Battery – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Wed, 20 Oct 2021 03:12:16 +0000

Pi for the People | LINUX Unplugged 428
https://original.jupiterbroadcasting.net/146482/pi-for-the-people-linux-unplugged-428/
Tue, 19 Oct 2021 19:00:00 +0000

Show Notes: linuxunplugged.com/428

The post Pi for the People | LINUX Unplugged 428 first appeared on Jupiter Broadcasting.

How Linux Got to Mars | LINUX Unplugged 396
https://original.jupiterbroadcasting.net/144432/how-linux-got-to-mars-linux-unplugged-396/
Tue, 09 Mar 2021 17:00:00 +0000

Show Notes: linuxunplugged.com/396

The post How Linux Got to Mars | LINUX Unplugged 396 first appeared on Jupiter Broadcasting.

Unix Security Trifecta | TechSNAP 292
https://original.jupiterbroadcasting.net/104601/unix-security-trifecta-techsnap-292/
Thu, 10 Nov 2016 08:48:15 +0000

The post Unix Security Trifecta | TechSNAP 292 first appeared on Jupiter Broadcasting.

Show Notes:

Unix Trifecta — Patch Your Shit

  • This week saw the trifecta: critical vulnerabilities in three of the most important and widely used server applications.
  • CVE-2016-8610 – OpenSSL: A remote attacker who can initiate handshakes with an OpenSSL-based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
    • The flaw is in the way OpenSSL handles “SSL Alerts”. The SSL alert protocol is a way to communicate problems within an SSL/TLS session. Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
  • CVE-2016-8864 – BIND: A remote attacker who could cause a server to make a query deliberately chosen to trigger the failed assertions could cause named(8) to stop, resulting in a Denial of Service condition for its clients.
    • A defect in BIND’s handling of responses containing a DNAME answer could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.
  • CVE-2016-8858 – OpenSSH: A remote attacker may be able to cause an SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
    • During the SSH handshake, the client and server exchange the supported encryption, MAC and compression algorithms, along with other information used to negotiate the algorithms for the initial key exchange, in a message named SSH_MSG_KEXINIT.
    • When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.
  • Patches for most OSes should be out by now; make sure you install them.

LessPass, an open source, storage-less password manager? Or is it…

  • “Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple: the tool generates random passwords whenever you need them and saves them into a file protected with a strong password. This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.”
  • But there are some shortcomings to that type of password manager:
    • How do I synchronize this file on all my devices?
    • How do I access a password on my parents’ computer without installing my password manager?
    • How do I access a password on my phone, without any installed app?
  • To solve this, LessPass does it differently:
  • “The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password.”
  • “No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login).”
  • There are some issues though:
    • Some sites have different password complexity requirements, such as banks that limit the length of your password, or require a PIN that is all digits.
    • Some sites obviously do not hash passwords correctly, and do not allow some characters.
    • What if you want to, or need to, change your password?
  • LessPass has a solution for all of these: you specify a “password profile”, which remembers the different complexity settings needed to generate a valid password for that site.
  • To allow changing a password, there is also a counter that starts at 1; you increment it to get a different password.
  • Of course, now you have to remember: your login, your master password, the password complexity profile for each site, and how many times you have changed your password on that site.
  • So they have a “connected” version, which remembers each site, your login, the password profile, and your password change counter.
  • There are obviously some privacy concerns, and security concerns, here.
  • How do you restrict access in the connected version, with a username and password? Is that password the same as or different from your master password? Is your profile data encrypted per user?
  • Of course, being an open source project, there is the option to self-host, which eliminates a number of those concerns.
  • “You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.”
  • The fact that the installation instructions are curl | bash (written the other way around, so that it works when you stick sudo in front of it) does raise some other concerns.
  • This leaves a few problems:
    • You can never change your master password, as doing so will effectively change all of your passwords.
    • It is still technically possible for someone to brute force your master password. Each attempt requires a full PBKDF2 run, but 8192 rounds take only a small fraction of a second, and the work parallelizes quite well. If someone does compromise your master password (via brute force, a keylogger, or whatever), they have access to all of your passwords. Worse, they even have access to your ‘new’ passwords: changing your password just changes the ‘count’ parameter, so I could generate your next 10 gmail passwords and keep them for later.
    • The key derivation seems weak: 8192 rounds of PBKDF2 is likely not enough. LastPass uses 100,000 rounds for its server-side key derivation. FreeBSD’s GELI disk encryption uses a number of rounds that will take approximately 2 seconds, which on modern machines is over 1 million rounds. The issue is that changing this number in the future will change all of your passwords. At a minimum, it should be part of the password profile, so you can select a different value for each site, change the default for new sites in the future, and increase the strength of the password for one site by changing that site’s password.
    • LessPass cannot deal with SSO (Single Sign On). There are a number of sites for which I have the same password, because they all authenticate against the same LDAP database (or Active Directory). LessPass ONLY allows you to use its derived passwords, which might not always work.
  • There are definitely some interesting aspects to LessPass, especially being able to self host, but I don’t think I’ll be switching to it.
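An added example (not LessPass's own code or its exact algorithm) of the pure-function scheme the notes describe: it shows how the login, site, change counter, password profile and PBKDF2 round count all feed the derived password, and therefore why changing the master password or the round count changes every password, and why the round count should be pinned per site. `Profile`, `derive_password` and the sample inputs are constructed for illustration.

```python
import hashlib
import hmac
import string
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Constructed stand-in for a LessPass-style password profile (not
    LessPass's real format). The PBKDF2 round count is part of the profile,
    the fix argued for above: raising the default later only changes the
    passwords of sites whose profile you deliberately update."""
    length: int = 16
    lowercase: bool = True
    uppercase: bool = True
    digits: bool = True
    symbols: bool = True
    counter: int = 1       # incremented when a site forces a password change
    rounds: int = 8192     # PBKDF2 iterations baked into this site's passwords


def charset(profile: Profile) -> str:
    """Alphabet the site permits (digit-only PINs, no symbols, and so on)."""
    sets = []
    if profile.lowercase:
        sets.append(string.ascii_lowercase)
    if profile.uppercase:
        sets.append(string.ascii_uppercase)
    if profile.digits:
        sets.append(string.digits)
    if profile.symbols:
        sets.append("!#$%&*+-=?@^_~")
    if not sets:
        raise ValueError("profile permits no characters")
    return "".join(sets)


def derive_password(master: str, site: str, login: str, profile: Profile) -> str:
    """Pure function: identical inputs always give the identical password, so
    nothing needs to be stored; the master password is the only secret."""
    # The salt binds the result to site, login and change counter; bumping the
    # counter is the only way to get a different password for the same site.
    salt = f"{site}\x00{login}\x00{profile.counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              profile.rounds, dklen=32)
    alphabet = charset(profile)
    limit = 256 - (256 % len(alphabet))   # rejection sampling avoids modulo bias
    out, block_no = [], 0
    while len(out) < profile.length:
        # Expand the derived key into as many bytes as the length needs.
        block = hmac.new(key, block_no.to_bytes(4, "big"), "sha256").digest()
        block_no += 1
        for b in block:
            if len(out) == profile.length:
                break
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
    return "".join(out)


def derivation_cost_seconds(profile: Profile, samples: int = 5) -> float:
    """Wall-clock cost of one derivation: the price each guess of the master
    password pays, which is what the round count is supposed to make expensive."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive_password(f"candidate-{i}", "example.com", "alice", profile)
    return (time.perf_counter() - t0) / samples


def demo() -> dict:
    master, site, login = "correct horse battery staple", "example.com", "alice"
    original = derive_password(master, site, login, Profile())
    return {
        "original": original,
        "stable": original == derive_password(master, site, login, Profile()),
        # Counter bump: the "password change" mechanism.
        "rotated": derive_password(master, site, login, Profile(counter=2)),
        # A new master password silently changes every site's password.
        "new_master": derive_password("another master", site, login, Profile()),
        # A higher work factor also changes the password, so it must be pinned per site.
        "more_rounds": derive_password(master, site, login, Profile(rounds=100_000)),
        # A bank that only accepts a 6-digit PIN.
        "pin_only": derive_password(master, "bank.example", login, Profile(
            length=6, lowercase=False, uppercase=False, symbols=False)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>11}: {value}")
    print(f"cost per derivation at 8192 rounds: {derivation_cost_seconds(Profile()):.4f}s")
```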

A very valuable vulnerability

  • It all started with a Facebook post by Colin Percival: “I think I just accidentally exploited a ‘receive arbitrarily large amounts of money’ security vulnerability. Oops.”
  • Colin Percival is a security and cryptography expert, and a former FreeBSD Security Officer.
  • Colin’s day job is running Tarsnap – backups for the truly paranoid.
  • To accept payments for his business, he uses Stripe – a credit card processing service, which also allows him to accept bitcoins
  • “While I very firmly wear a white hat, it is useful to be able to consider things from the perspective of the bad guys, in order to assess the likelihood of a vulnerability being exploited and its potential impact. For the subset of bad guys who exploit security vulnerabilities for profit — as opposed to selling them to spy agencies, for example — I imagine that there are some criteria which would tend to make a vulnerability more valuable:”
    • the vulnerability can be exploited remotely, over the internet;
    • the attack cannot be blocked by firewalls;
    • the attack can be carried out without any account credentials on the system being attacked;
    • the attack yields money (as opposed to say, credit card details which need to be separately monetized);
    • once successfully exploited, there is no way for a victim to reverse or mitigate the damage; and
    • the attack can be performed without writing a single line of code.
  • “Much to my surprise, a few weeks ago I stumbled across a vulnerability satisfying every one of these criteria.”
  • “The vulnerability — which has since been fixed, or else I would not be writing about it publicly — was in Stripe’s bitcoin payment functionality. Some background for readers not familiar with this: Stripe provides payment processing services, originally for credit cards but now also supporting ACH, Apple Pay, Alipay, and Bitcoin, and was designed to be the payment platform which developers would want to use; in very much the way that Amazon fixed the computing infrastructure problem with S3 and EC2 by presenting storage and compute functionality via simple APIs, Stripe fixed the “getting money from customers online” problem. I use Stripe at my startup, Tarsnap, and was in fact the first user of Stripe’s support for Bitcoin payments: Tarsnap has an unusually geeky and privacy-conscious user base, so this functionality was quite popular among Tarsnap users.”
  • “Despite being eager to accept Bitcoin payments, I don’t want to actually handle bitcoins; Tarsnap’s services are priced in US dollars, and that’s what I ultimately want to receive. Stripe abstracts this away for me: I tell Stripe that I want $X, and it tells me how many bitcoins my customer should send and to what address; when the bitcoin turns up, I get the US dollars I asked for. Naturally, since the exchange rate between dollars and bitcoins fluctuates, Stripe can’t guarantee the exchange rate forever; instead, they guarantee the rate for 10 minutes (presumably they figured out that the exchange rate volatility is low enough that they won’t lose much money over the course of 10 minutes). If the “bitcoin receiver” isn’t filled within 10 minutes, incoming coins are converted at the current exchange rate.”
  • “For a variety of reasons, it is sometimes necessary to refund bitcoin transactions: For example, a customer cancelling their order; accidentally sending in the wrong number of bitcoins; or even sending in the correct number of bitcoins, but not within the requisite time window, resulting in their value being lower than necessary. Consequently, Stripe allows for bitcoin transactions to be refunded — with the caveat that, for obvious reasons, Stripe refunds the same value of bitcoins, not the same number of bitcoins. (This is analogous to currency exchange issues with credit cards — if you use a Canadian dollar credit card to buy something in US dollars and then get a refund later, the equal USD amount will typically not translate to an equal number of CAD refunded to your credit card.)”
  • “The vulnerability lay in the exchange rate handling. As I mentioned above, Stripe guarantees an exchange rate for 10 minutes; if the requisite number of bitcoins arrive within that window, the exchange rate is locked in. So far so good; but what Stripe did not intend was that the exchange rate was locked in permanently — and applied to any future bitcoins sent to the same address. This made a very simple attack possible:
    1. Pay for something using bitcoin.
    2. Wait until the price of bitcoin drops.
    3. Send more bitcoins to the address used for the initial payment.
    4. Ask for a refund of the excess bitcoin.”
  • “Because the exchange rate used in step 3 was the one fixed at step 1, this allowed for bitcoins to be multiplied by the difference in exchange rates; if step 1 took place on July 2nd and steps 3/4 on August 2nd, for example, an arbitrary number of bitcoins could be increased by 30% in a matter of minutes. Moreover, the attacker does not need an account with Stripe; they merely need to find a merchant which uses Stripe for bitcoin payments and is willing to click “refund payment” (or even better, is set up to automatically refund bitcoin overpayments).”
  • “Needless to say, I reported this to Stripe immediately. Fortunately, their website includes a GPG key and advertises a vulnerability disclosure reward (aka. bug bounty) program; these are two things I recommend that every company does, because they advertise that you take security seriously and help to ensure that when people stumble across vulnerabilities they’ll let you know. (As it happens, I had Stripe security’s public GPG key already and like them enough that I would have taken the time to report this even without a bounty; but it’s important to maximize the odds of receiving vulnerability reports.) Since it was late on a Friday afternoon and I was concerned about how easily this could be exploited, I also hopped onto Stripe’s IRC channel to ask one of the Stripe employees there to relay a message to their security team: “Check your email before you go home!””
  • “Stripe’s handling of this issue was exemplary. They responded promptly to confirm that they had received my report and reproduced the issue locally; and a few days later followed up to let me know that they had tracked down the code responsible for this misbehaviour and that it had been fixed. They also awarded me a bug bounty — one significantly in excess of the $500 they advertise, too.”
  • “As I remarked six years ago, Isaac Asimov’s remark that in science “Eureka!” is less exciting than “That’s funny…” applies equally to security vulnerabilities. I didn’t notice this issue because I was looking for ways to exploit bitcoin exchange rates; I noticed it because a Tarsnap customer accidentally sent bitcoins to an old address and the number of coins he got back when I clicked “refund” was significantly less than what he had sent in. (Stripe has corrected this “anti-exploitation” of the vulnerability.) It’s important to keep your eyes open; and it’s important to encourage your customers to keep their eyes open, which is the largest advantage of bug bounty programs — and why Tarsnap’s bug bounty program offers rewards for all bugs, not just those which turn out to be vulnerabilities.”
  • “And if you have code which handles fluctuating exchange rates… now might be a good time to double-check that you’re always using the right exchange rates.”
  • A very interesting attack, and one that was only found because someone accidentally did the wrong thing.
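Modelling the bookkeeping described above, as an added example (a reconstruction in Python, not Stripe's code): a vulnerable receiver that keeps applying the rate locked at step 1 to every later deposit, beside a corrected one that honours the locked rate only for the requested amount and only inside the ten-minute window, plus the invariant a refund path should check before releasing coins. The `Receiver` model, the $600/$400 rates and the timeline are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

WINDOW_SECONDS = 10 * 60   # the exchange rate is guaranteed for 10 minutes


@dataclass
class Receiver:
    """Constructed model of a 'bitcoin receiver': the merchant asks for
    amount_usd and the customer is quoted locked_rate (USD per BTC)."""
    address: str
    amount_usd: Decimal
    locked_rate: Decimal
    created_at: int                      # seconds on a constructed clock
    btc_received: Decimal = Decimal(0)
    usd_credited: Decimal = Decimal(0)

    def filled(self) -> bool:
        return self.usd_credited >= self.amount_usd


def receive_vulnerable(r: Receiver, btc: Decimal, now: int, spot_rate: Decimal) -> None:
    """The misbehaviour described above: the rate locked when the receiver was
    created is applied to every coin that ever reaches the address, however
    late it arrives and even after the receiver is already filled."""
    r.btc_received += btc
    r.usd_credited += btc * r.locked_rate


def receive_fixed(r: Receiver, btc: Decimal, now: int, spot_rate: Decimal) -> None:
    """Corrected bookkeeping (a reconstruction, not Stripe's code): the locked
    rate covers at most the requested amount, and only while the ten-minute
    window is open; every other coin converts at the current spot rate."""
    r.btc_received += btc
    if now - r.created_at <= WINDOW_SECONDS and not r.filled():
        outstanding_usd = r.amount_usd - r.usd_credited
        at_locked = min(btc, outstanding_usd / r.locked_rate)
        r.usd_credited += at_locked * r.locked_rate
        btc -= at_locked
    r.usd_credited += btc * spot_rate


def refund_excess(r: Receiver, spot_rate: Decimal) -> Decimal:
    """Refund the overpayment as equal USD value at today's rate (the post
    notes Stripe refunds the same value of bitcoin, not the same number)."""
    excess_usd = max(Decimal(0), r.usd_credited - r.amount_usd)
    return excess_usd / spot_rate


def refund_is_sane(r: Receiver, refund_btc: Decimal) -> bool:
    """Invariant worth asserting before coins leave: a refund of excess can
    never hand back more BTC than the customer sent in."""
    return refund_btc <= r.btc_received


def scenario(receive) -> tuple:
    """Constructed timeline following the numbered steps above: a $600 order
    paid at a $600/BTC quote (step 1); a month later BTC trades at $400 and
    ten more BTC are sent to the old address (step 3); the excess is refunded
    (step 4). Returns (refund in BTC, whether the sanity check passed)."""
    day = 24 * 3600
    r = Receiver("addr-constructed", Decimal(600), Decimal(600), created_at=0)
    receive(r, Decimal(1), now=60, spot_rate=Decimal(600))
    receive(r, Decimal(10), now=31 * day, spot_rate=Decimal(400))
    refund = refund_excess(r, spot_rate=Decimal(400))
    return refund, refund_is_sane(r, refund)


if __name__ == "__main__":
    for name, fn in (("vulnerable", receive_vulnerable), ("fixed", receive_fixed)):
        refund, sane = scenario(fn)
        print(f"{name:>10}: sent 11 BTC, refund of excess = {refund} BTC, "
              f"{'ok' if sane else 'MORE THAN DEPOSITED'}")
```

With the vulnerable bookkeeping the 10 BTC overpayment comes back as 15 BTC; with the corrected version the customer gets exactly the 10 BTC back.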

Feedback:


Round Up:


The post Unix Security Trifecta | TechSNAP 292 first appeared on Jupiter Broadcasting.

DRM Shame and New Rig Troubles | Rover Log 16
https://original.jupiterbroadcasting.net/101437/drm-shame-and-new-rig-troubles-rover-log-16/
Mon, 25 Jul 2016 14:36:09 +0000

The post DRM Shame and New Rig Troubles | Rover Log 16 first appeared on Jupiter Broadcasting.

Our road trip to SCALE14x in Pasadena gets a bit exciting when we move into our new home, a 37-foot Class A RV, while on the road. Plus a behind-the-scenes look at attending SCALE, and thoughts on Cory Doctorow’s DRM talk.

Technical challenges, new lessons, and good friends.

Note: Footage is from January 2016.

Faux Use Protection Program | TTT 223
https://original.jupiterbroadcasting.net/90586/faux-use-protection-program-ttt-223/
Fri, 20 Nov 2015 11:31:41 +0000

The post Faux Use Protection Program | TTT 223 first appeared on Jupiter Broadcasting.

We look at the hard numbers of the biggest sector in the tech industry, have a skeptical discussion around YouTube coming to the aid of content creators & debate Google+’s new UI design.

Then we fail to make even the most obvious Kickstarter sound compelling & wrap it all up with a little technical disaster vamping.

Show Notes:

— Episode Links —

LogMeIn to LastPass | TTT 217
https://original.jupiterbroadcasting.net/88911/logmein-to-lastpass-ttt-217/
Fri, 09 Oct 2015 10:36:51 +0000

The post LogMeIn to LastPass | TTT 217 first appeared on Jupiter Broadcasting.

LastPass gets bought, Firefox loves Flash long time, just not your plugins, good iPhone vs bad iPhone & why the rest of the world laughs at the state of the US’ mobile payments.

Show Notes:

— Episode Links —

Trailer Picked Up and Brake Controller Installed | Rover Log #2
https://original.jupiterbroadcasting.net/88271/trailer-picked-up-and-brake-controller-installed-rover-log-2/
Fri, 04 Sep 2015 17:51:17 +0000

The post Trailer Picked Up and Brake Controller Installed | Rover Log #2 first appeared on Jupiter Broadcasting.

Heading north to get the brake controller installed for the trailer & things go really well! I ended up taking the trailer with me & I give you a first peek at the new digs before we move it & make a mess!

Help us with the adventure:

Road Trip Wishlist: https://bit.ly/jbroadtrip

Support the network on Patreon: https://www.patreon.com/jupitersignal

Happy Little Accidents | TTT 205
https://original.jupiterbroadcasting.net/86732/happy-little-accidents-ttt-205/
Thu, 20 Aug 2015 09:34:46 +0000

The post Happy Little Accidents | TTT 205 first appeared on Jupiter Broadcasting.

Freshly back from LinuxCon we update you on the stories of the day, the big players pushing Flash out the door & how forgetful scientists accidentally quadruple lithium-ion battery lifespan.

Show Notes:

Solar Freaking Tents! | Tech Talk Today 179
https://original.jupiterbroadcasting.net/83307/solar-freaking-tents-tech-talk-today-179/
Fri, 05 Jun 2015 10:42:20 +0000

The post Solar Freaking Tents! | Tech Talk Today 179 first appeared on Jupiter Broadcasting.

Preparing for a camping trip in the woods has never been more stressful, we debate how much tech to take. Plus the US suspects China breached about 4 million government records, Steam Machines get a ship date & more!

Show Notes:

The Forced Touchables | Tech Talk Today 155
https://original.jupiterbroadcasting.net/80122/the-forced-touchables-tech-talk-today-155/
Wed, 08 Apr 2015 09:57:52 +0000

The post The Forced Touchables | Tech Talk Today 155 first appeared on Jupiter Broadcasting.

Apple Watch reviews are hitting the web & we’ll give you a quick meta-roundup of the Internet’s opinion of Apple’s new wearable.

Plus the Android App that truly saves battery life, Popcorn Time expands & more!

Show Notes:

Apple Watch Review Roundup: The ‘World’s Best Smartwatch’, But ‘Not For Everyone’

Apple has given members of the media several hands-on experiences with the Apple Watch following its special events, but ahead of Apple Watch pre-orders, select sites have been able to get a much closer look at the device. Apple has provided a handful of publications with Apple Watch review units, giving them a chance to spend multiple days with the watch, and they’ve now shared their opinions in reviews published today.

Stop Android Lollipop from killing your battery – TechRepublic

I was wrong. As is the case with many upgrades, I quickly ran into a troubling side effect: significant battery issues.

Greenify helps you identify and put misbehaving apps into hibernation when you are not using them, to stop them from lagging your device and leeching the battery, in a unique way! They can do nothing without an explicit launch by you or other apps, while still preserving full functionality when running in the foreground, similar to iOS apps!

Popcorn Time’s Launched on iOS

While Popcorn Time has been available on Android for some time, it’s now arrived on iOS with an installer that can put the app on non-jailbroken devices. It’s likely that it uses a test key from an enterprise device to achieve that.

The new development could cause serious headaches for both Apple and legal streaming services like Netflix. In fact, Netflix itself singled out Popcorn Time as a serious competitor in a shareholder letter earlier this year.

Heartbleed One Year Later: Has Anything Changed? – Slashdot

It was on April 7, 2014 that the CVE-2014-0160 vulnerability titled “TLS heartbeat read overrun” in OpenSSL was first publicly disclosed — but to many it’s a bug known simply as Heartbleed. A new report from certificate vendor Venafi claims that 76% of organizations are still at risk, though it’s a statistic that is contested by other vendors as well as other statistics. Qualys’ SSL Pulse claims that only 0.3 percent of sites are still at risk. Whatever the risk is today, the bottom line is that Heartbleed did change the security conversation — but did it change it for the better or the worse?

Ubuntu Calling | LINUX Unplugged 79
https://original.jupiterbroadcasting.net/77087/ubuntu-calling-lup-79/
Tue, 10 Feb 2015 18:02:52 +0000

The post Ubuntu Calling | LINUX Unplugged 79 first appeared on Jupiter Broadcasting.

The first Ubuntu phone goes on sale tomorrow & we ask all the interesting questions you might have been wondering. The details on the launch of the phone, some of the great apps & what’s still missing.

Plus the new Raspberry Pi hates being flashed & we read a quick batch of great emails.

Thanks to:

  • Ting
  • DigitalOcean
  • Linux Academy

Show Notes:

Pre-Show:

FU:


Bq Ubuntu Phone Goes on Sale Next Week at €169, Meizu Device Coming Soon – OMG! Ubuntu!

As we shared towards the end of last year, the Bq Aquaris E4.5 Ubuntu Edition handset will go on sale in Europe from next week priced at €169.

Bq has you covered with an exclusive ‘Ubuntu Edition’ of their popular Duo case accessory designed especially for the Aquaris E4.5, which is being made available for purchase alongside the handset.

The BQ Aquaris E4.5 Ubuntu edition is the first phone that will let phone fans snap up an Ubuntu-running device for themselves. Best known as an open-source operating system for computers, Ubuntu is expanding to phones as part of a plan that will see the software power everything from TVs to drones. And to kick things off, the BQ phone will be up for grabs between 9 a.m. and 6 p.m. (CET) on Wednesday 11 February.

Ubuntu Touch Apps

Browse, download, and search apps from the Ubuntu click appstore – appstore.bhdouglass.com.

While this app uses the Ubuntu click appstore api, it caches images and data to be kind to the api.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

Support Jupiter Broadcasting on Patreon

Post-Show

Two Waze Street | Tech Talk Today 122
https://original.jupiterbroadcasting.net/76287/two-waze-street-tech-talk-today-122/
Tue, 27 Jan 2015 11:03:58 +0000

The post Two Waze Street | Tech Talk Today 122 first appeared on Jupiter Broadcasting.

Hypocrisy abounds this episode as new methods of tracking citizens by governments have been revealed & the campaign to shut down cop reporting on Waze has gone public.

Plus the amazing mesh network in Cuba, bullet proof vest for batteries in a smartphone & much more!

Show Notes:

France Seeks to Sanction Web Companies for Posts Pushing Terror

President Francois Hollande said Tuesday in Paris the government will present a draft law next month that makes Internet operators “accomplices” of hate-speech offenses if they host extremist messages.

Researchers Tie Regin Malware To NSA, Five Eyes Intel Agencies

Researchers at Kaspersky Lab have discovered shared code and functionality between the Regin malware platform and a similar platform described in a newly disclosed set of Edward Snowden documents 10 days ago by Germany’s Der Spiegel. The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together. “Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov today in a published report.

Police Organization Wants Cop-Spotting Dropped From Waze App

“The Register reports on a request from the US National Sheriffs’ Association, which “wants Google to block its crowd-sourced traffic app Waze from being able to report the position of police officers, saying the information is putting officer’s lives at risk.” From the article: “‘The police community needs to coordinate an effort to have the owner, Google, act like the responsible corporate citizen they have always been and remove this feature from the application even before any litigation or statutory action,’ AP reports Sheriff Mike Brown, the chairman of the NSA’s technology committee, told the association’s winter conference in Washington….Brown called the app a ‘police stalker,’ and said being able to identify where officers were located could put them at personal risk. Jim Pasco, executive director of the Fraternal Order of Police, said his members had concerns as well. ‘I can think of 100 ways that it could present an officer-safety issue,’ Pasco said. ‘There’s no control over who uses it. So, if you’re a criminal and you want to rob a bank, hypothetically, you use your Waze.'”

DEA cameras tracking hundreds of millions of car journeys across the US

A U.S. Drug Enforcement Administration program to keep tabs on cars close to the U.S.-Mexican border has been gradually expanded nationwide and is regularly used by other law enforcement agencies in their hunt for suspects.

The extent of the system, which is said to contain hundreds of millions of records on motorists and their journeys, was disclosed in documents obtained by the American Civil Liberties Union as part of a Freedom of Information Act request. Much of the information disclosed to the ACLU was undated, making it difficult to understand the growth of the network, which is different from the cameras used to collect traffic tolls on expressways.

Batteries Made With Bulletproof Kevlar Fibers May Never Explode

The researchers at the University of Michigan layered nanofibers extracted from Kevlar on top of each other to create very thin insulating sheets. And it turns out the microscopic pores on this new material are actually far too small to allow the tips of those fern-like dendrite structures to poke through and make contact with other electrodes. Individual lithium-ions can still squeeze through as needed, but nothing else.

The post Two Waze Street | Tech Talk Today 122 first appeared on Jupiter Broadcasting.

Linux Your Chromebook | LAS s31e03 https://original.jupiterbroadcasting.net/53067/linux-your-chromebook-las-s31e03/ Sun, 09 Mar 2014 14:13:44 +0000 https://original.jupiterbroadcasting.net/?p=53067 Can a cheap Chromebook loaded with Linux replace an Ultrabook? Is this the best bang for the battery life? We load Linux on the Acer C720 and put it to the test.

The post Linux Your Chromebook | LAS s31e03 first appeared on Jupiter Broadcasting.


Plus: The big security mistake that impacts tons of open source software, a quick demo of the new Krita release, our picks of the week…

AND SO MUCH MORE!

All this week on, The Linux Action Show!


— Show Notes: —

Chromebook Acer C720 Running Linux Review:



Whatever the reason, you may find the paltry offering of a 16GB SSD on the Acer C720 Chromebook to be lacking for some use cases out there. You can pick up a C720P model with 32GB of internal storage — and a touchscreen — for $50 more than the regular C720, but what if you already have one or need more than 32GB? Well, it turns out it’s extremely simple to replace the SSD in the Acer C720, and we’re going to show you how to do it.

Installing Arch Linux on the C720

SeaBIOS is an open source implementation of a 16-bit x86 BIOS. SeaBIOS can run in an emulator, or it can run natively on x86 hardware with the help of coreboot.

SeaBIOS is the default BIOS for QEMU and KVM.

Battery Life

Tip: To monitor cpu speed in real time, run:

$ watch grep \"cpu MHz\" /proc/cpuinfo

Cons:

  • Screen Viewing Angle is really limited. Even leaning on my hand with elbow on the desk decreases viewability by a very noticeable amount.
  • Only one USB3 Port.

– Picks –

Runs Linux:

Desktop App Pick

This year marks the 11th Year of uGet, that’s right, uGet has been available to the Linux community for over 11 years now and we are not slowing down, we are excited for the future of uGet! If you’re excited too then please consider donating to the project. 🙂 (blog post about the donation drive)

Weekly Spotlight

  • Dukto R6
  • Simple user interface
  • No server or internet connection needed
  • Zero configuration
  • Clients auto-discovery
  • High speed file transfer
  • Multi-OS native support
  • Portable version available
  • Multi files and folders transfer
  • Transfers log
  • Send and receive text snippets (eg. useful for sending URLs)
  • Open received files directly from the application
  • Windows 7 taskbar integration with progress and transfer indicator
  • Show your IP addresses on the IP connection page
  • Full Unicode support
  • Metro style UI
  • Free and open source

There is one issue with Dukto though: its security. The application doesn’t use any passwords, no encryption, etc., so its developer recommends using it only on trusted local area networks.

Dukto is a free open source project, licensed under GPL. Official releases are made by me for the following platforms:


— NEWS —

A longstanding GnuTLS certificate validation botch

Perhaps the biggest irony is that the fix changes a handful of “goto cleanup;” lines to “goto fail;”. It also made other changes to the code (including adding a “fail” label), but the resemblance to the Apple bug is too obvious to ignore. While the two bugs are actually not that similar, other than both being in the certificate validation logic, the timing and look of the new bug does give one pause.

The problem boils down to incorrect return values from a function when there are errors in the certificate.

It is hard to say how far back this bug goes, as the code has been restructured several times over the years, but the GnuTLS advisory warns that all versions are affected.

Programs that use GnuTLS include Emacs, wget, NetworkManager, VLC, Git, and others.

On a Fedora 20 system, attempting to remove GnuTLS results in Yum wanting to remove 309 dependent packages, including all of KDE, GnuCash, Calligra, LibreOffice, libvirt, QEMU, Wine, and more.

It was a code audit done by GnuTLS founder Nikos Mavrogiannopoulos (at the request of Red Hat, his employer) that discovered the bug.
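To make the "wrong return value on error" failure mode concrete, here is an added Go illustration. It is not GnuTLS's code; the one-int return convention, the toy basicConstraints encoding and the issuer names are assumptions made for the example. A helper that answers a yes/no question with a single int, using negative values for errors, meets a caller that tests for "non-zero", so a certificate whose extension cannot even be decoded passes as a CA. The fixed version keeps the answer and the error separate and fails closed.

```go
package main

import (
	"errors"
	"fmt"
)

// issuerInfo is a stand-in for a parsed issuer certificate. The only field that
// matters here is the raw basicConstraints extension, in a constructed toy
// encoding (not real DER): nil = absent, {0x00} = CA:FALSE, {0x01} = CA:TRUE.
type issuerInfo struct {
	name             string
	basicConstraints []byte
}

var errMalformedExt = errors.New("cannot decode basicConstraints")

// decodeCAFlag decodes the toy encoding and reports a decoding error instead of
// guessing an answer.
func decodeCAFlag(raw []byte) (bool, error) {
	if raw == nil {
		return false, nil
	}
	if len(raw) != 1 || raw[0] > 1 {
		return false, errMalformedExt
	}
	return raw[0] == 1, nil
}

// checkIfCAOverloaded mirrors the shape of the bug class described above (toy
// code, not GnuTLS's): one int carries three meanings, 1 = is a CA, 0 = not a
// CA, and a negative error code when the extension could not be decoded.
func checkIfCAOverloaded(iss issuerInfo) int {
	isCA, err := decodeCAFlag(iss.basicConstraints)
	if err != nil {
		return -1 // the "goto cleanup" path: the error code becomes the result
	}
	if isCA {
		return 1
	}
	return 0
}

// AcceptIssuerBuggy is the caller side of the bug: "non-zero means yes", so a
// certificate whose extension cannot be parsed is treated as a valid CA.
func AcceptIssuerBuggy(iss issuerInfo) bool {
	return checkIfCAOverloaded(iss) != 0
}

// AcceptIssuerFixed keeps the yes/no answer and the error separate and fails
// closed: an undecodable certificate is never trusted to sign others.
func AcceptIssuerFixed(iss issuerInfo) bool {
	isCA, err := decodeCAFlag(iss.basicConstraints)
	if err != nil {
		return false
	}
	return isCA
}

// Sample issuers (constructed for this example).
var (
	RealCA    = issuerInfo{"Example Root CA", []byte{0x01}}
	EndEntity = issuerInfo{"www.example.com", []byte{0x00}}
	Garbled   = issuerInfo{"mangled cert", []byte{0xff}}
)

func main() {
	for _, iss := range []issuerInfo{RealCA, EndEntity, Garbled} {
		fmt.Printf("%-16s buggy=%-5v fixed=%v\n", iss.name,
			AcceptIssuerBuggy(iss), AcceptIssuerFixed(iss))
	}
}
```

The third row is the one to test for in any certificate validator: a deliberately corrupted basicConstraints extension must be rejected, never treated as CA:TRUE.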

Video Acceleration Takes The Backseat On Chrome For Linux

Due to the notoriously poor state of Linux graphics drivers, Google developers working on Chrome/Chromium aren’t looking to enable hardware video acceleration by default anytime soon.

Ami Fischman explained in a bug comment yesterday, “There is a history of users disabling the blacklist (entirely) because they want a feature that is disabled. That destabilizes the entire browser, and users frequently forget about this action (and waste time trying to re-stabilize their browser later). If this landed I expect that sooner or later we’d get a rash of blog posts explaining how to get HW decode on linux ‘for free’ (by disabling the GPU blacklist) and the overall result for our Linux userbase would be a worse experience (because the blacklist will never be consulted on their system), not better (b/c they’ll have HW acceleration of h.264 decode). This is a judgement call and I can certainly see how reasonable people can disagree, but this is my personal judgement.”

Ami went on to imply that the VA-API Linux support will never be in good enough shape for Chrome, “We don’t ship code we consider to be permanently ‘experimental’ or ‘beta’, only code we expect to be stable/production-quality eventually, if not at landing. This feature will never graduate to that status, so this CL is effectively shipping a feature that is known to be mostly-broken on most Linux installations.”

Chrome developer Jorge Lucangeli Obes also commented on this report, “Supporting GPU features on Linux is a nightmare (I know from dealing with the GPU sandbox). Enabling this feature should come after thinking how we can make it available without making Chrome on Linux less stable.”

Fedora To Have a “Don’t Ask, Don’t Tell” For Contributors

The Fedora Project is now going to enforce a “Don’t Ask, Don’t Tell” policy for contributors. What the project’s engineering committee is asking their members to conceal is a contributor’s nationality, country of origin, or area of residence. There’s growing concern about software development contributions coming from countries under US export restrictions (Cuba, Iran, North Korea, Sudan, and Syria), with Red Hat being based out of North Carolina.

Krita 2.8.0 Released

Some major updates in the Calligra office suite are:

  • The word processor, Words, received support for comments
  • Sheets has better support for pivot tables
  • Kexi now runs on Windows, and about 30 major issues have been fixed in this visual database application.
  • Flow now supports SVG based stencils.

The 2.8 release marks the debut of several new under-the-hood changes in Krita. The first is a major refactoring of the application’s OpenGL canvas code.

For 2.8 the OpenGL support was brought up to OpenGL 3.1 and OpenGL ES 2.0 compliance (the latter of which enables the tablet-centric “Krita Sketch” variant to run on embedded hardware).

Along the way, Krita’s Windows builds gained OpenGL support as well; 2.8 marks the first version of Krita to be declared stable on Windows.

The more interesting improvement for Linux users is an entirely new OpenGL scaling algorithm that offers better quality than the default OpenGL scaling options. The upshot is smoother rendering, especially when zooming in on the canvas.

The new rendering code was written by Kazakov, whose time on the project is funded by the Krita Foundation. Kazakov also undertook the other major piece of plumbing to debut in version 2.8: native support for pressure-sensitive graphics tablets.

– Feedback: –

— Chris’ Stash —

  • Call in Edition of Coder Radio on Monday! 9am PDT / 12pm EDT

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting


Talkin’ Tox | LINUX Unplugged 30 https://original.jupiterbroadcasting.net/52722/talkin-tox-lup-30/ Tue, 04 Mar 2014 17:06:42 +0000 https://original.jupiterbroadcasting.net/?p=52722 Two developers from the TOX project, an open source secure Skype killer, join us to discuss their new project, the future, and more.

The post Talkin' Tox | LINUX Unplugged 30 first appeared on Jupiter Broadcasting.


Two developers from the TOX project, an open source secure Skype killer, join us to discuss their new project, the future, and how they hope to become your new messaging system.

Plus getting more battery life out of a Linux laptop, the Steam problem, and your feedback.


Show Notes:

FU

Tox

NaCl (pronounced "salt") is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc. NaCl's goal is to provide all of the core operations needed to build higher-level cryptographic tools.

Mailsack:

System76 Laptop Special | LAS s29e10 https://original.jupiterbroadcasting.net/47712/system76-laptop-special-las-s29e10/ Sun, 08 Dec 2013 15:42:36 +0000 https://original.jupiterbroadcasting.net/?p=47712 Is the Galago UltraPro the ultimate Linux ultrabook? We’ve got that and the Kudu Professional from System76. Our review of these Haswell powered laptops.

The post System76 Laptop Special | LAS s29e10 first appeared on Jupiter Broadcasting.


Is the Galago UltraPro the ultimate Linux ultrabook? We’ve got that and the Kudu Professional from System76 in studio. It’s our review of these Haswell powered laptops.

PLUS: Does the Intel Iris GPU hold up to the Steam challenge? And Linux’s big area of growth in 2014, that nobody’s talking about.

All this week on, The Linux Action Show!


Kudu Professional and Galago UltraPro Review:

Kudu Professional features:

  • processor: 4th Generation Intel Core i5 and i7 Processors
  • display: 17.3" 1080p Full High Definition LED Backlit Matte Display
  • graphics: Intel HD Graphics 4600
  • memory: Up to 16 GB 204 pin Dual Channel DDR3 @ 1600 MHz
  • storage: 1 x mSATA, 2 x 2.5" 9mm Removable SATA II/III
  • touchpad: Multitouch with two finger scrolling
  • networking: Gigabit LAN (10/100/1000), WiFi
  • wireless: Intel Centrinoup to 802.11 AC
  • ports: HDMI, VGA, Ethernet, eSata/USB 3.0 Combo, 2 x USB 3.0, 1 x USB 2.0, Headphone Jack, Microphone Jack, SD Reader
  • camera: Built-In 2.0 MP High Definition Webcam
  • security: Kensington(r) Lock
  • power Management: Suspend and Resume
  • battery: Removable 62.16 Wh 6 Cell Smart Lithium-Ion
  • power System: Full Range AC-in 100~240V, 50~60Hz, 90W AC Adapter, DC output 19V, 4.74A
  • dimensions: 16.25“ x 10.50” x 0.82“~1.38” (WxDxH)
  • weight: 6.80 lbs. (3.08 kg.)

Galago UltraPro Professional features:


– Picks –

Runs Linux:

Desktop App Pick

Weekly Spotlight:

These non-synthetic benchmarks are powered by the state-of-the-art UNIGINE Engine, showcasing a comprehensive set of cutting-edge graphics technologies with a dynamic environment and fully interactive modes available to the end user.

MPrime is practically the Linux version of Prime95, the most famous stability tester on the Windows platform, used by many overclockers worldwide.


– Feedback: –

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting


Clever Inventions | FauxShow 123 https://original.jupiterbroadcasting.net/29566/clever-inventions-fauxshow-123/ Wed, 02 Jan 2013 22:03:02 +0000 https://original.jupiterbroadcasting.net/?p=29566 Angela and Chris go over some awesome inventions... most of them geeky! Plus they read the mail sack and a gaming related announcement!

The post Clever Inventions | FauxShow 123 first appeared on Jupiter Broadcasting.



Make Life Easier: https://www.dailycognition.com/index.php/2008/08/08/19-clever-inventions-that-make-life-easier-or-not.html

Battery: https://www.wisebread.com/the-40-hidden-inside-a-12v-battery

Beard Beer: https://blogs.smithsonianmag.com/smartnews/2012/10/brewmaster-makes-beer-from-his-beard-yeast/

Cool PC case: https://conceptrends.com/2009/06/03/cool-pc-vase/

Game: https://www.kongregate.com/games/dampgnat/wonderputt

https://nedhardy.com/2011/03/10/34-cleverly-designed-inventions/

Schwartz Table: https://www.youtube.com/watch?v=Lv7HulVsen0

Hiding your TV: https://www.youtube.com/watch?v=3CsRKeaBr9A

Snorgtees: https://www.snorgtees.com/

Most important medical alert bracelet ever: https://lh6.googleusercontent.com/-vOVcOOcBO_0/UOLayvHlyvI/AAAAAAABBGM/765prJtJxWs/w497-h373/photo.jpg

Great Translation: https://www.bennylingbling.com/wp-content/uploads/2010/06/tumblr_l2ppvcFtQW1qa51oqo1_500.jpg

Mail Sack:

  • geeseven writes:

Hey Angela,
I have been using the Chromium JB extension for some time. Today, Chromium disabled it, till I manually re-enabled it. I asked the chat room about it and nogal|work mentioned that happened months ago and to email you about it.
I am not sure if this is a new thing, but wanted to draw it to your attention.
Thanks for all the great content.

  • Ben writes:

I am a frequent viewer of JB’s content, LAS, (TechSnap, FauxShow, Coder Radio,). I have a suggestion: I understand why you don’t list every affiliate you have at the bottom of the site, but could you (JB) setup a page where you list what sites are supported by the affiliate plugins.

New Jupiter Gaming G+ Community: https://plus.google.com/u/0/communities/103010578772697606398?cfem=1


Pimp Your Penguin | LAS | s23e08 https://original.jupiterbroadcasting.net/24941/pimp-your-pinguin-las-s23e08/ Sun, 23 Sep 2012 13:23:52 +0000 https://original.jupiterbroadcasting.net/?p=24941 Our tips and tweaks to get the most performance and battery life out of your Linux box, and we’ll blast through a few audience submitted favorites!

The post Pimp Your Penguin | LAS | s23e08 first appeared on Jupiter Broadcasting.


Plus: Our thoughts on Ubuntu 12.10 shipping with Amazon shopping links in the dash, the good news for Optimus users, Humble Bundles not so humble sales, the Steam is nigh, and so much more!

All this week on, The Linux Action Show!


Show Notes:


Performance Tips:



This week’s episode is inspired by Matt’s recent write-up at Datamation, Getting the Most From Ubuntu: 20 Tips.

There’s a big batch of tips there with more details; we’ll cover a few of them in this episode. You can refer to Matt’s entire write-up for more tips and details.

Battery Tips:


Battery Malware | TechSNAP 16 https://original.jupiterbroadcasting.net/10763/battery-malware-techsnap-16/ Thu, 28 Jul 2011 22:52:47 +0000 https://original.jupiterbroadcasting.net/?p=10763 Attackers take aim at Apple with an exploit that could brick your Macbook, or perhaps worse. Plus you need to patch against a 9 year old SSL flaw.

The post Battery Malware | TechSNAP 16 first appeared on Jupiter Broadcasting.


Plus find out about a Google bug that could wipe a site from their index, and an excellent batch of your feedback!

All that and more, on this week’s TechSNAP!


Show Notes:

iPhones vulnerable to 9 year old SSL sniffing attack

  • A nine year old bug discovered and disclosed by Moxie Marlinspike in 2002 allows attackers to decrypt intercepted SSL sessions. Moxie Marlinspike released a newer, easier to use version of the tool on Monday, to coincide with Apple finally patching the flaw on the iPhone and other iOS devices.
  • Any unpatched iOS device can have all of its SSL traffic trivially intercepted and decrypted
  • This means anyone with this new easy to use tool sitting near a wifi hotspot can intercept encrypted login information (Gmail, Facebook), banking credentials, e-commerce transactions, or anything else people do from their phone.
  • The bug was in the way iOS interpreted the certificate chain. Apple failed to respect the ‘basicConstraints’ parameter, allowing anyone holding an existing valid certificate to sign a certificate for any domain, a condition normally prevented by the constraint.
  • There are no known flaws in SSL itself; in this case, the attacker could perform a man-in-the-middle attack by feeding the improperly signed certificate to the iPhone, which would have accepted it and used the attacker’s key to encrypt the data.
  • Patch is out with a support doc and direct download links
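As an added example of the check the item says iOS skipped (not code from the show or from Apple), the Go program below builds a trusted root, a legitimate certificate for www.example.com (hypothetical name) marked CA:FALSE, and then a certificate for www.example.net (hypothetical) signed with the site certificate's key rather than a CA key. Go's standard-library chain validation accepts the first chain and rejects the second, because the would-be intermediate's basicConstraints extension does not permit it to sign other certificates. All keys and certificates are generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name. When parent is nil the certificate is
// self-signed (a root); otherwise it is signed with parentKey, whether or not
// parent is actually allowed to act as a CA, which is the point of the demo.
func issue(name string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // the extension is present ...
		IsCA:                  isCA, // ... and states whether this key may sign other certs
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity certificates get a SAN and the server-auth EKU.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify runs the standard-library chain validation. An intermediate whose
// basicConstraints says CA:FALSE is refused, so the chain cannot be built.
func verify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		DNSName:       leaf.DNSNames[0],
	})
	return err
}

// VerifyChains returns the validation result for the legitimate chain
// (root -> www.example.com) and for the forged chain
// (root -> www.example.com -> www.example.net); a setup error is returned last.
func VerifyChains() (legitErr, forgedErr, setupErr error) {
	root, rootKey, err := issue("Example Root CA", true, 1, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	site, siteKey, err := issue("www.example.com", false, 2, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	// The holder of www.example.com's key has a valid certificate, but it is
	// CA:FALSE, so it must not be able to vouch for another name.
	forged, _, err := issue("www.example.net", false, 3, site, siteKey)
	if err != nil {
		return nil, nil, err
	}
	return verify(site, nil, root), verify(forged, []*x509.Certificate{site}, root), nil
}

func main() {
	legit, forged, err := VerifyChains()
	if err != nil {
		panic(err)
	}
	fmt.Println("root -> www.example.com:", legit)
	fmt.Println("root -> www.example.com -> www.example.net:", forged)
}
```

A client that ignores basicConstraints, as described in the item, would build the second chain successfully; a correct validator reports an error for it and nil for the first.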

Apple Notebook batteries vulnerable to firmware hack

  • After analyzing a battery firmware update that Apple pushed in 2009, researchers found that all patched batteries, and all batteries manufactured since, use the same password
  • With this password, it is possible to control the firmware on the battery
  • This means that an attacker can remotely brick your MacBook, or cause the battery to overheat and possibly even explode
  • The attacker can also falsify the data returned to the OS from the battery, causing odd system behaviour
  • The attacker could also completely replace the Apple firmware with one designed to silently infect the machine with malware. Even if the malware is removed, the battery would be able to reinfect the machine, even after a complete OS wipe and reinstall.
  • Further research will be presented at this year’s Black Hat Security Conference
  • In the meantime, researchers have notified Apple of the vulnerability, and have created a utility that generates a completely random password for your Mac’s battery.

Facebook fixes glitch that let you see private video information

  • A glitch in Facebook allowed you to see the thumbnail preview and description of private videos posted by other users, even when they were not shared with you.
  • It was not possible to view the actual videos

Google was quick to shut down Webmaster Tools after vulnerability found

  • Using the Google Webmaster Tools, users were able to remove websites that did not belong to them from the Google index
  • By simply modifying the query string of a valid request to remove your own site from the Google index, and changing one of the two references to the target URL, you were able to remove an arbitrary site from the Google index
  • The issue was resolved within 7 hours of being reported to Google
  • Google restored sites that were improperly removed from its index.

Researchers find vulnerability in Skype

  • Improper input validation and output sanitation allowed attackers to inject code into their Skype profile
  • By entering HTML and JavaScript into the ‘mobile phone’ section of your profile, anyone who had you on their friends list would execute the injected code.
  • This vulnerability could have allowed attackers to hijack your session, steal your account, capture your payment data, and change your password

Feedback


Q: (Sargoreth) I downloaded Eclipse, and I didn’t bother to verify the MD5 hash they publish on the download page. How big a security risk is this?
A: Downloadable software often has an MD5 hash published along with the downloadable file, as a measure to allow you to ensure that the file you downloaded is valid. Checking the downloaded file against this hash can ensure that the file was not corrupted during transfer. However, it is not a strong enough indicator that the file has not been tampered with. If the file was modified, the MD5 hash could just as easily have been updated along with it. In order to be sure that the file has not been tampered with, you need a hash that is provided out of band, from a trusted source (the FreeBSD Ports tree comes with the SHA256 hashes of all files, which are then verified once they are downloaded). SHA256 is much more secure, as MD5 has been defeated a number of times, with attackers able to craft two files with matching hashes. SHA-1 is no longer considered secure enough for cryptographic purposes. It should also be noted that SHA-512 is actually faster to calculate than SHA256 on 64-bit hardware; however, it is not as widely supported yet. The ultimate solution for ensuring the integrity of downloadable files is a GPG signature, verified against a trusted public key. Many package managers (such as yum) take this approach, and some websites offer a .asc file for verification. A number of projects have stopped publishing the GPG signatures because the proportion of users who checked the signature was too low to justify the additional effort. Some open source projects have had backdoors injected into their downloadable archives on official mirrors, such as the UnrealIRCd project.
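Added Go example (not the show's own code) of the distinction the answer draws: a checksum published beside the download on the same mirror catches corruption but not substitution, because whoever replaces the archive can republish a matching checksum, while a signature checked against a public key obtained out of band cannot be regenerated without the maintainer's private key. The archive bytes, the "mirror" and the key pair are constructed in-process for the example, and Ed25519 stands in for the GPG signatures the answer mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Release is what a download mirror serves: the archive, its published checksum
// and a detached signature over the archive. Everything is constructed here.
type Release struct {
	Archive   []byte
	SHA256Hex string // checksum published on the same mirror (in band)
	Signature []byte // signature over the archive, made with the project key
}

// publish is the project's release step: hash the archive and sign it with the
// private key, which never leaves the maintainer's machine.
func publish(priv ed25519.PrivateKey, archive []byte) Release {
	sum := sha256.Sum256(archive)
	return Release{
		Archive:   archive,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, archive),
	}
}

// tamper models a compromised mirror: the archive is replaced and, because the
// checksum lives on the same mirror, it is simply recomputed. The signature
// cannot be recomputed without the private key, so the stale one stays.
func tamper(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{Archive: replacement, SHA256Hex: hex.EncodeToString(sum[:]), Signature: r.Signature}
}

// ChecksumMatches is the check most users perform: compare the file's hash with
// the checksum on the download page. It detects corruption in transit only.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Archive)
	want, err := hex.DecodeString(r.SHA256Hex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	return subtle.ConstantTimeCompare(sum[:], want) == 1
}

// SignatureValid is the out-of-band check: trustedPub was obtained earlier from
// a trusted source (keyring, fingerprint), so a mirror cannot swap it along
// with the archive.
func SignatureValid(trustedPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(trustedPub, r.Archive, r.Signature)
}

// CompareChecks returns (checksum ok, signature ok) for the genuine download
// and then for the tampered one.
func CompareChecks() (genuineSum, genuineSig, tamperedSum, tamperedSig bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	genuine := publish(priv, []byte("example-release.tar.gz: constructed sample archive bytes"))
	tampered := tamper(genuine, []byte("example-release.tar.gz: same name, different contents"))
	return ChecksumMatches(genuine), SignatureValid(pub, genuine),
		ChecksumMatches(tampered), SignatureValid(pub, tampered), nil
}

func main() {
	gSum, gSig, tSum, tSig, err := CompareChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine:  checksum=%v signature=%v\n", gSum, gSig)
	fmt.Printf("tampered: checksum=%v signature=%v\n", tSum, tSig)
}
```

The tampered release still passes the checksum comparison, which is exactly why the answer calls the hash a guard against corruption rather than tampering; only the signature check, anchored to a key not served by the mirror, fails.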


Q: (Christoper) I have a Windows 7 laptop and an Ubuntu desktop. What would be a cheap and easy way to share files between them?
A: The easiest and most secure way is to enable SSH on the Ubuntu machine, and then use an SFTP client like FileZilla (for Windows, Mac and Linux), and then just log in to your Ubuntu machine using your Ubuntu username/password. Alternatively, if you have shared a folder on your Windows machine, you should be able to browse to it from the Nautilus file browser in Ubuntu. Optionally, you can also install Samba to allow your Ubuntu machine to share files with Windows; it will appear as if it were another Windows machine in your Windows ‘network neighbourhood’.


Q: (Chad) I have a network of CentOS servers, and a central NFS/NIS server, however we are considering adding a FreeNAS box to provide ZFS. I need to be able to provide consistent centralized permissions control on this new file system. I don’t want to have to manually recreate the users on the FreeNAS box. Should I switch to LDAP?
A: FreeNAS is based on FreeBSD, so it has a native NIS client you can use (ypbind) to connect to your existing NIS system. This would allow the same users/groups to exist across your heterogeneous network. You may need to modify the /etc/nsswitch.conf file to configure the order local files and NIS are checked in, and set your NIS domain in /etc/rc.conf. Optionally, you could use LDAP, again, adding some additional parameters to nsswitch.conf and configuring LDAP. If you decide to use LDAP, I would recommend switching your CentOS machines to using LDAP as well, allowing you to again maintain a single system for both Linux and BSD, instead of maintaining separate account databases. If you are worried about performance, you might consider setting the BSD machine up as an NIS slave, so that it maintains a local copy of the NIS database. The FreeBSD NIS server is called ypserv. You can find out more about configuring NIS on FreeBSD here


Bitcoin Blaster

Roundup
