a site is compromised
  • “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
  • Drupal Public Service Announcement
  • Additional Coverage: Threat Post
  • It is entirely possible that attackers could have dumped the contents of databases in Drupal; it is probably best to reset all passwords

NAT-PMP flaw puts 1.2 million home routers at risk

  • NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 as RFC 6886 to replace part of UPnP with a simpler implementation
  • It allows hosts on the internal network to request ‘please open tcp (or udp) port XXXX on the internet interface and forward that traffic to me’, and ‘what is our internet facing IP’
  • This allows hosts to accept incoming connections (like game servers, skype calls, etc) without having to manually create a ‘port forwarding’ rule
  • However, it seems some implementations are configured incorrectly, and accept requests from both the internal (expected) and external (very bad!) interface
  • The NAT-PMP protocol uses the source IP address of the request to create the mapping, to help prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the internet), however, because it is UDP, the source address can be spoofed
  • Researcher Post
  • Of the 1.2 million internet exposed devices Project Sonar found to be in some way vulnerable:
  • 2.5% are vulnerable to ‘interception of internal NAT traffic’, specifically, an attacker can create a mapping to forward attempts to connect to the router itself, to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
  • 86% are vulnerable to ‘interception of external traffic’, which allows the attacker to create a mapping on the external interface. For example, since most routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website, allowing them to keep the true address of their site secret by directing traffic to your router, which would then reflect it to their address.
  • 88% are vulnerable to ‘Access to Internal NAT Client Services’. Because NAT-PMP runs over UDP, it is often possible to send a spoofed packet with a fake source address. This allows an attacker to basically create port-forwarding rules from outside, gaining access to machines behind the router that are normally not exposed to the Internet.
  • 88% are vulnerable to a Denial of Service attack, by creating a mapping to the NAT-PMP service, the device will forward all real NAT-PMP requests off to some other host, basically breaking the NAT-PMP feature on the device
  • 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
  • Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
  • Because of the nature of project SONAR and the wide spread of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the metasploit module, and attempt to create a database
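
An added example, not from the researchers' post or from any router firmware: a Python model of the gateway-side check that separates a correct NAT-PMP listener from the misconfigured ones described above. The request layout follows RFC 6886; the interface names, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

# Opcodes from RFC 6886: 0 = external address, 1 = map UDP, 2 = map TCP.
OPCODES = {0: "external-address", 1: "map-udp", 2: "map-tcp"}


def parse_request(data):
    """Decode a NAT-PMP (version 0) client request into a dict."""
    if len(data) < 2:
        raise ValueError("short packet")
    version, opcode = data[0], data[1]
    if version != 0:
        raise ValueError("unsupported version")
    if opcode not in OPCODES:
        raise ValueError("unknown opcode")
    if opcode == 0:
        return {"op": OPCODES[0]}
    if len(data) != 12:
        raise ValueError("bad mapping request length")
    # version, opcode, reserved, internal port, suggested external port, lifetime
    _, _, _, internal, external, lifetime = struct.unpack("!BBHHHI", data)
    return {"op": OPCODES[opcode], "internal_port": internal,
            "suggested_external_port": external, "lifetime": lifetime}


def source_only_check(data, src_ip, lan_net):
    """Weak policy: trusts the UDP source address alone, which can be spoofed."""
    try:
        parse_request(data)
    except ValueError:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(lan_net)


def hardened_check(data, src_ip, ingress_iface, lan_ifaces, lan_net):
    """Accept only well-formed requests that arrive on a LAN interface
    and carry a LAN source address. Returns (accepted, reason)."""
    try:
        parse_request(data)
    except ValueError as exc:
        return (False, str(exc))
    if ingress_iface not in lan_ifaces:
        return (False, "arrived on non-LAN interface")
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(lan_net):
        return (False, "source outside LAN")
    return (True, "ok")


# Constructed sample: a TCP mapping request for port 8080, lifetime 3600 s.
MAP_TCP = struct.pack("!BBHHHI", 0, 2, 0, 8080, 8080, 3600)
LAN_NET = "192.168.1.0/24"      # constructed LAN subnet
LAN_IFACES = {"lan0"}           # constructed interface name

if __name__ == "__main__":
    print(parse_request(MAP_TCP))
    # Same packet, claimed LAN source, but received on the WAN side:
    print(source_only_check(MAP_TCP, "192.168.1.50", LAN_NET))
    print(hardened_check(MAP_TCP, "192.168.1.50", "wan0", LAN_IFACES, LAN_NET))
```

The source-only policy accepts the request because the claimed address is inside the LAN; checking the ingress interface first is what rejects it.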

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

Xen Gets bashed | TechSNAP 182 https://original.jupiterbroadcasting.net/68177/xen-gets-bashed-techsnap-182/ Thu, 02 Oct 2014 21:05:42 +0000 https://original.jupiterbroadcasting.net/?p=68177 Recent major flaws found in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box. Plus how secure are VLANs, a big batch of your questions, our answers, and much much more! Thanks to: Direct Download: […]

The post Xen Gets bashed | TechSNAP 182 first appeared on Jupiter Broadcasting.

Recent major flaws found in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box.

Plus how secure are VLANs, a big batch of your questions, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

— Show Notes: —

Bash plus Xen bugs send the entire internet scrambling

  • A critical flaw was discovered in the bash shell, used as the default system shell in most versions of Linux, as well as OS X.
  • The flaw was in the parsing of environment variables. If a new variable was set to contain a function, and that function was followed by a semicolon (normally a separator that can be used to chain multiple commands together), the code after the semicolon would be executed when the shell started
  • Many people are not aware that CGI passes the original request data, as well as all HTTP headers, to the scripts via environment variables
  • After those using bash CGI scripts ran around like chickens with their heads cut off, others came to realize that even if the CGI scripts are actually perl or something else, if they happen to fork a shell with the system() call, or similar, to do something, that shell will inherit those environment variables, and be vulnerable
  • As more people spent brain cycles thinking of creative ways to exploit this bug, it was realized that even qmail was vulnerable in some cases: if a user has a .qmail file or similar to forward their email via a pipe, that command is executed via the system shell, with environment variables containing the email headers, including from, to, subject, etc.
  • While FreeBSD does not ship with bash by default, it is a common dependency of most of the desktop environments, including gnome and KDE. PCBSD also makes bash available to users, to make life easier for Linux switchers. FreeNAS uses bash for its interactive web shell for the same reason. While not vulnerable in most cases, all have been updated to ensure that some new creative way to exploit the bug does not crop up
  • Apparently the DHCP client in Mac OS X also uses bash, and a malicious DHCP server could exploit the flaw
  • The flaw also affects a number of VMWare products
  • OpenVPN and many other software packages have also been found to be vulnerable
  • The version of bash on your system can be tested easily with this one-liner:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • Which will print “this is a test”, and if bash has not yet been patched, will first print ‘vulnerable’
  • ArsTechnica: Bug in bash shell creates big security hole on anything with linux in it
  • Concern over bash bug grows as it is actively exploited in the wild
  • First bash patch doesn’t solve problem, second patch rushed out to resolve issue
  • Now that people are looking, even more bugs in bash found and fixed
  • Shellshock fixes result in another round of patches as attacks get more clever
  • Apple releases patch for shellshock bug
  • There was also a critical update to NSS (the Mozilla cryptographic library), which was not properly validating SSL certificates
  • The other big patch this week was for Xen
  • It was announced by a number of public cloud providers, including Amazon and Rackspace, that some virtual server host machines would need to be rebooted to install security fixes, resulting in downtime for 10% of Amazon instances
  • It is not clear why this could not be resolved by live migrations
  • All versions of Xen since 4.1 until this patch are vulnerable. The flaw is only exploitable when running fully virtualized guests (HVM mode, uses the processor virtualization features), and can not be exploited by virtual machines running in the older paravirtualization mode. Xen on ARM is not affected
  • Xen Security Advisory
  • Amazon Blog Post #1
  • Amazon Blog Post #2
  • Rackspace Blog Post
  • Additional Coverage: eweek

Cox Communications takes the privacy of its customers seriously, kind of

  • A female employee of Cox Communications (a large US ISP) was socially engineered into giving up her username and password
  • These credentials were then used to access the private data of Cox Customers
  • The attacker apparently only stole data about 52 customers, one of which was Brian Krebs
  • This makes it sound like a targeted attack, or at least an attack by someone who is (or is not) a fan of Brian Krebs
  • It appears that the Cox internal customer database can be accessed directly from the internet, with only a username and password
  • Cox says they use two factor authentication “in some cases”, and plan to expand the use of 2FA in the wake of this breach
  • Cox being able to quickly determine exactly how many customers’ data was compromised suggests they at least have some form of auditing in place, to leave a trail describing what data was accessed
  • Brian points out: “This sad state of affairs is likely the same across multiple companies that claim to be protecting your personal and financial data. In my opinion, any company — particularly one in the ISP business — that isn’t using more than a username and a password to protect their customers’ personal information should be publicly shamed.” “Unfortunately, most companies will not proactively take steps to safeguard this information until they are forced to do so — usually in response to a data breach. Barring any pressure from Congress to find proactive ways to avoid breaches like this one, companies will continue to guarantee the security and privacy of their customers’ records, one breach at a time.”

Other researchers recreate the BadUSB exploit and release the code on Github

  • The “BadUSB” research was originally done by Karsten Nohl and Jakob Lell, at SR Labs in Germany.
  • Presented at BlackHat, it described being able to reprogram the firmware of USB devices to perform other functions, such as a USB memory stick that presented itself to the computer as a keyboard, and typed out commands once plugged in, allowing it to compromise the computer and exfiltrate data
  • Brandon Wilson and Adam Caudill were doing their own work in this space, and when they heard about the talk at BlackHat, decided to accelerate their own work
  • They have now posted their code on Github
  • “The problem is that Nohl and Lell—and Caudill and Wilson—have not exploited vulnerabilities in USB. They’re just taking advantage of weaknesses in the manner in which USBs are supposed to behave“
  • “At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC“
  • “It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”
  • The way around this issue would be for device manufacturers to implement code signing
  • The existing firmware would only allow the firmware to be updated if the new firmware was signed by the manufacturer, preventing a malicious user from overwriting the good firmware with ‘bad’ firmware
  • However, users could obviously create their own devices specifically for the purpose of the evil firmware, but it would prevent the case where an attacker modifies your device to work against you
  • At the same time, many users might argue against losing control over their device, and no longer being able to update the firmware if they wish
  • The real solution may be for Operating Systems and users to evolve to no longer trust random USB devices, and instead allow the user to decide if they trust the device, possibly something similar to mobile apps, where the OS tells the user what functionality the device is trying to present
  • You might choose to not trust that USB memstick that is also attempting to present a network adapter, in order to override your DHCP settings and make your system use a set of rogue DNS servers

The Daemon’s Apprentice | BSD Now 57 https://original.jupiterbroadcasting.net/68082/the-daemons-apprentice-bsd-now-57/ Thu, 02 Oct 2014 11:54:25 +0000 https://original.jupiterbroadcasting.net/?p=68082 We’re back from EuroBSDCon! This week we’ll be talking with Steve Wills about mentoring new BSD developers. If you’ve ever considered becoming a developer or helping out, it’s actually really easy to get involved. We’ve also got all the BSD news for the week and answers to your emails, on BSD Now – the place […]

The post The Daemon's Apprentice | BSD Now 57 first appeared on Jupiter Broadcasting.

We’re back from EuroBSDCon! This week we’ll be talking with Steve Wills about mentoring new BSD developers. If you’ve ever considered becoming a developer or helping out, it’s actually really easy to get involved. We’ve also got all the BSD news for the week and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap

– Show Notes: –

Headlines

NetBSD at Hiroshima Open Source Conference

  • NetBSD developers are hard at work, putting NetBSD on everything they can find
  • At a technology conference in Hiroshima, some developers brought their exotic machines to put on display
  • As usual, there are lots of pictures and a nice report from the conference

FreeBSD’s Linux emulation ports rehaul

  • For a long time, FreeBSD’s emulation layer has been based on an ancient Fedora 10 system
  • If you’ve ever needed to install Adobe Flash on BSD, you’ll be stuck with all this extra junk
  • With some recent work, that’s been replaced with a recent CentOS release
  • This opens up the door for newer versions of Skype to run on FreeBSD, and maybe even Steam someday

pfSense 2.2-BETA

  • Big changes are coming in pfSense land, with their upcoming 2.2 release
  • We talked to the developer a while back about future plans, and now they’re finally out there
  • The 2.2 branch will be based on FreeBSD 10-STABLE (instead of 8.3) and include lots of performance fixes
  • It also includes some security updates, lots of package changes and updates and much more
  • You can check the full list of changes on their wiki

NetBSD on the Raspberry Pi

  • This article shows how you can install NetBSD on the ever-so-popular Raspberry Pi
  • As of right now, you’ll need to use a -CURRENT snapshot to do it
  • It also shows how to grow the filesystem to fill up an SD card, some pkgsrc basics and how to get some initial things set up
  • Can anyone find something that you can’t install NetBSD on?

Interview – Steve Wills – swills@freebsd.org / @swills

Mentoring new BSD developers


News Roundup

MidnightBSD 0.5 released

  • We don’t hear a whole lot about MidnightBSD, but they’ve just released version 0.5
  • It’s got a round of the latest FreeBSD security patches, driver updates and various small things
  • Maybe one of their developers could come on the show sometime and tell us more about the project

BSD Router Project 1.52 released

  • The newest update for the BSD Router Project is out
  • This version is based on a snapshot of 10-STABLE that’s very close to 10.1-RELEASE
  • It’s mostly a bugfix release, but includes some small changes and package updates

Configuring a DragonFly BSD desktop

  • We’ve done tutorials on how to set up a FreeBSD or OpenBSD desktop, but maybe you’re more interested in DragonFly
  • In this post from Justin Sherrill, you’ll learn some of the steps to do just that
  • He pulled out an old desktop machine, gave it a try and seems to be pleased with the results
  • It includes a few Xorg tips, and there are some comments about the possibility of making a GUI DragonFly installer

Building a mini-ITX pfSense box

  • Another week, another pfSense firewall build post
  • This time, the author is installing to a Jetway J7F2, a mini-ITX device with four LAN ports
  • He used to be a m0n0wall guy, but wanted to give the more modern pfSense a try
  • Lots of great pictures of the hardware, which we always love

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Slides from most of the EuroBSDCon talks are up, hopefully we’ll have the links to all the videos soon
  • We got lots of great interviews, so look forward to those in the coming months
  • The Book of PF’s third edition is now available to buy digitally, and physical copies will be available later this month
  • OpenBSD 5.6 preorders are up on their new store, openbsdstore.com – there’s also some other cool things there
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Weaponized Bash | Linux Action Show 332 https://original.jupiterbroadcasting.net/67717/weaponized-bash-linux-action-show-332/ Sun, 28 Sep 2014 16:46:08 +0000 https://original.jupiterbroadcasting.net/?p=67717 The Shellshock bug is taking the internet by storm, Fedora project lead Matthew Miller joins us to discuss how this Bash bug works, how big of a problem it really is, and how large projects are responding to the issue. Plus we chat a little Fedora.next and more! Then it’s our look at what’s great […]

The post Weaponized Bash | Linux Action Show 332 first appeared on Jupiter Broadcasting.

The Shellshock bug is taking the internet by storm, Fedora project lead Matthew Miller joins us to discuss how this Bash bug works, how big of a problem it really is, and how large projects are responding to the issue. Plus we chat a little Fedora.next and more!

Then it’s our look at what’s great in Gnome 3.14, Ubuntu 14.10 & another systemd alternative that’s doing it right.

Thanks to:


DigitalOcean


Ting

— Show Notes: —

Shellshock with Matthew Miller – FedoraProject


System76

Brought to you by: System76

Shellshock BASH Vulnerability Tester

Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU’s bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in the last 24 hours (See patch history), you’re most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

Shellshock: How does it actually work? | Fedora Magazine

And there’s quite a lot of other little cleanups in there too — security people at Fedora, at Red Hat, and around the world sure have been busy for the couple of days. Thanks to all of you for your hard work, and to Fedora’s awesome QA and Release Engineering teams, who sprung into action to make sure that these updates got to you quickly and safely.

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole | Ars Technica

Here’s how the Shellshock vulnerability works, in a nutshell: an attacker sends a request to a Web server (or Git, a DHCP client, or anything else affected) that uses bash internally to interact with the operating system. This request includes data stored in an environmental variable. Environmental variables are like a clipboard for operating systems, storing information used to help it and software running on it know where to look for certain files or what configuration to start with. But in this case, the data is malformed so as to trick bash into treating it as a command, and that command is executed as part of what would normally be a benign set of script. This ability to trick bash is the shellshock bug. As a result, the attacker can run programs with the same level of access as the part of the system launching a bash shell.

Shellshock just ‘a blip’ says Richard Stallman as Bash bug attacks increase | Technology

GNU Project founder: ‘Any program can have a bug. But a proprietary program is likely to have intentional bugs’

The bash vulnerability and Docker containers | Colin Walters

In a previous post about Docker, I happened to randomly pick bash as a package shared between the host and containers. I had thought of it as a relatively innocent package, but the choice turned out to be prescient. The bash vulnerability announced today shows just how important even those apparently innocent packages can be.

shellshock – What does env x='() { :;}; command' bash do and why is it insecure? – Unix & Linux Stack Exchange

bash stores exported function definitions as environment variables. Exported functions look like this:

$ foo() { bar; }
$ export -f foo
$ env | grep -A1 foo
foo=() {  bar
}

That is, the environment variable foo has the literal contents:

() {  bar
}

When a new instance of bash launches, it looks for these specially crafted environment variables, and interprets them as function definitions. You can even write one yourself, and see that it still works:

$ export foo='() { echo "Inside function"; }'
$ bash -c 'foo'
Inside function

Unfortunately, the parsing of function definitions from strings (the environment variables) can have wider effects than intended. In unpatched versions, it also interprets arbitrary commands that occur after the termination of the function definition. This is due to insufficient constraints in the determination of acceptable function-like strings in the environment. For example:

$ export foo='() { echo "Inside function" ; }; echo "Executed echo"'
$ bash -c 'foo'
Executed echo
Inside function

Note that the echo outside the function definition has been unexpectedly executed during bash startup. The function definition is just a step to get the evaluation and exploit to happen, the function definition itself and the environment variable used are arbitrary. The shell looks at the environment variables, sees foo, which looks like it meets the constraints it knows about what a function definition looks like, and it evaluates the line, unintentionally also executing the echo (which could be any command, malicious or not).

This is considered insecure because variables are not typically allowed or expected, by themselves, to directly cause the invocation of arbitrary code contained in them. Perhaps your program sets environment variables from untrusted user input. It would be highly unexpected that those environment variables could be manipulated in such a way that the user could run arbitrary commands without your explicit intent to do so using that environment variable for such a reason declared in the code.


— PICKS —

Runs Linux

India’s Mission to Mars, runs Linux

India has made history today by being the first and only country in the world to send a space craft to Mars in first attempt. The country also made history as it achieved it in a budget lesser than the un-scientific Hollywood block buster Gravity; India spent only $71 million on the mission.

Desktop App Pick

Shellshock BASH Vulnerability Tester

You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.

Weekly Spotlight

RockStor: Store Smartly: Free Advanced File Storage

✔ Installs on 64-bit commodity hardware or virtual machine
✔ Built on top of Enterprise Linux operating system
✔ Supports NA sharing protocols including Samba/CIFS, NFS and SFTP
✔ Efficient storage management functionality with web-ui or CLI
✔ Extend functionality with plugins


— NEWS —

GNOME 3.14 Released, See What's New

After six months of development, GNOME 3.14 was released today and it includes quite a few interesting changes such as multi-touch gestures for both the system and applications, re-worked default theme, new animations as well as various enhancements for the code GNOME applications.

In a nutshell I like Gnome 3.14 a lot. It’s a really nice release. Though I am a hard core Plasma user, I see myself spending some time with Gnome, enjoying things like online integration, easy-to-set-up Evolution and many more features which I can’t find in KDE’s Plasma. That said, both are my favorite. They both excel in their focus areas. If you have not tried Gnome yet, do give it a try.

Apart from Touch support in Shell there is also support for GNOME apps and in fact some GNOME apps they do use gestures!

The Wayland changes for GTK+ 3.14 include support for the recently released Wayland 1.6, touch input is now supported, working drag-and-drop support, and support for the GNOME classic mode.

Touchscreens are no longer just for tablets and phones. Touchscreen laptop computers and desktops are becoming the norm, if not more common, in the computer market. Much of this has been spurred-on by Microsoft and Windows 8, whose “Modern” interface is about as touchscreen-friendly as you can get. In fact, it is what is driving the laptop market to include capacitive touchscreens.

The nosh package

It should also be suitable for filling the gap caused by the
systemd tool not being portable outwith the Linux kernel since it
is known to work on proper BSD and on Debian Linux, and therefore
should work on Debian kFreeBSD.

Ubuntu 14.10 Beta Downloads Now Available

There’s not even a new default desktop wallpaper.

Feature Freeze is the point past which no new features, packages or APIs are introduced, with emphasis placed on polish and bug fixing to ensure as stable an experience as possible. Feature Freeze for Ubuntu 14.10 and its flavors came into effect on August 21 — a month prior to the release of GNOME 3.14 Stable.

It’s this tight timeframe that conspires against the Ubuntu GNOME team, making it impossible for them to include latest GNOME stack. If you were one of those who hoped to find GNOME 3.12 in Ubuntu 14.04 LTS, you’ll be familiar with the impact this has.


A series of maintained PPAs — Stable, Staging, and Next — provide backports of newer GNOME releases to Ubuntu, allowing you to optionally roll with (potentially untested) newer software should you want to.

Tech Talk Today | A Daily Tech News Show with a Linux Perspective


— FEEDBACK —

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

The Bourne Shellshock | Tech Talk Today 65 https://original.jupiterbroadcasting.net/67562/the-bourne-shellshock-tech-talk-today-65/ Thu, 25 Sep 2014 10:31:30 +0000 https://original.jupiterbroadcasting.net/?p=67562 A major flaw in the Bash shell has been discovered, and the Internet is losing its collective mind over it. We discuss the possible far reaching ramifications of the flaw, and the comparisons to Heartbleed. Plus some solid rumors on the next Nexus device, major iOS 8 update issues, and India’s historical tech event from […]

The post The Bourne Shellshock | Tech Talk Today 65 first appeared on Jupiter Broadcasting.

A major flaw in the Bash shell has been discovered, and the Internet is losing its collective mind over it. We discuss the possible far reaching ramifications of the flaw, and the comparisons to Heartbleed.

Plus some solid rumors on the next Nexus device, major iOS 8 update issues, and India’s historical tech event from this week.

Show Notes:

Exclusive: This is ‘Shamu,’ Motorola’s upcoming Nexus 6/X

Google’s upcoming “Nexus 6” (some claim it will be called “Nexus X”) has long been rumored, and there have been many leaked specifications and details rolling out for quite some time now.

Notably, a report from last month based on specifications leaked via GFXBench seemingly all but confirmed a variety of facts about the device: a 2.6GHz quad-core Snapdragon 805 processor, 3GB of RAM, 32GB of internal storage, a 13-megapixel rear-facing camera, a 2-megapixel front-facing shooter and Android L (surprise, surprise).

The biggest unknown is the screen, but 9to5Google reports 5.92-inch screen, with QHD resolution of 2560 x 1440. This dense screen according to our calculations comes out to be 498 PPI—a fairly impressive number for any smartphone. As such, it’s going to have a battery that is equally impressive, packing 3,200 mAh to power all of those pixels.

Previous reports suggested a 5.2-inch screen instead of the currently rumored 5.92-inch


As for the overall appearance of the device, it’s basically going to be a scaled up 2nd generation Moto X with some minor tweaks to make the larger size easier to use.

Bug in Bash shell creates big security hole on anything with *nix in it | Ars Technica

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server.

Errata Security: Bash bug as big as Heartbleed

Today’s bash bug is as big a deal as Heartbleed. That’s for many reasons.

The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.


The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things

First attacks using ‘shellshock’ Bash bug discovered

AusCERT earlier yesterday also claimed to have received reports the bug was being exploited in the wild.

Meanwhile, security researcher Robert Graham claims to have found at least 3,000 systems vulnerable to the bug. However, Graham’s scan only looked at systems on port 80; the researcher noted embedded webservers on odd ports are the real danger and a scan for these “would give a couple times more results”.

Check yourself:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

 vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
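
To run the same check against every Bash binary on a host rather than only the one first in PATH, here is an added example (not from the show notes or the linked articles). The function names and the candidate paths are assumptions; adjust the paths to wherever your systems install shells.

```shell
#!/bin/sh
# Added example: apply the one-line test above to several shell binaries.
# Paths and function names are assumptions, not part of the original notes.

MARKER="vulnerable"

# classify_output TEXT
# returns 0 = not vulnerable, 1 = vulnerable, 2 = inconclusive
classify_output() {
    case "$1" in
        *"this is a test"*) ;;   # the shell really ran our command
        *) return 2 ;;           # no test line: result cannot be trusted
    esac
    # The marker alone on a line means the text after the function
    # body was executed while the variable was being imported.
    if printf '%s\n' "$1" | grep -qx "$MARKER"; then
        return 1
    fi
    return 0
}

# check_shell PATH: run the test against one binary in a clean environment
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    out=$(env -i x="() { :;}; echo $MARKER" \
        "$shell_path" -c "echo this is a test" 2>&1) || true
    classify_output "$out"
}

# audit_shells PATH...: report each binary; non-zero if any is vulnerable
audit_shells() {
    found=0
    for candidate in "$@"; do
        rc=0
        check_shell "$candidate" || rc=$?
        case $rc in
            0) echo "$candidate: not vulnerable" ;;
            1) echo "$candidate: VULNERABLE, update bash"; found=1 ;;
            *) echo "$candidate: skipped (missing or inconclusive)" ;;
        esac
    done
    return "$found"
}

if audit_shells /bin/bash /usr/bin/bash /usr/local/bin/bash; then
    echo "no vulnerable shell found in the listed paths"
else
    echo "at least one listed shell needs patching"
fi
```

The non-zero return from audit_shells makes it usable from cron or a configuration-management run to flag hosts that still need the update.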

Jupiter Broadcasting at Ohio LinuxFest

Going to Ohio LinuxFest? Join our Google+ event for future meetup plans!

iOS 8.0.1 Causing No Service, Touch ID Issues on iPhone 6/6 Plus, Apple Support Recommends iTunes Restore – Mac Rumors

Following the release of iOS 8.0.1 this morning, numerous users found that their cellular service was disabled, reporting “No Service” messages after updating. Affected users also appear to be experiencing problems with Touch ID, which seems to be completely non-functional.

It appears that the issue is limited to users who have an iPhone 6 or an iPhone 6 Plus, but affected devices span several carriers.


Apple support has also recommended restoring iOS 8.0.1 via iTunes to fix the problem.


iOS 8.0.1 is no longer available via an over-the-air download.

Apple says that it is actively investigating reports of problems and has pulled iOS 8.0.1 in the meantime. The company also says that it will provide information as quickly as it can.

Upcoming price increase for NEW Plex Pass subscriptions – Plex Blog : Plex Blog

So on September 29, 2014 we’ll be making some changes to our Plex Pass subscription rates for new subscribers:

  • Monthly Plex Pass subscriptions will increase from $3.99 to $4.99 per month.
  • Annual Plex Pass subscriptions will increase from $29.99 to $39.99 per year.
  • Lifetime Plex Passes will increase from $74.99 to $149.99.

India’s Mars mission could be a giant leap | Priyamvada Gopal | Comment is free | The Guardian

After a journey of 300 days and 420 million miles, an Indian satellite has arrived in orbit around Mars. To have done so on an economy ticket — at $74m “the cheapest interplanetary mission ever to be undertaken by the world”, according to the mission’s leader

The post The Bourne Shellshock | Tech Talk Today 65 first appeared on Jupiter Broadcasting.

]]>