blockchain – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Wed, 30 Mar 2022 09:17:57 +0000

Revolution in Review | Coder Radio 459 https://original.jupiterbroadcasting.net/148057/revolution-in-review-coder-radio-459/ Wed, 30 Mar 2022 05:30:00 +0000 https://original.jupiterbroadcasting.net/?p=148057 Show Notes: coder.show/459

The post Revolution in Review | Coder Radio 459 first appeared on Jupiter Broadcasting.

Planet Incinerating Technology | LINUX Unplugged 441 https://original.jupiterbroadcasting.net/147382/planet-incinerating-technology-linux-unplugged-441/ Sun, 16 Jan 2022 19:45:00 +0000 https://original.jupiterbroadcasting.net/?p=147382 Show Notes: linuxunplugged.com/441

The post Planet Incinerating Technology | LINUX Unplugged 441 first appeared on Jupiter Broadcasting.

Saving Podcasting from Centralization | LINUX Unplugged 440 https://original.jupiterbroadcasting.net/147242/saving-podcasting-from-centralization-linux-unplugged-440/ Sun, 09 Jan 2022 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=147242 Show Notes: linuxunplugged.com/440

The post Saving Podcasting from Centralization | LINUX Unplugged 440 first appeared on Jupiter Broadcasting.

Just Say No to M1 | Coder Radio 440 https://original.jupiterbroadcasting.net/146742/just-say-no-to-m1-coder-radio-440/ Wed, 17 Nov 2021 13:00:00 +0000 https://original.jupiterbroadcasting.net/?p=146742 Show Notes: coder.show/440

The post Just Say No to M1 | Coder Radio 440 first appeared on Jupiter Broadcasting.

Linux Action News 127 https://original.jupiterbroadcasting.net/135677/linux-action-news-127/ Sun, 13 Oct 2019 18:20:29 +0000 https://original.jupiterbroadcasting.net/?p=135677 Show Notes: linuxactionnews.com/127

The post Linux Action News 127 first appeared on Jupiter Broadcasting.

Linux Action News 104 https://original.jupiterbroadcasting.net/131061/linux-action-news-104/ Sun, 05 May 2019 17:11:32 +0000 https://original.jupiterbroadcasting.net/?p=131061 Show Notes: linuxactionnews.com/104

The post Linux Action News 104 first appeared on Jupiter Broadcasting.

Linux Action News 46 https://original.jupiterbroadcasting.net/123537/linux-action-news-46/ Sun, 25 Mar 2018 16:44:20 +0000 https://original.jupiterbroadcasting.net/?p=123537 RSS Feeds: HD Video Feed | MP3 Feed | iTunes Feed Become a supporter on Patreon: Episode Links LG releases webOS Open Source Edition, looks to expand webOS usage — LG wants to expand the adoption of webOS and the company is working with the South Korean government to solicit business proposals from other companies […]

The post Linux Action News 46 first appeared on Jupiter Broadcasting.

The Concern with Containers | TechSNAP 356 https://original.jupiterbroadcasting.net/122482/the-concern-with-containers-techsnap-356/ Thu, 15 Feb 2018 20:31:44 +0000 https://original.jupiterbroadcasting.net/?p=122482 RSS Feeds: HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Skype can’t fix a nasty security bug without a massive code rewrite The bug grants a low-level user access to every corner of the operating system. Zero-day vulnerability in Telegram In October 2017, […]

The post The Concern with Containers | TechSNAP 356 first appeared on Jupiter Broadcasting.

Show Notes:

Skype can’t fix a nasty security bug without a massive code rewrite

The bug grants a low-level user access to every corner of the operating system.

Zero-day vulnerability in Telegram

In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

Microsoft To Embrace Decentralized Identity Systems Built On Bitcoin And Other Blockchains

In a new post today, Microsoft announced their embrace of public blockchains, such as Bitcoin and Ethereum, for use in decentralized identity systems. Initially, the longtime tech giant will support blockchain-based decentralized IDs (DIDs) through the Microsoft Authenticator app.

Containers Will Not Fix Your Broken Culture (and Other Hard Truths)

We focus so often on technical anti-patterns, neglecting similar problems inside our social structures. Spoiler alert: the solutions to many difficulties that seem technical can be found by examining our interactions with others. Let’s talk about five things you’ll want to know when working with those pesky creatures known as humans.

Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields

Our method is based on an exploitation of the magnetic field generated by the computer’s CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic radiation propagates through the air, penetrating metal shielding such as Faraday cages (e.g., compass still works inside Faraday cages).

Feedback / Follow Up

Peer Pressure | LINUX Unplugged 227 https://original.jupiterbroadcasting.net/120622/peer-pressure-lup-227/ Thu, 14 Dec 2017 01:29:46 +0000 https://original.jupiterbroadcasting.net/?p=120622 RSS Feeds: MP3 Feed | iTunes Feed | Video Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Pre-Show Netflix US on Twitter: “To the 53 people who’ve watched A Christmas Prince every day for the past 18 days: Who hurt you?” Follow Up / Catch Up Does Systemd Makes Linux Complex, Error-Prone, […]

The post Peer Pressure | LINUX Unplugged 227 first appeared on Jupiter Broadcasting.

Show Notes:

Pre-Show

Follow Up / Catch Up

Does Systemd Make Linux Complex, Error-Prone, and Unstable?

We are a small team at ungleich and we simply don’t have the time to fix problems caused by systemd on a daily basis. This is even without calculating the security risks that come with systemd. Our objective is to create a great, easy-to-use platform for VM hosting, not to walk a tightrope.

Context on Conservancy’s Filing for Summary Judgment with the TTAB

Therefore we’ve proceeded today with the most expedient defense available to us: a summary judgment motion which can be read on the USPTO’s website. As a non-lawyer, I explain in this blog post some details of that motion and its supporting documents in more mundane, non-legal terms.

TING

Snaps & automatic updates prove popular with email client, Mailspring

In the latest interview with a snap developer, we spoke to Ben Gotow who is the lead maintainer of Mailspring, a free, modern email client for Linux, Windows, and macOS. Originally started and open-sourced by Nylas in California, Ben took on the project earlier this year after Nylas changed course and stopped development. Mailspring has more than 10k active users on Linux, and will offer the snap as the preferred install method beginning from this week.

“The vision for Canonical is to provide the platform that you see everywhere other than the personal domain. We won’t make a dent in phone or PCs. But pretty much your entire data center runs Linux and every other thing in the room is running Linux,” Shuttleworth said. “Can we help deliver that innovation and do it in a format that is secure, reliable and very, very cheap? That’s an interesting set of challenges.”

Spaceman Shuttleworth Finds Earthly Riches With Ubuntu Software

Steam now lets developers know how many users want their game on Mac and Linux

Valve has made a change to the developer side of Steam that gives developers a breakdown of the different platforms people choose when adding a game to their wishlist.

This is helpful because it also shows platforms that the game does not currently support, letting the developer know how much interest there is for ports on platforms other than Windows. This is obviously only limited to PC operating systems, so Mac, Linux, and SteamOS.

LinuxFest Northwest 2018

LinuxFest Northwest, an annual Open Source event in Bellingham, WA USA, features presentations and exhibits on free and open source topics, as well as Linux distributions & applications, InfoSec, and privacy; something for everyone from the novice to the professional!

DigitalOcean

Open Source Replacements for Centralized Services and Platforms

It’s all about the platform, building the biggest platform, with the most engaged users, with the most control.

YouTube is a platform, Patreon is also a platform. It feels like the walls are closing in tighter and tighter than ever. 

Early Linux users watched this as Microsoft used the position of their platform to keep Linux off the desktop. 

But now these platform wars happen at an exponential rate across every tech category. Recently Google started blocking YouTube on Echo Shows because Amazon doesn't sell Nest cams and Chromecasts (amongst others).

It's always the users that lose these platform wars, and the large corporations don't care about the collateral damage.

But are we starting to see the cracks in these platforms' grip?

Open Source YouTube Replacement

PeerTube

Federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.

We can’t build FOSS video streaming alternatives to YouTube, Dailymotion, Vimeo… with centralized software. One organization alone cannot have enough money to pay for the bandwidth and video storage of its server.

So we need to have a decentralized network (as Diaspora for example).

But it’s not enough because one video could become famous and overload the server. It’s the reason why we need to use a P2P protocol to limit the server load. Thanks to WebTorrent, we can make P2P (thus BitTorrent) inside the web browser right now.

Open Source Patreon Replacement

Liberapay

Liberapay is a recurrent donations platform.

Dash Crypto Currency — Dash

At Dash’s core is a unique fully-incentivized peer-to-peer network. Miners are rewarded for securing the blockchain and masternodes are rewarded for validating, storing and serving the blockchain to users.

Masternodes represent a new layer of network servers that work in highly secure clusters called quorums to provide a variety of decentralized services, like instant transactions, privacy and governance, while eliminating the threat of low-cost network attacks.

Open Source Twitter Replacement

Mastodon

The world’s largest free, open-source, decentralized microblogging network

Matrix

An open network for secure, decentralized communication.


Linux Academy

Gentoo Challenge Check-In

Linux Action News 30 https://original.jupiterbroadcasting.net/120412/linux-action-news-30/ Sun, 03 Dec 2017 18:11:06 +0000 https://original.jupiterbroadcasting.net/?p=120412 RSS Feeds: HD Video Feed | MP3 Feed | iTunes Feed Become a supporter on Patreon: Episode Links Bitcoin surges past $10k — Bitcoin has spiked 933 percent since the beginning of the year, when it traded at $968.23 Big companies join the compliance-first approach to GPLv2 — To provide greater predictability to users of […]

The post Linux Action News 30 first appeared on Jupiter Broadcasting.

Episode Links
  • Bitcoin surges past $10k — Bitcoin has spiked 933 percent since the beginning of the year, when it traded at $968.23
  • Big companies join the compliance-first approach to GPLv2 — To provide greater predictability to users of open source software, Red Hat, Facebook, Google and IBM today each committed to extending the GPLv3 approach for license compliance errors to the software code that each licenses under GPLv2 and LGPLv2.1 and v2.
  • LTS kernel support window clarified — Just because Greg Kroah-Hartman is doing it for 4.4 does not mean that all LTS kernels from now on are going to be maintained for that long.
  • New x86 version of Raspbian Released — Today, we are launching the first Debian Stretch release of the Raspberry Pi Desktop for PCs and Macs, and we’re also releasing the latest version of Raspbian Stretch for your Pi.
  • LOL
  • Mozilla’s Open Source Speech Recognition Model and Voice Dataset — I’m excited to announce the initial release of Mozilla’s open source speech recognition model that has an accuracy approaching what humans can perceive when listening to the same recordings. We are also releasing the world’s second largest publicly available voice dataset, which was contributed to by nearly 20,000 people globally.
  • Mozilla still loaded — The State of Mozilla 2016 is our annual report. This report highlights activities for 2016 and is accompanied by detailed financials.
  • Jolla update — Sailfish X has been now out for six weeks

Linux Action News 17 https://original.jupiterbroadcasting.net/117936/linux-action-news-17/ Sun, 03 Sep 2017 18:49:09 +0000 https://original.jupiterbroadcasting.net/?p=117936 RSS Feeds: HD Video Feed | MP3 Feed | iTunes Feed Become a supporter on Patreon: Episode Links Ubuntu Rally in NYC — The Ubuntu Rally, taking place in New York City September 25th-29th, is a forward-thinking five day software hackathon attended by major software vendors, Ubuntu developers working at every level of the stack, […]

The post Linux Action News 17 first appeared on Jupiter Broadcasting.

Episode Links
  • Ubuntu Rally in NYC — The Ubuntu Rally, taking place in New York City September 25th-29th, is a forward-thinking five day software hackathon attended by major software vendors, Ubuntu developers working at every level of the stack, and community contributors.
  • 17.10 Beta 1 of Ubuntu flavours released — The first beta is available today for the Ubuntu 17.10 “Artful Aardvark” release for the flavors opting in to participate in this development milestone ahead of the official launch in October.
  • Reddit closes its source — Open-source makes it hard for us to develop some features “in the clear” (like our recent video launch) without leaking our plans too far in advance. As Reddit is now a larger player on the web, it is hard for us to be strategic in our planning when everyone can see what code we are committing.
  • Phoenix OS urged to open source their kernel — So a dedicated fan of the platform, Karol Putra, has created a Change.org petition in hopes that it will change their minds.
  • Petition update * Victory! — It’s most likely really the Phoenix OS kernel as it carries slight unique modifications in comparison to Android-x86 and its forks
  • Google mandates 4.4+ kernel for Oreo — Starting this year with smartphones which ship with Android Oreo, Google is requiring that all SoCs productized in 2017 must launch with kernel 4.4 or newer.
  • Essential underdelivers — Essential — a device, marketing team, and CEO that seem to blur the lines between fact and fiction and possible and impossible
  • Then Essential royally screws up — Dozens of customers replied with their personal information, but those emails didn’t just go to Essential. Instead, they went out to everybody who had received the original email.
  • Blockchain is big in big business — Hundreds of projects have collectively raised more than a billion dollars through “initial coin offerings” (ICOs). There are now tokens funding every conceivable endeavor
  • Linux creeps above 3% browser marketshare — According to Net Applications’ Netmarketshare, the Linux market share on the desktop as judged by browser interactions may now be above 3%.

Summer of GitHub | CR 262 https://original.jupiterbroadcasting.net/116041/summer-of-github-cr-262/ Thu, 22 Jun 2017 16:38:56 +0000 https://original.jupiterbroadcasting.net/?p=116041 RSS Feeds: MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video Become a supporter on Patreon: — Show Notes: — Hoopla Swift creator departs Tesla after just six months Six months later, he announced on Twitter that he was leaving the car company. “Turns out that Tesla isn’t a good […]

The post Summer of GitHub | CR 262 first appeared on Jupiter Broadcasting.

— Show Notes: —

Hoopla

Swift creator departs Tesla after just six months

Six months later, he announced on Twitter that he was leaving the car company. “Turns out that Tesla isn’t a good fit for me after all,” he said. Lattner doesn’t have a new job in mind just yet.

Stripe refocuses European effort with 6 new markets and expanded payments platform

Stripe serves as the technical and banking infrastructure that allows businesses and individuals to accept online payments. The company has garnered more than $400 million in equity financing from big-name backers since its inception back in 2010, including CapitalG (Google), Sequoia Capital, Andreessen Horowitz, American Express, and Elon Musk. For many, the company is a prime candidate to go public, but Stripe CEO Patrick Collison stated recently that he has no intentions of pursuing an IPO anytime soon.

Blockchain raises $40 million from Lakestar and Google’s venture arm

European venture capital fund Lakestar and GV, Google’s venture capital arm, both led the round. Nokota Management and Digital Currency Group also took part in the investment, as did Blockchain’s existing investors Lightspeed Venture Partners, Mosaic Venture Partners, Prudence Holdings, Virgin, and Sir Richard Branson.

Inside Microsoft’s Artificial Intelligence Comeback

“We don’t want one or two companies, which I will not name, to be the only big players in town for AI,” he says.

Long Broken SSL History | TechSNAP 289 https://original.jupiterbroadcasting.net/104096/long-broken-ssl-history-techsnap-289/ Thu, 20 Oct 2016 23:26:01 +0000 https://original.jupiterbroadcasting.net/?p=104096 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Spreading the DDoS Disease and Selling the Cure Krebs has done some more digging into DDoS for hire businesses “Earlier this month a hacker released […]

The post Long Broken SSL History | TechSNAP 289 first appeared on Jupiter Broadcasting.

Show Notes:

Spreading the DDoS Disease and Selling the Cure

  • Krebs has done some more digging into DDoS for hire businesses
  • “Earlier this month a hacker released the source code for Mirai, a malware strain that was used to launch a historically large 620 Gbps denial-of-service attack against this site in September. That attack came in apparent retribution for a story here which directly preceded the arrest of two Israeli men for allegedly running an online attack for hire service called vDOS. Turns out, the site where the Mirai source code was leaked had some very interesting things in common with the place vDOS called home.”
  • “The domain name where the Mirai source code was originally placed for download — santasbigcandycane[dot]cx — is registered at the same domain name registrar that was used to register the now-defunct DDoS-for-hire service vdos-s[dot]com”
  • “Normally, this would not be remarkable, since most domain registrars have thousands or millions of domains in their stable. But in this case it is interesting mainly because the registrar used by both domains — a company called namecentral.com — has apparently been used to register just 38 domains since its inception by its current owner in 2012, according to historic WHOIS records gathered by domaintools.com (for the full list see this PDF).”
  • That is highly unusual; the cost of ICANN accreditation ($3,500, plus $4,000/year) makes this seem unlikely
  • “What’s more, a cursory look at the other domains registered via namecentral.com since then reveals a number of other DDoS-for-hire services, also known as “booter” or “stresser” services.”
  • vDoS, before it was taken down by authorities thanks to Krebs, was hacked, and its user database and history were posted online. From this data, Krebs was able to gather a list of other DDoS for Hire services that were just reselling the vDoS service, using its API to launch attacks on behalf of their own customers
  • “And a number of those vDOS resellers were registered through Namecentral, including 83144692[dot].com — a DDoS-for-hire service marketed at Chinese customers. Another Namecentral domain — vstress.net — also was a vDOS reseller.”
  • “Other DDoS-for-hire domains registered through Namecentral include xboot[dot]net, xr8edstresser[dot]com, snowstresser[dot]com, ezstress[dot]com, exilestress[dot]com, diamondstresser[dot]net, dd0s[dot]pw, rebelsecurity[dot]net, and beststressers[dot]com.”
  • So, it seems a lot of these might have actually been the same company, just with many faces
  • “Namecentral’s current owner is a 19-year-old California man by the name of Jesse Wu. Responding to questions emailed from KrebsOnSecurity, Wu said Namecentral’s policy on abuse was inspired by Cloudflare, the DDoS protection company that guards Namecentral and most of the above-mentioned DDoS-for-hire sites from attacks of the very kind they sell.”
  • When asked about why the registrar had so few domains: Wu: “Like most other registrars, we register domains only as a value added service,” he replied via email. “We have more domains than that (not willing to say exactly how many) but primarily we make our money on our website/ddos protection/ecommerce protection.”
  • Wu: “We have a policy inspired by Cloudflare’s similar policy that we ourselves will remain content-neutral and in the support of an open Internet, we will almost never remove a registration or stop providing services, and furthermore we’ll take any effort to ensure that registrations cannot be influenced by anyone besides the actual registrant making a change themselves – even if such website makes us uncomfortable,” Wu said. “However, as a US based company, we are held to US laws, and so if we receive a valid court issued order to stop providing services to a client, or to turn over/disable a domain, we would happily comply with such order.”
  • “Taking a page from Cloudflare, indeed. I’ve long taken Cloudflare to task for granting DDoS protection for countless DDoS-for-hire services, to no avail. I’ve maintained that Cloudflare has a blatant conflict of interest here, and that the DDoS-for-hire industry would quickly blast itself into oblivion because the proprietors of these attack services like nothing more than to turn their attack cannons on each other. Cloudflare has steadfastly maintained that picking and choosing who gets to use their network is a slippery slope that it will not venture toward.”
  • “Although Mr. Wu says he had nothing to do with the domains registered through Namecentral, public records filed elsewhere raise serious unanswered questions about that claim.”
  • Krebs found a paper trail linking a number of the DDoS for Hire services to Thomas McGonagall, who at one point is also listed as the director of “Namecentral LTD”
  • “Now we were getting somewhere. Turns out, Wu isn’t really in the domain registrar business — not for the money, anyway. The real money, as his response suggests, is in selling DDoS protection against the very DDoS-for-hire services he is courting with his domain registration service.”
  • But then Krebs caught Wu in a lie
  • “That other company —SIMPLIFYNT LTD — was registered by Mr. McGonagall on October 29, 2014. Turns out, almost the exact same information included in the original Web site registration records for Jesse Wu’s purchase of Namecentral.com was used for the domain simplifynt.com, which also was registered on Oct. 29, 2014. I initially missed this domain because it was not registered through Namecentral. If someone had phished Mr. Wu in this case, they had been very quick to the punch indeed.”
  • “In the simplifynt.com domain registration records, Jesse Wu gave his email address as jesse@jjdev.ru. That domain is no longer online, but a cached copy of it at archive.org shows that it was once a Web development business. That cached page lists yet another contact email address: sales@jjdevelopments.org. I ordered a reverse WHOIS lookup from domaintools.com on all historic Web site registration records that included the domain “jjdevelopments.org” anywhere in the records. The search returned 15 other domains, including several more apparent DDoS-for-hire domains such as twbooter69.com, twbooter3.com, ratemyddos.com and desoboot.com.”
  • “Among the oldest and most innocuous of those 15 domains was maplemystery.com, a fan site for a massively multiplayer online role-playing game (MMORPG) called Maple Story. Another historic record lookup ordered from domaintools.com shows that maplemystery.com was originally registered in 2009 to a “Denny Ng.” As it happens, Denny Ng is listed as the co-owner of the $1.6 million Walnut, Calif. home where Jesse until very recently lived with his mom Cindy Wu (Jesse is now a student at the University of California, San Diego).”
  • Then there is another person who uses Namecentral
  • “Another domain of interest that was secured via Namecentral is datawagon.net. Registered by 19-year-old Christopher J. “CJ” Sculti Jr., Datawagon also bills itself as a DDoS mitigation firm. It appears Mr. Sculti built his DDoS protection empire out of his parents’ $2.6 million home in Rye, NY. He’s now a student at Clemson University, according to his Facebook page.”
  • Krebs talked to this person back in 2015 about their cybersquatting suit with Domino’s Pizza, and when Sculti didn’t like what Krebs wrote about him, he started DDoS’ing Krebs’ Skype account and website.
  • “Last year, Sculti formed a company in Florida along with a self-avowed spammer. Perhaps unsurprisingly, anti-spam group Spamhaus soon listed virtually all of Datawagon’s Internet address space as sources of spam.”
  • “Are either Mr. Wu or Mr. Sculti behind the Mirai botnet attacks? I cannot say. But I’d be willing to bet money that one or both of them knows who is. In any case, it would appear that both men may have hit upon a very lucrative business model. More to come.”
  • DDoS Protection services, with connections to DDoS for Hire services, sound an awful lot like racketeering to me

The VeraCrypt Audit Results

  • “The QuarksLab audit of VeraCrypt has been completed, and this is the public release of the results”
  • The quick and dirty:
  • VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more. QuarksLab found:
    • 8 Critical Vulnerabilities
    • 3 Medium Vulnerabilities
    • 15 Low or Informational Vulnerabilities / Concerns
  • “This public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19 which fixes the vast majority of these high priority concerns. Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt.”
  • “VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software.”
  • “I’d also like to extend a special thank you to Fred, Jean-Baptiste, and Marion at QuarksLab for conducting this audit, to Mounir at Idrix for his enthusiastic participation and continued development of this crucial open-source software, and to VikingVPN and DuckDuckGo and all of our individual donors for the funding to make this audit possible. We have all made the digital world a little bit safer for all of us.”
  • “This report describes the results of the security assessment of VeraCrypt 1.18 made by Quarkslab between Aug. 16 and Sep. 14, 2016 and funded by OSTIF. Two Quarkslab engineers worked on this audit, for a total of 32 man-days of study.”
  • The audit followed two lines of work:
    • The analysis of the fixes introduced in VeraCrypt after the results of the Open Crypto Audit Project’s audit of TrueCrypt 7.1a have been published.
    • The assessment of VeraCrypt’s features that were not present in TrueCrypt.
  • “VeraCrypt is a hard to maintain project. Deep knowledge of several operating systems, of the Windows kernel, of the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills.”
  • “Vulnerabilities which require substantial modifications of the code or the architecture of the project have not been fixed. These include:”
    • TC_IOCTL_OPEN_TEST multiple issues (need to change the application behavior)
    • EncryptDataUnits() lacks error handling (need to design a new logic to retrieve errors)
    • AES implementation susceptible to cache-timing attacks (need to fully rewrite the AES implementations)
  • “Vulnerabilities leading to incompatibilities with TrueCrypt, as the ones related to cryptographic mechanisms, have not been fixed. Most notable are:”
    • Keyfile mixing is not cryptographically sound
    • Unauthenticated ciphertext in volume headers.
  • “Among the problems found during the audit, some must be corrected quickly:”
    • The availability of GOST 28147-89, a symmetric block cipher with a 64-bit block size, is an issue. This algorithm must not be used in this context.
    • Compression libraries are outdated or poorly written. They must be updated or replaced
    • If the system is encrypted, the boot password (in UEFI mode) or its length (in legacy mode) could be retrieved by an attacker
  • “Finally, the UEFI loader is not mature yet. However, its use has not been found to cause security problems from a cryptographic point of view”
  • The full assessment PDF is on the website linked at the top of this story
  • With the original authors not around to sue anyone, it seems this Apache 2 licensed fork will continue, and might not be a bad choice for those that need to encrypt files across OSes

SSL/TLS and PKI History

  • “A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem. Based on Bulletproof SSL and TLS, by Ivan Ristić”
  • It starts in November of 1994: “Netscape develops SSL v2, an encryption protocol designed to support the Web as a hot new commerce platform. This first secure protocol version shipped in Netscape Navigator 1.1 in March 1995.”
  • A year later: “SSL v2 is shot down because of serious security issues. Consequently, Netscape scrambles to release SSLv3. This protocol seems good enough for now and the golden era of the Web begins. The specification was eventually published as RFC 6101”
  • So, we knew SSLv2 was bad, in 1995… why was it still in use in 2015?
  • January 1999: “In 1996, an IETF working group is formed to standardize SSL. Even though the resulting protocol is almost identical to SSL v3, the process takes 3 years. TLS v1.0 is published as RFC 2246. Microsoft forces the change of protocol name to Transport Layer Security (TLS), creating a confusion that continues to this day.”
  • January 2001: “Someone calls VeriSign claiming to be from Microsoft, pays $400, and gets away with two code-signing certificates. The certificates have no special powers, but the owner name is misleading and potentially dangerous.”
  • April 2006: “A new version of the TLS protocol is released as RFC 4346. This version addresses the BEAST attack, but it will be 5 years before the world realizes.”
  • June 2007: “In the early days, CAs are strict about identity verification before certificate issuance. Eventually, some CAs realise that they can get away with less work and domain-validated (DV) certificates are born. To restore the balance, Extended Validation (EV) certificates are designed as a way of guaranteeing a connection between a domain name and a real-life business entity.”
  • It used to require a lot of money ($100s or $1000s), a lot of paperwork, and a reasonable amount of time to get an SSL certificate. Eventually DV certificates meant anyone could get a cert for $9 a year. So the CAs came up with a way to charge $100s again.
  • May 2008: “It is discovered that a catastrophic programming error had been introduced to Debian in September 2006, becoming part of the official release in April 2007. All private keys generated on vulnerable systems were insecure.”
  • August 2008: “A new version of TLS is released as RFC 5246, although hardly anyone notices. A major new feature in this version is authenticated (AEAD) encryption, which removes the need for streaming and block ciphers (and thus the inherently vulnerable CBC mode).”
  • July 2009: “SSL Labs launches to build better tools for secure server assessment and research how SSL/TLS and PKI are used in practice.”
  • March 2011: “The IETF attempts to formally deprecate SSL v2 by publishing RFC 6176. According to SSL Labs, 54% HTTPS servers supported this obsolete protocol version in 2011.”
  • August 2011: DigiNotar
  • July 2012: “After their success with EV certificates, the CA/Browser Forum publishes Baseline Requirements to standardise issuance of all certificates.”
  • May 2013: “Edward Snowden releases thousands of classified NSA documents to selected journalists, changing the public’s perspective of the Internet forever. We eventually realise the extent of passive monitoring of plaintext communication.”
  • August 2013: “Work on TLS 1.3 begins. Although TLS 1.2 seems good enough for now, it’s clear that it can’t support the next few decades of Internet evolution. Thus, work on the next-generation encryption protocol begins.”
  • January 2014: “At the beginning of 2014, 1024-bit RSA keys for subscriber certificates are retired; 2048-bit RSA certificates become the new minimum. Weak intermediate and root keys remain in use.”
  • April 2014: “A critical vulnerability in OpenSSL, a very widely used TLS library, is discovered. If exploited, Heartbleed enables attackers to retrieve process memory from vulnerable servers, often resulting in private key compromise. Because of tremendous hype associated with the attack, most public servers fix the vulnerability practically overnight. A long tail of vulnerable devices remains, though. Heartbleed’s biggest contribution is showing the world how severely underfunded the OpenSSL project was in its 20 years of existence. In the following months, large organisations start contributing to the project and a big cleanup begins.”
  • February 2015: “The IETF publishes RFC 7465 to formally prohibit usage of the weak but ever-popular RC4 cipher.”
  • November 2015: “Let’s Encrypt is launched to provide free certificates with automated issuance. It is widely expected that this new non-profit CA will further drive down the price of DV certificates and encourage similar programs from other, more established CAs. However, it is their focus on automated issuance that excites, allowing all infrastructure to be protected.”
  • January 2016: “CAs are no longer allowed to issue public SHA1 certificates. The key word here is “public”. Some CAs continue to issue SHA1 certificates from roots that are not trusted by modern browsers, but continue to be trusted by older devices.”
  • February 2016: “Previous versions of SSL and TLS were either rushed (SSL v2 and SSL v3) or maintenance efforts (TLS v1.0-v1.2). With TLS v1.3, the working group is taking a different approach; after more than two years in development, a workshop is held to carefully analyse the new designs.”
  • The timeline extends into the future:
    • January 2017: Browsers will stop accepting all SHA1 certificates
    • July 2018: “From July 2018, PCI-compliant merchants must not support TLS 1.0. Originally, this date was intended to be in July 2016, but that was not realistic because of too many users relying on obsolete technology that doesn’t support modern protocols.”

The post Long Broken SSL History | TechSNAP 289 first appeared on Jupiter Broadcasting.

Let’s Encrypt: A New Hope | LAS 396 https://original.jupiterbroadcasting.net/91736/lets-encrypt-a-new-hope-las-396/ Sun, 20 Dec 2015 05:11:29 +0000 https://original.jupiterbroadcasting.net/?p=91736 Inspired by the Let’s Encrypt project, we break down the basics of SSL & how easy it is to set up on your Linux box now. Plus hacking GRUB by hitting backspace 28 times, the Linux Foundation wants the Blockchain, without the Bitcoin and their bedfellows are concerning, the steady steps towards cross distro application […]

The post Let's Encrypt: A New Hope | LAS 396 first appeared on Jupiter Broadcasting.

Inspired by the Let’s Encrypt project, we break down the basics of SSL & how easy it is to set up on your Linux box now.

Plus hacking GRUB by hitting backspace 28 times, the Linux Foundation wants the Blockchain, without the Bitcoin and their bedfellows are concerning, the steady steps towards cross distro application bundles & more!

— Show Notes: —


Brought to you by: Linux Academy

Apache and SSL Self Signed Certificates

This course will detail how to install and configure Apache web services to answer for HTTPS connections. In addition, we will show how to generate a key file to use for obtaining a third party certificate and then use that key to generate a full self-signed certificate. Finally, we will configure our SSL VHOST to use that SSL certificate and verify its availability and content serving from an external location.

Let’s Encrypt

What is encryption

Asymmetric vs Symmetric Encryption

Symmetric encryption uses the identical key to both encrypt and decrypt the data. Symmetric key algorithms are much faster computationally than asymmetric algorithms as the encryption process is less complicated.

Asymmetric encryption uses two related keys (public and private) for data encryption and decryption, and takes away the security risk of key sharing. The private key is never exposed. A message that is encrypted by using the public key can only be decrypted by applying the same algorithm and using the matching private key.

Secure Sockets Layer

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

Let’s Encrypt

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.
No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

This page describes how to carry out the most common certificate management functions using the Let’s Encrypt client. You’re welcome to use any compatible client, but we only provide instructions for using the client that we provide.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

  • Welcome to the Let’s Encrypt client documentation! — Let’s Encrypt 0.2.0.dev0 documentation

  • Caddy 0.8 Released with Let’s Encrypt Integration

Today, I’m very excited to announce Caddy 0.8! It features automatic HTTPS, zero-downtime restarts, and the ability to embed Caddy in your own Go programs.

— PICKS —

Runs Linux

George’s Hacked Acura, Runs Linux

He’s been keeping the project to himself and is dying to show it off. We pace around the car going over the technology. Hotz fires up the vehicle’s computer, which runs a version of the Linux operating system, and strings of numbers fill the screen. When he turns the wheel or puts the blinker on, a few numbers change, demonstrating that he’s tapped into the Acura’s internal controls.

Desktop App Pick

Nuvola Player

Nuvola Player is a runtime for web-based music streaming services providing more native user experience and integration with Linux desktop environments than usual web browsers can offer. It tries to feel and look like a native application as possible.

Sent in by Rikai

Weekly Spotlight

GDriveFS

GDriveFS is an innovative FUSE wrapper for Google Drive developed under Python 2.7.

DOUBLE SPOTLIGHT

Block Spoilers for Star Wars

Force Block is safer than ever! Now, in addition to our standard pattern matching logic which requires a critical mass of related keywords to initiate a block, we’ve added a handful of instant-blocking keyphrases, sourced from people who have seen the film via early screenings. One of our engineers took one for the team punching those in! Ironic, he could save others from spoilers… but not himself.


— NEWS —

You Can Break Into a Linux System by Pressing Backspace 28 Times. Here’s How to Fix It

The researchers, Hector Marco and Ismael Ripoll from the Cybersecurity Group at Polytechnic University of Valencia, found that it’s possible to bypass all security of a locked-down Linux machine by exploiting a bug in the Grub2 bootloader. Essentially, hitting backspace 28 times when the machine asks for your username accesses the “Grub rescue shell,” and once there, you can access the computer’s data or install malware. Fortunately, Marco and Ripoll have made an emergency patch to fix the Grub2 vulnerability. Ubuntu, Red Hat, and Debian have all issued patches to fix it as well.

Linux is often thought of as a super secure operating system, but this is a good reminder to take physical security just as seriously as network security (if not more). Take extra care when your machine is around people you don’t know, especially if your system has sensitive data on it.

Description

A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.

Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices.

As shown in the picture, we successfully exploited this vulnerability in a Debian 7.5 under Qemu getting a Grub rescue shell.

Am I vulnerable ?

To quickly check if your system is vulnerable, when Grub asks you for the username, press Backspace 28 times. If your machine reboots or you get a rescue shell then your Grub is affected.

Impact

An attacker which successfully exploits this vulnerability will
obtain a Grub rescue shell. Grub rescue is a very powerful shell
allowing to:

  • Elevation of privilege: The attacker is authenticated
    without knowing a valid username nor the password. The
    attacker has full access to the grub’s console (grub
    rescue).

  • Information disclosure: The attacker can load a
    customized kernel and initramfs (for example from a USB) and
    then from a more comfortable environment, copy the full disk
    or install a rootkit.

  • Denial of service: The attacker is able to destroy
    any data including the grub itself. Even in the case that the
    disk is ciphered the attacker can overwrite it, causing a
    DoS.

Linux Foundation assembles gang to build a better Blockchain

The Linux Foundation has decided the time is right to apply its special brand of collaboration to the Blockchain, the distributed ledger technology behind Bitcoin and other cryptocurrencies.

The Foundation is talking up the blockchain as a supply-chain enhancer and electronic-transaction-speeder-upper, thanks to its provision of a distributed ledger that has no central point of control and therefore allows secure peer-to-peer information exchange.

There’s a big group of backers in the financial, tech and business industries that have taken the next step to making blockchain move forward without ties to bitcoin.

But as Webster pointed out in her column, “if we kill bitcoin that means we will also kill and bury the blockchain since bitcoin is what keeps the blockchain alive.” Because bitcoin is the method of transport used by the blockchain to move data between the miners, there’s a case for why bitcoin’s blockchain has stuck around.

But big banks like JPMorgan, along with the support of IBM and Intel want to bury that vision and resurrect their own vision for what they envision to be a more productive use case for the concept of a distributed ledger. This is like a blockchain, but sans the bitcoin.

The goal of the Open Ledger Project is not to work in the cryptocurrency space, but rather to leverage the technology behind the distributed ledger in order to streamline business tools that enable transactions and documents to move between parties faster. Another goal of the project would be to create open ledgers that can decide who can access that ledger.

XDG-App Continues Maturing For GNOME App Sandboxing

XDG-App has made much progress and is found in a “tech preview” state for GNOME 3.18 but it’s not until GNOME 3.20 and later where things will get more interesting. Alexander Larsson has provided a “Christmas 2015” update concerning the project for GNOME sandboxing.

Google’s killing Chrome support for 32-bit Linux, Ubuntu 12.04, and Debian 7

In an update posted to the Chromium-dev mailing list, Google’s Dirk Pranke wrote:

“To provide the best experience for the most-used Linux versions, we will end support for Google Chrome on 32-bit Linux, Ubuntu Precise (12.04), and Debian 7 (wheezy) in early March, 2016. Chrome will continue to function on these platforms but will no longer receive updates and security fixes.

We intend to continue supporting the 32-bit build configurations on Linux to support building Chromium. If you are using Precise, we’d recommend that you upgrade to Trusty.”

Bitcoin is Legal-ish | Plan B 20 https://original.jupiterbroadcasting.net/41947/bitcoin-is-legal-ish-plan-b-20/ Tue, 20 Aug 2013 15:57:44 +0000 https://original.jupiterbroadcasting.net/?p=41947 A landmark ruling in Germany combined with the media’s attempt to label Bitcoin collide this week on the Plan B show.

The post Bitcoin is Legal-ish | Plan B 20 first appeared on Jupiter Broadcasting.


A landmark ruling in Germany combined with the media’s attempt to label Bitcoin legal status collide this week on the Plan B show. Plus the security warning Blockchain.info users need to know, and Butterfly Labs pokes the hornets nest!

— Discussion —


Bitcoin now ‘unit of account’ in Germany

The German Federal Ministry of Finance said on Monday that Bitcoin is not a full-fledged currency but that it is permissible to use it in private transactions.

But if companies want to use Bitcoins for commercial transactions, they need the permission of the Federal Financial Supervisory Authority (BaFin), said Martin Chaudhuri, ministry spokesman.

While not putting Bitcoins on the same footing as formal currencies such as the pound or dollar, Germany’s move does mean that people who have speculated in the online cryptocurrency could be liable for capital gains taxes if they sell them less than a year after acquiring them.

People who have held on to them for longer will not be liable, the ministry told German MP Frank Schaeffler, who raised the question with the ministry. German authorities are trying to work out how — or whether — they could determine taxes due on Bitcoin transactions between individuals.

The most interesting aspect of the German ruling may be the consequences for the rest of the EU. The designation means that any exchange that wants to sell Bitcoin in Germany knows exactly what it needs to do: get a license from BaFin under Article 32 Kreditwesengesetz. Once an exchange is licensed in Germany, it would be allowed to operate anywhere in the EU — a stark contrast from the US, which requires a federal registration in addition to separate licenses from the states.


BFL 600 GH Bitcoin Mining Card

Performance Specifications

  • 600 GH/s nominal performance (+/- 20%)
  • 350w (0.6w/GH conservative estimate)

Connectivity

  • USB 2.0 – Monarch cards can be used as an external computer peripheral and chained via USB hub. In this mode it can be controlled via an Android host or standard Linux or Windows computer.
  • PCI Express – Monarch cards consume two PCI slots when installed in a standard ATX motherboard. The PCIe format used is 1X for maximum compatibility.

Mining Software compatibility

  • EasyMiner software is provided for Android, Windows & Linux operating systems.
  • BFGminer – Open source available
  • CGminer – Open source available
  • BitMinter – Java Client

Prior to this announcement, BFL’s largest mining rig ran at 500 GH/s and cost $22,484. It required over 100 chips and an enclosure of almost two cubic feet. The new 600 GH/s device will be the first ASIC miner to take the form factor of a standard graphics card.


Blockchain.info Users Need to Update Browser Plugin/Clear Cache

Jesse James has informed me of a problem with the RNG used by blockchain.info JavaScript clients being poorly seeded when initialised in a background webworker task. In some browsers this could lead to duplicate R values being used when signing transactions (Firefox is likely to be particularly vulnerable). This issue affects the transaction signing code only, not the generation of private keys.

Patches have now been deployed, Please ensure you upgrade to the latest version of your Blockchain.info client.

  • Chrome extension – v2.85
  • Firefox extension – v1.97
  • Mac client – v0.11

Users of the web interface should clear their browser’s cache before next login.

Only a handful of addresses are known to be affected thus far. Likely if you have been affected by this problem your coins will have been taken already. All affected users will be refunded in full, please PM me or email help@blockchain.info.
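
The duplicate R values described in the announcement above can be audited for after the fact: two different signatures made by the same key with the same r mean the signing nonce repeated. The following is an added example, not Blockchain.info's code and not part of the original show notes; it parses DER-encoded ECDSA signatures and reports any r shared by different signatures under one public key. The record layout (`pubkey`, `txid`, `sigHex`) and every sample value are constructed for illustration.

```javascript
// Added example: find reused ECDSA r values among a wallet's signatures.
// Sample records are constructed for illustration, not real transactions.

function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) throw new Error('invalid hex');
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// Read one DER INTEGER starting at offset; return it as 64 hex digits.
function readDerInt(buf, offset) {
  if (buf[offset] !== 0x02) throw new Error('expected INTEGER tag');
  const len = buf[offset + 1];
  // secp256k1 values are at most 32 bytes plus one 0x00 sign byte.
  if (len === undefined || len === 0 || len > 33) throw new Error('bad INTEGER length');
  const end = offset + 2 + len;
  if (end > buf.length) throw new Error('truncated INTEGER');
  let start = offset + 2;
  while (start < end - 1 && buf[start] === 0x00) start++; // drop sign padding
  const hex = Array.from(buf.slice(start, end), (b) => b.toString(16).padStart(2, '0')).join('');
  return { hex: hex.padStart(64, '0'), next: end };
}

// Parse SEQUENCE { INTEGER r, INTEGER s }, optionally followed by the
// one-byte sighash type that Bitcoin appends to signatures in a scriptSig.
function parseSignature(sigHex) {
  const buf = hexToBytes(sigHex);
  if (buf[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seqEnd = 2 + buf[1];
  if (seqEnd !== buf.length && seqEnd !== buf.length - 1) {
    throw new Error('SEQUENCE length mismatch');
  }
  const r = readDerInt(buf, 2);
  const s = readDerInt(buf, r.next);
  if (s.next !== seqEnd) throw new Error('trailing bytes inside SEQUENCE');
  return { r: r.hex, s: s.hex };
}

// Group signatures by (public key, r). The same r with a different s under
// one key means the nonce repeated; an identical (r, s) pair is just the
// same signature seen twice and is not reported.
function findReusedR(records) {
  const groups = new Map();
  const unparsable = [];
  for (const rec of records) {
    let sig;
    try {
      sig = parseSignature(rec.sigHex);
    } catch (err) {
      unparsable.push({ txid: rec.txid, reason: err.message });
      continue;
    }
    const id = rec.pubkey + ':' + sig.r;
    if (!groups.has(id)) groups.set(id, { pubkey: rec.pubkey, r: sig.r, bySig: new Map() });
    const bySig = groups.get(id).bySig;
    if (!bySig.has(sig.s)) bySig.set(sig.s, rec.txid);
  }
  const reused = [];
  for (const g of groups.values()) {
    if (g.bySig.size > 1) reused.push({ pubkey: g.pubkey, r: g.r, txids: [...g.bySig.values()] });
  }
  return { reused, unparsable };
}

// Constructed sample input: short r/s values keep the hex readable.
const SAMPLE_RECORDS = [
  { pubkey: 'key-A', txid: 'tx-a', sigHex: '300c02041a2b3c4d02045566778801' },
  { pubkey: 'key-A', txid: 'tx-b', sigHex: '300c02041a2b3c4d02040102030401' }, // same r as tx-a
  { pubkey: 'key-A', txid: 'tx-c', sigHex: '300d0205009a2b3c4d02040a0b0c0d01' }, // fresh r
  { pubkey: 'key-B', txid: 'tx-d', sigHex: '300c02041a2b3c4d02040f0e0d0c01' }, // other key
  { pubkey: 'key-A', txid: 'tx-e', sigHex: '300c02041a2b3c4d0204556601' }, // truncated
];

console.log(JSON.stringify(findReusedR(SAMPLE_RECORDS), null, 2));
```

Any key that appears in the `reused` list should be treated as compromised and its remaining funds moved to a freshly generated key.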

Bitcoin Pick

Let’s clear up some common Bitcoin misconceptions.
